Wireless network (WEP security)

Tim Writer tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org
Tue Sep 30 22:17:53 UTC 2003


Emir <emir-rdkfGonbjUTTQjIoRn/dzw at public.gmane.org> writes:

> On 30/09/2003 13:44, Gardner Bell wrote:
> 
> | I've been considering moving to a wireless network system, but after the many
> | articles I have read, is it really worth it?  One such article I read was on
> | the WEP algorithm and numerous flaws found by the analysts, such as
> | dictionary-building attacks, active attacks to inject new traffic from
> | unauthorized mobile stations, etc.  How easily could a hacker pull off this
> | kind of attack on an 802.11 network?
> | The initialization vector in WEP, I have read, is only 24 bits and is sent in
> | the clear-text part of a message; with only a small number of initialization
> | vectors, how often would the same key-stream be used on a rather small home
> | network?  A busy access point, which constantly sends 1500-byte packets at
> | 11Mbps, will exhaust the space of IVs after 1500*8/(11*10^6)*2^24 = ~18000
> | seconds, or 5 hours.  Would the time increase or decrease using wireless with
> | Rogers, or does it all depend on how much traffic my machines are sending?
> | What measures have others here taken to secure their wireless networks, if any
> | of you have them, and what specific hardware would you recommend?  Any other
> | info that you could provide would be greatly beneficial.
> 
> As people already pointed out, there's a slew of "solutions"; I prefer to call
> them "workarounds".  As someone who's had a wireless network for a very long
> time now (I was one of the co-founders of the now-defunct Toronto Wireless
> Community Network), I can offer you the following advice: treat your wireless
> network as the most hostile section of the Internet.
> 
> Don't rely on WEP by any means, in fact I'd suggest you turn it off because it
> does nothing 'cept reducing throughput and causing silly disconnects.  Your
> real protection comes higher up on the TCP stack, as VPN, SSL, or SSH tunnel.

I couldn't agree more.  A few people have mentioned FreeS/WAN, which is a
great solution but can be daunting to set up.  A very nice alternative is:

    http://openvpn.sourceforge.net/

which runs on Linux and Windows.  On my home network, I have a LEAF firewall
with a wireless card.  All traffic from the WLAN is denied except OpenVPN to
my desktop.  When I bring the WLAN interface of my notebook up, I also bring
up OpenVPN.  And the OpenVPN startup script makes OpenVPN the default route.
With this approach, anyone can join my WLAN without too much difficulty but
they can't go anywhere unless they have an OpenVPN connection.

> The moment you introduce wireless access on your network, all your computers
> are exposed, which means don't rely on your Internet firewall, every machine
> needs to firewall itself (you can still keep your Internet firewall as an
> outer perimeter, but don't fall into false sense of security).

Another good point.  Many (most?) of the SOHO wireless access points on the
market claim to be firewalls too.  In practice, they firewall only the
Internet connection, giving wireless devices full access to your LAN.  Don't
be misled by features such as a MAC filter which deny Internet access to
devices with an unknown MAC address but still give them full access to the
LAN.

-- 
tim writer <tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org>                                  starnix inc.
tollfree: 1-87-pro-linux                        thornhill, ontario, canada
http://www.starnix.com              professional linux services & products
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
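
As an added example, not part of the message above and not Tim's own LEAF
or OpenVPN scripts, here is what the two pieces of his setup look like as
shell functions: the firewall rules that drop everything arriving on the
wireless card except OpenVPN to the desktop, and the notebook's OpenVPN
"up" script that makes the tunnel the default route.  It also illustrates
the point made about MAC filters: the rules key on the interface a packet
arrived on, not on a MAC address.  Interface names (wlan0, eth0, eth1), the
desktop address 192.168.1.10, the WLAN gateway, and the OpenVPN port are
assumptions; set IPT=echo and IP=echo to print the commands instead of
applying them.

```shell
#!/bin/sh
# Added example (not the original poster's scripts).  Interface names,
# addresses and the OpenVPN port below are assumptions for illustration.

WLAN_IF=${WLAN_IF:-wlan0}          # wireless card in the firewall (assumed)
LAN_IF=${LAN_IF:-eth0}             # wired LAN holding the desktop (assumed)
WAN_IF=${WAN_IF:-eth1}             # Internet link (assumed)
DESKTOP=${DESKTOP:-192.168.1.10}   # desktop running the OpenVPN server (assumed)
VPN_PORT=${VPN_PORT:-5000}         # OpenVPN 1.x listened on UDP 5000 by default
IPT=${IPT:-iptables}               # set IPT=echo to print rules instead of loading them
IP=${IP:-ip}                       # set IP=echo to print route commands instead

# Firewall side.  The WLAN is treated as hostile: the only packets forwarded
# from it are UDP to the desktop's OpenVPN port.  No MAC filtering here; the
# match is on the interface the packet came in on.
wlan_policy() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # replies to flows opened from the trusted side (desktop -> VPN client)
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the single hole: WLAN -> desktop OpenVPN
    $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -d "$DESKTOP" \
         -p udp --dport "$VPN_PORT" -j ACCEPT
    # anything else from the wireless side, to the LAN or the Internet, dies here
    $IPT -A FORWARD -i "$WLAN_IF" -j DROP
    # the wired LAN (including decrypted VPN traffic leaving the desktop) may go out
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT

    # the firewall box itself: wireless clients may obtain an address, nothing more.
    # Inserted at the head of INPUT so they win over whatever LEAF already allows.
    $IPT -I INPUT 1 -i "$WLAN_IF" -j DROP
    $IPT -I INPUT 1 -i "$WLAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
}

# Notebook side: OpenVPN --up script.  OpenVPN invokes it as
#   up <tun dev> <tun MTU> <link MTU> <local tunnel IP> <remote tunnel IP> <init|restart>
# and this example also expects VPN_SERVER (the desktop as seen from the WLAN)
# and WLAN_GW (the access point's router) in the environment, set by whoever
# starts OpenVPN.
vpn_up() {
    tun_dev=$1
    peer=$5
    # pin the encrypted UDP flow to the WLAN gateway first; otherwise the new
    # default route would send the tunnel's own packets into the tunnel
    $IP route replace "$VPN_SERVER" via "$WLAN_GW"
    # now everything else goes through the tunnel
    $IP route replace default via "$peer" dev "$tun_dev"
}

# Usage:  ./wlan.sh firewall      (on the LEAF box)
#         --up "./wlan.sh up"     (in the notebook's OpenVPN config)
case "${1:-}" in
    firewall) wlan_policy ;;
    up)       shift; vpn_up "$@" ;;
esac
```

The ordering in both functions is the part that bites in practice: the
ACCEPT for the OpenVPN port must precede the catch-all DROP on the wireless
interface, and the host route to the VPN server must exist before the default
route is moved onto the tunnel, or the tunnel stalls the moment it comes up.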