should i make a fuss about WEP?

Im not on the CWNP track, but this seemed like a good place to ask my question

Im a new IT tech, only been onboard for 3 months, and i find myself in a position where im being told to do something that i feel i should not be doing, but im not sure because i have never configured a Cisco AP, only home-market AP's, i dont wanna make a fuss and look like a fool because of something i was not aware of about Cisco AP's, heres the story....

we are setting up a wireless LAN in a satellite office which connects to the main office via VPN tunnel, i was told that the AP's, which are high-end Cisco AP's (sorry i dont know the model), are configured for 128-bit WEP encryption, and i am to configure all the wireless thin terminals at that office, i was basically given the shared key and told to choose WEP

given that these are fairly new Cisco AP's, shouldnt WPA encrpytion be utilized instead of the easily hacked WEP, im not an expert at all on Cisco AP's but logic tells me that if they are less than a year old than they must offer WPA

basically the Cisco vendor configured the AP's, and has passed the config info on to my boss (who doesnt know jack about wireless), who passed it on to me to do the workstation setups

I STRONGLY FEEL I SHOULD NOT PROCEED USING WEP AND INSIST WE NOT PROCEED UNTIL THE AP'S ARE RECONFIGURED FOR WPA, the information traveling on that WLAN includes HIPAA sensitive personal medical data on our clients

but being a new employee i dont wanna make trouble and step on anyones toes, my boss keeps referring to the Cisco vendor as his 'network guy' and just follows his recomendations, i told my boss yesterday that WEP was lame and we should not be using it, he countered that 'his network guy' informed him that they are using a 128-bit key and are ok...

...i just wanted to exclaim back across his desk, BS.. we are not ok, we are paying a premium for Cisco APs and then using WEP, thats like buying a Maserati sports car and leaving the keys in the ignition every time you park it, youre asking for trouble

OK, you folks know far more about Cisco AP's than i do, so maybe im missing something when it comes to Cisco APs, and i need an answer to this simple question..........

SHOULD WEP EVER BE USED, IN ANY SITUATION, ON ANY CISCO AP, WHEN WPA IS AN OPTION?

Thanks folks!

Find more posts tagged with

Comments

Schluep

I am not a wireless expert by any means, but are the thin terminals capable of handling the WPA encryption? They may be using WEP because it is the best option available for access by the clients in use at that location. My brother came in from out of town and stayed with me for a week. He brought his old laptop and he was unable to access the WPA-2 AES encryption that I had in place at my house. I had to back down to WEP for a week until he left so that he could browse the internet with his laptop while he was there.

General rule of them is to avoid WEP though because it is easily broken (even with longer key lengths) whenever possible. WEP is certainly much better than no encryption though and will keep casual passerbys away. Many people with no clue how encryption works can run simple programs to crack WEP easily and quickly. A determined intruder intent on obtaining personal information from your site will find a way to get past the WPA as well though.

If all of the clients in your office are capable of accessing the higher level of encryption I think a case could easily be made that it is a better choice. Just make sure you have all of your ducks in a line first and verify they can handle it before making any type of push for it.

garv221

hugolucky wrote:

but being a new employee i dont wanna make trouble and step on anyones toes, my boss keeps referring to the Cisco vendor as his 'network guy' and just follows his recomendations, i told my boss yesterday that WEP was lame and we should not be using it, he countered that 'his network guy' informed him that they are using a 128-bit key and are ok...

This is a good opportunity to impress your boss. I would ask if the thin clients can handle WPA or do some research on your own. Tell you boss using WEP would be under utilizing the Cisco AP.

If WEP is your only option, you can add MAC filtering and even RADIUS. Just some options.

Schluep wrote:

My brother came in from out of town and stayed with me for a week. He brought his old laptop and he was unable to access the WPA-2 AES encryption that I had in place at my house. I had to back down to WEP for a week until he left so that he could browse the internet with his laptop while he was there.

Here is a link for the XP patch allowing WPA2 access.

http://www.microsoft.com/downloads/details.aspx?FamilyID=662bb74d-e7c1-48d6-95ee-1459234f4483&displaylang=en

hugolucky

Schluep wrote:

I am not a wireless expert by any means, but are the thin terminals capable of handling the WPA encryption?

thanks Schluep for the reply, sorry i should have mentioned that part already

the thin clients are running Windows embedded and have the WPA-PSK option available in the connection properties

garv221 wrote:

do some research on your own.

I was up at 5am this morning doing just than, apparently German security experts have proven that it is possible to hack 128-bit WEP in less than 1 minute, after 85,000 packets have been captured you have a 90% chance of owning the key

Schluep

garv221 wrote:

Here is a link for the XP patch allowing WPA2 access.

http://www.microsoft.com/downloads/details.aspx?FamilyID=662bb74d-e7c1-48d6-95ee-1459234f4483&displaylang=en

Thanks. I knew one existed because one my desktop PCs can handle it. I didn't bother looking while he was only here for a week but bookmarked it for quick reference. He probably won't be back for another year but I will send him an e-mail with the link in case he needs to use it elsewhere.

xwesleyxwillisx

If the clients support WPA there is absolutely no reason to be using WEP on a WLAN that is passing HIPAA regulated info.

Just because the WEP key in use is 128-bit doesn't make it any more secure in my mind. The weak RC4 cipher is still used in conjunction with the weak IV (unencrypted part of the key). It really doesn't take that much longer to crack a 128-bit WEP key than a 64-bit one.

I don't know what model AP you are deploying (1242 or 1131 immediately come to mind), but they will definitely support WPA and WPA2. For compatibility, run both WPA and WPA2 with TKIP and AES encryption. I don't know HIPAA's exact specifications, but 512-bit AES is the only encryption certified by the U.S. Government for Top Secret information.

Another thing to consider, it is possible to run a separate WLAN (via vlans) that uses WEP in addition to your WPA protected WLAN. Using ACLS/firewalls/etc., you can essentially quarantine this WLAN to access only certain resources (only web traffic, only a certain ip range). This way, any clients you have that support only WEP can still have access without posing too much of a security threat.

Hopefully your boss' "network guy" has the answers

dynamik

WEP can be cracked effortlessly. Listen to this podcast: http://www.twit.tv/sn89

dtlokee

PSK is not considered an enterprise solution by any means (WEP or WPA). There should be 802.1x authentication included IMO if you truly want it to be secured in conjunction with WPA/WPA2. My other question would by why wireless if they are stationaty devices?

Cherper

dtlokee wrote:

My other question would by why wireless if they are stationaty devices?

Money I would think. We are running into this more and more with agencies that are setting up new offices in leased buildings. The buildings aren't wired or wired poorly (they are usually older buildings) and the landlord isn't willing to spend the money to improve them. These agencies figure that all they need is a wireless router and a few access points and away they go.

As for the OP's question, give your boss some of the write-ups, and let him read them and take on the "network guy," that way you put the knowledge in your boss' hands and you let him make a decision, if he spends the time reading what you gave him, you look good and he will remember it.

msnelgrove

I refuse to setup WEP for any clients, backed up by information handouts and a video presentation if need be.

hugolucky

dtlokee wrote:

PSK is not considered an enterprise solution by any means (WEP or WPA). There should be 802.1x authentication included IMO if you truly want it to be secured in conjunction with WPA/WPA2. My other question would by why wireless if they are stationaty devices?

thanks, ill consider that suggestion, but right now i just wanna get my boss outta wep land, one step at a time i dont wanna suggest too much at once, as far as why the wireless and stationary thin clients... the reason being we are a non-profit agency on a tight budget, thin clients are a bit cheaper, and many of the offices are donoted buildings, or recently closed schools that we lease, they are often not network ready and wireless saves the agency money.

Thanks guys for all ur help, im gonna get my info/facts together, give it to the boss and let him make the call

JDMurray

hugolucky wrote:

thanks, ill consider that suggestion, but right now i just wanna get my boss outta wep land, one step at a time i dont wanna suggest too much at once, as far as why the wireless and stationary thin clients... the reason being we are a non-profit agency on a tight budget, thin clients are a bit cheaper, and many of the offices are donoted buildings, or recently closed schools that we lease, they are often not network ready and wireless saves the agency money.

Mention to your boss that you have found recent technical articles indicating that WEP is no longer considered secure and (at least) WPA-PSK should be used instead. Present to your boss the URLs to the articles and let him/her decide. If you boss wants more proof, use the free AirSnort tool to demonstrate how to hack into your WEP-protected wireless LAN.

Either way, make sure that you also install a free IDS (Intrusion Detection System) package, like Snort, and monitor it carefully. There are people who will try to break into any wireless LAN regardless of the security controls that are implemented, and you want to know about anyone who succeeds in penetrating your network.

KGhaleon

Yeah, I believe even WPA is crackable making wireless a very risky technology to use. I always suggest going wired if possible. What happened, have your bosses done anything?

JDMurray

KGhaleon wrote:

Yeah, I believe even WPA is crackable making wireless a very risky technology to use.

When using any password-protected technology, you must have a way to periodically rotate your passwords. Never treat password selection as a "set it and forget it" mechanism.

dynamik

If you haven't seen it, https://www.grc.com/passwords.htm is a great password generator. After having to manually enter that into my Wii, I'm going to throw caution to the wind and not change that for a long time

JDMurray

Be wary of entering too long of a password into wireless security mechanisms. Although longer passwords are (potentially) stronger, they require more time to en/decrypt data (i.e., every packet's payload), and the extra time can be a drag on small, wireless embedded systems (e.g., PDAs, cheap access points).

Also, not all wireless soft/firmware has the same maximum password length. One day I was debugging a wireless client that mysteriously couldn't connect to a WPA-PSK WLAN despite all of the setting being correct. It turned out that the WLAN's password was longer than what the wireless client software (D-link) could use, but the client software didn't give a warning that the password entered was too long.

That was one instance when thinking like a software guy saved me a lot of time.

freetech

So there's an old saying that "the boss isn't always right but he's always the boss." Make sure, via email or other documented communication, that you record that the boss specifically requires WEP as part of your job assignment. Persuade if you can (again via written record), but do what you are required - and document, document, document.
I have a customer who refuses to use any encryption OR passwords. Document, document, document.

Darthn3ss

just wire it. run your ethernet cables along the floor and duct tape them every few feet.

freetech

Better yet, .
use powerline and convince him it's wireless because you didn't "run cables"

KGhaleon

No, better!
Cut the cables on the back of his computer and tell him that it's now wireless.