Re: wirless connection security issues

["Jarrod Frates" <jfrates.ml () gmail com>]

On 8/1/06, Michael Krymson <krymson () gmail com> wrote:
> It is better than trying to teach every home user (think your
> parents) the ins and outs of RADIUS, TLS, VPN, etc. They don't care, and
> that kind of approach will just turn them away from trying anything.

Teaching them how to enable WPA/WPA2 is little more difficult than
using WEP.  Both can use shared keys, and the only additional thing
needed for WPA2 is a patch for XP.  If that's not available due to
being on Windows 2000 or earlier but still having a WPA2-capable
network, a supplicant can be purchased, but WPA with a sufficient
passphrase will suffice for most home users if WPA2 isn't available
for technical or financial reasons.  I brought up RADIUS and EAP
because Cherian mentioned paranoia -- and then I backtracked because
it was overkill for that particular situation.

> But never deny that WEP or any encryption will still deter everyone else
> including Windows XP which automatically connects to open wireless
> networks.

Saying that WEP provides security because it deters the people that
have their computers set to connect automatically is like saying that
closing your front door deters people that might just walk into your
home.  If that was an issue, MAC address lockdowns would be
sufficient, and we wouldn't need encryption.  It provides little more
than privacy from people who generally have no desire to look in the
first place.

I really don't understand why this idea that WEP is "good enough" is
still present.  I knew five years ago that WEP was a bad idea.  WEP
cracking is only going to get faster as network and CPU speeds
improve.  At some point, I imagine someone will break the two-minute
mark -- if not better -- on a routine basis.  Perhaps at that point,
it will be drilled in that WEP needs to be not only disabled, but
deprecated and eventually removed.


Jarrod

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------