Replacing WEP with IPsec on OpenBSD, Windows XP

BSD Forums writes "WEP has been proven insecure and is thus inadequate for protecting a wireless network from eavesdropping or abuse. IPsec can be used as a replacement to WEP in the following scenarios. Joshua Stein has implemented IPsec on OpenBSD with manual keying between a router and a client as a replacement. Also, Thomas Walpuski describes in detail the configuration of an IPsec Host-to-Host connection between OpenBSD and Windows XP Professional with Authentication via X.509v3 Certificates."

Forget WEP, go to WPA

[jrpascucci]

WPA, which stands for 'Wi-Fi Protected Access', is the replacement for WEP. It does a prima facia good job making up for WEP's flaws. Several companies have firmware updates and drivers to enable WPA. More are coming.

If you want strong protection, use it in combination with 802.1x authentication with a TLS (and accept the infrastructure problem), PEAP (and choose between the incompatible v1 or v2 versions of it, and I personally can never remember which it is MS supports), or TTLS.

For even stronger protection, turn on 'session resumption' on your .1X client (if you can), and return a Session-Timeout of a few minutes. You'll effectively completely rekey (start from new material, in addition to the rekeying WPA provides.

Links links links

[coyote4til7]

Slashdot had a long discussion on WiFi security late last hear (Replacing WEP for Wireless Security). ComputerBits has a relatively short overview (Wireless Hot Spot Security) for those who prefer something more organized. Then there's the Unoffical 802.11 Security Page, the website of the WiFi Alliance (the industry group for 802.11) and a nifty google search on WiFi Security.

Re:Does it mater all that much?

[darthtuttle]

Yes, it does matter.

Not only can it affect what someone can "hear" when they listen to your wireless, it's access control. If I'm a terrorist and I want to post something to the internet for my friends somewhere else to get, I'm going to find an open wireless access point, since that's easiest, but lacking one of those, I can just listen for any, and once I've found one using WEP only for security I can crack it and use it.

What's your point? The point is, if the "evildoers" use your wireless access point to transmit information guess who's hosue the Department of Homeland Security shows up at. Even if they don't haul you off to jail, having them show up at your house is not fun.

There is a misconception that because your not a large company or other visable target that your not going to be targeted. The problem is that people don't have to target you to abuse your network. They simply look for any network easy to abuse, and there's enough people looking to abuse networks that someone will stumble on to yours given enough time and a pringles can.

This is the same as companies I've been to who feel they aren't an "eBusiness company" and their access to the Internet is not public (there's no public website) so they aren't going to get hacked. They got hacked.

Re:PPTP

[DrCarbonite]

PPTP is not very secure. For more information: http://www.counterpane.com/pptpv2-paper.html and http://www.counterpane.com/pptp-paper.html If you are taking the trouble to replace WEP, you might as well replace it with a good solution. That being said, the worst mistake would be to deploy a "fix" incorrectly... ie: an improperly configured IPSec box is far worse than a correctly configured PPTP.