Don't write off WEP, and don't rush to get WPA

If you are in the market for a new router, get one with WPA by all
means. After all, you want to buy the latest and greatest.

If your router AND cards have WPA update available, get them by all
means. After all, you want to keep your system updated.

But if your gear doesn't support WPA, or you are having trouble
enabling WPA, don't loose sleep either. Here's why:

Yes, WEP can be compromised. But you have to realy think about what
you are at risk of loosing:
1. Theft of Sensitive Information:
It is secure to begin with. *MOST* site use SSL when requesting
personal information, or more importantly, credit cards or when you do
online banking etc. It doesn't leave your browser till it's secure.
The small couple hundered feet of radius that your router covers is
NOTHING compared to the vast scary jungle out there called internet.
There might be one or two hackers in your neighbourhood, and there are
thousands out there on the internet. The point is, such information is
secure even if you don't have even WEP enabled. Just make sure that
when you do any such sensitive information exchange, your address bar
is showing HTTPS as opposed to HTTP. Or quickly check for a lock icon
in the bottom status bar of your browser. If you are sending your
sensitive information over the information without being cautious
about HTTPS (i.e. SSL), then even 1024bit tripple layer WPA (probably
still be invented) won't be able to protect you. And if you always
make sure that you are doing business over SSL (i.e. HTTPS), then WPA
is a moot point because once the data leaves your router and touches
the internet, it is WPA free. That is, it will be as if WPA was never
applied to it. SSL is all you need. And if you have some reason to
doubt the security of SSL, YOU SHOULD STOP USING INTERNET RIGHT NOW
for anything sensitive.

2. Someone accessing your Router (Free Loaders):
128bit WEP and MAC address filtering is good enough. Don't believe
that someone can just setup a sniffing gear and have your WEP cracked
in 10 minutes or less. It requires quite an elaborate setup, and weeks
worth of data collection (from a typical home usage) to be able to
have a go at it. I don't think anyone is going to go to all that
lenght and expense just to freely use your internet. (unless,
ofcourse, someone just like that happens to live just next door to you
well within the usable reach of your wireless router). By the time
signal leaves your hours and crosses walls to get to the neighbour's
house, it is already week enough to be not that attrative anyways. And
if you see someone parked in front of your house for days on end with
a lot of computer gear, well you know what to do. But all that is
fictous. I don't think anyone is going to do all that just to use your
internet connection.

3. Safety of your network:
#2 applies again. Someone first has to break into your network to be
able to do anything further. And then they will be faced with further
firewall security and access security built into the OS.

Bottom line, if you are a business and need to protect your network at
all costs, WPA is definetly for you. If you are a home user and WPA is
available as part of the new gear or as a free upgrade, it is
definetly for you. But if you are a home user upgrading just to get
WPA because you are so scared after reading everything negative about
WEP, relax and go back to worry free times.

(always ready to accept a valid correction--not a far fetched
theoratical one because if you approach things from that point of view
*NOTHING* is secure)

In article <(E-Mail Removed)> ,
Mike Harris <(E-Mail Removed)> wrote:
:Yes, WEP can be compromised. But you have to realy think about what
:you are at risk of loosing:
:1. Theft of Sensitive Information:
:It is secure to begin with. *MOST* site use SSL when requesting
ersonal information, or more importantly, credit cards or when you do
nline banking etc. It doesn't leave your browser till it's secure.
:The small couple hundered feet of radius that your router covers is
:NOTHING compared to the vast scary jungle out there called internet.
:There might be one or two hackers in your neighbourhood, and there are
:thousands out there on the internet.


You are missing out on an important usage: access to local
resources that contain sensitive information. There are two
important sub-types of this:

A) You use wireless to actively access the senstive information;
someone monitoring copies it over the air;

B) Someone uses your wireless network to access your resources
without authorization.

You nearly get to B) in your discussion of someone using
your wireless router, but you missed this case. If you
are known to have valuable information and you don't change
your keys often (which can be impractical if lots of devices
are involved) then someone might take the bother to crack in.


:By the time
:signal leaves your hours and crosses walls to get to the neighbour's
:house, it is already week enough to be not that attrative anyways. And
:if you see someone parked in front of your house for days on end with
:a lot of computer gear, well you know what to do. But all that is
:fictous. I don't think anyone is going to do all that just to use your
:internet connection.

We put a single consumer access point in the middle of a building
the size of a small condo. There are places inside the building
where we cannot get a usable signal (we have some pretty hefty
shielding), but along the longer wall [shorter distance from
AP but more walls to go through] the signal was usable out to the
near edge of the sidewalk; along the shorter wall [longer distance
from the AP but fewer walls to go through], the signal was usable
right to the public on-street parking.

During our testing, we were getting clear signals from hundreds of
feet away. There's a particular sweet spot in our lobby at which
it is easier to lock in to a signal from a few blocks away than
it is to lock in to our own signal from inside the building. Signals
bounce off the highrises.


So... we aren't going to trust WEP. We will use IPSec. It is
possible we will consider using WPA and 802.11x at some point, but
we shall see.
--
Pity the poor electron, floating around minding its own business for
billions of years; and then suddenly Bam!! -- annihilated just so
you could read this posting.

Mike Harris <(E-Mail Removed)> wrote:
> If you are in the market for a new router, get one with WPA by all
> means. After all, you want to buy the latest and greatest.
<snip>
> 2. Someone accessing your Router (Free Loaders):
> 128bit WEP and MAC address filtering is good enough. Don't believe
> that someone can just setup a sniffing gear and have your WEP cracked
> in 10 minutes or less. It requires quite an elaborate setup, and weeks
> worth of data collection (from a typical home usage) to be able to
> have a go at it. I don't think anyone is going to go to all that
> lenght and expense just to freely use your internet. (unless,
> ofcourse, someone just like that happens to live just next door to you
> well within the usable reach of your wireless router). By the time
> signal leaves your hours and crosses walls to get to the neighbour's
> house, it is already week enough to be not that attrative anyways. And
> if you see someone parked in front of your house for days on end with
> a lot of computer gear, well you know what to do. But all that is
> fictous. I don't think anyone is going to do all that just to use your
> internet connection.

If I was slightly less scrupulus than I am, and living near several
wireless networks, I'd certainly do a survey to find nearby networks,
then see if I could get to them with a cantenna or similar.
I've got lots of old computer hardware, so setting up an old PC to do WEP
cracking is almost free.

IIRC, you need 7 million packets to be fairly sure of cracking a WEP key.
This is around 3-9Gb of transfer.

Taking one extreme, a G network transferring files could be cracked in
as little as half an hour.
Someone running P2P over a 512K wireless ADSL link in 3-4 days.
MAC filtering isn't a panecea.
I can trivially set the MAC, and snoop for when the PC is off, to
access the net.