Hi guys.
I have about 30 MikroTik point-to-multipoint local links, and I use WPA2 AES-CCM encryption on all of them. These links are local connections among our branches and have no connection to the internet or other companies. My manager says to me that because WPA2 AES works with a pre-shared key, anyone can guess it and sniff our company's data, so we should use one of the types of VPN with the IPsec protocol on our PtP links. Is it necessary for all links to use VPN and IPsec to be secure?

I’ll start by saying that if your manager said that “anyone can guess it”, this likely means your manager is used to picking weak passwords such as “yourcompanyname01!” or “Winter2023!”. If the PSK(s) are really random, for example you generated them with a password generator and they are at the maximum length of 63 characters, the chance that someone can guess them is pretty slim.
A potential alternative solution is to use WPA2-Enterprise and certificate-based authentication. However, this requires a RADIUS server, which needs to be redundant. Bonus: you can revoke a single device without having to change the PSK on all the devices on the same wifi, and you can manage all identities from a single location.
If you go the way of the VPN, keep in mind that either you have a hub or a pair of hubs that will receive, decrypt and re-encrypt all the traffic between two remote sites, which means a beefier processor and increased BW usage, OR you will have to deploy and maintain a number of VPNs that will increase as n².
Anyone can guess it and sniff our company's data, so we should use one of the types of VPN with the IPsec protocol on our PtP links
Ok, adding another encryption layer on top is a possibility, but what method does he suggest to pick the key?
Another passphrase? And why can that not be guessed, when a WPA2 passphrase can?
Indeed, chmotry is right: pick a password that cannot be guessed. Or, when you want to please the boss, configure IPsec.
Another trick (when the links are really point-to-point) is to reverse the configuration of the access points. Make the side where all the valuable data lives the “station” and the remote branch that has only users the “AP”.
WPA2 PSK is very secure if you use a maximum-length key with high entropy. Brute-forcing such a key is impossible in any reasonable time, even using dedicated hardware. As for the actual data encryption, you can always use shorter re-key intervals so the AES-CTR keys are rotated more often (i.e. before there is even any chance to accumulate enough traffic for any type of attack on AES). If that’s still not enough, as suggested, use WPA2 Enterprise with a RADIUS server and eliminate the PSK if that’s the problem.
Running a VPN as another layer is always possible, but if this is your only link and you have secure control over both ends, it seems like overkill that will just reduce actual throughput and increase latency.
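As an added example (not code from anyone in this thread), here is a small Python script that generates a maximum-length 63-character WPA2 passphrase with a CSPRNG, derives the PMK the same way the access point does (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, per IEEE 802.11i), and estimates how long exhausting that key space would take at an assumed guess rate. The SSID and the guess rate in the demo are placeholders; the "password"/"IEEE" vector is the published IEEE 802.11i test vector.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII without the space character (94 symbols): safe to paste into configs.
PSK_ALPHABET = string.ascii_letters + string.digits + string.punctuation
PMK_BITS = 256  # the passphrase is expanded into a 256-bit PMK, whatever its length


def generate_psk(length: int = 63) -> str:
    """Return a uniformly random WPA2 passphrase of the given length (default: the 63-char maximum)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_is_valid(psk: str) -> bool:
    """IEEE 802.11i: 8-63 characters, each printable ASCII (codes 32-126)."""
    return 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)


def psk_entropy_bits(psk: str, alphabet_size: int = len(PSK_ALPHABET)) -> float:
    """Entropy of a passphrase drawn uniformly from alphabet_size symbols, capped at the PMK size."""
    return min(len(psk) * math.log2(alphabet_size), PMK_BITS)


def derive_pmk(psk: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), as in IEEE 802.11i."""
    if not psk_is_valid(psk):
        raise ValueError("invalid WPA2 passphrase")
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every key of the given entropy at an assumed guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ssid = "BRANCH-LINK-01"           # placeholder SSID
    psk = generate_psk()
    bits = psk_entropy_bits(psk)
    print(f"passphrase ({len(psk)} chars): {psk}")
    print(f"PMK: {derive_pmk(psk, ssid).hex()}")
    print(f"entropy: {bits:.0f} bits (capped by the 256-bit PMK)")
    # Assumed rate of 10^12 PBKDF2 guesses per second: far above any real hardware.
    print(f"years to exhaust key space: {years_to_exhaust(bits, 1e12):.3e}")
    # Compare with a short dictionary-style passphrase of roughly 40 bits.
    print(f"years for a ~40-bit passphrase: {years_to_exhaust(40, 1e12):.3e}")
```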