Networking Forums

WEP keys, beyond WEP?

 
 
Peter
Guest
Posts: n/a

 
      08-31-2004, 04:26 PM
Hi,

I have a Draytek BB wifi/ethernet router (2900Gi) working with a HP
2900 wifi laptop and a Dell laptop which has the Linksys WPC54g PCMCIA
wifi card in it.

It took me a little while to realise that passphrases are not
necessarily compatible between different-brand equipment. They are
compatible between the Draytek and the HP, but the Linksys software
encodes them differently, so I had to enter a hex key...

I would like to go beyond WEP, to get more security. The WPC54g can do
128-bit WEP - is that really more secure? It can't do any more.

The HP laptop can do just 64-bit WEP.

What solutions are there for greater security, which can be installed
on a laptop?

I also have a Tosh E800 PDA (with a not yet working Linksys WCF12 CF
wifi card) and the software on that doesn't support anything beyond
WEP as far as I can tell. So I need something that will run on a
pocket/pc..

Is there a security solution which will handle 64-bit wep, 128-bit
wep, and higher security levels, without every device using it having
to support the highest security?

I realise that if I spend long enough connected at 64-bit WEP then the
key will get cracked sooner.

Any advice much appreciated.


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
 
 
 
 
 
Ian Stirling
Guest
Posts: n/a

 
      08-31-2004, 05:52 PM
Peter <(E-Mail Removed)> wrote:
<snip>
> What solutions are there for greater security, which can be installed
> on a laptop?


You're looking for VPN software, or a newer wireless card for the laptop
that does WPA.
A Virtual Private Network is one where all the traffic is encrypted before
sending over an unsecured link.

If your router supports this, then it's a perfect solution, as though the
WEP key may be crackable, it doesn't get anywhere if the router does
not accept packets that are not going over the VPN.
 
 
Peter
Guest
Posts: n/a

 
      09-01-2004, 08:48 AM

Ian Stirling <(E-Mail Removed)> wrote:

>Peter <(E-Mail Removed)> wrote:
><snip>
>> What solutions are there for greater security, which can be installed
>> on a laptop?

>
>You're looking for VPN software, or a newer wireless card for the laptop
>that does WPA.
>A Virtual Private Network is one where all the traffic is encrypted before
>sending over an unsecured link.
>
>If your router supports this, then it's a perfect solution, as though the
>WEP key may be crackable, it doesn't get anywhere if the router does
>not accept packets that are not going over the VPN.


What VPN software is recommended by the experts here? It has to match
what the Draytek 2900 supports, presumably.


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
 
 
Richard Sobey
Guest
Posts: n/a

 
      09-01-2004, 09:23 AM
On Wed, 01 Sep 2004 09:48:26 +0100, (E-Mail Removed) (Peter) wrote:

>What VPN software is recommended by the experts here? It has to match
>what the Draytek 2900 supports, presumably.


You should be able to get away with using the Win2K/XP built-in VPN
client. Or so I heard.
 
 
Chris Comley
Guest
Posts: n/a

 
      09-01-2004, 09:45 AM
(E-Mail Removed) (Peter) wrote:

>The HP laptop can do just 64-bit WEP.


Can you find out if a firmware or software upgrade will allow the HP
to do 128bit WEP? Or failing that, swap the card for one which can?

>What solutions are there for greater security, which can be installed
>on a laptop?


WPA is the next generation. With WPA, the WEP key is automatically
changed every couple of hours, so anyone who's trying to crack it will
have to start over. The "key" that the WPA system uses to transfer the
new WEP key around the lan is still short, but as the amount of data
you send using the key is much smaller (i.e. just the new WEP keys,
not your whole data stream) then it provides a far less crackable
target. (The point here is that any encryption scheme is crackable if
you have *enough* sample encrypted data which uses the same key,
compared to the size of the key. Send a couple of gigabytes of data
using a 128bit key, then it's just a number crunching exercise to
derive the key.)

BUT if you can't even support 128bit WEP keys on some of your kit, you
are unlikely to have WPA capability. If you need the security, you
probably need to upgrade all the hardware.


The only route you may have to more security using the current
hardware is to put the wireless base station *outside* your firewall,
and then use a VPN connection from the wireless client to access
systems inside the firewall. Use DES3 or better encryption on the VPN
link, with a tunnel refresh time as short as you can live with (the
default is 8 hours, drop it to 2, but every two hours there will be a
slight "pause" in VPN traffic as the tunnel key is re-created and
restarted).

>I realise that if I spend long enough connected at 64-bit WEP then the
>key will get cracked sooner.


Same is true of a 128 bit key - just takes the cracker a little
longer.

>Any advice much appreciated.



One last trick. Your wireless access point may have, in addition to
WEP, the facility to limit access to your wireless network by MAC
address. List the MAC addresses of your valid devices in there and
block any others. It's not foolproof (MAC addresses *can* be faked)
but it's one more layer on your security onion.

A big question you need to ask yourself is - how likely is it someone
is *trying* to crack your wireless network? Are you a "target"? i.e.
do you have lots of sensitive information that someone may know you
have? Or are you just taking "normal precautions" against casual
sniffing? What's your physical environment? If you live in a large
house with a big garden the chances of anyone being near enough to
pick up your waves are slim. If you live in a block of flats then the
chances are your WiFi lan is radiating to the flats of several of your
neighbours. How many of your neighbours have teenage kids who may have
nothing better to do than see if they can crack your lan?


---
Wizards Ltd www.wizards.co.uk
UK supplier of Sonicwall, Watchguard, Zywall.
 
 
Peter
Guest
Posts: n/a

 
      09-01-2004, 04:07 PM

Chris Comley <(E-Mail Removed)> wrote:

>(E-Mail Removed) (Peter) wrote:
>
>>The HP laptop can do just 64-bit WEP.

>
>Can you find out if a firmware or software upgrade will allow the HP
>to do 128bit WEP? Or failing that, swap the card for one which can?


The laptop is a Compaq/HP Presario 2900 which has wifi built-in. I
downloaded a driver which claimed to do WPA but nothing has changed in
the available options...

Then I have a Dell laptop with a brand new Linksys WPC54G PCMCIA wifi
card which does 64/128 bit WEP only, no WPA.

>BUT if you can't even support 128bit WEP keys on some of your kit, you
>are unlikely to have WPA capability. If you need the security, you
>probably need to upgrade all the hardware.


What I wondered about is whether one can set things up so that a
64-bit WEP (non-WPA) device can access the access point alongside
64-bit WEP (with WPA) devices. Presumably this is not possible, unless
one has multiple APs.

>The only route you may have to more security using the current
>hardware is to put the wireless base station *outside* your firewall,
>and then use a VPN connection from the wireless client to access
>systems inside the firewall. Use DES3 or better encryption on the VPN
>link, with a tunnel refresh time as short as you can live with (the
>default is 8 hours, drop it to 2, but every two hours there will be a
>slight "pause" in VPN traffic as the tunnel key is re-created and
>restarted).


The router is a Draytek 2900 which supports VPN operation, so I need
to investigate Windows VPN software, I think.

>One last trick. Your wireless access point may have, in addition to
>WEP, the facility to limit access to your wireless network by MAC
>address. List the MAC addresses of your valid devices in there and
>block any others. It's not foolproof (MAC addresses *can* be faked)
>but it's one more layer on your security onion.


Sure, I've seen this config. One can also stop SSID broadcast.

>A big question you need to ask yourself is - how likely is it someone
>is *trying* to crack your wireless network? Are you a "target"? i.e.
>do you have lots of sensitive information that someone may know you
>have? Or are you just taking "normal precautions" against casual
>sniffing? What's your physical environment? If you live in a large
>house with a big garden the chances of anyone being near enough to
>pick up your waves are slim. If you live in a block of flats then the
>chances are your WiFi lan is radiating to the flats of several of your
>neighbours. How many of your neighbours have teenage kids who may have
>nothing better to do than see if they can crack your lan?


It is casual hackers I need protection from. However there is a whole
village within wifi range (assuming a decent aerial at the other end)
which can't get broadband because they are too far from the exchange,
full of IT pros working at home, and it wouldn't surprise me if some of
them started sniffing around...


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
 
 
Alex Heney
Guest
Posts: n/a

 
      09-01-2004, 11:04 PM
On Wed, 01 Sep 2004 17:07:07 +0100, (E-Mail Removed) (Peter) wrote:

>

<snip>
>
>>A big question you need to ask yourself is - how likely is it someone
>>is *trying* to crack your wireless network? Are you a "target"? i.e.
>>do you have lots of sensitive information that someone may know you
>>have? Or are you just taking "normal precautions" against casual
>>sniffing? What's your physical environment? If you live in a large
>>house with a big garden the chances of anyone being near enough to
>>pick up your waves are slim. If you live in a block of flats then the
>>chances are your WiFi lan is radiating to the flats of several of your
>>neighbours. How many of your neighbours have teenage kids who may have
>>nothing better to do than see if they can crack your lan?

>
>It is casual hackers I need protection from. However there is a whole
>village within wifi range (assuming a decent aerial at the other end)


I doubt it. The effective range is rarely more than 100 metres, even
with the router outside.

You don't get a very big "whole village" in a 100 metre radius.

It is more common to have problems getting connectivity within one
building than it is to get hacked connectivity from further away than
a couple of buildings.

 
 
Chris Comley
Guest
Posts: n/a

 
      09-02-2004, 09:32 AM
Well "IT Pros working from home" are probably pros and couldn't give a
fig about your network, it's kids and smartarses you generally have to
worry about.

If you need that level of security, you need to get kit which can
provide it. This may mean replacing older cards and where necessary
turning off built-in wireless and using slot-in cards instead which
*can* provide the security level you need.

If this isn't possible, then your only option will be to go the route
of having the Access Point *outside* your firewall and use VPN. But
the Draytek won't help here as with the firewall/VPN *in* the router
there's no way you can connect an Access Point outside of the router,
but inside the ADSL. Unless Draytek has a built-in access point and
that can be *configured* to be "outside" the firewall.


---
Business ADSL solutions
www.wizards.co.uk
 
 
Peter
Guest
Posts: n/a

 
      09-02-2004, 10:21 AM

Chris Comley <(E-Mail Removed)> wrote:

>If this isn't possible, then your only option will be to go the route
>of having the Access Point *outside* your firewall and use VPN. But
>the Draytek won't help here as with the firewall/VPN *in* the router
>there's no way you can connect an Access Point outside of the router,
>but inside the ADSL. Unless Draytek has a built-in access point and
>that can be *configured* to be "outside" the firewall.


Draytek do a 2900Gi which uses an external ADSL modem (ether
connected) so presumably one could put an ethernet wifi access point
there.

I didn't realise that the Draytek 2600/2900 routers cannot run a VPN
over the wifi port. It looks like the VPN can run only over the ADSL
port, which is actually OK for me - the wifi feature would be used
only very occasionally, for portable devices which don't have an
ethernet port (most laptops have one)

Incidentally one thing I discovered is that WEP passphrases aren't
implemented in a standard manner across manufacturers. The Draytek
algorithm is same as HP use but Linksys are different, so the key has
to be entered in hex.


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
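
The passphrase incompatibility Peter describes in his first and last posts, as an added example that is not part of the thread: three passphrase-to-key conventions found in WEP client software (direct ASCII, an MD5-based 128-bit generator, and an LCG-based 64-bit generator) give different hex keys for the same passphrase. Which convention the Draytek, HP or Linksys software uses is not stated in the thread and is not assumed here; the function names and the sample passphrase are constructed for illustration.

```python
import hashlib

def ascii_key(passphrase):
    """Characters used directly as key bytes: 5 chars (64-bit) or 13 (128-bit)."""
    raw = passphrase.encode("ascii")
    if len(raw) not in (5, 13):
        raise ValueError("ASCII WEP keys need exactly 5 or 13 characters")
    return raw.hex().upper()

def md5_key_128(passphrase):
    """Repeat the passphrase to 64 bytes, MD5 it, keep the first 13 bytes."""
    raw = passphrase.encode("ascii")
    if not raw:
        raise ValueError("empty passphrase")
    padded = (raw * (64 // len(raw) + 1))[:64]
    return hashlib.md5(padded).digest()[:13].hex().upper()

def lcg_keys_64(passphrase):
    """XOR-fold the passphrase into a 32-bit seed, then draw four 5-byte keys."""
    seed = [0, 0, 0, 0]
    for i, byte in enumerate(passphrase.encode("ascii")):
        seed[i % 4] ^= byte
    state = int.from_bytes(bytes(seed), "little")
    stream = bytearray()
    for _ in range(20):
        state = (state * 0x343FD + 0x269EC3) & 0xFFFFFFFF
        stream.append((state >> 16) & 0xFF)
    return [stream[i:i + 5].hex().upper() for i in range(0, 20, 5)]

def derive_all(passphrase):
    """Hex keys each convention would yield for the same passphrase."""
    result = {"md5_128": md5_key_128(passphrase),
              "lcg_64_key1": lcg_keys_64(passphrase)[0]}
    if len(passphrase) in (5, 13):
        result["ascii"] = ascii_key(passphrase)
    return result

if __name__ == "__main__":
    # Constructed sample passphrase, not taken from the thread.
    for name, key in derive_all("abcde").items():
        print(f"{name:12s} {key}")
```

Entering the same hex key on every device, as Peter ended up doing, avoids the mismatch because no derivation step is involved.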
 