Educause Security Discussion mailing list archives

Re: WEP


From: "Christopher E. Cramer" <chris.cramer () DUKE EDU>
Date: Wed, 13 Jul 2005 09:10:15 -0400

Duke has never (to my knowledge) deployed WEP.  Our primary reasoning is
that WEP has two main intentions: a) encryption, and b) access control.
It doesn't do either particularly well.

As you note, the encryption is fairly easy to break.  My recollection
(take this with a grain of salt, it was 2 or 3 years ago that I last
checked) is that both 64 bit and 128 bit keys provide an encryption
strength equivalent to 24 bits used to encrypt the seed to the RC4
algorithm.  Given the large quantities of data we push through our
wireless network in places like the student union, gathering the number of
packets needed to break the encryption seemed trivial.

Regarding access control, it seemed to us that a "shared secret" between
the 30,000+ people at the institution wasn't much of a secret and so the
access control capability wasn't too useful.

Instead of relying on WEP for encryption, we've tried to ensure that all
institutionally provided applications which transmit sensitive data (e.g.
passwords, grades, etc.) over the network are encrypted at layer 7.  So,
the application itself should ensure encryption through a mechanism like
Kerberos or SSL.  My general line has been, "you shouldn't trust the
wireless network, but you can't trust the wired network either."

Access control's been a bit different.  We don't currently implement
effective access control.  There is a registration system in place for the
majority of users, but that would not prevent a determined individual from
getting on the network without going through the registration.  We're
looking at 802.1x in the future, but for now, we're living with a
registration system and have had no major problems.

I hope this helps
-chris

--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University,  Office of Information Technology
334 Blackwell St., Suite 2106, Durham, NC 27701
PH: 919-660-7003  FAX: 919-668-2953  CELL: 919-210-0528

On Wed, 13 Jul 2005, Chad McDonald wrote:

Understanding that WEP is relatively easy to crack, how many of you have
moved away from WEP as an additional layer of security for your wireless
networks?  What was your reasoning for doing so?

Thanks,
Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
478.445.4473  Office
478.454.8250 Cell
478.445.1202 Fax


