Wireless Network Security

[herme3]

I am securing the wireless networks at the offices of the company that I work for. I wanted to use WPA, but some of their older wireless cards aren't compatible with it. They want to use WEP, but I heard that it is very easy to decrypt. They don't want me to spend a lot of extra time working to upgrade all the wireless cards so that we can use WPA security on the networks.

 

Do you believe there are any benefits to taking the time to setup WEP? I've heard people say that using WEP is as secure as using no encryption at all.

[Klaynos]

WEP is better than nothing for the simple reason that your average idiot wont be able to break it, but it's not secure really. WPA is better but it's in no way perfect. TBH you want a wired network because then people have to physically plug into the network.

 

Make sure you lock all the devices to mac addresses, but this is simple to break also.

[Royston]

I am securing the wireless networks at the offices of the company that I work for. I wanted to use WPA' date=' but some of their older wireless cards aren't compatible with it. They want to use WEP, but I heard that it is very easy to decrypt. They don't want me to spend a lot of extra time working to upgrade all the wireless cards so that we can use WPA security on the networks.

 

Do you believe there are any benefits to taking the time to setup WEP? I've heard people say that using WEP is as secure as using no encryption at all.[/quote']

 

It entirely depends on the office you're networking (size, number of workstations et.c), and the level of security that is needed. WEP, as you say, is incredibly easy to decrypt, it's a matter of trial and error, anybody can do it. WPA as Klaynos said is harder to crack. The only problem with a wired network in an office environment, is feeding it through the partitions in the office walls, which will be timely...and possibly expensive, unless you can do it yourself.

 

I'd ask for a compromise on cost, labour and how much security they need, and take it from there.

[Cap'n Refsmmat]

WEP is enough to keep your average bored dude with a laptop sitting at the coffeshop across the street from stealing your internet access, but that's about it.

[Rhino]

What kind of business is this? I want to make sure that I don't have anything to do with them if they are going to be cheap this on securing their data. I don't know what kind of data you have, but I'm sure customers would absolutely love to know what securing their data is worth to your company.

 

Is there some way you can propose to them that spending a little on newer wireless cards can be a lot less expensive than having to recover their lost or corrupted data when the integrity of thier network is compromised?

 

I'm surprised these days with all the news about identity theft, virus threats, e-mail scams, and companies that end up with compromised data that contained all kinds of personal information that security wouldn't be a bigger priority. Does your company use virus scan and spyware programs? Or are they too cheap for that?

 

I just hope that when you get everything set for WEP that no one gets into your network and does any damamge. Because if I know how upper management works in the end you'll probably get the blame since you "secured" the network.

 

My end all solution would be a wired network, but I doubt they'd put out the cash for that if they won't buy newer wireless cards.

 

If you get enough convicing arguements on the forum print them out and lay them on your bosses desk. If that won't get you fired of course.

[Dak]

I cant remember the details, but i remember that one of the wifi thingies -- 802.11A, iirc -- is very week, so, if the buisnesses cards and router support it, you could switch over to 802.11A, and if your lucky the wireless signal might be able to go through the office but not be strong enough to penetrate that far outside. you can use tin-foil to 'aim' wifi router signals, which may help limiting the signal range aswell.

 

other than that, make sure they're not broadcasting the network name/ssid/essid, change the passwords regularly, turn off remote administration, change the default user and password for the router, filter by mac address, turn the router's hardware firewall on etc.

 

if this buisness is in any way, shape, or form involving bank details, then i'd advise reccomending they switch over to ethernet (pretty much as rhino said), or at the very least cover your own ass by making them aware of the security risks, and reccomend that they at least don't have computers that deal with, say, payroll and credit controll on the network. yes, it's a bit of a pain in the arse to have a non-networked set of computers, but it's less annoying than having a hacker get into your network and steal your company and employers bank details.

 

if it's a small/medium-small buisness -- as i suspect that it is -- that should be doable with just one computer offline (with a printer and possibly a scanner) to deal with bills for the company and payroll.

 

its a bit complecated, so someone else will have to give you the exact details, but you could probably set up a nice-looking pc in the network and set up an alarmed tarpit in it?

[herme3]

Thank you, I appreciate everyone providing their advice.

 

They are a pest control company, so they don't deal with banking or anything extremely classified. However, they do have credits card numbers in their system.

 

The company needs wireless networks because they have multiple locations. There are employees who travel to the different locations, and need to be able to easily connect using their laptops. We used to have them connect to the networks using ethernet cables, but they kept unplugging the wrong cables and messing up the networks. Therefore, we decided that wireless networks would be the best solution.

 

Security is a large concern for the company. They've spent thousands of dollars on new servers, firewalls, and computers so they can increase their security. Unfortunately, their weakest security point seems to be the wireless networks. They don't seem to realize how easily someone can capture data from a wireless network, especially since they have some offices in populated areas.

 

I've sent them information about WEP, and how easily it can be decrypted. However, they don't believe that anyone would target a pest control company when looking for data to steal. They seem convinced to stay with WEP, so I suppose I have no other choice but to use it.

[Cap'n Refsmmat]

If you can't get them to switch from WEP, just make sure that the credit card numbers are stored in a thoroughly encrypted form so that even if they are stolen, no harm will be done.

[Dak]

However, they don't believe that anyone would target a pest control company[/b'] when looking for data to steal

 

credit card companys etc would be more profatable, but also waaaaaaaaaaay more likely to be well protected.

 

other companies -- like, for example, pest control companies -- offer less rich, but easyer, pickings, so would consievably be targetted for that reason.

 

it's like saying a corner-shop wouldn't be robbed because everyone will be out robbing banks

[herme3]

I've been talking to some of the top people at the company about the wireless security issue. I don't believe that they fully understand the security issues with WEP. The top executives have been told that they will be fully protected by the firewalls. The firewalls will be installed between the DSL modems and the wireless routers. They believe that this will completely prevent anyone from seeing the data sent across the wireless networks.

 

I know the firewalls should prevent people from hacking into the network from the Internet. However, I don't know how they will do anything to secure the wireless signals. Another technical person at the company believes the firewalls will create "invisible wireless tunnels" that will directly link the wireless routers with the company's PCs. However, I've never heard of a wireless network that behaves this way. As far as I know, it would still be possible for anyone to receive the signals and decrypt the WEP data. I don't see how these firewalls will have any affect on the wireless signals.

 

Tomorrow, I'm going to meet directly with the President of the company. He is very concerned about the security, and he wants me to demonstrate how to break their WEP encryption. He has been told different things from different people, so he's not really sure what to believe. He has been told by some of the other technical people that it is completely impossible to see any of their wireless data, but I'm almost positive that it can be done.

 

I'm going to use a laptop with a wireless card to try to show him how this is a security issue for the company. I believe that all I will need is some free wireless eavesdropping software, but I've never tried to do this before. Does anyone have any suggestions?

[Cap'n Refsmmat]

Invisible wireless tunnels - does he mean a Virtual Private Network (VPN)? If so, and the VPN uses some sort of encrypted tunneling (like SSL), you should be fine.

[herme3]

Invisible wireless tunnels - does he mean a Virtual Private Network (VPN)? If so, and the VPN uses some sort of encrypted tunneling (like SSL), you should be fine.

 

Yes, we are planning to use a VPN. I don't have that much information about them yet, but I believe we will be using FortiGate firewalls at each office location. They will be the type that connect between the DSL modem and wireless router. I believe the VPNs will be setup using Windows XP Professional. I'm not sure if the VPNs can be encrypted or not.

[Cap'n Refsmmat]

VPNs can be encrypted over what is called a "secure tunnel." Ask for more details about this "secure tunnel." It could be a setup where all tunnel traffic is encrypted with SSL (the most common encrypted setup) or one of several other choices, or it could be plaintext.

 

Even if it is encrypted, however, encryption will not prevent others from being able to access the network. They will not be able to access data being sent over it, but if they can access your computers, that's worthless. This can be negated if you use a secure setup in which computers can only be accessed by authorized users, even from within the network. If they can connect but can't get into any of the computers, it's no big deal. This, of course, depends on you keeping up-to-date with security patches, and still is not good as solid WPA protection.

[bascule]

The most reliable way to secure wireless is a firewall + IPSEC... what you're ultimately after is network security, and that's much better handled at the network layer, not the datalink layer.