LinuxQuestions.org
Old 12-05-2003, 11:44 PM   #1
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
wireless encryption


OK, with the big move lately toward wireless (I'm just saying that because I just got one) there are several things to consider when setting up your network.

Should I use WEP?

What does it do for me?

Is 128 bit WEP secure?

Is it supposed to secure transfer of data or is it just to keep other people from accessing my network?

If I use MAC address filtering on my AP and 128 bit WEP is it secure enough?

What other option is there?
 
Old 12-06-2003, 12:36 AM   #2
ter_roshak
Member
 
Registered: May 2001
Location: Everett, WA
Distribution: Gentoo, RedHat
Posts: 102

Rep: Reputation: 15
WEP enabled provides sender and receiver with a 40 or 128 bit shared private key that is used to encrypt packets transmitted over the network. This is supposed to transmit secure data, not just prevent access to your network.

The SSID is transmitted in cleartext, so if you are sniffing the local area, it can be detected easily. Even if the access point is not active, but a passive node, any replies by the access point will transmit the SSID in cleartext.

With the MAC address filtering, the MAC addresses are transmitted in cleartext, vulnerable to sniffing. Some cards allow you to modify the MAC, and this would allow access.

Josh
 
Old 12-06-2003, 01:18 AM   #3
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Original Poster
Rep: Reputation: 56
So what we have thus far is that there is no way to prevent someone from accessing the network through the AP using WEP and MAC filtering.

So what about VPN?

Let's say we have a dedicated NIC for the AP.
 
Old 12-06-2003, 01:31 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
What does it do for me?
Technically WEP uses an RSA RC4 algorithm to encrypt traffic going from one wireless segment to the other. Everything on the wire is unencrypted. Anyone trying to sniff the wireless packets will see garbage and if you have your network set up to only allow "shared-key" mode, then only those possessing the WEP key can associate with your access point.

Is 128 bit WEP secure?
Normally RSA RC4 is fairly strong encryption, but the way in which the WEP protocol actually implements it allows it to be cracked. For 128 bit encryption, it actually uses a 104 bit WEP key plus a 24 bit 'initialization vector'. The initialization vector is cycled with each packet and every once in a while the same IV is used, potentially revealing part of the WEP key. If you capture enough of these "weakly encrypted" packets, you can eventually determine the entire WEP key. However, I've monkeyed around cracking WEP and it is HIGHLY dependent on the amount of traffic that you generate. For most normal home networks, someone would have to sniff your wireless network for 2-4 weeks non-stop to gather enough weakly encrypted packets to crack your WEP key. All of the reports on how you can crack WEP in a couple of hours set up one of the clients to ping flood the AP, thereby generating an abnormally high number of packets. So for most people that really isn't a realistic model, but if you had a large network or did something like stream mp3s I would definitely be concerned. No matter what, I would highly recommend changing the WEP key at the very least once a month. As far as 128 vs 64 bit encryption, supposedly they are both equally as vulnerable.

Is it supposed to secure transfer of data or is it just to keep other people from accessing my network?
Again, if you set your network up to only allow those with the WEP key to connect, then it will do both.

If I use MAC address filtering on my AP and 128 bit WEP is it secure enough?
MAC filtering is trivial to get around and would really be just a minor inconvenience to anyone wanting access. Truthfully though it really depends on what you mean by secure enough. If you are talking about a corporate network that has sensitive data on it, then you would be insane to rely on WEP. If you mean your home LAN where you just don't want your neighbor to know you have goatse as your homepage, then you should be alright. The biggest factor is that most wireless networks don't use WEP and a surprising number haven't changed the default settings. So people wanting to leech off someone else's connection or break into networks would really have a cornucopia of choices; the question you have to ask is would someone have a reason to sniff your network for a month non-stop. If your answer is yes or maybe, then you should probably think about using something besides WEP. If you're just worried about the average Wardriver, then WEP should be enough of a deterrent that they'd probably look for easier targets.

What other option is there?
Besides buying a whole mess 'o CAT5 and chucking your AP out the window, there are a number of WEP alternatives that do a better job. FreeS/WAN/IPsec, using ssh or ssl tunnels to span the wireless segment, WPA, and the IEEE is supposedly going to come up with a new wireless encryption implementation to replace WEP.

As far as preventing people from associating with your WEP, you can use something like RADIUS or NoCAT authentication as a further layer of security.
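The WEP construction discussed in the post above, as an added example that is not part of the original thread: the per-packet RC4 key is the cleartext 24-bit IV followed by the shared secret, so a repeated IV means a repeated keystream regardless of whether the secret is 40 or 104 bits. The key, IV and payloads are constructed sample values, and the framing is simplified (the key ID byte is omitted).

```python
import math
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Simplified WEP frame: cleartext IV, then RC4(IV || key) over payload + CRC-32 ICV."""
    assert len(iv) == 3 and len(key) in (5, 13)   # 24-bit IV; 40- or 104-bit secret
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(body, rc4(iv + key, len(body)))

def packets_until_likely_repeat(iv_bits: int = 24, p: float = 0.5) -> int:
    """Birthday approximation: packets with random IVs until a repeat has probability p."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p))))

def demo():
    key = bytes.fromhex("0102030405060708090a0b0c0d")   # constructed 104-bit secret
    iv = b"\x00\x00\x01"                                 # the same IV used for two packets
    p1, p2 = b"GET /index.html ", b"user=alice&id=42"    # constructed payloads
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    # Same IV and same secret give the same keystream, so it cancels out:
    # XOR of the two ciphertexts equals XOR of the two plaintexts.
    leaked = xor(c1[3:3 + len(p1)], c2[3:3 + len(p2)])
    return leaked == xor(p1, p2), packets_until_likely_repeat()

if __name__ == "__main__":
    print(demo())
```

The IV space is the same size for "64-bit" and "128-bit" WEP, which is why a longer secret does not push the repeat point any further out.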
 
Old 12-06-2003, 02:46 AM   #5
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Original Poster
Rep: Reputation: 56
That's very good information.

Should I assume that if there are no valid client connections to the AP that it would be almost impossible for someone to figure out how to connect through it? So it should be ok to leave it on.
 
Old 12-06-2003, 03:27 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
No, actually that would be incorrect. It's possible to generate interference that kicks the WAP off the air and causes it to restart. When it restarts it may broadcast for a brief period. Also, you would need to be absolutely positive that there were no clients still associated with it (even if they weren't actively using the connection) because when it's lost, they will try to reassociate with the AP, thus causing traffic.

The only real way to protect 802.11a/b/g is to set the AP on its own network segment, firewalled from your LAN and to use IPSec to reach any internal hosts that you need. All the normal ports should be completely blocked from the W/LAN side (except for 500/UDP for IPSec, and that only to your IPSec box). If you're only allowing IPSec traffic through, then there's no point to use WEP since the traffic is already encrypted and WEP is just adding more overhead to each packet. Only permitting approved MAC addresses will cause a speedbump for dedicated crackers, but it will keep casual/accidental users off your AP, so it's still recommended.
 
Old 12-06-2003, 12:12 PM   #7
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Original Poster
Rep: Reputation: 56
How about using WPA?

Is that a total solution?


I have these other choices,

WPA pre-shared key -- TKIP or AES
WPA RADIUS -- TKIP or AES
RADIUS -- WEP
 
Old 12-07-2003, 02:31 AM   #8
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Original Poster
Rep: Reputation: 56
Here is the verdict..

WEP is off now, it is useless.

My WPC11 only supports WEP so the other types of built-in security in my AP are out.

I have decided to go with openvpn using a pre-shared key.

I have a dedicated NIC on the router for the AP.
Firewall in laptop and router, closed all ports except 5000 on the interfaces.


At this point I think we have secure #cough * choke# wireless.

That's it for now, gotta fly.

Next time I come home I will get it working with windows on the laptop.


Last edited by DavidPhillips; 12-07-2003 at 02:45 AM.
 
Old 12-07-2003, 03:03 AM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Yep, that's pretty much the way to do wireless "right".
 
Old 12-07-2003, 03:30 AM   #10
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Original Poster
Rep: Reputation: 56
Thanks for all the input and the ideas.

 
Old 12-07-2003, 05:47 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
With the state of Linux wireless nowadays, you're lucky to get WEP to even work. The WPA-TKIP is a really nice solution, but like you know first hand, finding hardware that supports it is tough. Plus I would imagine severing your big toe off with a spork would be a significantly more enjoyable experience than trying to get non-standard wireless protocols to work under Linux. I really hope that changes, but for now the options are kind of slim. Using VPN or some other kind of encryption tunnel is probably the best way to go in terms of security vs ease of implementation.
 
  


All times are GMT -5.