WEP, WPA, whatever....

Interrogative

Hi all,

Just curious as to the opinions on what is the better thing to do in
securing a network. WEP can be cracked in 10 minutes apparently. WPA seems
to be the way to go but then as luck would have it, not every single wi-fi
NIC has WPA.

What do YOU do/use to ensure the integrity of your network? So far I rely on
WEP, a firewall and the fact that where I am has quite a bit of wi-fi but is
not considered an active wi-fi area by anyone. Time will eventually change
that and I must be prepared. I use a D-Link DWL-120+ which is a USB external
NIC/Aerial and is good for longer and more reliable connection.
 
Interrogative

In short, according to the article, though something new and you-beaut is
coming out, it doesn't look promising for too far into the future.

So again I ask the question I asked before:

What do YOU do/use to ensure the integrity of your network?

Zone Labs have a wireless firewall (supposedly though what the difference is
on a LAN I am not sure). Software firewalls just aren't enough. Those plus
WEP aren't enough and it looks like nothing much is enough. There must be
SOMEONE who has an original idea on this. I just haven't been able to find
one as yet.
 
Interrogative

Barb,

Thanks for that info but - and I mean no disrespect - it isn't new and it
isn't enough. WEP is too easily cracked, WPA isn't a real lot better and the
new stuff coming only promises to confound hackers for a short lifetime. I
was hoping there may be something new about but it doesn't look like it.

I was thinking the ideal would be a cyclical pass phrase change, the phrase
made up by the computer and it cycles every few minutes. Of course that
means every single connected wi-fi device would have to correspond but that
could easily be handled by a simple pass phrase that connects only to a
program that is user answered. If the connecting device is allowed, then OK
it and its device gets told the current passphrase and the sequence of
change and off it goes. If it isn't allowed, the MAC is instantly held in a
blacklist (which may be useless as MAC is easily spoofed, too).

I can see all sorts of problems in that approach but to me it equates to
changing the door locks every few minutes but your key changing with it if
allowed. See, most people aren't aware but major models of cars have the
same key every 14th car. So, the chances are good in a Ford, for example,
that your key fits the car next to you if the same make and model. If the
door locks changed every few minutes and the owner's key was pre-programmed
to change at the same interval, the owner would be able to get in but not
the person with the same make and model of car no matter what. That is what
I am attempting to find.

I understand the principle. I once wrote a program that had a cyclical
decryption key based upon my own embedded passphrase of about 40 odd
characters I chose. If you decrypted the message this time, it didn't mean
you ever would again because the key changed every single time the program
started. You needed the same program to decrypt at the other end. This is
why I think cyclical would be the way to go though I see many problems of
course.
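The rotating pass phrase idea in the post above, sketched as an added example that is not part of the original thread and is not the poster's program: each side derives the current pass phrase from a shared master secret and the clock, using HMAC-SHA256 over a time counter (the construction time-based one-time passwords use). The 300-second interval, the function names and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

INTERVAL = 300  # seconds per pass phrase period (assumed: "every few minutes")


def period_for(now: float, interval: int = INTERVAL) -> int:
    """Index of the rotation period that contains the timestamp `now`."""
    return int(now // interval)


def passphrase_for(master: bytes, period: int, length: int = 32) -> str:
    """Derive one period's pass phrase from the long-term master secret.

    HMAC-SHA256 keyed with the master secret over the period counter:
    learning one period's pass phrase reveals neither the master secret
    nor the pass phrase of any other period.
    """
    msg = b"wifi-rotate" + struct.pack(">Q", period)
    return hmac.new(master, msg, hashlib.sha256).hexdigest()[:length]


def accept(master: bytes, offered: str, now: float, skew: int = 1) -> bool:
    """Access-point side: accept the current period's pass phrase and,
    to tolerate clock drift, `skew` periods either side of it."""
    current = period_for(now)
    ok = False
    for p in range(current - skew, current + skew + 1):
        # Constant-time comparison, no early exit on a match.
        ok |= hmac.compare_digest(passphrase_for(master, p), offered)
    return ok


if __name__ == "__main__":
    master = b"constructed 40-odd character master secret!!"  # sample value
    t = 1_700_000_000.0  # constructed timestamp
    client = passphrase_for(master, period_for(t))
    print("client pass phrase:", client)
    print("accepted now:", accept(master, client, t))
    print("accepted 20 minutes later:", accept(master, client, t + 1200))
```

Rotation limits how long a captured pass phrase stays useful, but everything still rests on the master secret: anyone who obtains it can derive every past and future pass phrase.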
 
Doug Sherman [MVP]

Devising complex wireless encryption standards will not secure your
network - it is at best, only a small part of the solution. If network
security is really your top priority, you probably wouldn't use Wi-Fi at
all. If you absolutely had to allow wireless access, you would be well
advised to concentrate on security techniques well beyond wireless
authentication. For example, most wireless routers support MAC address
filtering; you could implement IPSec for network communication, etc.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
 
Interrogative

Doug Sherman said:
Devising complex wireless encryption standards will not secure your
network - it is at best, only a small part of the solution. If network
security is really your top priority, you probably wouldn't use Wi-Fi at
all. If you absolutely had to allow wireless access, you would be well
advised to concentrate on security techniques well beyond wireless
authentication. For example, most wireless routers support MAC address
filtering; you could implement IPSec for network communication, etc.

Doug,

Don't take me the wrong way. I really appreciate the answers here from you,
Barb and others, OK?

However, MAC address spoofing is currently easy to do apparently - though is
not something I have ever tried so please don't ask me to do it or explain
it. I have set up wi-fi networks through a well known brand name ADSL wi-fi
router and interestingly, no matter how it was set up, when using auto IP
assigning, it would only intermittently work. So, I changed it to assign IP
addresses per recognised MAC address and those client machines to connect
using ONLY those same IP addresses, never any other and immediately the
whole thing started working like a dream. I shoved in WEP at the time as the
area this is in is actually remote and while there IS some other non-related
wi-fi in the area, it is only from a residence on the way to this place so
it isn't something to really worry about. However, a contractor for the
Royal Australian Air Force who works ON an air force base has recently
called me in for the first time due to their wired ADSL not working (which
turned out to be a cable problem on the carrier's side across the base so
something I wasn't physically allowed to do though I could have fixed it)
and they told me that this had happened before. They are doing about 600
metres of simple phone wire from the telephone point to the ADSL modem
(wired, of course) and for some reason I didn't know, it actually WAS
working though no repeater was in use. Amazed me! However, they had said
they had constant problems with it so I suggested we survey wireless because
right now they are looking at digging up the line over half a kilometre of
tarmac and no-one at the base is in any way pleased. With a repeater we
could make it across the base with no trouble and depending on interference
as it would have been line of sight anyway with one wall in between, it may
have worked without the repeater, especially with a "coke can aerial" each
end. Unfortunately, the approval dance you have to do to get the thing in
place was so massive that no-one wanted in on it. You can understand why.
Since the Twin Towers in 2001, no-one who isn't Air Force personnel is
allowed to park near any of the huts or buildings on the base at all, even
those who are contractors there for years.

They asked me about protection of the wi-fi signal and I went through all
the usual stuff but they then asked how easy it was to crack and I had to
admit nothing is impossible in wi-fi to date. Some take mere minutes while
others would be a heck of a lot more difficult though I showed them how
pinpointing an intruder on a war drive could be done if the intruder stayed
put long enough. Now they are less than impressed with wi-fi and I don't
blame them. I just want to find a better security. The lack of it is doing
me out of some serious money for a start and when you think about it is a
real problem in many ways for anybody using it.

Recently I have been asking a lot of infosec people how they approach people
to tell them that their network is open to abuse as there is money to be had
in fixing that, too. No-one has a reply that would allow people to do that
without looking like the burglar in the first place. So I am wondering,
then, what to do about it all. I can't fix anything without looking
suspicious yet the "out of the box" wi-fi is so easy to break in to that
people using it without even 64 bit WEP are really leaving the keys in the
front door. Why are we being held back doing a job that needs to be done
while at the same time, wi-fi suppliers aren't doing the right thing and
having their gear set up with at LEAST WEP 64 bit ON? After all, XPSP2 comes
out with firewall ON out of the box. Isn't it time for people to wonder
where their wi-fi data has been today?

Thanks, anyway.
 
