From: Maciej Żenczykowski maze@cela.pl
Hey, Don't bother with it, WEP can be broken (cracked) in 5 minutes (with easily available and freely downloadable soft) and in my experience all WEP really achieves is to slow down the link (my 2xIWE1100 bridge runs at 550kB/s without WEP and 100kB/s with WEP).
The idea, as always, is to make yourself a smaller target than the next guy.
As always, standard:
- No SSID broadcast
- No Open System access
- MAC filtering
- WEP
- Always VPN
Use WPA/802.1x if you've got it.
-- Bryan J. Smith mailto:b.j.smith@ieee.org
On Tue, Jun 07, 2005 at 04:17:26PM -0500, Bryan J. Smith b.j.smith@ieee.org wrote:
From: Maciej Żenczykowski maze@cela.pl
Hey, Don't bother with it, WEP can be broken (cracked) in 5 minutes (with easily available and freely downloadable soft) and in my experience all WEP really achieves is to slow down the link (my 2xIWE1100 bridge runs at 550kB/s without WEP and 100kB/s with WEP).
The idea, as always, is to make yourself a smaller target than the next guy.
As always, standard:
- No SSID broadcast
- No Open System access
- MAC filtering
- WEP
- Always VPN
Use WPA/802.1x if you've got it.
Just out of curiosity, if you are using a VPN, why do you need WEP?
[]s
-- Rodrigo Barbosa rodrigob@suespammers.org "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Tue, 2005-06-07 at 18:20 -0300, Rodrigo Barbosa wrote:
Just out of curiosity, if you are using a VPN, why do you need WEP?
You should always prevent someone from even having layer 2 access. That way, they can't easily start breaking your layer 3 encryption.
It's the classic issue of people using the same layer 2 for both public and private IP. I don't need to be able to route to your network, I can scan your 802.3 frames directly!
On Tue, 07.06.2005 at 23:17, Bryan J. Smith wrote:
The idea, as always, is to make yourself a smaller target than the next guy.
As always, standard:
- No SSID broadcast
- No Open System access
- MAC filtering
- WEP
- Always VPN
Use WPA/802.1x if you've got it.
Bryan J. Smith mailto:b.j.smith@ieee.org
Proven not to secure a wireless LAN: MAC Filtering, SSID hiding, LEAP Authentication (EAP-TLS, EAP-TTLS or PEAP would be secure alternatives), switching off DHCP, positioning of the antenna, change to 1a (5 GHz) or to Bluetooth
Paper with good instructions: http://www.lanarchitect.net/Articles/Wireless/SecurityRating/
Alexander
On Tue, 2005-06-07 at 23:41 +0200, Alexander Dalloz wrote:
Proven not to secure a wireless LAN: MAC Filtering, SSID hiding,
Yep. Turning off that SSID broadcast, and denying Open System access. I don't know how many times I've gone into a company and they've had "Open System" even though they're using WEP because "oh, we had trouble getting WEP to work when it was Shared Key only."
Duh!
LEAP Authentication (EAP-TLS, EAP-TTLS or PEAP would be secure alternates),
Actually, LEAP/PEAP EAP-TLS is proprietary Cisco/MS whereas EAP-TTLS is open standard IETF.
switching off DHCP,
Or at least MAC-based DHCP assignment (ala old BOOTP style), which you'll want to do with MAC filtering anyway.
positioning of the antenna,
A little lead against the wall you don't want the signal to travel goes a _long_way_.
change to 1a (5 GHz)
Definitely, much stronger, although not as far. Although the new crop of 802.11a/b/g cards can do a now as well.
or to Bluetooth
Er, um, not sure about that one. ;-ppp
Bryan J. Smith b.j.smith@ieee.org wrote:
The idea, as always, is to make yourself a smaller target than the next guy.
As always, standard:
- No SSID broadcast
- No Open System access
- MAC filtering
- WEP
- Always VPN
Use WPA/802.1x if you've got it.
While I agree with the above, it also all depends where you live. The more of the above you apply, the less convenience you have. If I were to live downtown across the street from Starbucks, then yes, it would make sense to apply all of the above. But I live in a very quiet neighbourhood. Any stranger parked in my street with a laptop would attract way more attention than he might be comfortable with. I wouldn't be too surprised if a couple of senior neighbours would write down his car's licence plate ;-)
I remember when I was buying the house I live in now, the day before I went to see it with my real estate agent, I was parked for a couple of seconds in front of the house (just to give it a quick look from the street). The next day, the previous owner told me (when she saw my car) that neighbours told her somebody with a car exactly like mine was watching the house the previous day (and I was parked in front of the house for a couple of seconds only). Sure, it might take you 5-10 minutes to crack my WEP keys, but it will take way less time for my neighbours to notice you.
As Bruce wrote in some of his books, the prevention needs to be only strong enough to hold until detection and response kick in.