At 03:25 PM 1/16/2004 -0600, you wrote:
>On Fri, Jan 16, 2004 at 02:56:45PM -0600, Ben Kochie wrote:
>> all 802.11b WEP is worthless.. 40bit takes several hours to break, and
>> 128bit only takes a few more than that.
>
>I'm under the impression that if you have sufficiently intelligent
>firmware on the base station and client cards, they can avoid using the
>"weak" WEP keys, which prevents the airsnort-style attack from working.
>
>I don't know how secure such a "careful WEP" is.  Clearly a more
>carefully-thought-out system such as IPSec is more likely to be secure.
>
>-andy

I've read that some firmware is able to dynamically change the WEP keys at
set intervals such that the brute force attack on WEP is marginalized due
to the time for running the brute force being significantly longer than the
key change interval.

My take on WEP in general...none, 40, or 128 bit, is that if you're running
a private network, turn it on as high as your hardware will support.  It may
be an easily broken obstacle, but at least it's a clear message that you
didn't intend for casual war-drivers to connect to your network.  If there
are other unencrypted networks in the vicinity, they're likely to get more
attention first.  If you're running a public network, don't enable WEP.  In
this case users should use SSH, VPN, or other encryption means to secure
any communications they feel could be sensitive if 'heard' (sniffed) over
the air.  

One idea I have (haven't seen it done anywhere myself) is on a public
network the clients could VPN into the machine running the Nocat or dhcp
(or a machine behind it) and then the traffic would be passed on in the
clear over the wired link.  That'd alleviate the most sensitive wireless
link from much sniffing risk for users who don't have any other VPN servers
to connect to.  Their requests are going to go into the clear anyway if all
they are using their VPN setup for is to encrypt the wireless portion and
surf the web thru their VPN gateway (wherever that may be; eg. the umn vpn
gateways).

"If you're reading this, read it again."

_______________________________________________
Twin Cities Wireless Users Group Mailing List - Minneapolis/St. Paul, Minnesota
http://www.tcwug.org
tcwug-list at tcwug.org
https://mailman.real-time.com/mailman/listinfo/tcwug-list