RE: WEP alternative

From: Richard Conlan (conlar@cs.rpi.edu)
Date: 08/13/02 

Date: Tue, 13 Aug 2002 13:01:20 -0400 (EDT)
From: Richard Conlan <conlar@cs.rpi.edu>
To: Tim V - DZ <iceburn@dangerzone.com>

On Mon, 12 Aug 2002, Tim V - DZ wrote:

> Just from the name (netgear) I'm guessing that the management side of
> the Access Point is a little lacking. Generally speaking if the AP cost
> less than $500ish you're going to be out of luck for most things...that
> said:
>
> 1)One of the best things you can do is turn of ESSID polling...generally
> called "secure mode" or something similar. The way 802.llb works is the
> client says "hey anyone out there on ESSID <whatever>?" then the AP
> replies "nobody on that ESSID, but my ESSID is <something else> and I'll
> talk to you" I know that many people don't even change their ESSID so
> linksys APs are "linksys", cisco is "tsunami", D-Link is "default", and
> I believe netgear is "wireless"? Anyway, change the ESSID from default
> and turn of polling.

I do not know that is qualifies as "one of the best" things you can do. It
is only useful if the network is sitting idle (i.e. with no users logged
on). If even a single user is connected then the ESSID is still being
transmitted in plaintext with every packet and programs such as
NetStumbler will just grab it from there.

>
> 2)Everyone bashes WEP, but personally I think it still does what it is
> supposed to...It's not Wireless Encryption Protocol like some believe,
> it's actually Wired Equivalency Protection. Yeah WEP can be broken
> using simple tools, but it still requires a lot of packets before the
> key can be accurately guessed. So turn on WEP, use the 128-bit instead
> of 40 if possible.

Yes, technically it requires a lot of packets, but for any network running
with multiple users a sufficient number of packets can be acquired in less
than a day. Even that is optimistic, depending on your hardware. Some
wireless cards just start the packet-specific key at 0 and count up from
there; if multiple users employ the same hardware then you are getting
collisions from the getgo and the packets necessary to break WEP will be
available in a few hours.

>
> 3)Many of the slightly better quality APs support MAC address security
> where an admin (you) must enter a MAC in the AP's management software
> via the wired side. Then when a client wants to communicate with the
> AP, the AP checks to see if that MAC is on the "approved list" first, if
> not the communication is simply dropped.

This sounds a lot better than it is, as it is not very hard to spoof a MAC
address. (Hell, many cheap routers have MAC spoofing built in.)

>
> 4)Some more advanced technologies available that are generally geared
> toward the enterprise are things like automated rapid re-keying, which
> basically assumes that if the WEP key is changed fast enough, then
> nobody can break a key before everything has been changed to another
> one.
> 5)Or TLS based authentication.
>
> When 802.11X is widely available, MS is starting to push it...and it's
> in XP professional now, most of these authentication problems will be
> solved.
>
> So I would definitely do 1-3. Download a copy of netstumbler, apsniff,
> airsnort and/or kismet and run it. Do step 2 then run the program again,
> do step 1 or 3 and run it again, the impact on common war driving /
> walking is great.
>
> -t
>

The later suggestions are pretty good.
However, the best way to secure a WEP network is to run some kind of VPN
so that just breaking WEP is not sufficient to get network access. If a
VPN is too costly, you could explore tunneling your communications over
SSH or some other secure protocol.

>
> -----Original Message-----
> From: Brown, Robert [mailto:epyon@ecogchair.org]
> Sent: Friday, August 09, 2002 9:27 AM
> To: 'SECURITY-BASICS@securityfocus.com'
> Subject: WEP alternative
>
>
> I've set up a netgear wireless router in the office to allow greater
> mobility for the administrators. Is there any way, other than WEP
> encryption to secure this from unauthorized users ?
>
> Robert.
>
>

Relevant Pages

  • RE: WLAN
    ... someone using that same sniffer can crack the WEP after about 400,000 ... WEP every 200,000 packets or so. ... registered MAC addresses or WLAN cards to join the network. ...
    (Security-Basics)
  • Re: Whats the current status on WEP cracking?
    ... Some claim that WEP is/can be secured so that it is practically ... MAC filtering also doesn't work. ... addresses can be found from traffic on the network. ... but the tools require a certain number of packets. ...
    (sci.crypt)
  • RE: WLAN
    ... >Besides the fact it's trivia to sniff and then spoof a MAC address ... >packets -- if you are running everyone through an IPSEC ... >WEP every 200,000 packets or so. ... >registered MAC addresses or WLAN cards to join the network. ...
    (Security-Basics)
  • Re: radius+ wireless
    ... if you or someone else has duplicated a MAC address on the same ... current set up with weak WEP and but decent authentication, ... You didn't mention what kind of wireless, what your coverage area is, ... gear, RADIUS might be sufficient. ...
    (Security-Basics)
  • RE: About War Driving ..
    ... Use WPA/TKIP instead of WEP. ... 2a) Enable static DHCP for the MAC Addresses of the authorized PC's ... Disable the torrent ports at the firewall .. ...
    (Security-Basics)