wireless network security best practice?

We have a local wireless net. Is 128 bit WEP and MAC filtering enough?

I tend to think not, anyone could sniff and pick up MACs and then set their
card to use that MAC, and eventually break the WEP at brute force.

Feedback/Comments?

In article <3f4a5a4a$0$49108$(E-Mail Removed)>, erik wrote:
>> ,,, eventually break the WEP at brute force.
>
> Eventually? Given enough traffic that will go very quickly. Count on a
> week.

A thought: what of a script, cron every few hours or so, to generate a
random WEP key and to distribute it to permitted clients? It would take
some work to implement this, but would it enhance security? (Albeit
perhaps not so much as to eliminate the need for a VPN tunnel.)
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply

"/dev/null" <(E-Mail Removed)> wrote in message
news:WXr2b.257963$uu5.59065@sccrnsc04...
> We have a local wireless net. Is 128 bit WEP and MAC filtering enough?
>
No.
1. WEP is easy to break with available tools.
2. MAC addresses can be spoofed.

> I tend to think not, anyone could sniff and pick up MACs and then set
their
> card to use that MAC, and eventually break the WEP at brute force.
>
> Feedback/Comments?
>
>
1. Change the SSID to something unique.
2. Disable broadcast of SSID.
3. Create unique passwords for the WEB interface on the AP.
4. Install a VPN, and block all traffic that is not inside the VPN.

Enjoy,
Don

Thanks for the context.

MAC filtering and 128 bit WEP is okay, but not bulletproof. It will stop
opportunists (within reason).
But as ever, context is everything.

You should ask yourself: Who's in range?
What data are you trying to protect?
What's the worse that could happen?

Unfortunately the VPN idea, while a good one, could be impractical in your
situation, but sensible measures such as turning off broadcasting the SSID
of your wireless network and not using an obvious name for it are steps in
the right direction.

Some more info would help.

Regards, Adrian


"/dev/null" <(E-Mail Removed)> wrote in message
news:WXr2b.257963$uu5.59065@sccrnsc04...
> We have a local wireless net. Is 128 bit WEP and MAC filtering enough?
>
> I tend to think not, anyone could sniff and pick up MACs and then set
their
> card to use that MAC, and eventually break the WEP at brute force.
>
> Feedback/Comments?
>
>

As stupidly simple security precaution - do you keep the base station on
24x7?

Have you thought about putting it on a timer so its only on during working
hours - thus reducing your attacker's window of opportunity to working
hours.

"erik" <(E-Mail Removed)> wrote in message
news:3f4d03ce$0$49099$(E-Mail Removed)...
> Adrian Inman wrote:
>
> > Thanks for the context.
> >
> > MAC filtering and 128 bit WEP is okay, but not bulletproof. It will
> > stop opportunists (within reason).
>
> It will not stop them. Not at all.
>
> > But as ever, context is everything.
>
> That is right.
>
> >
> > You should ask yourself: Who's in range?
> > What data are you trying to protect?
> > What's the worse that could happen?
>
> Assume the worst. Your link is used for spammers. You get disconnected.
>
> >
> > Unfortunately the VPN idea, while a good one, could be impractical in
> > your situation,
>
> What do you mean?
>
> > but sensible measures such as turning off broadcasting
> > the SSID of your wireless network and not using an obvious name for it
> > are steps in the right direction.
>
> No those are steps in the wrong direction. Security by obscurity never
> worked. Listening in will reveal all relevant data within seconds.
>
> >
> > Some more info would help.
>
> A little bit more security consciousness also.
>
> EJ
> --
> Remove the obvious part (including the dot) for my email address
>

"/dev/null" <(E-Mail Removed)> wrote in message news:<WXr2b.257963$uu5.59065@sccrnsc04>...
> We have a local wireless net. Is 128 bit WEP and MAC filtering enough?
>
> I tend to think not, anyone could sniff and pick up MACs and then set their
> card to use that MAC, and eventually break the WEP at brute force.
>
> Feedback/Comments?

WEP is broken (despite the key size) and MAC filtering is easily defeated,
but it keeps script-kidies away (for awhile).

You should try VPN/IPSec solution and some sort of authentication, like a
captive portal, for example: http://nocat.net/.

I have proposed and implemented this solution (VPN + captive portal + ...)
as an academic project, but it's based on OpenBSD and i386 (I setup the
Access Point in a 386 box). I think the security was enhanced a lot, but
there's a price to pay: network overhead. WEP (128 bits) decreases the
throughput by 30% and IPSec (Tunnel - ESP - 3DES-CBC HMAC-MD5) by 60%.
Actually, I feel this kind of solution is the best way to protect your
network nowadays.

I could point the references to my project and the Security X Overhead paper
but they are in portuguese. Sorry.

Other solutions:

* 802.1x - most access point vendors suport 802.1x by default. Windows XP
has a 802.1x client (supplicant) built-in. Some researchers pointed out some
security failures.
* Wait for WPA (Wi-Fi Protected Access). I'm not sure whether the access
point vendors have deployed it already.

hope it helps,

demeck

demeck wrote:

> You should try VPN/IPSec solution and some sort of authentication, like a
> captive portal, for example: http://nocat.net/.
>

I'm planning on doing just that. I've purchased a wireless firwall/router,
which I'll be using as an access point. I'll then use a CIPE VPN to get
through my firewall.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.

demeck wrote:

> "/dev/null" <(E-Mail Removed)> wrote in message
> news:<WXr2b.257963$uu5.59065@sccrnsc04>...
>> We have a local wireless net. Is 128 bit WEP and MAC filtering
>> enough?
>>
>> I tend to think not, anyone could sniff and pick up MACs and then set
>> their card to use that MAC, and eventually break the WEP at brute
>> force.
>>
>> Feedback/Comments?
>
> WEP is broken (despite the key size) and MAC filtering is easily
> defeated, but it keeps script-kidies away (for awhile).
>
> You should try VPN/IPSec solution and some sort of authentication,
> like a captive portal, for example: http://nocat.net/.
>
> I have proposed and implemented this solution (VPN + captive portal +
> ...) as an academic project, but it's based on OpenBSD and i386 (I
> setup the Access Point in a 386 box). I think the security was
> enhanced a lot, but there's a price to pay: network overhead. WEP (128
> bits) decreases the throughput by 30% and IPSec (Tunnel - ESP -
> 3DES-CBC HMAC-MD5) by 60%.

Nope. That completely depends on the devices you're using. On my 600 MHz
machine, running ipsec I still run at 500-600 kB/s, which is _very_
close to the theoretical maximum. OpenBSD in host AP mode.

> Actually, I feel this kind of solution is the best way to protect
> your network nowadays.

It's the only way ;-)

>
> I could point the references to my project and the Security X Overhead
> paper but they are in portuguese. Sorry.
>
> Other solutions:
>
> * 802.1x - most access point vendors suport 802.1x by default. Windows
> XP has a 802.1x client (supplicant) built-in. Some researchers pointed
> out some security failures.

What's new with M$ security. :-)

> * Wait for WPA (Wi-Fi Protected Access). I'm not sure whether the
> access point vendors have deployed it already.

AFAIK that will take some time, and you need to replace all existing
infrastructure.

EJ
--
Remove the obvious part (including the dot) for my email address

On Mon, 25 Aug 2003 17:46:30 +0000, /dev/null wrote:

> We have a local wireless net. Is 128 bit WEP and MAC filtering enough?
>
> I tend to think not, anyone could sniff and pick up MACs and then set
> their card to use that MAC, and eventually break the WEP at brute force.
>
> Feedback/Comments?

To figure if your security is good enough, you first have to take a look
at the type of traffic you're running on your wireless network, both in
terms of security sensitivity and traffic volume. For example, Fort Knox
needs a lot more protection than the average home.

One of the big issues with wireless is that your radio waves from your
access point don't stop at your home or office's walls. That feature makes
it possible for others to intercept and use your signal.

While breaking a WEP transmission is certainly possible, it still requires
a LOT of data be gathered. Airsnort needs 5 to 10 million packets in order
to break a code, according to their info. In my case, that means someone
would have to park in front of my house for months at a time to gather
enough data to crack my 128 bit WEP code.

On the other hand, an office with many high traffic users on their
wireless network could generate enough traffic in a short period of time
for their code to be cracked. Or, someone located in an apartment building
might have a neighbor who could monitor their connection for months on end
to try and break into their network.

In my case, if I'm going to get paranoid about my wireless network at
home, then I also need to be paranoid about my ISP monitoring my traffic
in general. I need to quit giving my credit card to waiters and
salespeople when I buy stuff. I need to replace all the wood doors in my
house with metal security doors, and so on.

Yeah, WEP has it holes and should be improved. WPA is going to help do
that and there will certainly be continued improvements down the road.

But that doesn't mean I need to stop using wireless right now. A typical
home user is not a high-profile target for a wireless crook. What hacker
wants to spend months gathering data so he can break in and get... what?

Businesses, OTOH, need to be more careful as they generate a lot of
traffic, do so faster, and typically have more people trying to break into
their networks to get critical info. Some others have already described
methods to address those issues.

But wireless security is just like any other security issue. One needs to
do a good risk assessment before going whole-hog. Your security efforts
should match the risk probablility involved.

wesley wrote:

> On Mon, 25 Aug 2003 17:46:30 +0000, /dev/null wrote:
>
>> We have a local wireless net. Is 128 bit WEP and MAC filtering
>> enough?
>>
>> I tend to think not, anyone could sniff and pick up MACs and then set
>> their card to use that MAC, and eventually break the WEP at brute
>> force.
>>
>> Feedback/Comments?
>
> To figure if your security is good enough, you first have to take a
> look at the type of traffic you're running on your wireless network,
> both in terms of security sensitivity and traffic volume. For example,
> Fort Knox needs a lot more protection than the average home.
>
> One of the big issues with wireless is that your radio waves from your
> access point don't stop at your home or office's walls. That feature
> makes it possible for others to intercept and use your signal.
>
> While breaking a WEP transmission is certainly possible, it still
> requires a LOT of data be gathered. Airsnort needs 5 to 10 million
> packets in order to break a code, according to their info. In my case,
> that means someone would have to park in front of my house for months
> at a time to gather enough data to crack my 128 bit WEP code.
>
> On the other hand, an office with many high traffic users on their
> wireless network could generate enough traffic in a short period of
> time for their code to be cracked. Or, someone located in an apartment
> building might have a neighbor who could monitor their connection for
> months on end to try and break into their network.
>
> In my case, if I'm going to get paranoid about my wireless network at
> home, then I also need to be paranoid about my ISP monitoring my
> traffic in general. I need to quit giving my credit card to waiters
> and salespeople when I buy stuff. I need to replace all the wood doors
> in my house with metal security doors, and so on.
>
> Yeah, WEP has it holes and should be improved. WPA is going to help do
> that and there will certainly be continued improvements down the road.
>
> But that doesn't mean I need to stop using wireless right now. A
> typical home user is not a high-profile target for a wireless crook.
> What hacker wants to spend months gathering data so he can break in
> and get... what?
>
> Businesses, OTOH, need to be more careful as they generate a lot of
> traffic, do so faster, and typically have more people trying to break
> into their networks to get critical info. Some others have already
> described methods to address those issues.
>
> But wireless security is just like any other security issue. One needs
> to do a good risk assessment before going whole-hog. Your security
> efforts should match the risk probablility involved.

Wile you may have some points you forget several things:
1 It is signicantly harder to do anything wrong with a hardwired
configuration, your ISP is not worth looking at security wise.
2 It is definately possible to crack WEP without considerable effort.
3 It is not about breaking in into your network, but about _abusing_
your network. You do not want to be disconnected because your gateway
was used to send spam or worse things.
4 Efficient security measures are very simple.

In general security is not only about your (probably invaluable) data,
but about being used as a stepping stone. The latter is something you
need to prevent at all costs.

EJ
--
Remove the obvious part (including the dot) for my email address