Doug Sherman said:
Devising complex wireless encryption standards will not secure your
network - it is, at best, only a small part of the solution. If network
security is really your top priority, you probably wouldn't use Wi-Fi at
all. If you absolutely had to allow wireless access, you would be well
advised to concentrate on security techniques well beyond wireless
authentication. For example, most wireless routers support MAC address
filtering; you could implement IPSec for network communication, etc.

Doug,
Don't take me the wrong way. I really appreciate the answers here from you,
Barb and others, OK?
However, MAC address spoofing is currently easy to do apparently - though it is
not something I have ever tried so please don't ask me to do it or explain
it. I have set up wi-fi networks through a well known brand name ADSL wi-fi
router and interestingly, no matter how it was set up, when using auto IP
assigning, it would only intermittently work. So, I changed it to assign IP
addresses per recognised MAC address and those client machines to connect
using ONLY those same IP addresses, never any other and immediately the
whole thing started working like a dream. I shoved in WEP at the time as the
area this is in is actually remote and while there IS some other non-related
wi-fi in the area, it is only from a residence on the way to this place so
it isn't something to really worry about. However, a contractor for the
Royal Australian Air Force who works ON an air force base has recently
called me in for the first time due to their wired ADSL not working (which
turned out to be a cable problem on the carrier's side across the base so
something I wasn't physically allowed to do though I could have fixed it)
and they told me that this had happened before. They are doing about 600
metres of simple phone wire from the telephone point to the ADSL modem
(wired, of course) and for some reason I didn't know, it actually WAS
working though no repeater was in use. Amazed me! However, they had said
they had constant problems with it so I suggested we survey wireless because
right now they are looking at digging up the line over half a kilometre of
tarmac and no-one at the base is in any way pleased. With a repeater we
could make it across the base with no trouble and depending on interference
as it would have been line of sight anyway with one wall in between, it may
have worked without the repeater, especially with a "coke can aerial" each
end. Unfortunately, the approval dance you have to do to get the thing in
place was so massive that no-one wanted in on it. You can understand why.
Since the Twin Towers in 2001, no-one who isn't Air Force personnel is
allowed to park near any of the huts or buildings on the base at all, even
those who are contractors there for years.

They asked me about protection of the wi-fi signal and I went through all
the usual stuff but they then asked how easy it was to crack and I had to
admit nothing is impossible in wi-fi to date. Some take mere minutes while
others would be a heck of a lot more difficult though I showed them how
pinpointing an intruder on a war drive could be done if the intruder stayed
put long enough. Now they are less than impressed with wi-fi and I don't
blame them. I just want to find a better security. The lack of it is doing
me out of some serious money for a start and when you think about it, it is a
real problem in many ways for anybody using it.

Recently I have been asking a lot of infosec people how they approach people
to tell them that their network is open to abuse as there is money to be had
in fixing that, too. No-one has a reply that would allow people to do that
without looking like the burglar in the first place. So I am wondering,
then, what to do about it all. I can't fix anything without looking
suspicious yet the "out of the box" wi-fi is so easy to break in to that
people using it without even 64 bit WEP are really leaving the keys in the
front door. Why are we being held back doing a job that needs to be done
while at the same time, wi-fi suppliers aren't doing the right thing and
having their gear set up with at LEAST WEP 64 bit ON? After all, XPSP2 comes
out with firewall ON out of the box. Isn't it time for people to wonder
where their wi-fi data has been today?
Thanks, anyway.