Technology

Getting Around the 128-bit WEP Failure?

shokk asks: "To get around the failed encryption of WEP 128bit, we're going ahead with setting our own way of encrypting wireless traffic. Because we already have a firewall that laptop users will use to connect to from the outside, we've set up a second mini-firewall parallel to the main firewall, in this case a Netscreen 5, for the access point to hide behind. These people then use their SafeNet SoftPK VPN software to reach through to the main firewall so that their chatty wireless traffic is off on another net and they can still get decent encryption. It brings up the load on the firewall, but then again laptop users are generally not generating much traffic to read their emails and Word documents. How are other people getting around this problem to secure their wireless networks?"
  • by Anonymous Coward
    Part of our corporate design policy addresses wireless access. Essentially, we build separate or isolated wireless LANs, using Nortel's eMobility 802.11b products, that provide the necessary coverage. These WLANs connect to the corporate wired LAN through Nortel's Contivity VPN concentrator.

    With this setup LAN access is possible only through 128bit IPSec connections. This is also how we provide remote access to our field users.

    We have found that the IPSec VPN offers the same throughput performance that we would get using 40 or 128 bit WEP. I found it interesting that there was VERY little performance difference between 40 and 128 bit WEP. However, it is generally agreed that the VPN approach that we have chosen is far more secure than simply using WEP. And, since there isn't a performance hit, better safe than owned.

  • by jermz ( 6352 ) on Thursday May 17, 2001 @08:08PM (#217194)
    Get the cygwin tools. It includes a port of the actual OpenSSH code. Everything works splendidly, and you get a unix shell and tools for Windows!
  • Yes, I know that WEP 128 supposedly only has 30something bit entropy. I also know that none of the naysayers have actually demonstrated working software that breaks WEP. A theoretical problem without a practical application is only a vulnerability, not a "failure".

    That said, using VPN and a separate firewall for the wireless base station is a good plan.
  • Great VPN encryption and control with eDirectory/NDS.
  • In my opinion anyone that runs wireless in a production network with sensitive data should be shot!

    Wireless is a great tool, and I would recommend WEP to people just so someone doesn't snoop on your network. But how long does it take to break the WEP 128? I don't know, but my best guess is that either with good hardware or some time it can be done easily if you know what you're doing. I have wireless at home and I haven't turned on WEP because it seems to be a pain for me. What is the worst someone can do? Change the IP address on my access point? I have a USB connection for it. Use my Internet connection? Go ahead.

    Using a new technology in a secure network is not a good idea.
  • TTSSH [zip.com.au] has ssh tunneling, but not ssh v2.

    I don't know about the stability/memory leakage though.. I use ipsec for my vpn with windows/linux/freebsd/etc.

  • by jmerinen ( 452924 ) on Thursday May 17, 2001 @09:14AM (#217199)
    I think all of us agree that WEP isn't secure enough to be used as an only encryption method. So that's not the case.

    Is there any free software available for Windows-platforms to handle the encryption? I think that an SSH tunnel would be a nice way to securely read email, transfer files, etc, but the problem is that I haven't found any free and working SSH client for Windows that supports tunneling.

    SSH Secure Shell for Windows [ssh.com] is very good and free for private/educational use, but it leaks memory when closing a tunnel, thus a local tunnel can be used only a certain number of times until the client hangs. This is very annoying, one can't check POP mail continually because the client hangs in a short time.
