Stronger Encryption for Wi-Fi
sp00 writes "The first products certified to support Wi-Fi Protected Access 2, the latest wireless security technology, were announced by the Wi-Fi Alliance on Wednesday. The Wi-Fi Alliance says WPA2 is a big improvement on earlier wireless security standards, such as Wired Equivalent Privacy (WEP), which hackers have found easy to circumvent. It includes Advanced Encryption Standard, which supports 128-bit, 192-bit and 256-bit keys."
WPA2? (Score:3, Informative)
Re:Question (Score:3, Informative)
"Easy to circumvent"? (Score:5, Informative)
It is not as easy as everyone says. Try it with some brand-new, high quality equipment and you may be surprised at the result.
Re:Question (Score:4, Informative)
Re:Can we upgrade firmware ? (Score:2, Informative)
Re:WPA2? (Score:5, Informative)
That said, WPA-2 provides basically zero benefit over WPA. WPA relies on the same RC4 algorithm as WEP, but has a few patches put in place to resolve the problems it had. The most important one is using a new key for each frame. Given a choice between an algorithm that can be broken given 11MB of data and one that has no known attacks, do you think that it matters which you use to encrypt 1500 bytes? Not really.
The good news about WPA-2/802.11i (same thing, just certified and a less scary name for the PHBs) is that it breaks hardware compatibility, and that means there's a chance that things have been done right this time.
Re:Does this means... (Score:4, Informative)
Keeping a serious attacker away from your data, if it's specifically you he's after? Possibly not.
Keeping a casual war(mode-of-transport)'er out of your WLAN to stop him leeching your bandwidth? Probably.
Re:Serious answer from geeks in the know...? (Score:3, Informative)
Re:NSA Encryption Restrictions (Score:1, Informative)
In other words, your concern is baseless.
Re:Flaw fixed? (Score:3, Informative)
Um, yes, it WOULD be a bad idea. WEP/WPA/WPA2 are all server-client protocols, in that they encrypt transmissions between a number of remote clients and a single central point. In order to make the analogy hold to wired Ethernet, you would have to make every Ethernet switch/hub/router support the crypto interaction with clients. As well as replacing every NIC in existence.
And even then, the encryption wouldn't buy you much, because it only encrypts between the Ethernet hosts and the switch. It CAN'T encrypt transmissions past the switch, because it would be hiding the IP addresses and port numbers that are needed to route the packets at an IP level. If you wanted to move the link-level encrypted packets further, you would have to either decrypt them and transmit them upstream in the clear, or you'd have to configure every single route in between your endpoints with the WEP-ish key. Which would defeat the point of encrypting, because in order to use this on the Internet, everybody on the Net would have to have the same key.
This is one of the reasons why we have things like IPSEC and VPNs--they're based on PKI systems, or they're built with a centralized authenticator/concentrator, or both. And they encrypt IP packet contents, not the IP packet itself (including the header info), meaning that any router can pass them without having to open the crypto-envelope.
WEP and its relatives are link-level encryption, and only meant for a single physical hop, and they're not particularly scalable. They're niche solutions that either wouldn't work or wouldn't be worthwhile for most other applications.
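An added illustration of the layering point made in the reply above (example code written for this page, not from the commenter): a constructed Ethernet/IPv4/UDP frame is encrypted once WEP/WPA-style (everything after the MAC header) and once IPsec-ESP-transport-style (only the IP payload), and a keyless "router" shows which of the two it can still forward. The stream cipher is a toy HMAC counter construction standing in for RC4/AES, and the header values are made up.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from any real capture).
MAC_HDR_LEN = 14
KEY = b"demo-link-or-ipsec-key"      # shared secret (toy)
NONCE = b"\x00\x00\x00\x01"          # per-frame IV, in the spirit of WPA's per-frame key

def build_frame(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Ethernet-style header + minimal IPv4/UDP headers + payload."""
    mac_hdr = bytes.fromhex("02000000bb02") + bytes.fromhex("02000000aa01") + b"\x08\x00"
    src = bytes(int(x) for x in src_ip.split("."))
    dst = bytes(int(x) for x in dst_ip.split("."))
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 17, 0, src, dst)
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return mac_hdr + ip_hdr + udp_hdr + payload

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for RC4/AES."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_from(frame: bytes, offset: int) -> bytes:
    """XOR everything after `offset` with the keystream; XOR is its own inverse."""
    ks = keystream(KEY, NONCE, len(frame) - offset)
    return frame[:offset] + bytes(a ^ b for a, b in zip(frame[offset:], ks))

def link_layer_encrypt(frame: bytes) -> bytes:
    """WEP/WPA style: only the MAC header stays visible; the IP header is ciphertext."""
    return xor_from(frame, MAC_HDR_LEN)

def esp_transport_encrypt(frame: bytes) -> bytes:
    """IPsec ESP transport-mode style: IP header stays clear, IP payload is encrypted.
    (Real ESP also adds SPI/sequence fields, padding and an integrity tag.)"""
    ihl = (frame[MAC_HDR_LEN] & 0x0F) * 4
    return xor_from(frame, MAC_HDR_LEN + ihl)

def router_dst_ip(frame: bytes):
    """What a router without the key can do: read the destination IP, or give up."""
    if frame[MAC_HDR_LEN] >> 4 != 4:
        return None                      # no parseable IPv4 header, nothing to route on
    dst = frame[MAC_HDR_LEN + 16: MAC_HDR_LEN + 20]
    return ".".join(str(b) for b in dst)
```

The link-layer variant is only forwardable by a hop that holds the key, which is the reply's point; the ESP-style variant leaves the routing fields intact for every hop.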
Re:upgrades to old equipment (Score:3, Informative)
And yes, the WRT54G already does AES-128 in its stock form [linksys.com].
Re:Question (Score:2, Informative)
Nope.
unless there is a way to get a standard card to listen to all traffic on a given channel
Yep. Lots of normal cards can do this easily. The rare cards that can't are considered "crippled". A few cards can collect more than 1 channel at once.
Re:The really important question. (Score:1, Informative)
I use passphrase keys all the time in Linux using iwconfig. Just because you don't know how to read the manual does not give you license to trash Linux for your own inabilities.
Re:Serious answer from geeks in the know...? (Score:3, Informative)
If so, you should lay on the best encryption you have. If you can see other APs on the block, they can see you, too. You don't want someone to come in and rifle through your network, or release a worm or whatever. It is prudent to consider anything connected to the AP as untrusted.
The best solution, in my mind, is to put a firewall between your APs and your internal network, and allow only VPN access to your internal net. A few steps back in paranoia from that is to use the best security your hardware supports.
64-bit WEP is only one step up from an open AP. It'll keep the honest people honest, but will barely cause the dishonest people to break stride.
With a Centrino-based laptop, the boss's machine (almost certainly) has good enough hardware and OS to support WPA. With WinXP, it'll even roam between different networks reasonably well when he takes it home or wherever. If your AP doesn't support WPA, then at least use the highest level of WEP available to you... and consider getting a new AP that supports WPA2. (I think the Proxim Orinocos look good, but I haven't got one yet. Their AP-600 sounds about right for your use.)
If you're doing IT for this company, you need to be able to get your users' machines set up right, even the CEO's. Y'all only need to enter that nasty hex password once on each machine; it's not that big a burden and you can do it for him.
If he won't let you do it, tell him that it's your job to protect his company, and in order for the company to be protected this must be done. He can do it or you can, but it must be done.
If he still refuses, I'd either kill the AP (pulling the patch cable from the switch back in the server room should do nicely) or resign. This sounds extreme, but if he's not letting you do your job right, you probably don't want to work there anyway. Besides, he's probably not updating his virus scanner like you told him to, either.
I trust it won't come to that, though. If you lay the issues out for him and tell him that it's his company's data (possibly financial data) at stake, I think he'll listen. Good luck!
Re:The really important question. (Score:2, Informative)