Can 802.11 Networking Be Made Safe?

plumpy asks: "I am a developer at a small (~100 people) company that develops web and wireless (Palm, WAP) applications. Recently a few developers began a campaign to get a wireless access point for the company so that we could carry our laptops to meetings and work more flexibly. Two people had been bringing in their own personal access points from home while we waited for someone to actually purchase one for the company. Everything was going okay, and it sounded like the purchase request was going to go through. Then our IT manager read a few of the recent articles about the lack of security in 802.11 networks and killed the idea." Wireless Networks, like their wired counterparts are only as secure as the procedures behind the people that maintain them. A wireless AP can be secured against casual attacks and WEP, properly implemented, should take care of the rest, shouldn't it?

"From what I've read, it sounds like 802.11 is not as secure as it COULD be, but is plenty secure for most networks. My IT manager LIKES wireless (he has an 802.11 network at home) but doesn't think it's secure enough for the workplace. Does anyone have any links to articles that could convince him otherwise? Or does anyone have any articles that can convince me he's right? Also, does anyone have any stories about where wireless networking has been helpful for developers. There is some additional resitance because management thinks it's just a toy for us with no real useful applications."

what sort of work are you doing? dictates needs

[StandardDeviant]

Seriously, if you're doing work that is too sensitive for 128-bit WEP (need both AP and client cards to be 128, obviously), well, yeah, wireless is inappropriate. (If your work is this sensitive, as the CTO how secure your LAN cable is against emission snooping or unauthorized taping.)

Further, are you in a crowded office building? Are your 2-6 side-sharing neighbors competitors? How absorbant are the walls (I mean of RF radiation)?

Plus, let's not forget that 128-bit gear isn't cheap. Not uber-expensive, but definitely not cheap either (especially if you have a large number of potential clients which means you will need several access points in addition to many client pcmcia cards; you might need several access points to begin with if you office has lots of structural walls and whatnot in it).

--
"Overrated" is "overfuckingused".

Re:what sort of work are you doing? dictates needs

[tzanger]

Plus, let's not forget that 128-bit gear isn't cheap.

Uhhh... compared to what? There's only like $16 difference between the silver (64) and gold (128) bit encrypted versions of the Lucent (Orinoco) wireless cards. Silver is $133.76 and Gold is $149.76 from CDW, not exactly the cheapest place on the planet.

In fact, I'm picking up a half dozen of them and a few PCMCIA-PCI bridge cards this Saturday.

WEP isn't that bad

[kevin42]

Keep in mind WEP stands for "Wired Equivilancy Protocol" which means it's meant to be about as secure as physical ethernet cables.

Yeah, there's a big hole in WEP, but in order to crack it the person would have to have a lot of equipment that isn't readily available, not to mention cryptoanalysis expertise. It would probably be a lot easier for them to break into your building and put a device on the network somewhere and capture packets.

It's not as if you can wander within range of a WEP protected network and just start sniffing. First off the NIC has to associate and authenticate with the AP to even get the packets past the MAC layer. You can turn access control on with most APs so you only allow certain MAC addresses. Even if they got past that layer they're going to not be able to sniff anything because the MAC chip in the card will discard anything it can't decrypt, even in promiscuous mode.

The only way they could sniff you out with 802.11 and WEP would be to have some custom hardware and software to bypass the MAC layer(or be able to rewrite the firmware for an existing card). Anyone who goes to these lengths are going to be able to get past your pysical security anyway.

Security concerns are common

[Raetsel]

I've seen several cases where the security provided with 802.11b was not considered adequate.

The solution was to configure the network in such a way that access to the corporate LAN was impossible, unless

• You authenticated with a VPN server, and tunneled your LAN connection over that -- in addition to the security already provided by the hardware

• OR

• You used SSH to tunnel (again to a gatekeeper/firewall machine), and then again to tunnel your X session over.

I know it's a lot, and it's not the easiest thing to just set up. Hardware is something you can plug in and have running 5 minutes later -- this takes a lot more work.

Remember that it's worth it -- you're already doing this, it needs to have the level of security the company is comfortable with. If you drive the project underground, you won't know what's going on, what hardware is being used -- or even by who.

Don't let your PHB be scared away by the fact that the hardware is not as secure as he'd like. You have options to make it more secure, and these options have already been enough to placate other PHBs.

You can do this. Yes, you can make a wireless connection secure enough -- unless you're doing something to piss off the NSA. If you're up against an adversary like that, my money's on them.

Just trying to keep things in perspective.

Insecure? Compared to what?

[NoahSpurrier]

I'd trust 128-bit WEP more than an ethernet line. Heck, I'd trust 40-bit WEP more than a regular lane. It's trivial to tap into an ethernet line. That's not theorestical. I've never heard of a real system for tapping into an 802.11b link. But the point is that you shouldn't trust any communication link. You should learn more about SSH or a VPN.

Re:Insecure? Compared to what?

[Hast]

Well, you can check the small slide show presentation at dsniff for starters. It was mentioned (along with a bunch of others) not too long ago in the "WEP Isn't Secure" thingy here on Slashdot a week or so ago...

Yes

[peccary]

IPsec
CIPE
SSH

Basically, if you treat the wireless LAN as untrusted, and think about it that way, there are natural solutions that will present themselves.

WEP is insecure...

[X]

The specific failings of WEP are documented here. If your boss is concerned about WEP security, he/she should read this document, and make an assessment as to whether adding WEP to your network significantly increases the security risk.

Assuming you use 128-bit WEP, you have a reasonable chance of blocking attackers. While you could be compromised, it's important to compare the risk vs. the risk of your wired LAN being compromised. For example, do you allow visitors to plug in their computers into your LAN? If so, 802.11b is not going to increase your security risk.

Even if 802.11b would increase the security risk, you need to asses if it's a good trade-off in return for your benefits. Finally, if you can't accept the risk, then just run IPSec (or the poor-man's IPSec: SSH ;-) for communications over 802.11b. Indeed, you could have an IPSec gateway on whatever is plugged in to your 802.11b access point. Sure, it's a bit more work to setup, but the benefits would be substancial.