WEP - stil insecure?

Just t make sure I am not missing something, I thought I'd throw out these questions...

Is WEP still as insecure as it was reported to be circa 2001?

What if you have WEP into a network that requires logging in to the server (like a 2003 Windows server) - is WEP still an issue?

Can you "make WEP secure"?

Is there any valid reason to use WEP in a business environment?

Thanks!

jim

Reply to
jim
Loading thread data ...

No WEP 256 and WEP 512 bits are still secure here.

Reply to
F8BOE

I always find it interesting in these discussions - here and elsewhere - that folks are always saying that WEP is not secure... My question is - from whom ???

How many "posters" that mention this have actually hacked a WEP network ? I mean, I can drive around and see over a dozen APs in my neighborhood, and sometimes try and connect to the ":unprotected" ones... For those that have WEP, I don't even bother - not really interesting in actually putting forth the time and effort "to say I can do it". Others may be more dedicated.

SO - for me - at home - I run MAC address filtering -

At our local school district, and at work I think they are running "something", but never really looked to see.... WEP, WPA, etc

You might have a more dedicated audience at these locations, that really want to get into the network - and therefore Wxx security might be justified.

Reply to
ps56k

Given that no one ever bothered fixing what was wrong with it, yes.

See the answer to your first question.

In a word, no.

Maybe if the business is about to go down the tubes and you'd like to rid yourself of it while at the same time ripping off your insurance company...but then again, an insurer dumb enough to keep a business that's still using only WEP covered probably has it coming.

Bottom line: If there's anything behind your access point that's worth anything to anyone else, you need to upgrade your equipment to at least the capability to use WPA.

Reply to
Jonathan L. Parker

Worse. There have been some new tools developed that crack WEP in a few seconds.

However, there are some proprietary band-aid's to WEP that partly fix the problem. WEP Plus, Dynamic WEP and WEP2 are some fixes. See:

The problem is that the vendors of commodity hardware have not been very good about admitting that they use one of these band-aid's. They don't want to admit that their WEP is broken, so they don't admit that they've fixed it. Kinda dumb, methinks.

It's an improvement, but not good enough. Someone can still sniff the traffic if they can recover the WEP key.

Not me. However the Wi-Fi Alliance has released WPA and WPA2, which were specifically designed to fix the problems inherent in WEP.

Yes. Ancient hardware and operating systems that do not support WPA. It's only slightly better than no-encryption, but should be sufficient to stop casual wireless "tourists" and accidental wireless connections. For real security in a business environment, look into running a VPN connection. You can do that even with an unencrypted network as the traffic is password authorized, authenticated, encrypted, and not sniffable.

Reply to
Jeff Liebermann

Hi From the weakest to the strongest, Wireless security capacity is. No Security MAC______(Band Aid if nothing else is available). WEP64____(Easy, to "Break" by knowledgeable people). WEP128___(A little Harder, but "Hackable" too). WPA-PSK__(Very Hard to Break). WPA-AES__(Not functionally Breakable) WPA2____ (Not functionally Breakable). Note 1: WPA-AES the the current entry level rendition of WPA2. Note 2: If you use WinXP and did not updated it you would have to download the WPA2 patch from Microsoft.

formatting link
documentation of your Wireless devices (Wireless Router, and Wireless Computer's Card) should state the type of security that is available with your Wireless hardware. All devices MUST be set to the same security level using the same pass phrase. Therefore the security must be set according what ever is the best possible of one of the Wireless devices. I.e. even if most of your system might be capable to be configured to the max. with WPA2, but one device is only capable to be configured to max . of WEP, to whole system must be configured to WEP. If you need more good security and one device (like a Wireless card that can do WEP only) is holding better security for the whole Network, replace the device with a better one. Setting Wireless Security -
formatting link
Core differences between WEP, WPA, and WPA2 -
formatting link
(MVP-Networking).

"jim" wrote in message news:VZD%j.7618$ snipped-for-privacy@bignews2.bellsouth.net...

Reply to
Jack (MVP-Networking).

WPA with tkip (as opposed to aes) was written so that it could be installed as a software upgrade to existing hardware running wep whereas aes required different hardware. So in that respect wep can be made more secure except it's not called wep anymore. It's called wpa.

More accurately, "can hardware running wep be made more secure"? Yes.

Jim.

Reply to
James Egan

And that's wep's biggest plus point. There are enough completely open networks to hack into that it's too much hassle to hack into a wep encrypted one albeit very easy and automated these days. Also the people who have open networks are more likely to be lax on file sharing security too.

That hardly makes wep secure, though.

Jim.

Reply to
James Egan

Is all WEP hardware upgradable or do you just have to look to each vendor to find out?

Reply to
jim

WEP is not secure - period.

Right now, it's more secure than a completely unsecured network, and that's the best that you can say for it. As completely unsecured networks become rarer - and in some neighbourhoods, that's happening - networks "secured" by WEP will become more interesting to malicious users.

You're right, not every wardriver wants to hack into your network. But all that it takes is one. It's a risk, like everything. As WPA / WPA2 use becomes more common, WEP will become more popular with the kidz. A 30 second hack will become 15 seconds, then 5 later.

There's no law that requires most businesses to use WPA. I'm not sure that the US Govt standards HIPAA, SOX, etc, even explicitly require such. I do know, though, that the principle of "due diligence" encourages us to require WPA whenever possible.

And so we will recommend WPA /WPA2. You're welcome to do as your heart leads you.

Reply to
Chuck [MVP]

I suppose there must be exceptions somewhere along the line, but that was the plan in developing wpa tkip. it uses a stream cipher just like wep but beef's up on some of wep's vulnerabilities.

In reality the issue isn't "is my wep hardware upgradeable?" but "could the manufacturer be bothered writing software upgrades for legacy equipment?". It probably is upgradeable but maybe doesn't have an upgrade available. At the end of the day it amounts to the same thing. The continued use of wep.

You may find that some "new" hardware has been boxed up for so long that the initial installation only supports wep. That's usually just a matter of visiting the manufacturer's website for a software upgrade. For the real legacy stuff, I think they would prefer to give you an incentive to buy some new equipment and save themselves some work in the process.

Jim.

Reply to
James Egan

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.