Re: Is Dynamic WEP Secure Enough?

From: Steve (securityfocus_at_delahunty.com)
Date: 03/22/05

  • Next message: Bob Beck: "RE: Any remote client - without fixed IP"
    To: "Jon Smith" <like2hax@hotmail.com>, <security-basics@securityfocus.com>
    Date: Mon, 21 Mar 2005 20:30:03 -0500
    
    

    I second what John Pettitt noted:
    "Suggestion: forget WEP - get a good ipsec based vpn system, put the
    access points on a DMZ lan and require use of the VPN client to get
    access to anything other than a "help page" web server."

    I would still use WEP though, would keep some folks off this wireless
    network you create. So segment your wireless network outside of your
    corporate network. The wireless network provides your users just with
    access to your Citrix farm (if one exists) or VPN server. The wireless
    clients have to run your VPN client to fully get into the network.

    Somebody that takes the time to gather enough packets from your network to
    crack your WEP (before it changes) will only get access to the same boxes
    you make publicly available anyway, your VPN and/or thin client systems
    (Citrix).

    STEVE
    ----- Original Message -----
    From: "Jon Smith" <like2hax@hotmail.com>
    To: <security-basics@securityfocus.com>
    Sent: Saturday, March 19, 2005 3:27 PM
    Subject: Is Dynamic WEP Secure Enough?

    Hi
    I am responsible for a large wireless infrastructure upgrade. Right now my
    plan is use PEAP w MSCHAP v2 with dynamic WEP crypto for my corporate SSID
    (I have others with much lower security requirements). I cannot easily go
    to WPA without ditching all my current devices that do not support it (good
    luck getting that past the CFO). We have a lot of physical security and
    surveillance with very tight controls, my primary area of concern would be
    people like myself sitting in the parking lot. Due to one of our
    applications, we will be sending a clear strong signal to the parking lot.
    Is this enough security and encryption to significantly slow intrusion
    attempts? Between direction finding capabilities of the Access Points and
    our roaming guards it would be a matter of time before we detected them.

    Thanks

    Rocko

    _________________________________________________________________
    Is your PC infected? Get a FREE online computer virus scan from McAfeeŽ
    Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963


  • Next message: Bob Beck: "RE: Any remote client - without fixed IP"