Re: Is Dynamic WEP Secure Enough?

[John Pettitt <jpp () cloudview com>]

Jon Smith wrote:

> Hi
> I am responsible for a large wireless infrastructure upgrade.  Right
> now my plan is use PEAP w MSCHAP v2 with dynamic WEP crypto for my
> corporate SSID (I have others with much lower security requirements). 
> I cannot easily go to WPA without ditching all my current devices that
> do not support it (good luck getting that past the CFO).  We have a
> lot of physical security and surveillance with very tight controls, my
> primary area of concern would be people like myself sitting in the
> parking lot.  Due to one of our applications, we will be sending a
> clear strong signal to the parking lot.  Is this enough security and
> encryption to significantly slow intrusion attempts?  Between
> direction finding capabilities of the Access Points and our roaming
> guards it would be a matter of time before we detected them.
>
> Thanks
>
> Rocko
All wireless networks are public and should be treated as such.

Two things to consider:

1) Even with a dynamically generated WEP key you're still vulnerable to
active attacks that can force the generation of lots of traffic and or
just mess with your network.  See http://www.securityfocus.com/infocus/1824

2) If you can access from the parking lot with a regular laptop you can
access from the next town with a parabolic antenna.   Unless you guards
roam huge distances you won't be able to protect the signal. - See
http://www.radiolabs.com/products/antennas/2.4gig/stage4.php

Suggestion: forget WEP  - get a good ipsec based vpn system, put the
access points on a DMZ lan and require use of the VPN client to get
access to anything other than  a "help page" web server.