Security Basics mailing list archives
RE: wireless security question.
From: "MacFerrin, Ken" <Ken_MacFerrin () csgsystems com>
Date: Thu, 20 Feb 2003 11:38:37 -0600
Paul,

A company that I previously worked at used WEP 128 with a bi-weekly key update at all their US offices (plus a measure of physical security). The updated key was distributed using an NT authenticated intranet webpage. This of course was backed up with a highly monitored network, strongly enforced security policies, and nearly all internal systems requiring additional levels of authentication ranging from NT to PKI once on the network.

To touch on the password thread that's also going on.. This company also enforced a password policy that required an NT and voicemail password change every 60 days and used some type of technical tool to enforce strong passwords. The tool required that each password had a minimum length, contained some level of complexity (letters, CAPS, symbols and numbers), could not contain any part of the username and could not be significantly similar to a previously used password..

-----Original Message-----
From: paul van den bergen [mailto:pvandenbergen () swin edu au]
Sent: Wednesday, February 19, 2003 12:45 AM
To: security-basics () securityfocus com
Subject: wireless security question.

There has been much debate recently in my circle about wireless security, WEP, etc. and especially related to the supposed vulnerability of APs to traffic - eg. reports that a large % (40%???) do not have WEP enabled. (my argument is that these are likely the smart ones who realise that WEP breaking is routine and turn it off as a waste of time...)

as far as I can see, it breaks down like this. You can have wireless sites that have WEP off and they cover three basic types

1) Folks who rely on other security measures - IPsec being the most obvious
2) folks who want unrestricted public access - eg. public wireless communities, isolated PCs/LANs with no further connectivity. (really a subset of 1 I suppose - security not needed because physically isolated, or in some other way limited - eg. bandwidth limited)
3) people who have no clue.

(and obfuscation is no security at all - SSID as security feature? come on!)

with WEP on, I figure that there are 3 classes of sites

4) see three
5) 128 bit WEP on as deterrent. is it worth the effort - low security requirements. somewhat 404 (see 3), but not too bad if you know what you are doing.
6) 128 WEP + regular key update. with or without IPsec.

My questions relate to scenario 1 and 6, to me the interesting ones.

In the case of 1) how would one stop external users using the APs as private network bridges?

In the case of 6) how does one distribute the WEP keys at each update?

--
Dr Paul van den Bergen
Centre for Advanced Internet Architectures
caia.swin.edu.au
pvandenbergen () swin edu au
IM:bulwynkl2002

It's a book. Non-volatile storage media. Everyone should have one.
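
The four password rules described in the reply above (minimum length, mixed character classes, no part of the username, not significantly similar to a previous password), as an added example that is not part of the original message and not the tool that company used. The thresholds, the name `check_password`, and the assumption that the previous password is supplied at change time are all illustrative choices.

```python
import string
from difflib import SequenceMatcher

MIN_LEN = 8           # assumed minimum length; the post gives no number
NAME_FRAGMENT = 3     # assumed: any 3+ character run of the username counts as "part of" it
MAX_SIMILARITY = 0.8  # assumed threshold for "significantly similar"


def _classes(pw):
    """Report which of the four character classes named in the post are present."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def _contains_name_part(pw, username):
    """True if any NAME_FRAGMENT-length slice of the username occurs in the password."""
    pw_l, name = pw.lower(), username.lower()
    return any(name[i:i + NAME_FRAGMENT] in pw_l
               for i in range(len(name) - NAME_FRAGMENT + 1))


def check_password(new, username, previous=()):
    """Return a list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(new) < MIN_LEN:
        problems.append("too short")
    missing = [name for name, ok in _classes(new).items() if not ok]
    if missing:
        problems.append("missing: " + ", ".join(missing))
    if _contains_name_part(new, username):
        problems.append("contains part of username")
    for old in previous:
        # Case-insensitive ratio, so changing only case or one digit is still caught.
        if SequenceMatcher(None, new.lower(), old.lower()).ratio() >= MAX_SIMILARITY:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for candidate in ("Winter!2004", "kmacf#Pass9", "Tr0ub4dor&3x"):
        print(candidate, check_password(candidate, "kmacferrin", ["Winter!2003"]))
```
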