
BLU Discuss list archive



Wireless ethernet?



Mike,

If the underlying cryptography were secure, it would provide some
amount of link-level privacy as well as link-level authentication.

IPsec and SSH do as good a job at keeping nosy people out of your
network.  The way I would do it for a corporate LAN (and I know of
some companies that do it this way) is to have two networks, a wired
network and a wireless network.  Keep the wireless network "outside
the firewall" (note: I disbelieve in firewalls, cf. my BLU talk
about 5 years ago ;)

In order to get onto the corp. net and reach the corp. assets online,
a user would have to 'VPN' from the wireless to the wired network via
IPsec.  Then all wireless corporate traffic would be protected.

The problem is that WEP does not prevent someone from being nosey.
If I wanted to listen in to your network, I just sit outside in your
parking lot for a couple hours and then I obtain your WEP key.  Tada.
I'm now on your network.

WEP does not protect two adjacent networks, either.  Indeed it was
never meant for that.  That's what the SSID is for!  Set your network
name to something sane, and clients can connect to network 'A'
vs. network 'B'.  Tada.  Network separation.

I know of no incompatibilities with wireless hardware when WEP is not
in use.  The IETF (and many other conferences) certainly shows that
MANY people can use many different pieces of hardware and it will all
work together (without WEP).

-derek

Michael Bilow <mike at bilow.com> writes:

> I am not sure I share your view completely.  From a technical perspective,
> you are absolutely right: it has been well known for a while that WEP has
> severe vulnerabilities, and that they amount to near-total compromise.  
> For some discussion, see:
> 
> 	http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
> 
> However, WEP is useful for keeping nosey people out of your network, or
> preventing confusion between neighboring networks.  With an understanding
> of its security vulnerabilities, I think it still has some use.
> 
> WEP does effective authentication in the sense that, if the underlying
> cryptography were secure, then any participant in a WEP LAN would be at
> least known to be a friend rather than a foe.  This is not the main
> purpose of WEP and is really more of a side effect.
> 
> I brought up the WEP subject only as an example of incompatibility between
> different models of wireless LAN hardware from the same manufacturer.  
> You were right to point out that WEP is now generally regarded as
> insecure.  This is an especially nasty problem, really a cryptographer's
> worst nightmare, because so many people now have investments in hardware
> with a known vulnerability and they will likely keep using it forever.
> 
> -- Mike
> 
> 
> On 2001-08-13 at 10:30 -0400, Derek Atkins wrote:
> 
> > No, WEP does no such thing.   Consider that your whole system, and
> > all users, have to share a single WEP key...    No, there is
> > no authentication.  And yes, WEP _DOES_ encrypt the on-the-airwaves
> > data, but does so in a broken way that allows someone to derive
> > your actual WEP key.  Once I have your WEP key, I'm on your wireless
> > network....  This implies that it's safer to not trust your wireless
> > network in the first place.
> > 
> > In other words, keep your wireless network "open" and use real
> > encryption/authentication technologies to let users access your
> > network services.
> > 
> > -derek
> > 
> > David Kramer <david at thekramers.net> writes:
> > 
> > > On 13 Aug 2001, Derek Atkins wrote:
> > > 
> > > > Don't use WEP.. It's broken, completely.  If I can _hear_ your
> > > > base station I can break your keys in a matter of minutes (well,
> > > > after I 'hear' a few million packets, but that only takes an hour
> > > > or so on a busy LAN).
> > > >
> > > > WEP is broken.  You might as well keep it off and just use IPsec
> > > > and ssh.
> > > 
> > > I'm more-than-new to this (I have ordered, but not received, my wireless
> > > gear), but isn't the purpose of WEP to authenticate the client, not
> > > encrypt the connection?  I can't vouch for how crackable WEP is, but using
> > > ssh over wireless does not help authenticate the client, so it's not
> > > really a substitute.
> 
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
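
The layout described in the message above (wireless segment kept outside the firewall, IPsec required to reach the wired network), sketched as an nftables ruleset for the gateway between the two segments. This is an added example, not part of the original thread; the interface names `wifi0` and `eth0` and the policy-based IPsec setup on the gateway are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original post. Assumptions:
#   wifi0 = interface facing the wireless segment (treated as untrusted)
#   eth0  = interface facing the wired corporate LAN
#   This host terminates policy-based IPsec tunnels from wireless clients,
#   so decapsulated packets still show wifi0 as their input interface.
flush ruleset

define WIFI_IF = "wifi0"
define LAN_IF  = "eth0"

table inet wireless_edge {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept

        # From the wireless side, only IPsec negotiation and transport
        # reach the gateway: IKE (UDP 500), NAT-T (UDP 4500) and ESP.
        iifname $WIFI_IF udp dport { 500, 4500 } accept
        iifname $WIFI_IF meta l4proto esp accept

        # Management of the gateway itself from the wired side only.
        iifname $LAN_IF tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # A packet that arrived on the wireless interface is forwarded to
        # the wired LAN only if it was decapsulated from an IPsec SA.
        iifname $WIFI_IF oifname $LAN_IF meta ipsec exists accept

        # Anything else from wireless is logged and dropped, whether or
        # not WEP is enabled on the access points.
        iifname $WIFI_IF log prefix "wifi-cleartext-drop: " drop
    }
}
```

Access control here depends on each client's IPsec credentials rather than on a key shared by every station, so the log prefix gives a direct signal of hosts on the wireless segment trying to reach the wired network without a tunnel.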




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
