Ok, with the big move lately toward wireless (I'm just saying that because I just got one) there are several things to consider when setting up your network.
Should I use WEP?
What does it do for me?
Is 128 bit WEP secure?
Is it supposed to secure transfer of data or is it just to keep other people from accessing my network?
If I use MAC address filtering on my AP and 128 bit WEP is it secure enough?
WEP enabled provides sender and receiver with a 40 or 128 bit shared private key that is used to encrypt packets transmitted over the network. This is supposed to transmit secure data, not just prevent access to your network.
The SSID is transmitted in cleartext, so if you are sniffing the local area, it can be detected easily. Even if the access point is not active, but a passive node, any replies by the access point will transmit the SSID in cleartext.
With the MAC address filtering, the MAC addresses are transmitted in cleartext, vulnerable to sniffing. Some cards allow you to modify the MAC, and this would allow access.
What does it do for me?
Technically WEP uses an RSA RC4 algorithm to encrypt traffic going from one wireless segment to the other. Everything on the wire is unencrypted. Anyone trying to sniff the wireless packets will see garbage and if you have your network set up to only allow "shared-key" mode, then only those possessing the WEP key can associate with your access point.
Is 128 bit WEP secure?
Normally RSA RC4 is fairly strong encryption, but the way in which the WEP protocol actually implements it allows it to be cracked. For 128 bit encryption, it actually uses a 104 bit WEP key plus a 24 bit 'initialization vector'. The initialization vector is cycled with each packet and every once in a while the same IV is used, potentially revealing part of the WEP key. If you capture enough of these "weakly encrypted" packets, you can eventually determine the entire WEP key. However, I've monkeyed around cracking WEP and it is HIGHLY dependent on the amount of traffic that you generate. For most normal home networks, someone would have to sniff your wireless network for 2-4 weeks non-stop to gather enough weakly encrypted packets to crack your WEP key. All of the reports on how you can crack WEP in a couple of hours set up one of the clients to ping flood the AP, thereby generating an abnormally high number of packets. So for most people that really isn't a realistic model, but if you had a large network or did something like stream mp3s I would definitely be concerned. No matter what, I would highly recommend changing the WEP key at the very least once a month. As far as 128 vs 64 bit encryption, supposedly they are both equally as vulnerable.
Is it supposed to secure transfer of data or is it just to keep other people from accessing my network?
Again if you set your network up to only allow those with the WEP key to connect, then it will do both.
If I use MAC address filtering on my AP and 128 bit WEP is it secure enough?
MAC filtering is trivial to get around and would really be just a minor inconvenience to anyone wanting access. Truthfully though it really depends on what you mean by secure enough. If you are talking about a corporate network that has sensitive data on it, then you would be insane to rely on WEP. If you mean your home LAN where you just don't want your neighbor to know you have goatse as your homepage, then you should be alright. The biggest factor is that most wireless networks don't use WEP and a surprising number haven't changed the default settings. So people wanting to leech off someone else's connection or break into networks would really have a cornucopia of choices; the question you have to ask is would someone have a reason to sniff your network for a month non-stop. If your answer is yes or maybe, then you should probably think about using something besides WEP. If you're just worried about the average Wardriver, then WEP should be enough of a deterrent that they'd probably look for easier targets.
What other option is there?
Besides buying a whole mess 'o CAT5 and chucking your AP out the window, there are a number of WEP alternatives that do a better job. FreeS/WAN/IPsec, using ssh or ssl tunnels to span the wireless segment, WPA, and the IEEE is supposedly going to come up with a new wireless encryption implementation to replace WEP.
As far as preventing people from associating with your WEP, you can use something like RADIUS or NoCAT authentication as a further layer of security.
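As an added example (not part of the original posts), the Python sketch below illustrates the IV handling described in the post above: WEP keys RC4 with the cleartext 24 bit IV followed by the shared secret, so two frames sent under the same IV share a keystream whatever the key length. The sample IV, keys and payloads are constructed, and the frame layout is simplified (no key-ID byte, no CRC-32 ICV).

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """Simplified WEP frame: RC4 is seeded with IV || secret and the
    3-byte IV is prepended in clear (key-ID byte and ICV omitted)."""
    assert len(iv) == 3 and len(secret) in (5, 13)
    return iv + xor(payload, rc4_keystream(iv + secret, len(payload)))

def reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """For two frames with the same IV, ciphertext XOR ciphertext equals
    plaintext XOR plaintext, because the shared keystream cancels out."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[3:], frame_b[3:])

def packets_for_iv_repeat(prob: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday approximation: packets sent before a randomly chosen IV
    repeats with probability `prob`."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - prob))))

# Constructed sample values, not taken from any real network.
IV = bytes.fromhex("a1b2c3")
P1, P2 = b"GET /index.html ", b"user=alice&pw=x "
for secret in (b"\x01" * 5, b"\x02" * 13):   # 40 bit and 104 bit secrets
    leak = reuse_leak(wep_encrypt(IV, secret, P1), wep_encrypt(IV, secret, P2))
    print(len(secret) * 8, "bit key, keystream cancels:", leak == xor(P1, P2))
print("random IVs repeat (p=0.5) after about", packets_for_iv_repeat(), "packets")
```

The result is the same for both key sizes because the repetition comes from the 24 bit IV, which is identical in 64 bit and 128 bit WEP.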
Should I assume that if there are no valid client connections to the AP that it would be almost impossible for someone to figure out how to connect through it? So it should be ok to leave it on.
No, actually that would be incorrect. It's possible to generate interference that kicks the WAP off the air and causes it to restart. When it restarts it may broadcast for a brief period. Also, you would need to be absolutely positive that there were no clients still associated with it (even if they weren't actively using the connection) because when it's lost, they will try to reassociate with the AP, thus causing traffic.
The only real way to protect 802.11a/b/g is to set the AP on its own network segment, firewalled from your LAN and to use IPSec to reach any internal hosts that you need. All the normal ports should be completely blocked from the W/LAN side (except for 500/UDP for IPSec, and that only to your IPSec box). If you're only allowing IPSec traffic through, then there's no point to use WEP since the traffic is already encrypted and WEP is just adding more overhead to each packet. Only permitting approved MAC addresses will cause a speedbump for dedicated crackers, but it will keep casual/accidental users off your AP, so it's still recommended.
With the state of Linux wireless nowadays, you're lucky to get WEP to even work. The WPA-TKIP is a really nice solution, but like you know first hand, finding hardware that supports it is tough. Plus I would imagine severing your big toe off with a spork would be a significantly more enjoyable experience than trying to get non-standard wireless protocols to work under Linux. I really hope that changes, but for now the options are kind of slim. Using VPN or some other kind of encryption tunnel is probably the best way to go in terms of security vs ease of implementation.