os2-wireless_users@2rosenthals.com Message #941

From: "Lewis G Rosenthal" <os2-wireless_users@2rosenthals.com>
Subject: Re: [OS2Wireless]The 'Final' Nail in WEP's Coffin?
Date: Sun, 08 Apr 2007 13:19:55 -0400
To: OS/2 Wireless Users Mailing List <os2-wireless_users@2rosenthals.com>

On 04/08/07 09:49 am, Sam Lewis thus wrote :
Carl Gehr wrote:

On Sat, 7 Apr 2007 15:29:19 -0700, Neil Waldhauer wrote:

 

On Sat, 07 Apr 2007 17:42:34 -0400 (EDT), "Carl Gehr"
<os2-wireless_users@2rosenthals.com> wrote:

  
Either eCS provides support, or users will find that they
can no longer attach to any wireless site that cares about a
secure network.
    
I'm sure that's true, but in several years of using wireless on eCS, I haven't
encountered a public, secure network.

The current GenMac/XWLan is quite nice for using public, unsecured wireless. I
use it often.

Neil
  

Neil,
<snip>
So, let's say I want to improve the speed of MY network from the
802.11b that I currently have, to 802.11g.  I need a new router/AP, but
it does not support WEP, only WPA2 to promote a more secure
environment.  Of course, when I make the router/AP change, I would
expect to use my new TPad T60s that support 'g' access and WPA2.
<snip>
Carl,
Thanks for the link to the article.  I find these interesting.

However, if one wants/requires a secure network then WiFi shouldn't be used, period.  I don't care what type of encryption/security scheme is employed, WiFi will always be vulnerable because there will always be some intelligent hacker with too much time on their hands with nothing to do but crack networks.  Heck, as per your article, governments will pay these hackers to crack the networks.

My company doesn't allow WiFi on the corporate network.  I expect that is a common policy with most major companies as well as with government agencies.  A friend of mine just got rid of all his WiFi equipment because his wife's government employer won't allow it to be used when she VPN's into the work network.

So the bottom line is if you really require a secure network then the only way to accomplish that is physical security.  How good is the lock to your network closet? :)

Good points, all (and good article, too; thanks, Carl). However, I think Carl's point is that it is necessary for us to have WPA2 support in order to continue as a viable platform. Carl, AFAIK, *all* GenMAC-supported cards are compatible with the WPA/WPA2 supplicant we now have, so once support is available for your 3945ABG, WPA2 capability will be there by default.

Sam, the first thing we are (were?) taught in NetWare management class, insofar as securing the server is concerned, is to put a lock on the server room door. ;-)

WEP is no longer a viable option for security, providing little more protection than turning off SSID beaconing or employing MAC filtering (it will effectively eliminate unintentional trespassing by roving clients, but anyone with the desire to actually break in can do it rather easily). Now, insofar as wireless connections not being secure over VPN links, I guess that depends upon whether the VPN link is client-to-site or site-to-site. In the former case, the transmission is encrypted end-to-end, so the fact that the connection travels over the air should have no less security than if it were to travel across the net (packets can be sniffed in either place). However, if the VPN is established between the home router and the remote network (site-to-site), then connections between the router (AP) and the wireless client could indeed be sent unencrypted to the local router, and encrypted from that point on. In that case, the wireless link does provide a real chink in the armor.

BTW, I saw Laura Chappell demonstrate cracking 104-bit WEP in about a minute. When it gets to the point where setting up the security takes longer than breaking it, it's time to go to something else. ;-)

I think the trick to effective WPA configuration will be when these AP/router combo boxes come with USB ports and a small memory stick, which will allow the settings to be downloaded to the stick and then plugged into the computer to be configured. A simple XML file would be read by the client software, and a new profile created for the newly encrypted network. This would take all the pain out of manually typing in encryption keys with symbols, numerals, and letters, and allow for even longer keys, making the encryption harder to break (though 256-bit AES is pretty tough).

--
Lewis
------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
Accountants / Network Consultants
 New York / Northern Virginia           www.2rosenthals.com
eComStation Consultants                  www.ecomstation.com
Novell Users Int'l       www.novell.com/openenterpriseserver
Need a managed Wi-Fi hotspot?               www.hautspot.com
------------------------------------------------------------
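
An added example, not part of the original message or of any project mentioned in it: one way the client side of the USB-stick idea above could work, reading a profile, deriving the WPA2 pre-shared key from the passphrase and SSID, and emitting a wpa_supplicant network block. The XML element names and the function names are hypothetical; the key derivation and the network-block fields are the standard ones.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of the hypothetical profile an AP could write to the stick.
SAMPLE_PROFILE = """<wifi-profile>
  <ssid>IEEE</ssid>
  <security>WPA2-PSK</security>
  <passphrase>password</passphrase>
</wifi-profile>"""


def derive_psk(passphrase: str, ssid: bytes) -> str:
    """WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32).hex()


def profile_to_network_block(xml_text: str) -> str:
    """Turn the (hypothetical) XML profile into a wpa_supplicant network block."""
    # The stick is untrusted input: refuse DTDs so entity-expansion tricks never parse.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in a profile")
    root = ET.fromstring(xml_text)
    ssid = (root.findtext("ssid") or "").encode("utf-8")
    security = (root.findtext("security") or "").strip().upper()
    if security != "WPA2-PSK":
        # Never silently fall back to WEP or an open network.
        raise ValueError(f"refusing security type {security!r}")
    psk = derive_psk(root.findtext("passphrase") or "", ssid)
    return "\n".join([
        "network={",
        f"    ssid={ssid.hex()}",  # hex form avoids quoting problems in the SSID
        "    proto=RSN",
        "    key_mgmt=WPA-PSK",
        "    pairwise=CCMP",
        f"    psk={psk}",
        "}",
    ])


if __name__ == "__main__":
    print(profile_to_network_block(SAMPLE_PROFILE))
```

The sample passphrase and SSID are the published IEEE 802.11i test values, so the derived key can be checked against the standard; a real profile would carry a long random passphrase.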

