Chris Hull wrote:
>
> We're going wireless on campus and I need to look at the security of
> wireless data.  I thought I read that WEP had been broken?  Is there
> a consensus about if 128 bit WEP is good to use?
>

WEP is useless on any campus of significant size, because you need
to distribute the key to every user.  When that many users share a
secret key, it isn't a secret.

Even if you don't have that problem, 128 bit WEP is statistically
vulnerable.  An attacker can can be expected to break your key after
collecting a few hundred megabytes of data from your link.  If they
get lucky they can do it with less, and I believe there are some
additional vulnerabilities I'm not accounting for that shift the
probabilities even further in their favor.

See http://www.isp-planet.com/technology/2001/wep_p2.html for info
about this.

They can do the monitoring from surprising distances if they use a
high-gain antenna.

Basically, WEP keeps casual snoopers out of your network, but probably
won't stop a real attacker.  For that use, 64 bit WEP might be
preferable to 128 bit: on many cards, it is significantly faster.

You should use additional encryption for anything moving through WEP.
If you can manage it, the best solution is probably to set up a VPN
for your wireless users, and make sure that only authenticated users
can reach anything from your wireless network.

> Chris Hull
> Manager, Information Systems
> Sindecuse Health Center
> Western Michigan University

--

*********************************************************
  Bob Johnson            Senior Systems Programmer
  [log in to unmask]        College of Engineering
                         501 Weil Hall
  352-392-9217 Office    University of Florida
  352-392-7063 Fax       Gainesville, FL  32611
*********************************************************
  "Security is not a product, it's a mentality."           .         .