Announcement

Collapse
No announcement yet.

WEP vs. WAP

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • WEP vs. WAP

    I know that WAP is better than WEP, but is it worth changing a client's network (and replacing expensive non-WAP complant PDAs) to switch from WEP to WAP?
    --BC,

  • #2
    Yes. No form of WEP is acceptable for corporate communications, IMHO. Just make sure it is configured correctly or WPA (ed.) can be equally bad. In fact, since 802.11i is now an official standard, you should plan for and implement that instead of either WPA (ed.) or WEP.

    SANS has a great selection of 802.11[a-z] papers:

    http://www.sans.org/rr/whitepapers/wireless/

    -g
    Last edited by Grond; August 11, 2005, 11:07.
    Jesus built my car
    It’s a love affair
    Mainly Jesus and my hot rod

    Comment


    • #3
      Originally posted by big chopper
      I know that WAP is better than WEP, but is it worth changing a client's network (and replacing expensive non-WAP complant PDAs) to switch from WEP to WAP?
      --BC,
      If WEP is their only security measure on their WiFi network segment, then the answer can only be a big resounding YES. And it is not WAP, but WPA.

      WEP as a security measure is deader than a doornail. Tools has been released, ensuring that even the biggest Junlygust fucktard can crack a WEP "protected" WiFi network (if they pulled their head out of their asses long enough to read and comprehend the documentation, that is...).

      Dutch
      All your answers are belong to Google. Search dammit!!!

      Comment


      • #4
        Originally posted by big chopper
        I know that WAP is better than WEP, but is it worth changing a client's network (and replacing expensive non-WAP complant PDAs) to switch from WEP to WAP?
        --BC,
        WEP = Wired Equivalent Privacy
        WAP= Wireless Access Point
        WPA = Wi-Fi Protected Access

        Do you mean WPA? If so, the answer is "yes", especially in a commerical or enterprise setting. Even 128-bit WEP can now be broken within an hour or so if someone is determined. It's either that or go to a VPN across the WLAN.

        Enterprise sytems should use the Temporal Key Integrity Protocol (WPA-TKIP) variant of WPA, which is the stonger of the two WPA types. Even home users should be stepping up to the weaker Pre-Shared Key version of WPA (WPA-PSK) at this point.
        Thorn
        "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

        Comment


        • #5
          much of it depends on the network's functionality and how the wireless is being used. are they using wireless as a way to access internal, sensitive files and data shares? are they treating the wireless as part of their DMZ and making sure that connected clients act with the same responsibility as someone just connected to the internet from anywhere? (using tunneling, etc?)

          personally, i've always setup wireless that way for people... treating it as just a connection similar to a dialup from home or a free internet access point at a café. i setup remote access tools with the proper encryption and only allow access through appropriate VPN and SSL connections. technically you could leave the AP totally open at that point, but i wouldn't reccomend it since it can lead to people piggy-backing on your connection.

          if you don't want to install WPA hardare all over your facility, beef up all other aspects as best you can... turn off SSID broadcast, do MAC filtering, keep WEP and run it as strong as possible (to dissuade the most bottom-rung of casual kiddie attackers), and have clients use proper encryption on their traffic.
          Last edited by Deviant Ollam; August 11, 2005, 10:47.
          "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
          - Trent Reznor

          Comment


          • #6
            geez... three replies while i was still typing. you guys are fast.
            "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
            - Trent Reznor

            Comment


            • #7
              Originally posted by Deviant Ollam
              geez... three replies while i was still typing. you guys are fast.
              There is another possibility that springs to mind...

              Dutch
              All your answers are belong to Google. Search dammit!!!

              Comment


              • #8
                >> And it is not WAP, but WPA.

                !iacixelsyd ym rof seigolopa, spoO

                Thorn's advice is sound...like I said read 802.11i to understand what is currently considered "best of breed" wireless security. Almost all of Cisco's gear now supports it, and the smaller players are adopting it quickly. But lets also hope that the algorithms in the new standard aren't broken as quickly as WEP was.

                -g
                Jesus built my car
                It’s a love affair
                Mainly Jesus and my hot rod

                Comment


                • #9
                  Thanks all for your replies & insight.

                  I am going to suggest that they restrict the range of their wireless network (they're currently using a special high-gain antenna), and implement MAC filtering.

                  For now, that may be the best solution.
                  --BC,

                  Comment


                  • #10
                    Originally posted by big chopper
                    Thanks all for your replies & insight.

                    I am going to suggest that they restrict the range of their wireless network (they're currently using a special high-gain antenna), and implement MAC filtering.

                    For now, that may be the best solution.
                    --BC,
                    Only if you want to make them more vulnerable than they are at the moment..

                    What I mean by that is : They will think your recommendation will make them more secure, thereby thinking they are safe, while in reality those two measures have very little effect, when protecting the WiFi segment.

                    Dutch
                    All your answers are belong to Google. Search dammit!!!

                    Comment


                    • #11
                      Originally posted by big chopper
                      Thanks all for your replies & insight.

                      I am going to suggest that they restrict the range of their wireless network (they're currently using a special high-gain antenna), and implement MAC filtering.

                      For now, that may be the best solution.
                      --BC,
                      Limiting the Ap's TX range will tend to lessen the associations and connection beyond a certain distance, but it will not prevent passive sniffing from greatly beyond the point. Example: I can associate with a local commerical hotspot only within approximately 100 yards, but can still passively detect the AP (and therefore passively sniff packets going over that network) from over 7 miles away. In addition, it will not prevent a connection from someone using a high-gain antenna at a range further than you expect.

                      MAC filtering will also prevent association and connections, but will not prevent passive sniffing. In addition, it is easily defeated by merely cloning the MAC.
                      Thorn
                      "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

                      Comment


                      • #12
                        I don't mean to intrude on this topic but I have a small question pertaining to the subject: I have Linksys Wireless B router connected to my iBook, as some of you may know Apple doesn't support encryption with third party devices so I can't use WEP, WPA, etc. I do have the basic security measures configured though, changed the default username and pass, enabled MAC filtering and disabled SSID broadcasting. Do you think this is good enough for a home small network and what more can I do? Also, installed an IDS.

                        Comment


                        • #13
                          Originally posted by mikedc1760
                          Apple doesn't support encryption with third party devices so I can't use WEP, WPA, etc.
                          Excuse me? I, and many others, use encryption on Apple's wireless cards with non-Airport base stations. Perhaps I misunderstood you?

                          Comment


                          • #14
                            What I meant was Apple’s algorithm for generating a key from the passphrase is different from the algorithm used by most other transmitters, this is why I and many other's keep having a problem setting up WPA and WEP up. I got this information from here
                            However, he may be wrong and I'm going to take your word that it does work. Also, he does go on about how to make it work but I am unsuccessful in doing so. Mind giving me some insight on how you got it up and running? Thanks.

                            Comment


                            • #15
                              Originally posted by mikedc1760
                              What I meant was Apple’s algorithm for generating a key from the passphrase is different from the algorithm used by most other transmitters, this is why I and many other's keep having a problem setting up WPA and WEP up. I got this information from here
                              However, he may be wrong and I'm going to take your word that it does work. Also, he does go on about how to make it work but I am unsuccessful in doing so. Mind giving me some insight on how you got it up and running? Thanks.
                              Thats because you should enter the key in hexadecimal, instead of relying on different vendors half assed attempts in generating keys from a passphrase, to protect the consumer from actually using their systems with hardware of their own choice.

                              Dutch
                              All your answers are belong to Google. Search dammit!!!

                              Comment

                              Working...
                              X