Welcome to the MacNN Forums.


How safe is WEP (64 & 128 bit)?
Mac Elite
Join Date: Sep 2002
Location: Oakland, CA
Feb 7, 2003, 01:44 AM
 
I mean is it really safe? Is it enough?
     
Senior User
Join Date: Aug 2000
Location: Ancaster, Ontario, Canada
Feb 7, 2003, 08:33 AM
 
     
Dedicated MacNNer
Join Date: Mar 2002
Feb 7, 2003, 10:11 AM
 
It's better than nothing. Thankfully it's due to be replaced soon.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 7, 2003, 04:22 PM
 
The good news is that, even before the new IEEE 802 standard for wireless security comes out, and even before the WiFi Alliance's Wireless Protected Access (WPA) comes out, there are things you can do to help keep your network as secure as possible.

First, use 128 bit encryption. It is much harder to break than 64 bit encryption. Second, you'll want to change your keys regularly. I typically recommend changing them every month, and using your ISP's bill (or the light bill, or whatever) as a reminder. Generating hex keys is pretty simple - I use a combination of Internet random number generators and randomly selected phone numbers from a local phone book. You just need to get 26 hex digits for a key, so that's not too difficult. Whenever possible, disable SSID broadcast (I'm not sure which versions of the Admin Utility allow you to do this; I use a Linksys access point), so that the bad guys won't have a "neon sign" to lead them to your network. Finally, whenever possible, use MAC address filtering - this allows you to let in only those network devices (each has a unique Media Access Control address) that you select.

It sounds like a lot of work, but it isn't really, and it'll keep you from providing Internet service to unknown individuals who could be sending who knows what out into the world using your network, address, ISP, and maybe even your user identity.
Glenn -----
OTR/L, MOT, Tx
     
Mac Elite
Join Date: Sep 2002
Location: Oakland, CA
Feb 8, 2003, 12:46 AM
 
yeah...I am having problems with my WEP right now, it seems like after I turn it on, Airport doesn't pick up the signal anymore.

But right now, I just have MAC filtering on.

That should be good right? I mean if you aren't on the list then you can't get in.
     
Mac Elite
Join Date: May 1999
Location: San Jose, CA
Feb 8, 2003, 03:28 AM
 
Originally posted by ae86_16v:
yeah...I am having problems with my WEP right now, it seems like after I turn it on, Airport doesn't pick up the signal anymore.

But right now, I just have MAC filtering on.

That should be good right? I mean if you aren't on the list then you can't get in.
Many wireless card drivers, especially those in the Linux world, let you override the MAC address used by the card.

It's a simple matter to find a MAC address that is permitted by the base station and set your card to that. So, no, MAC filtering is not sufficient.
Gods don't kill people - people with Gods kill people.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 8, 2003, 08:59 AM
 
Besides the MAC spoofing issue, without any encryption, anyone with an interest can view everything that goes between your computer and your base station. That includes credit card numbers, email addresses, Social Security numbers...

If you stop getting a connection when you enable WEP there are two major culprits to look at. The first is the WEP key - make sure that it is identical between the computer and the base, and entered in the same format. You can enter the same data in one format on one (say ASCII), and a different format on the other (say hex) and though they look the same they won't talk. The second is evaluating the other WEP settings. Everything must be exactly the same - key length, the selection of what sort of encryption (mandatory, none, both) has to be the same (use mandatory), etc.

It's involved, but not really hard. It just takes some time and organization to get everything set up.
Glenn -----
OTR/L, MOT, Tx
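The key-entry points from the two posts above (26 hex digits for a 128-bit key, and ASCII versus hex entry producing keys that do not match), as an added example that is not part of the original thread: it draws a key from the operating system's random generator and compares what each side's entry becomes as raw bytes. The function names and sample entries are constructed for illustration.

```python
import secrets
import string

# Secret-key sizes in bytes: "64-bit" WEP carries 40 secret bits, "128-bit" carries 104.
WEP_SECRET_BYTES = {64: 5, 128: 13}


def generate_wep_key(bits: int = 128) -> str:
    """Return a fresh key as hex digits (26 for 128-bit, 10 for 64-bit) from the OS CSPRNG."""
    return secrets.token_hex(WEP_SECRET_BYTES[bits]).upper()


def parse_wep_key(entry: str, fmt: str) -> bytes:
    """Convert what was typed into the raw key bytes that are actually used."""
    if fmt == "hex":
        cleaned = entry.replace(":", "").replace("-", "").replace(" ", "")
        if any(c not in string.hexdigits for c in cleaned):
            raise ValueError("non-hex character in a hex key")
        if len(cleaned) not in (10, 26):
            raise ValueError(f"hex key needs 10 or 26 digits, got {len(cleaned)}")
        return bytes.fromhex(cleaned)
    if fmt == "ascii":
        raw = entry.encode("ascii")
        if len(raw) not in (5, 13):
            raise ValueError(f"ASCII key needs 5 or 13 characters, got {len(raw)}")
        return raw
    raise ValueError("fmt must be 'hex' or 'ascii'")


def to_hex_entry(key: bytes) -> str:
    """Hex form of a key, for typing into a device that only accepts hex."""
    return key.hex().upper()


def compare_endpoints(base: tuple, client: tuple) -> str:
    """Each side is (entry, fmt). Return 'match' or the first reason they will not talk."""
    try:
        kb, kc = parse_wep_key(*base), parse_wep_key(*client)
    except ValueError as err:
        return f"invalid key: {err}"
    if len(kb) != len(kc):
        return "key length differs"
    if kb != kc:
        return "key bytes differ"
    return "match"


if __name__ == "__main__":
    print("new 128-bit key:", generate_wep_key(128))
    # Constructed entries: the same digits typed in two formats are different keys.
    print(compare_endpoints(("1234567890", "hex"), ("12345", "ascii")))
    # An ASCII key and its hex equivalent do match.
    print(compare_endpoints(("apple", "ascii"), (to_hex_entry(b"apple"), "hex")))
```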
     
Mac Elite
Join Date: Sep 2002
Location: Oakland, CA
Feb 9, 2003, 12:44 AM
 
I think something is up with the router.

Because I know I set it up correctly, but after some down time (like overnight) I reboot my computer and the Airport Card in my PB can't find the Network anymore.

The night before, I would be able to use the internet fine, with MAC filtering and WEP 128-bit on.

Maybe I should call tech support and ask them what's going on.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 9, 2003, 10:13 AM
 
Go for it! Get those tech support people to walk you through everything, and write it all down! If they don't convince you that there's a simple configuration problem, convince them to replace the box.
Glenn -----
OTR/L, MOT, Tx
     
Mac Elite
Join Date: Sep 2002
Location: Oakland, CA
Feb 9, 2003, 01:57 PM
 
Originally posted by GHPorter:
Go for it! Get those tech support people to walk you through everything, and write it all down! If they don't convince you that there's a simple configuration problem, convince them to replace the box.
Hahaha...yeah. We'll give them a call today.

Thanks for your help guys.
     
Professional Poster
Join Date: Feb 2001
Location: always on the sunny side
Feb 9, 2003, 07:43 PM
 
Originally posted by John Strung:
WEP will only stop casual hackers.

See:
http://www.pcmag.com/article2/0,4149,844020,00.asp

and

http://www.practicallynetworked.com/...ess_secure.htm
Thanks for the links. They helped me set up my wireless today.

All done in about an hour. Used 128-key WEP, MAC Authorization, and specific IP's. I think I'm pretty secure (he says somewhat confidently).

The only thing I couldn't do was shut off broadcast SSID. I changed the default name but I didn't see anything to turn it off completely. I don't see what changing the name does.
     
Mac Elite
Join Date: Sep 2002
Location: Oakland, CA
Feb 10, 2003, 03:05 PM
 
Originally posted by vmpaul:
Thanks for the links. They helped me set up my wireless today.

All done in about an hour. Used 128-key WEP, MAC Authorization, and specific IP's. I think I'm pretty secure (he says somewhat confidently).

The only thing I couldn't do was shut off broadcast SSID. I changed the default name but I didn't see anything to turn it off completely. I don't see what changing the name does.
Yeah, same thing here...I can't shut off the SSID either. I think GHPorter said you had to use the AirPort Admin Utility, but the thing is that my router (SMC Barricade Wireless) doesn't register it.

So I don't know.
     
Professional Poster
Join Date: Feb 2001
Location: always on the sunny side
Feb 10, 2003, 05:49 PM
 
Netgear MR814 here and Airport Admin app didn't register mine either.

Where's GHPorter when you need him?
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 10, 2003, 06:52 PM
 
Originally posted by vmpaul:
Where's GHPorter when you need him?
Trying to look up all those other wireless gadgets! Yikes, I think I've bashed a hornet's nest!

The quick answer is that not all access points let you turn off SSID broadcast, and sometimes it depends on the firmware you're using. My Linksys access point offers a little checkbox to turn it off, but that doesn't address the SMC or Netgear boxes. I didn't see anything in the SMC 7004VWBR manual about SSID broadcast (nobody mentioned which SMC model he had) nor in the MR814 manual, so I don't know that it is possible with these two boxes to turn off SSID broadcast.

I'm also not entirely sure you can turn off broadcast on an AirPort Base Station, since I don't have one here to play with.
Glenn -----
OTR/L, MOT, Tx
     
Professional Poster
Join Date: Feb 2001
Location: always on the sunny side
Feb 10, 2003, 10:40 PM
 
GHPorter you're a rock.

Thanks for the response. I'm going to e-mail Netgear tech Support to see what they say.

I'll let you know when or if I get an answer.
     
Posting Junkie
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Feb 10, 2003, 11:57 PM
 
Originally posted by GHPorter:
First, use 128 bit encryption. It is much harder to break than 64 bit encryption.
I thought this wasn't the case.

My understanding is the algorithm used in WEP is fine, it's the implementation that's munged. Doubling the key length only doubles the time to crack, whereas a proper implementation would (if I understand this right) square it.

I know from prior experience you knows your stuff, but my source on this is O'Reilly's 802.11 book.

Can someone smarter than me work this out?

     
Mac Elite
Join Date: Sep 2002
Location: Oakland, CA
Feb 11, 2003, 04:14 AM
 
GHPorter----> Thanks.

Yeah I am using the SMC7004VWBR Wireless.

Yeah, I've been looking around and it seems like I don't think you could turn it off.

Oh yeah, another thing: remember that problem I told you that I was having? With it not logging on after it has been idle for a few hours. Apparently it went away, now all I gotta do is click under the airport icon in my Menu and switch it over to my Wireless Network and everything works. Before it just didn't show up.

Anyways, thanks a lot for your input.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 11, 2003, 10:21 AM
 
Originally posted by subego:
I thought this wasn't the case.

My understanding is the algorithm used in WEP is fine, it's the implementation that's munged. Doubling the key length only doubles the time to crack, whereas a proper implementation would (if I understand this right) square it.

I know from prior experience you knows your stuff, but my source on this is O'Reilly's 802.11 book.

Can someone smarter than me work this out?

The term implementation in this context is a little odd. When they planned out the encryption scheme for WEP, they based it on the RC4 stream cypher, which had not been broken and looked solid. They thought their key derivation plan was a great advance. Wrong. It was actually fairly easily broken, particularly with short key lengths.

As for complexity vs. key length, "64-bit" WEP uses 24 automatically generated "initialization vector" bits and 40 "secret" key bits. "128-bit" WEP still uses 24 initialization vector bits, but 104 secret bits. (The weakness in WEP is specific to how the initialization vector bits are derived.) As a result, while 64-bit WEP has a complexity of 2^40, 128-bit WEP's complexity is 2^104, and is thus much more difficult to break.

A good discussion of the subject is here, and here is WECA's take on wireless security as it stands today. Improvements and replacements are in the works, but it still comes down to how the user can protect his or her network today. Since so many people just don't bother with any form of security (great big, resigned sigh...), just using the best of what you've got makes you far more secure.
Glenn -----
OTR/L, MOT, Tx
     
Posting Junkie
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Feb 11, 2003, 11:40 AM
 
Originally posted by GHPorter:
As for complexity vs. key length, "64-bit" WEP uses 24 automatically generated "initialization vector" bits and 40 "secret" key bits. "128-bit" WEP still uses 24 initialization vector bits, but 104 secret bits. (The weakness in WEP is specific to how the initialization vector bits are derived.) As a result, while 64-bit WEP has a complexity of 2^40, 128-bit WEP's complexity is 2^104, and is thus much more difficult to break.
I'm totally willing to take your word, but neither of the links really addresses this, and it's in direct conflict with what I'm reading here.

Hell, I'll quote:

"It is interesting to note that the number of weak keys depends partly on the length of the RC4 key used. If the WEP key size is increased for added protection the weak key net pulls in more data for the attack. Most commercial products use a 128-bit shared RC4 key, so there are more than twice as many weak IVs."

"Furthermore, and perhaps worst of all, the attack gains speed as more key bytes are determined; overall, it works in linear time. Doubling the key length only doubles the time for the attack to succeed."

802.11 Wireless Networks: The Definitive Guide
Matthew S. Gast
O'Reilly & Associates



P.S. Feel free to tell me to fsck-off, I know you're not my personal network tutor

     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 12, 2003, 03:00 PM
 
Originally posted by subego:
I'm totally willing to take your word, but neither of the links really addresses this, and it's in direct conflict with what I'm reading here......P.S. Feel free to tell me to fsck-off, I know you're not my personal network tutor

I agree with Mr. Gast to a point. The problem is that he doesn't mention the risk assessment that must go along with the possibility of compromise. The attack he describes is a real threat, but it requires the collection of a lot of data and a lot of processing power to crunch what's collected. The implementation he's referring to is how the Initialization Vector is selected, and how it's sent - in the clear in some situations. The IV is far too short for real security, and if it's in the clear, it can be easily collected and studied. Since the IV is so short, the same data will be reused eventually, so if the attacker can collect enough packets, he can analyze the repeated IVs and derive the key.

On the other hand, this is a very advanced attack, and would require significant amounts of traffic to be both intercepted and saved. It only works if the network's WEP keys stay the same for a long time, and of course is overcome as soon as you change the key that the attacker is trying to break. A home network is usually "small pickings" for an attacker with the sophisticated knowledge and tools necessary to mount this attack.

If you're dealing with really sensitive information (bank-level financial data, medical records, trade secrets, etc.) you should be using a VPN between your computer and the distant end, and the encryption used in VPNs is significantly stronger than WEP. The worst that the attack in question would compromise is that the user is running a VPN connection.

On the third hand, if all you're doing is ordering your new PowerBook with your credit card, then using the strongest WEP you can will keep the casual attacker at bay. While it's possible to break WEP, even at 128 bits, it ain't easy without the right tools and training. Joe Attacker down the street is not going to be able to collect your credit card number, and will probably just move on to watch your neighbor's porn downloads.
Glenn -----
OTR/L, MOT, Tx
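The IV reuse described in the post above, as an added example that is not part of the original thread: a simplified WEP-style encapsulation (RC4 keyed with the 24-bit IV followed by the secret, key-ID byte omitted) showing that two frames sent under the same IV share a keystream whatever the secret's length. The keys, IVs and payloads are constructed, and the collision estimate assumes IVs are picked at random.

```python
import zlib
from math import exp


def rc4(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # keystream output
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """Simplified frame body: cleartext IV, then RC4(IV || secret) over payload + CRC-32."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("IV is 24 bits; secret is 40 or 104 bits")
    data = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(data, rc4(iv + secret, len(data)))


def plaintext_xor_leaks(secret: bytes, iv1: bytes, iv2: bytes) -> bool:
    """True if XORing two ciphertexts cancels the keystream and yields p1 XOR p2."""
    p1 = b"GET /index.html "          # constructed payloads of equal length
    p2 = b"POST /login.cgi "
    c1 = wep_encrypt(iv1, secret, p1)[3:]
    c2 = wep_encrypt(iv2, secret, p2)[3:]
    return xor(c1, c2)[:len(p1)] == xor(p1, p2)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday estimate of any repeated IV among `frames` frames (assumes random IVs)."""
    return 1.0 - exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))


if __name__ == "__main__":
    key40 = bytes.fromhex("0102030405")                      # constructed keys
    key104 = bytes.fromhex("0102030405060708090a0b0c0d")
    same, other = b"\x00\x00\x2a", b"\x00\x00\x2b"
    for name, key in (("40-bit", key40), ("104-bit", key104)):
        print(name, "same IV leaks:", plaintext_xor_leaks(key, same, same),
              "| different IV leaks:", plaintext_xor_leaks(key, same, other))
    for frames in (1000, 5000, 20000):
        print(frames, "frames -> P(repeated IV) ~",
              round(iv_collision_probability(frames), 3))
```

The longer secret changes nothing in the same-IV case, which is why the replacement protocols changed the per-packet keying rather than only lengthening the key.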
     
Posting Junkie
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Feb 12, 2003, 03:41 PM
 
Originally posted by GHPorter:
I agree with Mr. Gast to a point. The problem is that he doesn't mention the risk assessment that must go along with the possibility of compromise. The attack he describes is a real threat, but it requires the collection of a lot of data and a lot of processing power to crunch what's collected...

On the third hand, if all you're doing is ordering your new PowerBook with your credit card, then using the strongest WEP you can will keep the casual attacker at bay. While it's possible to break WEP, even at 128 bits, it ain't easy without the right tools and training. Joe Attacker down the street is not going to be able to collect your credit card number, and will probably just move on to watch your neighbor's porn downloads.
I guess the idea is, since WEP-128 isn't really that much harder to break than WEP-40, just use WEP-40. It's more compatible, and has the same level of deterrence for the casual intruder. IIRC this is essentially Gast's recommendation. Use WEP-40, or, as you stated, VPN into your network through your Wi-Fi connection.

Which you should have to do anyways because your Wi-Fi access point is outside your firewall now... right people?
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 13, 2003, 07:46 AM
 
From a brute force, realtime point of view, 128-bit encryption is still a lot harder to break than 64-bit encryption, so I "use a good lock," even though I know there are attackers that can break everything I have. More complex encryption deters all attackers, though there are some that will still attack. Further, by taking every precaution you can, you put yourself in the best position you can. For example, if your credit card number is stolen, your card company could suggest that you weren't as careful as you could have been with securing it - unless you can show that you've used every precaution available.

Further, there aren't any real compatibility issues with 128-bit WEP, merely differences in the WEP key entry interface between different vendors. Apple seems to have been the odd player with its interface, but the latest versions seem to have overcome that.

Finally, there's a major difference between the protection you can get from your firewall and the protection you can get from securing your wireless network. The firewall keeps probes and hackers from being able to mess with your computers, but doesn't address the wireless links within your network. You protect those links by MAC address filtering (which allows only designated wireless network cards from joining your network) and using WEP, thus denying interactive access and protecting your traffic as much as possible.
Glenn -----
OTR/L, MOT, Tx
     
Professional Poster
Join Date: Feb 2001
Location: always on the sunny side
Feb 13, 2003, 01:04 PM
 
Originally posted by subego:

Which you should have to do anyways because your Wi-Fi access point is outside your firewall now... right people?
I asked this on another thread but never got an answer. Excuse me if this is too basic but...

If I have one router that serves as a wired port and as a wireless access point are my wired computers still behind my router's firewall? And are my communications with my 'wired' computers susceptible to being 'sniffed' if someone is on my wireless LAN?
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 14, 2003, 06:26 PM
 
Originally posted by vmpaul:
If I have one router that serves as a wired port and as a wireless access point are my wired computers still behind my router's firewall? And are my communications with my 'wired' computers susceptible to being 'sniffed' if someone is on my wireless LAN?
From the Internet side, all your computers are "behind the firewall;" they cannot be easily messed with from the Internet. However, if you don't take care to protect the wireless segment of your network (restrict shared resources with passwords, limit wireless members to specific MAC addresses, use the strongest WEP/WEP replacement you can), then the whole network is subject to being probed, intercepted (at least anything connecting to the wireless computers), spoofed, hacked, etc.

Sure, WEP ain't a vault door, but it beats using nothing. New protocols due out soon should tighten the control you have through using WEP, and at least one of them (it's called WEP Protected Access or WPA) is supposed to be retrofittable through firmware. (soapbox)If we aren't letting Apple know we want even the oldest AirPort cards to have this protection yet, we're way behind! (/soapbox)

Does that answer your question?
Glenn -----
OTR/L, MOT, Tx
     
Professional Poster
Join Date: Feb 2001
Location: always on the sunny side
Feb 14, 2003, 08:42 PM
 
I think so. Sorry GHPorter, I don't mean to be dense.

Let me summarize. My router acts as a firewall coming from the Internet side (to both wired & wireless machines) but not as a firewall to my wired computers coming through the wireless side. Is that correct?

In other words, if someone was able to gain access to my network wirelessly then they would be able to 'sniff' traffic from all machines (both wired & wireless). The router does not act as a firewall coming from the wireless side protecting my wired computers.

Even though I'm just assuming my router is acting as a firewall in the first place. I can find nothing in the setup page that states so specifically. It's a Netgear MR814.

And just to state, I'm using all the safeguards you've mentioned here and in previous posts. I've changed my router's default SSID name, using 128-bit WEP, and using MAC Address limiting. I'm also planning on changing my 128-bit key every month.

Plus, I have only one wireless client and I would think there wouldn't be enough traffic to 'sniff' for even the most determined hacker.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 15, 2003, 12:11 AM
 
You are correct in just about everything. The only thing I don't go along with is that having only one wireless client means there won't be much traffic to sniff - I think any unprotected traffic is "enough to sniff." On the other hand, you've done everything to make it difficult to intercept your traffic, so your network will likely be bypassed by the wardrivers and the curious.

As far as I know, the Netgear MR814 does include a NAT firewall.
Glenn -----
OTR/L, MOT, Tx
     
Professional Poster
Join Date: Feb 2001
Location: always on the sunny side
Feb 15, 2003, 12:11 PM
 
Thanks GH. You've been really helpful as I went through this process.

Hopefully, I can help you out someday or someone who has even less experience than I do (that's not likely though).
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 15, 2003, 04:07 PM
 
Cool. Glad I could help you out. It's a philosophy called "pay it forward." I like spreading it around, and it sounds like you're a new convert.
Glenn -----
OTR/L, MOT, Tx
     
Mac Elite
Join Date: Sep 2002
Location: Oakland, CA
Feb 19, 2003, 02:04 AM
 
Just to let everyone know...

If you go into System Preferences/Network/AirPort

And underneath the AirPort tab, you could select "Join most recently used available network" and "Remember network password".

Now every time I boot up the computer everything seems to go through fine.
     
   