Slashdot Mirror

← Back to Stories (view on slashdot.org)

Replacing WEP with IPsec on OpenBSD, Windows XP

Posted by timothy on from the nearly-navajo dept.

BSD Forums writes "WEP has been proven insecure and is thus inadequate for protecting a wireless network from eavesdropping or abuse. IPsec can be used as a replacement to WEP in the following scenarios. Joshua Stein has implemented IPsec on OpenBSD with manual keying between a router and a client as a replacement. Also, Thomas Walpuski describes in detail the configuration of an IPsec Host-to-Host connection between OpenBSD and Windows XP Professional with Authentication via X.509v3 Certificates."

4 of 47 comments (clear)

  1. Links links links by coyote4til7 · · Score: 5, Informative

    Slashdot had a long discussion on WiFi security late last hear (Replacing WEP for Wireless Security). ComputerBits has a relatively short overview (Wireless Hot Spot Security) for those who prefer something more organized. Then there's the Unoffical 802.11 Security Page, the website of the WiFi Alliance (the industry group for 802.11) and a nifty google search on WiFi Security.

    --

    the clock on the wall says 4 til 7
  2. Re:PPTP by DrCarbonite · · Score: 5, Informative

    PPTP is not very secure. For more information: http://www.counterpane.com/pptpv2-paper.html and http://www.counterpane.com/pptp-paper.html If you are taking the trouble to replace WEP, you might as well replace it with a good solution. That being said, the worst mistake would be to deploy a "fix" incorrectly... ie: an improperly configured IPSec box is far worse than a correctly configured PPTP.

  3. Re:Cool, but does Airport/OS X support this? by MrChuck · · Score: 4, Informative
    Does Apple Airport support [IPSEC]?
    No, but the machine past your Airport does.

    Run WEPless and use IPSec to the house server.

    VaporSec is a pretty GUI to setup racoon and IPSec on your OS X box. (see also netbsd ipsec docs; be neat if apple's userland utilities would keep up with BSDs post 2000 - FreeBSD 4.x and 5.x userlands are far more advanced).

    If WEP is good enough then just turn it off. The WEP emporer is naked. Hell, just print out your squid logs and put them up on your door and your website. Unless you're spinning new keys every couple thousand packets, you're easy to watch. It's not even hard to break - mom can bring up a stumbler program and just leave it on for a couple hours.

  4. Re:Cool, but does Airport/OS X support this? by psxndc · · Score: 3, Informative
    No, but the machine past your Airport does

    Sorry I wasn't clear enough. My setup is more like this:

    Internet -- OpenBSD firewall -- OpenBSD WAP/Firewall -- iBook w/ Airport card.

    I don't have an airport base station, only the airport card. I'll look into VaporSec though. Thanks.

    If WEP is good enough then just turn it off

    I completely disagree with this statement. Yes, WEP is very weak, but if there are 5 WEP networks in the area and 25 networks with no WEP, guess which ones I'm going to try and connect to. If someone wants to break in, sure they can. But having WEP will discourage the casual intruder since there are so many other non-WEPed networks out there. WEP is good enough until you can set up IPSEC. Once that's up, sure, turn off WEP.

    psxndc

    --

    The emacs religion: to be saved, control excess.