Securing an Ad Hoc Network

I am using XP Pro on 2 notebooks. I have just set them up on a peer-to-peer connection with each other. The data encryption is set to WEP, however from what I am reading this is a vulnerable method. These notebooks will be used in meeting environments where corporate espionage is a concern. Is there any way for me to enhance the security of these two units and still remain wireless? Perhaps make the network itself invisible? Thank you in advance.

In article <883A360F-D0D9-4A1F-893C-70F80F1BC***@microsoft.com>, AmyM
<A***@discussions.microsoft.com> wrote:

>I am using XP Pro on 2 notebooks. I have just set them up on a peer-to-peer
>connection with each other. The data encryption is set to WEP, however from
>what I am reading this is a vulnerable method. These notebooks will be used
>in meeting environments where corporate espionage is a concern. Is there any
>way for me to enhance the security of these two units and still remain
>wireless? Perhaps make the network itself invisible? Thank you in advance.

Windows XP Service Pack 2 supports the more secure WPA and WPA2 data encryption standards. If the wireless network adapters in the notebooks support WPA or WPA2, use it. If they don't, consider replacing them.

--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group for everyone to see. I'm sorry, but I don't answer questions addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

Steve Winograd [MVP] wrote:
> In article <883A360F-D0D9-4A1F-893C-70F80F1BC***@microsoft.com>, AmyM
> <A***@discussions.microsoft.com> wrote:
>> I am using XP Pro on 2 notebooks. I have just set them up on a peer-to-peer
>> connection with each other. The data encryption is set to WEP, however from
>> what I am reading this is a vulnerable method. These notebooks will be used
>> in meeting environments where corporate espionage is a concern. Is there any
>> way for me to enhance the security of these two units and still remain
>> wireless? Perhaps make the network itself invisible? Thank you in advance.
>
> Windows XP Service Pack 2 supports the more secure WPA and WPA2 data
> encryption standards. If the wireless network adapters in the
> notebooks support WPA or WPA2, use it. If they don't, consider
> replacing them.

I could be wrong, but as far as I am aware,

Neither WPA-PSK nor WPA2-PSK, regardless of the encryption algorithm being TKIP or AES, is supported in XP in ad hoc mode.

In Vista, WPA2-PSK with AES is supported in ad hoc mode. WPA2-PSK with TKIP and WPA-PSK with either TKIP or AES are not supported.

In XP sp1 there was an option for "WPA-None", but from what I understand, that (a) wasn't much, if any, more secure than WEP, and (b) is no longer available in sp2.

If I am wrong, I'd appreciate a link to some official documentation that shows WPA-PSK supported in ad hoc mode. I don't have a wireless computer here, so I can't test it empirically.

--
Lem MS MVP -- Networking

To the moon and back with 64 Kbits of RAM and 512 Kbits of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer

Thank you so very much for your input. I'll give them a try. Just now realizing there is also a wireless networking forum so sorry to post here.

"Lem" wrote:
> Steve Winograd [MVP] wrote:
> > In article <883A360F-D0D9-4A1F-893C-70F80F1BC***@microsoft.com>, AmyM
> > <A***@discussions.microsoft.com> wrote:
> >> I am using XP Pro on 2 notebooks. I have just set them up on a peer-to-peer
> >> connection with each other. The data encryption is set to WEP, however from
> >> what I am reading this is a vulnerable method. These notebooks will be used
> >> in meeting environments where corporate espionage is a concern. Is there any
> >> way for me to enhance the security of these two units and still remain
> >> wireless? Perhaps make the network itself invisible? Thank you in advance.
> >
> > Windows XP Service Pack 2 supports the more secure WPA and WPA2 data
> > encryption standards. If the wireless network adapters in the
> > notebooks support WPA or WPA2, use it. If they don't, consider
> > replacing them.
>
> I could be wrong, but as far as I am aware,
>
> Neither WPA-PSK nor WPA2-PSK, regardless of the encryption algorithm
> being TKIP or AES, is supported in XP in ad hoc mode.
>
> In Vista, WPA2-PSK with AES is supported in ad hoc mode. WPA2-PSK with
> TKIP and WPA-PSK with either TKIP or AES are not supported.
>
> In XP sp1 there was an option for "WPA-None", but from what I
> understand, that (a) wasn't much, if any, more secure than WEP, and (b)
> is no longer available in sp2.
>
> If I am wrong, I'd appreciate a link to some official documentation that
> shows WPA-PSK supported in ad hoc mode. I don't have a wireless
> computer here, so I can't test it empirically.
> --
> Lem MS MVP -- Networking
>
> To the moon and back with 64 Kbits of RAM and 512 Kbits of ROM.
> http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
>

In article <ego1x3s$GHA.***@TK2MSFTNGP02.phx.gbl>, Lem
<lem***@hotmail.com> wrote:

>Steve Winograd [MVP] wrote:
>> In article <883A360F-D0D9-4A1F-893C-70F80F1BC***@microsoft.com>, AmyM
>> <A***@discussions.microsoft.com> wrote:
>>> I am using XP Pro on 2 notebooks. I have just set them up on a peer-to-peer
>>> connection with each other. The data encryption is set to WEP, however from
>>> what I am reading this is a vulnerable method. These notebooks will be used
>>> in meeting environments where corporate espionage is a concern. Is there any
>>> way for me to enhance the security of these two units and still remain
>>> wireless? Perhaps make the network itself invisible? Thank you in advance.
>>
>> Windows XP Service Pack 2 supports the more secure WPA and WPA2 data
>> encryption standards. If the wireless network adapters in the
>> notebooks support WPA or WPA2, use it. If they don't, consider
>> replacing them.
>
>I could be wrong, but as far as I am aware,
>
>Neither WPA-PSK nor WPA2-PSK, regardless of the encryption algorithm
>being TKIP or AES, is supported in XP in ad hoc mode.
>
>In Vista, WPA2-PSK with AES is supported in ad hoc mode. WPA2-PSK with
>TKIP and WPA-PSK with either TKIP or AES are not supported.
>
>In XP sp1 there was an option for "WPA-None", but from what I
>understand, that (a) wasn't much, if any, more secure than WEP, and (b)
>is no longer available in sp2.
>
>If I am wrong, I'd appreciate a link to some official documentation that
>shows WPA-PSK supported in ad hoc mode. I don't have a wireless
>computer here, so I can't test it empirically.

Hi, Lem, and thanks for your thought-provoking reply.

You're right that a Windows XP ad-hoc wireless connection can't use a pre-shared key (WPA-PSK or WPA2-PSK).

WPA-None is still supported in SP2 for an ad-hoc wireless connection. You can open the wireless connection properties and specify it as the value for Network Authentication.

However, on reflection, it might not be a good choice for Amy, because:

1. I don't know what wireless network adapters actually support WPA-None in the hardware and drivers. I'd recommend using identical make/model adapters in both computers. Even then, it could be iffy.

2. I've seen reports that installing WPA2 support removes WPA-None.

3. I don't know if it's more secure than WEP.

I haven't found any good documentation of this from Microsoft. It's mentioned in this article:

The Cable Guy - July 2003
Configuring Wireless Settings Using Windows Server 2003 Group Policy
http://www.microsoft.com/technet/community/columns/cableguy/cg0703.mspx

It's described in this Cisco web page:

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/incfg9/win6_ape.htm

--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group for everyone to see. I'm sorry, but I don't answer questions addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

Steve Winograd [MVP] wrote:
> In article <ego1x3s$GHA.***@TK2MSFTNGP02.phx.gbl>, Lem
> <lem***@hotmail.com> wrote:
>> Steve Winograd [MVP] wrote:
>>> In article <883A360F-D0D9-4A1F-893C-70F80F1BC***@microsoft.com>, AmyM
>>> <A***@discussions.microsoft.com> wrote:
>>>> I am using XP Pro on 2 notebooks. I have just set them up on a peer-to-peer
>>>> connection with each other. The data encryption is set to WEP, however from
>>>> what I am reading this is a vulnerable method. These notebooks will be used
>>>> in meeting environments where corporate espionage is a concern. Is there any
>>>> way for me to enhance the security of these two units and still remain
>>>> wireless? Perhaps make the network itself invisible? Thank you in advance.
>>> Windows XP Service Pack 2 supports the more secure WPA and WPA2 data
>>> encryption standards. If the wireless network adapters in the
>>> notebooks support WPA or WPA2, use it. If they don't, consider
>>> replacing them.
>> I could be wrong, but as far as I am aware,
>>
>> Neither WPA-PSK nor WPA2-PSK, regardless of the encryption algorithm
>> being TKIP or AES, is supported in XP in ad hoc mode.
>>
>> In Vista, WPA2-PSK with AES is supported in ad hoc mode. WPA2-PSK with
>> TKIP and WPA-PSK with either TKIP or AES are not supported.
>>
>> In XP sp1 there was an option for "WPA-None", but from what I
>> understand, that (a) wasn't much, if any, more secure than WEP, and (b)
>> is no longer available in sp2.
>>
>> If I am wrong, I'd appreciate a link to some official documentation that
>> shows WPA-PSK supported in ad hoc mode. I don't have a wireless
>> computer here, so I can't test it empirically.
>
> Hi, Lem, and thanks for your thought-provoking reply.
>
> You're right that a Windows XP ad-hoc wireless connection can't use a
> pre-shared key (WPA-PSK or WPA2-PSK).
>
> WPA-None is still supported in SP2 for an ad-hoc wireless connection.
> You can open the wireless connection properties and specify it as the
> value for Network Authentication.
>
> However, on reflection, it might not be a good choice for Amy,
> because:
>
> 1. I don't know what wireless network adapters actually support
> WPA-None in the hardware and drivers. I'd recommend using identical
> make/model adapters in both computers. Even then, it could be iffy.
>
> 2. I've seen reports that installing WPA2 support removes WPA-None.
>
> 3. I don't know if it's more secure than WEP.
>
> I haven't found any good documentation of this from Microsoft. It's
> mentioned in this article:
>
> The Cable Guy - July 2003
> Configuring Wireless Settings Using Windows Server 2003 Group Policy
> http://www.microsoft.com/technet/community/columns/cableguy/cg0703.mspx
>
> It's described in this Cisco web page:
>
> http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/incfg9/win6_ape.htm

Thanks for the feedback, Steve. I typed too fast: As you said, I had seen comments to the effect that WPA-None was disabled with the WPA2 update, not the service pack 2 update.

As near as I can tell, without more study than I have time for at the moment, securing ad hoc wireless networks is not a high priority task for the Wi-Fi Alliance, IEEE, or other interested parties. In fact, most of the discussion of ad hoc networks I have seen from corporate security types is directed toward stamping out ad hoc networks as a potential security hole.

One of the major reasons for the increased security of WPA compared to WEP is the use of TKIP, Temporal Key Integrity Protocol. This protocol changes the encryption key on a per-packet basis, thus making it considerably tougher for a cracker to gather enough data to crack the encryption. In WPA-Enterprise, the initial key is supplied by a special key server (e.g., RADIUS) and is different for each session, while in WPA-PSK, the initial key is fixed until manually changed. In WPA-PSK (TKIP) the basic encryption scheme used is the same as that used in WEP. Some implementations of WPA-PSK allow the use of AES (Advanced Encryption Standard), and thus become sort of a hybrid between WPA and WPA2.

According to the doc linked below, in WPA "a simple IBSS [ad hoc] approach is described [that] uses no authenticated key management protocol but uses a pre-shared key directly as the encryption/integrity key (Note: IBSS is much reduced in security since it has no key management.)"

And later in the same doc, "The following paragraph describes a simple approach to IBSS. IBSS is not supported in Wi-Fi Protected Access and this paragraph is provided for information only. The system is meant for a very simple IBSS usage. A pre-shared key is configured as a Group key and no authentication is carried out (even though IEEE 802.11 authentication frames are exchanged)."

A shorter version of the paper suggests that in WPA2, AES will be used even in ad hoc networks, although I did not see any indication that there will be any key management system (packet-wise change of keys) used in WPA2 ad hoc networks.

The bottom line is that an ad-hoc wireless network probably is not a good idea in "meeting environments where corporate espionage is a concern." If it is used, the "passphrase" should be strong (see, e.g., Diceware http://world.std.com/~reinhold/diceware.html) and it should be changed frequently. That is, if you're going to have an hour-long meeting, the odds are that the encryption won't be broken, but if you're having a two-day conference, I wouldn't count on it.

For small meetings, one could simply set up an inexpensive hub with cat5e jacks at each seat around the conference table. If there are too many attendees to use cabled connections, set up a dedicated infrastructure mode wireless network. It's not that expensive, certainly when compared to corporate trade secret information.

Wi-Fi Protected Access (Wi-Fi Alliance 4/29/03)
http://www.wi-fi.org/files/uploaded_files/wp_8_WPA%20Security_4-29-03.pdf

Portions of IEEE 802.11 Draft 3.0 for implementing WPA
http://www.qacafe.com/WPAfor802.11ver2_042903.pdf

--
Lem MS MVP -- Networking

To the moon and back with 64 Kbits of RAM and 512 Kbits of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
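
Added example, not part of the original thread: a Python sketch of why the advice above about a strong, frequently changed passphrase matters for a pre-shared key. In WPA-PSK and WPA2-PSK the 256-bit key is derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1, so the passphrase is the only secret. The SSID, sample passphrase, guess rate and the 1-hour and 48-hour comparison periods are assumptions chosen for illustration.

```python
import hashlib
import math

DICEWARE_WORDS = 6 ** 5  # 7776-entry list: five dice rolls pick one word

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK key (PBKDF2-HMAC-SHA1, 4096 rounds)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def diceware_bits(words: int) -> float:
    """Entropy in bits of `words` independently rolled Diceware words."""
    return words * math.log2(DICEWARE_WORDS)

def lowercase_bits(length: int) -> float:
    """Best-case entropy of `length` random lowercase letters."""
    return length * math.log2(26)

def expected_hours(bits: float, guesses_per_second: float) -> float:
    """Expected hours to find the passphrase: half the space is searched."""
    return (2 ** bits / 2) / guesses_per_second / 3600

def outlasts(bits: float, guesses_per_second: float, hours_in_use: float) -> bool:
    """True if guessing is expected to take longer than the key is in use."""
    return expected_hours(bits, guesses_per_second) > hours_in_use

if __name__ == "__main__":
    RATE = 1e6  # ASSUMED offline guess rate (guesses/second), not a measurement
    key = wpa_psk("constructed sample phrase", "MeetingRoom")  # constructed values
    print("derived key:", key.hex())
    for label, bits in [("8 random lowercase letters", lowercase_bits(8)),
                        ("5 Diceware words", diceware_bits(5))]:
        print(f"{label}: {bits:.1f} bits, "
              f"~{expected_hours(bits, RATE):.3g} h expected, "
              f"outlasts 1 h meeting: {outlasts(bits, RATE, 1)}, "
              f"outlasts 48 h conference: {outlasts(bits, RATE, 48)}")
```

At the assumed rate, eight random lowercase letters outlast a one-hour meeting but not a two-day conference, while five Diceware words outlast both.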