mailing list archives
RE: wireless security question.
From: "Tim V - DZ " <iceburn () dangerzone com>
Date: Wed, 19 Feb 2003 13:44:23 -0600
Totally agreed. WEP is wired equivalency...it's just a deterrent, most
don't realize that.
1) lock down the AP as tight as you can then make the AP's IP
non-routable, on it's own network that can't make it past the firewall,
put it in a DMZ, pick-your-poison, etc. Then use your authenticated VPN
to tunnel "through" the AP to a 'real' network. DHCP and like have a
way with not working with this kind of setup
6) Rapid re-keying and the like are typically vendor implemented...ie
not standard and typically based on a per brand per hardware instance.
Look at PEAP for cisco and Rapid-Rekeying for Enterasys. The later is
probably more what you're looking for.
From: paul van den bergen [mailto:pvandenbergen () swin edu au]
Sent: Wednesday, February 19, 2003 12:45 AM
To: security-basics () securityfocus com
Subject: wireless security question.
There has been much debate recently in my circle about wireless
etc. and especially related to the supposed vulnerability of APs to
eg. reports that a large % (40%???) do not have WEP enabled. (my
that these are likey the smart ones who realise that WEP breaking is
and turn it off as a waste of time...)
as far as I can see, it breaks down like this. You can have wireless
that have WEP off and they cover three basic types
1) Folks who rely on other security measures - IPsec being the most
2) folks who want unrestricted public access - eg. public wireless
communities, isolated PCs/LANs with no further connectivity. (really a
of 1 I suppose - security not needed because physically isolated, or in
other way limited - eg. bandwidth limited)
3) people who have no clue. (and obstrefication is no security at all -
as security feature? come on!)
with WEP on, I figure that there are 3 classes of sites
4) see three
5) 128 bit WEP on as deterent. is it worth the effort - low security
requirements. somewhat 404 (see 3), but not too bad if you know what
6) 128 WEP + regular key update. with or without IPsec.
My questions relates to scenario 1 and 6, to me the interesting ones.
In the case of 1) how would one stop external users using the APs as
In the case of 6) how does one distribute the WEP keys at each update?
Dr Paul van den Bergen
Centre for Advanced Internet Architectures
pvandenbergen () swin edu au
It's a book. Non-volatile storage media. Everyone should have one.