Jon Smith wrote:
> Hi
> I am responsible for a large wireless infrastructure upgrade. Right
> now my plan is to use PEAP w MSCHAP v2 with dynamic WEP crypto for my
> corporate SSID (I have others with much lower security requirements).
> I cannot easily go to WPA without ditching all my current devices that
> do not support it (good luck getting that past the CFO). We have a
> lot of physical security and surveillance with very tight controls, my
> primary area of concern would be people like myself sitting in the
> parking lot. Due to one of our applications, we will be sending a
> clear strong signal to the parking lot. Is this enough security and
> encryption to significantly slow intrusion attempts? Between
> direction finding capabilities of the Access Points and our roaming
> guards it would be a matter of time before we detected them.
>
> Thanks
>
> Rocko
>
All wireless networks are public and should be treated as such.
Two things to consider:
1) Even with a dynamically generated WEP key you're still vulnerable to
active attacks that can force the generation of lots of traffic and/or
just mess with your network. See http://www.securityfocus.com/infocus/1824
2) If you can access from the parking lot with a regular laptop you can
access from the next town with a parabolic antenna. Unless your guards
roam huge distances you won't be able to protect the signal. - See
http://www.radiolabs.com/products/antennas/2.4gig/stage4.php
Suggestion: forget WEP - get a good ipsec based vpn system, put the
access points on a DMZ lan and require use of the VPN client to get
access to anything other than a "help page" web server.
Received on Mar 22 2005
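
The layout suggested in the reply above (access points on a DMZ LAN, only IPsec and a "help page" web server reachable), sketched as an added example that is not part of the original thread: a shell function that prints an iptables-restore ruleset for a Linux firewall between the wireless DMZ and the internal network. The interface name, the addresses, the choice of iptables, and the assumption that the VPN gateway reaches the LAN through its own inside interface are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Interface name and addresses are
# assumed; the VPN gateway reaches the LAN through its own inside interface.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# wlan_dmz_rules WLAN_IF VPN_GW HELP_SRV: print an iptables-restore ruleset.
wlan_dmz_rules() {
    wif=$1 vpn_gw=$2 help_srv=$3
    case "$wif" in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    if ! is_ipv4 "$vpn_gw" || ! is_ipv4 "$help_srv"; then
        echo "bad IPv4 address" >&2; return 1
    fi
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Wireless clients never talk to the firewall itself.
-A INPUT -i $wif -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IPsec to the VPN gateway: IKE (500/udp), NAT-T (4500/udp), ESP.
-A FORWARD -i $wif -d $vpn_gw -p udp -m multiport --dports 500,4500 -j ACCEPT
-A FORWARD -i $wif -d $vpn_gw -p esp -j ACCEPT
# The only cleartext service: the "help page" web server.
-A FORWARD -i $wif -d $help_srv -p tcp --dport 80 -j ACCEPT
# Everything else from the wireless side is logged and dropped.
-A FORWARD -i $wif -m limit --limit 6/min -j LOG --log-prefix "wlan-dmz-drop: "
-A FORWARD -i $wif -j DROP
COMMIT
EOF
}

# Print the ruleset when called as: script WLAN_IF VPN_GW HELP_SRV
if [ "$#" -eq 3 ]; then wlan_dmz_rules "$@"; fi
```

The output can be checked with `iptables-restore --test` before loading; DHCP and DNS for wireless clients are assumed to be served inside the DMZ and are not covered by these rules.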