WEP vulnerabilities and SOHO WLAN products

Jim Carter jimc at math.ucla.edu
Fri Nov 22 04:44:49 EST 2002


On Thu, 21 Nov 2002, Dale Shaw wrote:
> I'm gonna connect up to TransACT (http://www.transact.com.au/about/ for
> those non-Canberrans on the list) so I'm looking at connecting some kind
> of all-in-one wireless AP/router to the TransACT STB. I'll be looking
> for something with a 4-port switch too.

My son has DSL and active neighbors like yours.  We got a Linksys WAP11
802.11b access point and a Linksys BEFSR41 (I think it was)
router-NAT-switch (4 ports).  (Around here, the DSL vendor insists that you
use their modem.)  Presently Linksys has additional combined products, such
as the BEFSR41W (same thing with a PCMCIA slot "for use with WPC11 only",
the Linksys 802.11b PCMCIA card).  But I have no experience with that exact
model.  D-Link has similar products, I believe.  I've had two Netgear
MA-401 PCMCIA cards dead on arrival.

We set it up with WEP, plus MAC filtering in the router, so only machines
known to him can have their packets leave the net.  Any knowledgeable
hacker can crack this combination in 5 minutes (well, maybe longer,
depending on packet rates), but it's proof against a clueless leechoid.

At home I have an equivalent setup running on Linux, but more and better,
i.e. a "real" firewall.  I get probed once a minute, on average, through
the DSL interface.

> Is Cisco the only company that's come up with a (proprietary, for now)
> solution for the known vulnerabilities?

Solution?  Hype?

> I want to keep it as simple as possible with as little 'infrastructure'
> as possible. Do any of the consumer-level products do 802.1X? I'm mostly
> concerned about authentication, but something that also covers
> encryption would be nice. IPSec requires infrastructure, so unless I can
> terminate a tunnel on the AP/router, I'd like to avoid going down that
> path.

Good design goals.  I haven't seen anything about 802.1x but I'm not on top
of the market.  Neither would consumer equipment offer an ipsec terminus.
If you do decide you need it, consider a Linux box for your router.

> Maybe I'm being paranoid? Maybe I'm asking too much of this level of
> device. Thoughts and opinions please :-)

I think you're right, on that point.  I don't take seriously the protection
of data at the packet level; I protect data at higher protocol layers.  For
example, login connections are via SSH; I don't run the daemons and don't
use the clients for telnet and rlogin/rsh.  Web data with real value, like
credit card numbers, should be (and generally is) protected by SSL/TLS (port
443).  To my mind, ordinary web data (like the latest Dilbert cartoon)
doesn't have to be encrypted; you don't care if the neighbors share your
giggles.  I'm investigating FreeS/WAN (ipsec) and TLS-protected SMTP for my
department, but I don't expect to use ipsec much except for demos.  But
more and more, SMTP gateways are insisting on TLS, not for privacy but to
enforce anti-relaying (spam).

If you're running Windows, put your Windows boxes behind a serious firewall
and put the wireless Linux laptop and access point on a separate subnet
with only a few ports open between them.  This would probably require a
Linux router, not the US$120 Linksys product.

In case you're wondering why your neighbor is trying every 5 minutes to
connect to your net, that's a "feature" of Windows IP Connection Sharing,
not a hacker.  Ignore the log messages.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA  90095-1555
Email: jimc at math.ucla.edu    http://www.math.ucla.edu/~jimc (q.v. for PGP key)



