WEP vs. WAP

Yes. No form of WEP is acceptable for corporate communications, IMHO. Just make sure it is configured correctly or WPA (ed.) can be equally bad. In fact, since 802.11i is now an official standard, you should plan for and implement that instead of either WPA (ed.) or WEP.

SANS has a great selection of 802.11[a-z] papers:

http://www.sans.org/rr/whitepapers/wireless/

-g

If WEP is their only security measure on their WiFi network segment, then the answer can only be a big resounding YES. And it is not WAP, but WPA.

WEP as a security measure is deader than a doornail. Tools has been released, ensuring that even the biggest Junlygust fucktard can crack a WEP "protected" WiFi network (if they pulled their head out of their asses long enough to read and comprehend the documentation, that is...).

Dutch

WEP = Wired Equivalent Privacy
WAP= Wireless Access Point
WPA = Wi-Fi Protected Access

Do you mean WPA? If so, the answer is "yes", especially in a commerical or enterprise setting. Even 128-bit WEP can now be broken within an hour or so if someone is determined. It's either that or go to a VPN across the WLAN.

Enterprise sytems should use the Temporal Key Integrity Protocol (WPA-TKIP) variant of WPA, which is the stonger of the two WPA types. Even home users should be stepping up to the weaker Pre-Shared Key version of WPA (WPA-PSK) at this point.

much of it depends on the network's functionality and how the wireless is being used. are they using wireless as a way to access internal, sensitive files and data shares? are they treating the wireless as part of their DMZ and making sure that connected clients act with the same responsibility as someone just connected to the internet from anywhere? (using tunneling, etc?)

personally, i've always setup wireless that way for people... treating it as just a connection similar to a dialup from home or a free internet access point at a café. i setup remote access tools with the proper encryption and only allow access through appropriate VPN and SSL connections. technically you could leave the AP totally open at that point, but i wouldn't reccomend it since it can lead to people piggy-backing on your connection.

if you don't want to install WPA hardare all over your facility, beef up all other aspects as best you can... turn off SSID broadcast, do MAC filtering, keep WEP and run it as strong as possible (to dissuade the most bottom-rung of casual kiddie attackers), and have clients use proper encryption on their traffic.

geez... three replies while i was still typing. you guys are fast.

There is another possibility that springs to mind...

Dutch

>> And it is not WAP, but WPA.

!iacixelsyd ym rof seigolopa, spoO

Thorn's advice is sound...like I said read 802.11i to understand what is currently considered "best of breed" wireless security. Almost all of Cisco's gear now supports it, and the smaller players are adopting it quickly. But lets also hope that the algorithms in the new standard aren't broken as quickly as WEP was.

-g

Thanks all for your replies & insight.

I am going to suggest that they restrict the range of their wireless network (they're currently using a special high-gain antenna), and implement MAC filtering.

For now, that may be the best solution.
--BC,

Only if you want to make them more vulnerable than they are at the moment..

What I mean by that is : They will think your recommendation will make them more secure, thereby thinking they are safe, while in reality those two measures have very little effect, when protecting the WiFi segment.

Dutch

Limiting the Ap's TX range will tend to lessen the associations and connection beyond a certain distance, but it will not prevent passive sniffing from greatly beyond the point. Example: I can associate with a local commerical hotspot only within approximately 100 yards, but can still passively detect the AP (and therefore passively sniff packets going over that network) from over 7 miles away. In addition, it will not prevent a connection from someone using a high-gain antenna at a range further than you expect.

MAC filtering will also prevent association and connections, but will not prevent passive sniffing. In addition, it is easily defeated by merely cloning the MAC.

I don't mean to intrude on this topic but I have a small question pertaining to the subject: I have Linksys Wireless B router connected to my iBook, as some of you may know Apple doesn't support encryption with third party devices so I can't use WEP, WPA, etc. I do have the basic security measures configured though, changed the default username and pass, enabled MAC filtering and disabled SSID broadcasting. Do you think this is good enough for a home small network and what more can I do? Also, installed an IDS.

Excuse me? I, and many others, use encryption on Apple's wireless cards with non-Airport base stations. Perhaps I misunderstood you?

What I meant was Apple’s algorithm for generating a key from the passphrase is different from the algorithm used by most other transmitters, this is why I and many other's keep having a problem setting up WPA and WEP up. I got this information from here
However, he may be wrong and I'm going to take your word that it does work. Also, he does go on about how to make it work but I am unsuccessful in doing so. Mind giving me some insight on how you got it up and running? Thanks.

Thats because you should enter the key in hexadecimal, instead of relying on different vendors half assed attempts in generating keys from a passphrase, to protect the consumer from actually using their systems with hardware of their own choice.

Dutch