
Is WEP the most secure encryption in wireless network security?


stru...@gmail.com

Sep 27, 2005, 4:00:41 PM
In terms of wireless network security, is WEP encryption the
most secure choice?

I am the home user, and have multiple machines connect to
the wireless router inside the house. I worry about the
wireless security and people can hack the machines.

There are choices such as WEP 64 bits, WEP 128 bits, and PSK.
I chose WEP 128 bits but not sure if this is the most
secure choice.

Any other suggestions to make the wireless network more secure?

Please advise. thanks!!

Jerry Park

Sep 27, 2005, 4:15:04 PM
stru...@gmail.com wrote:

WEP is flawed. Anyone with the proper tools and time can break it.

WPA is considered very secure if you use a good passphrase. Either TKIP
or AES (WPA2).

Unruh

Sep 27, 2005, 4:46:20 PM
stru...@gmail.com writes:

>In terms of wireless network security, is WEP encryption the
>most secure choice?

No, it is not. WPA is more secure. WEP is breakable with sufficient captured
traffic.

>I am the home user, and have multiple machines connect to
>the wireless router inside the house. I worry about the
>wireless security and people can hack the machines.

Yes, they can.
Make your essid hidden, so that the outsider has to try to figure out
what your essid is to connect. Then make sure you have some encryption
configured. If you are worried, make sure that the key is changed
periodically.

David Taylor

Sep 27, 2005, 5:55:17 PM
> Make your essid hidden, so that the outsider has to try to figure out
> what your essid is to connect. Then make sure you have some encryption
> configured. If you are worried, make sure that the key is changed
> periodically.

No point in hiding the SSID if it's intentional intruders that are a
worry, they'll just run Kismet and immediately find it.

Similarly, WEP is equally pointless for deterring intentional intruders.


Llanzlan Klazmon

Sep 27, 2005, 6:30:21 PM
Jerry Park <NoR...@No.Spam> wrote in news:pJh_e.656$Qb6.412
@bignews6.bellsouth.net:

> stru...@gmail.com wrote:
>
>>In terms of wireless network security, is WEP encryption the
>>most secure choice?
>>
>>I am the home user, and have multiple machines connect to
>>the wireless router inside the house. I worry about the
>>wireless security and people can hack the machines.
>>
>>There are choices such as WEP 64 bits, WEP 128 bits, and PSK.
>>I chose WEP 128 bits but not sure if this is the most
>>secure choice.
>>
>>Any other suggestions to make the wireless network more secure?
>>
>>Please advise. thanks!!
>>
>>
>>
> WEP is flawed. Anyone with the proper tools and time can break it.

Yes and not much time either. Say around two minutes max.

>
> WPA is considered very secure if you use a good passphrase. Either TKIP
> or AES (WPA2).

Much stronger than WEP. Probably fine for most purposes.

Klazmon.



johnny

Sep 27, 2005, 7:59:54 PM

WEP isn't recommended but it's better than no encryption. It would be best
to use WPA or WPA2 encryption instead.

James Knott

Sep 27, 2005, 10:12:56 PM
stru...@gmail.com wrote:

WEP will only stop casual intruders. With sufficient data, it can be
broken. WPA is more secure, however you may also want to use a VPN.

Postmaster

Sep 27, 2005, 11:38:35 PM

"James Knott" <james...@rogers.com> wrote in message
news:4aKdnUewnua1YaTe...@rogers.com...

1. Use WPA not WEP
2. Use a password that is at least 20 characters long.
( This will handle the weakness in WPA ... as per the latest
research on WPA :-)

or if you're wanting to up the security, you might want
to consider a VPN (with a digital certificate), or
a Radius authentication server (with digital certificates)

Enjoy
Postmaster


Jeffrey Goldberg

Sep 28, 2005, 12:14:09 AM
stru...@gmail.com wrote:
> In terms of wireless network security, is WEP encryption the
> most secure choice?

There is a very serious flaw in WEP which allows it to be cracked fairly
easily. If you have a choice between WEP and WPA go with WPA.

> I am the home user, and have multiple machines connect to
> the wireless router inside the house. I worry about the
> wireless security and people can hack the machines.

Thank you. You would be surprised at how many home users are
unconcerned about this sort of thing.

> There are choices such as WEP 64 bits, WEP 128 bits, and PSK.
> I chose WEP 128 bits but not sure if this is the most
> secure choice.

If PSK is shorthand for WPA-PSK (which it probably is) then that is the
best choice.

-j

stru...@gmail.com

Sep 28, 2005, 12:35:06 AM

Jeffrey Goldberg wrote:
> stru...@gmail.com wrote:
> > In terms of wireless network security, is WEP encryption the
> > most secure choice?
>
> There is a very serious flaw in WEP which allows it to be cracked fairly
> easily. If you have a choice between WEP and WPA go with WPA.
>

I am using linksys wireless router, and it doesn't support WPA, it has
WEP.
any ideas??

David Taylor

Sep 28, 2005, 4:36:38 AM
> I am using linksys wireless router, and it doesn't support WPA, it has
> WEP.
> any ideas??

None, shall we continue to guess *which* Linksys wireless router or are
you going to tell us? :)

David.

James Knott

Sep 28, 2005, 8:21:17 AM
Jeffrey Goldberg wrote:

> Thank you. You would be surprised at how many home users are
> unconcerned about this sort of thing.

I recently did a scan at a friend's home. There were 5 or 6 open WiFi
connections available and only a couple using encryption.

James Knott

Sep 28, 2005, 8:21:57 AM
stru...@gmail.com wrote:

> I am using linksys wireless router, and it doesn't support WPA, it has
> WEP.
> any ideas??

See if there's an update available. My SMC didn't originally support WPA,
but does now.

Unknown

Sep 28, 2005, 8:07:12 AM
stru...@gmail.com wrote:
>I am using linksys wireless router, and it doesn't support WPA, it has
>WEP.

Either upgrade the firmware so it does support WPA, or replace it with
a more modern one (WRT54G is nice, and around $60) that does support
WPA.

Postmaster

Sep 28, 2005, 8:52:21 AM

<stru...@gmail.com> wrote in message
news:1127882106.5...@g44g2000cwa.googlegroups.com...

If you go out to the Linksys web site, you can download
a newer version of the firmware for the box. This will
add WPA.

Other options:
1. Use a VPN (openvpn, poptop)
2. Use a Radius authentication server.
3. Use a different router.
4. Use this router as a front-end to another firewall,
so you'll have WiFi (public, and open, and also
have a secure private LAN).

Enjoy
Postmaster


Marc Schwartz

Sep 28, 2005, 9:13:47 AM

There are also three other things to do here, which will provide some
additional layers that someone would have to go through:

1. Properly configure a local firewall on your computers. The router
will provide protection from someone coming in via the hardwired ISP WAN
connection, but will not protect you from someone trying to do
computer-to-computer access via wireless.

2. Disable the ESSID broadcast on the WAP. This disables the ability for
someone to casually identify your WAP passively using common clients.
Also change the ESSID from the default to something that is not
associated with you or your location. The number of my neighbors who
have WAPs in their homes was easy for me to determine, including their
use of ESSID's that reflected their names or addresses or the defaults.
I have spoken to each.

3. Use MAC address filtering on the WAP, which links the WAP connection
to the physical ID's of the wireless NIC's on your computers. It is
possible to spoof MAC addresses, but it is one more thing for someone to
do to get into your network.

The key to security is layers. Do not depend upon a single protection
mechanism.

HTH,

Marc Schwartz

Sander

Sep 28, 2005, 10:28:50 AM
Marc Schwartz wrote:

> 1. Properly configure a local firewall on your computers

Good advice.

> 2. Disable the ESSID broadcast on the WAP.

Absolutely useless.
Casually connecting using common clients is already prevented even by
using only WEP.
This will not slow down people that really want to attack your network
at all.

> Also change the ESSID from the default

That's useful to prevent from accidentally associating with your
neighbour's network instead of your own if they buy the same brand access
point.
For security purposes again this is completely useless.

> 3. Use MAC address filtering on the WAP, which links the WAP connection
> to the physical ID's of the wireless NIC's on your computers. It is
> possible to spoof MAC addresses,

MAC address filtering is by far the easiest 'security measure' to
circumvent.

It can be useful to maybe alert an administrator or to log unregistered
MAC addresses that try to associate but that usually doesn't happen in
home situations.

If someone is actually capable of cracking WEP they will not have any
problem at all with any of the other mentioned "security layers" so
don't even bother.

As already mentioned:
Just use WPA, make sure you use a _long_ and _random_ key and don't
worry about the rest except the firewalls because it just doesn't add
anything useful.

Sander

Unruh

Sep 28, 2005, 11:02:37 AM
stru...@gmail.com writes:

wep is better than nothing. Remember that an attacker is going to have to
be located fairly near you ( but the house next door might be fine).
As I mentioned, hide the essid, make it complicated as well, so that the
attacker cannot guess it. Again security by obscurity, but that sometimes
works. If on the other hand you have issues that are worth thousands or
millions of dollars, buy a new wireless router that does support WPA, and
make sure that your connections are encrypted (ssh, VPN,...)

>any ideas??

stru...@gmail.com

Sep 28, 2005, 11:33:53 AM
I have Linksys Wireless-G USB Kit with SpeedBooster
(http://www.pcsforeveryone.com/product_info.php?products_id=20704),
which contains Linksys WRT54GS v2 router and Linksys WUSB54GS network
adapter.

Does it have WPA support?

WPA is the same as PSK? It has PSK-RADIUS, and RADIUS, which one is
better?

Ok, if someone really hacked my WEP key, then they can get in my
machine and steal things?

Please advise more...

Postmaster

Sep 28, 2005, 11:40:03 AM

"Marc Schwartz" <MSch...@mn.rr.com> wrote in message
news:fGw_e.75371$32.2...@tornado.rdc-kc.rr.com...

Gee guys, we forgot the big-ie...

Change the password on the router to something other
than "admin" :-)

-----------------
and of course one might consider hiding in a toxic cloud ...

Get another router with WAP, but hook up that old
beast to a separate computer that is infested with
viruses. Set it to channel 6, NO encryption, ESSID = linksys,
Enable DHCP, Don't connect to the net, just to the
honeypot/infested system, (change the password on the router),
Export plenty of Windows shares with read-only permissions.
( Not drive C )
and every few minutes send a Winpopup type message
to your guests... "Come on in, the water is fine"
And just let the invaders choke in a toxic cloud :-)

Then at the same time, on your new router..

1. Enable WAP (Use a 20+ character password)
2. Enable MAC filtering.
3. Change the router management password
4. Disable broadcast of ESSID.
5. Disable WAN ICMP (ping replies)
6. Use a Radius authentication server.
7. Use a VPN. ( IPSEC with certs )
8. Enable router logging.
9. Router's LAN side only goes to the internal firewall
and VPN gateway.

Now your comfortable fort is moderately secure and has a
nifty toxic cloud, for the "casual" invader's entertainment :-)

Enjoy,
Postmaster


David Taylor

Sep 28, 2005, 12:18:34 PM
> As I mentioned, hide the essid, make it complicated as well, so that the
> attacker cannot guess it. Again security by obscurity, but that sometimes

Any hacker isn't going to guess, they're just going to run kismet for
example and it'll pop right up.

Don't hide the SSID, it just makes it harder to find a free channel and
doesn't add any security.

David.

Floyd L. Davidson

Sep 28, 2005, 12:39:57 PM
Unruh <unruh...@physics.ubc.ca> wrote:
>wep is better than nothing. Remember that an attacker is going to have to
>be located fairly near you ( but the house next door might be fine).

True.

>As I mentioned, hide the essid, make it complicated as well, so that the

Silly.

You *can't* hide the ESSID! You can turn off periodic
broadcasting of the ESSID, but that does *not* hide it. It is,
unencrypted, sent in every packet you transmit. The broadcast
merely makes sure that you do in fact transmit a packet at
short, regular intervals.

The point of doing that is to allow a short "scan" to detect the
presence of a network. The value is that it can be *avoided* if
it will interfere with another network. Hence if you turn off
ESSID broadcasts the likelihood that a neighbor will fire up his
wifi access point on the same channel as yours, is much greater
than if the ESSID broadcast is enabled.

If the neighbor is interested in cracking your network, the lack
of an ESSID broadcast is *not* going to hide the existence of
the network for longer than it takes you to use it. Which is to
say that as soon as you actually do use it for traffic, your
ESSID is available to the neighbor.

>attacker cannot guess it. Again security by obscurity, but that sometimes

It has *nothing* to do with security, obscure or otherwise.

>works. If on the other hand you have issues that are worth thousands or
>millions of dollars, buy a new wireless router that does support WPA, and
>make sure that your connections are encrypted (ssh, VPN,...)

All of the Linksys routers support WPA. The earlier /firmware/
doesn't though, and either a Linksys upgrade or third party
firmware can be downloaded and applied to add support for WPA.

--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) fl...@apaflo.com

Jeffrey Goldberg

Sep 28, 2005, 12:46:49 PM
stru...@gmail.com wrote:

> I am using linksys wireless router, and it doesn't support WPA, it has
> WEP.
> any ideas??

Can you post the model number of your linksys? You did say earlier that
among your choices was something called "PSK" (Private Shared Key).
That may be a WPA mode.

-j

Jeffrey Goldberg

Sep 28, 2005, 3:57:13 PM
stru...@gmail.com wrote:
> I have Linksys Wireless-G USB Kit with SpeedBooster
> (http://www.pcsforeveryone.com/product_info.php?products_id=20704),
> which contains Linksys WRT54GS v2 router

> Does it have WPA support?

Yes it does.


> WPA is the same as PSK?

PSK, in this context, is a mode of operation of WPA. In your case, PSK
is the best choice. (For environments in which there is a geeky system
administrator at hand, I would advise RADIUS, but that requires a whole
lot of other stuff to be set up on the network.)

> It has PSK-RADIUS, and RADIUS, which one is
> better?

Use the one that offers PSK.

> Ok, if someone really hacked my WEP key, then they can get in my
> machine and steal things?

Big question. It doesn't have a simple answer, which is why security
issues are hard. If someone gets past WEP, it means that they've
gotten on to your network. The analogy that I like to use, is imagine
if you had a wired home network and you ran some wires out from your
house into the neighborhood for any to connect to.

The rest depends on the security of any internal firewall you may have
(say between your wireless and wired internal networks) and the security
of the particular hosts on those networks and the communication between
those hosts.

So it is best to secure each machine on the network as best as possible
on its own. Keep in mind that someone who gets onto your private
network can sniff all the network traffic, so you don't want sensitive
information (particularly passwords) traveling around your network
unencrypted. If you have highly sensitive information, you should
consider keeping that encrypted even on the disk. With Linux you can
set up entire encrypted filesystems. (But if you forget the pass
phrase, your data is truly unrecoverable.)

I'm sorry that there isn't a simple answer. For some purposes it is
"good enough" to be better secured than your neighbors. There is the
old joke of two men camping, and a bear starts threatening them at their
campsite. One man starts to put on running shoes. The other says,
"What are you doing? You can't out-run a bear." The first answers with,
"I don't need to out-run the bear, I just need to out-run you."

On the whole, this "good enough" is a bad approach. But nearly
everything needs to be evaluated on a case by case basis. If you wish
to publicly be more specific about your concerns, it will be much easier
to give specific advice.

-j

Postmaster

Sep 28, 2005, 4:00:42 PM

"Jeffrey Goldberg" <nob...@goldmark.org> wrote in message
news:11jli7q...@news.supernews.com...

Step 1. Security mode -> WPA Preshared key
Step 2. WPA Algorithm -> TKIP (Temporal Key Integrity Protocol)

It's the temporal key exchanges that add the additional
security of WPA. A key, is only a key for a short
period of time, then the keys change. Thus making
a sniff and capture much less interesting.

Enjoy
Postmaster.


Mike Preston

Sep 28, 2005, 4:43:45 PM
On Wed, 28 Sep 2005 15:40:03 GMT, "Postmaster" <postm...@127.0.0.1>
wrote:

> -----------------
> and of course one might consider hiding in a toxic cloud ...
>

> ...... <snip>


>
> Now your comfortable fort is moderately secure and has a
> nifty toxic cloud, for the "casual" invader's entertainment :-)

The US is just crazy enough that an intruder who choked on your toxic
cloud would be able to sue you for setting a trap. I kid you not.
Unfortunately.

mike

Unruh

Sep 28, 2005, 7:28:11 PM
stru...@gmail.com writes:

No. They can get onto your network. Linux machines need to be logged into.
I.e. there is yet another layer of protection -- your password to log onto
your system. Now, if you make a habit of not using ssh to log from one
machine to the other on your network, then they could monitor your network
to find your password and then log onto your system and steal stuff.
On the other hand if you do not do such things, then they will somehow need
to get your password first before they can get into your machine.

>Please advise more...

Unruh

Sep 28, 2005, 7:32:42 PM

>True.

>Silly.


Thanks for the lesson. One of the wonderful features of netnews is that
your own mistakes get rapidly corrected.

jrefa...@hotmail.com

Sep 29, 2005, 1:07:40 AM
I want to make the wireless network at home become more secure, then I
should make sure all connections are encrypted?

I should setup VPN host or SSH at home, so that all machines are inside
the VPN network? Does PC Anywhere work?


please advise ...

James Knott

Sep 29, 2005, 8:16:40 AM
jrefa...@hotmail.com wrote:

Set up a VPN. There are several to choose from. Windows includes PPTP and
others are available. I use OpenVPN, which comes with Linux and is also
available for Windows.
