Increasing the security of WEP?


anguish79

Got an issue I'm trying to develop a potential solution to.

A client has a rather large wifi network at one of their production facilities. The problem we're facing is that it's WEP-based, and due to certain wireless devices, can apparently only be WEP. It's also a single network across the board, no DMZ's or anything.

Knowing that WEP is fairly easy to crack, is there anything that can be done to increase the security? This would have to be no cost at the moment as there is no budget for new hardware. I'm already planning on advising them to look into new scanners that can support at least WPA, but that wouldn't be for another six months until the new fiscal year.

The AP's are Cisco 1200's too.

Thanks!

Link to comment
Share on other sites

All you can do to secure the wireless is enable MAC address filtering and disable SSID broadcasting. This won't actually stop anyone, just makes it slightly more inconvenient.

What you need to do is have two separate networks. The wireless is its own network and everything else is its own network with routing between the two. Then, you need to secure the data that is going over the wireless; a VPN would be the blanket solution, how feasible that is for you I don't know.

Link to comment
Share on other sites

Yeah, they seriously need to invest in a DMZ for the wireless. You need to make it very clear to them that currently there is no real difference between what they have and emailing trade secrets to their competitors. You could simply take a computer, add a 2nd NIC, and use pfSense to act as a transparent bridge firewall. Then re-patch or VLAN your WAP's into a separate network that connects to this on one side, and your production network on the other. Even with WPA, wireless is not secure and should always be treated as a publicly accessible network no matter what measures you have in place.

I like pfSense more than Smoothwall et al, so I will recommend it. However, there are other similar solutions you may prefer, so do some research. Microsoft ISA will work perfectly for this role, it's just not as cheap.

Link to comment
Share on other sites

Thanks for the suggestions!

VPN is probably not an option. Based on what I am reading, the devices that are restricted to WEP don't support anything like that. Obviously for the laptops that use the same network, this is not an issue.

I'm going to have to look into the AP's and VLAN'ing them though and putting them on a DMZ. I believe most of the switches (if not all of them) are Cisco, so it's just a matter of dusting off the Cisco skills.

A mental note I'm going to have to check on too is to see if the AP's are plugged into anything that would make VLAN'ing difficult. Going to have to dust off my knowledge on VLAN's too.

Link to comment
Share on other sites

Got an issue I'm trying to develop a potential solution to.

A client has a rather large wifi network at one of their production facilities. The problem we're facing is that it's WEP-based, and due to certain wireless devices, can apparently only be WEP. It's also a single network across the board, no DMZ's or anything.

Knowing that WEP is fairly easy to crack, is there anything that can be done to increase the security? This would have to be no cost at the moment as there is no budget for new hardware. I'm already planning on advising them to look into new scanners that can support at least WPA, but that wouldn't be for another six months until the new fiscal year.

The AP's are Cisco 1200's too.

Thanks!

By saying scanner and production environment I'm taking a leap and assuming that you may be using Symbol wireless barcode scanners. Perhaps the handheld units running WM5.0.

What we did was to disable DHCP on the router, use static IPs and set a very restrictive subnet mask (max 6 devices), turn off SSID broadcasting, turn on MAC filtering. Since these scanners were the only thing that was wireless, we locked down the router to only pass traffic on the port(s) that were needed and then only to the IPs needed. We blocked HTTP(S), FTP, IRC, et al.

We also put a policy in place to change the WEP key routinely.

Link to comment
Share on other sites
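
The lock-down described in the post above (static IPs in a small subnet, traffic passed only to the needed ports and IPs), as an added example that is not part of the thread: it checks constructed flow records from the WEP segment against that allow-list so anything unexpected stands out. The subnet, scanner addresses, server address and port are assumed values.

```python
import ipaddress

# Assumed addressing for illustration; none of these values come from the thread.
SCANNER_NET = ipaddress.ip_network("192.0.2.8/29")  # a /29 leaves 6 usable hosts
ASSIGNED = {ipaddress.ip_address(a)                  # static IPs actually handed out
            for a in ("192.0.2.9", "192.0.2.10", "192.0.2.11")}
ALLOWED = {(ipaddress.ip_address("198.51.100.20"), "tcp", 4000)}  # hypothetical scanner server

# Constructed flow records, one per line: "src dst proto dport"
SAMPLE_FLOWS = """\
192.0.2.9 198.51.100.20 tcp 4000
192.0.2.10 198.51.100.20 tcp 443
192.0.2.13 198.51.100.20 tcp 4000
192.0.2.77 198.51.100.20 tcp 4000
192.0.2.11 203.0.113.5 tcp 21
"""

def classify(src, dst, proto, dport):
    """Return (verdict, reason) for one flow seen on the WEP segment."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src not in SCANNER_NET:
        return "deny", "source outside scanner subnet"
    if src not in ASSIGNED:
        # DHCP is off, so a spare address in use was configured by hand.
        return "deny", "unassigned static address in use"
    if (dst, proto.lower(), int(dport)) not in ALLOWED:
        return "deny", "destination or port not on allow-list"
    return "allow", "scanner to permitted service"

def review(flow_text):
    """Classify every well-formed record; skip blank or malformed lines."""
    results = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        results.append((line, *classify(*fields)))
    return results

if __name__ == "__main__":
    print("usable hosts:", len(list(SCANNER_NET.hosts())))
    for line, verdict, reason in review(SAMPLE_FLOWS):
        print(f"{verdict:5} {line}  ({reason})")
```

A flow marked "allow" only means it matches the policy; a spoofed scanner address talking to the permitted port looks identical, which is why the rule set limits what a cracked key can reach rather than who can use it.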

Oops. Meant to leave out that they're barcode scanners, but that's exactly what they are. I'm not sure who the manufacturer is though, but according to the guy down there who knows them, they are DR-DOS-based.

Not sure on the feasibility of that approach, but I am going to investigate it. I'm all for locking it down, but I need to find out how many scanners I'm looking at, as well as how many laptops (since I know they are all using the wireless as well).

Link to comment
Share on other sites

Cisco sticky MAC addresses are your friend.

You need to set up the permitted quantity on the interface, which will relate to that of the WEP users, so it won't scale above 20-ish without being a nightmare, but it's the quickest medium fix you can get. If you watch the latest episode of Hak5, they cover SSL VPN; would that not resolve your issues? Also, is your WEP 64, 128, etc.?

It's just a thought I have: an app that uses the time and date to generate a WEP key that is matched by the access point, i.e. a key that cycles throughout the day would increase security, mmmmmmm.

Anyways, I will keep thinking.

Link to comment
Share on other sites

Because of the devices, VPN'ing isn't easy. But, it sounds like we're going to be looking very seriously at implementing a hybrid of the suggestions here. Going to be a pain in the arse, and I need to get my duff back down here again to do it, but it sounds like fun. :)

Link to comment
Share on other sites

The extra two minutes it takes really doesn't make a difference.

QFE!

Spoonwep can crack WEP in less than 3 minutes on a decent machine with a good card. Doesn't matter what level of WEP encryption it is.

Link to comment
Share on other sites

Honestly, though, none of these steps that involve still using WEP are gonna make you any more secure. If a hacker is looking at cracking your network, he's probably in Backtrack 3. It would take him only, what, 30 seconds more to find out what MAC addresses and IP addresses are authorized on your network by sniffing it...

Link to comment
Share on other sites

Honestly, though, none of these steps that involve still using WEP are gonna make you any more secure. If a hacker is looking at cracking your network, he's probably in Backtrack 3. It would take him only, what, 30 seconds more to find out what MAC addresses and IP addresses are authorized on your network by sniffing it...

I don't disagree, although I'm not in total agreement either. WEP is inherently insecure, we know that. But, if it's on a separate and more locked down network, the potential damage points can be minimized.

That said, I still have more research to do. The only thing that would truly make it secure involves pulling power cables. :)

Link to comment
Share on other sites

I don't disagree, although I'm not in total agreement either. WEP is inherently insecure, we know that. But, if it's on a separate and more locked down network, the potential damage points can be minimized.

That said, I still have more research to do. The only thing that would truly make it secure involves pulling power cables. :)

But, currently, the damage points are pretty large ;) It's like taking an elephant and putting some camouflage on it :P

Nevertheless, I s'pose the camouflaged elephant is less likely to get shot than the one standing out in the open. But, neither option is that good :(

Link to comment
Share on other sites

I don't disagree, although I'm not in total agreement either. WEP is inherently insecure, we know that. But, if it's on a separate and more locked down network, the potential damage points can be minimized.

That said, I still have more research to do. The only thing that would truly make it secure involves pulling power cables. :)

I am thinking the more you know about this stuff = lesser amount of damage points taken. I don't see why someone would log into their router and purposely use WEP instead of some kind of WPA method, when all you have to do usually is click it from the same drop-down menu. Yes, you can make it so your SSID does not appear when the area is scanned in your WiFi radius; it all depends, I guess, on what kind of network you are trying to build, and I am nowhere near to being a network genius.

Link to comment
Share on other sites

MaxRabbit, Yeah, a camouflaged elephant is less likely to get shot. But, I'm also unfortunately limited with what I can do as well, so camouflage it is.

555, unfortunately the overall issue is that due to some barcode scanning devices, the network was and has been at WEP for quite a while. Dealing with the fact that the company has no IT budget this fiscal year (and I'm finding out now it also looks like little to none for next fiscal year as well), I'm trying to increase the security doing what I can. The ESSID is already set to not broadcast, but we all know that does next to nothing.

If I could rebuild the entire infrastructure from the ground up, I would, but sadly, that's not an option.

Link to comment
Share on other sites

I take it they walk around with said barcode scanner and it reports back to some terminal/printing station, like to print labels for shipping and stuff? I know someone who works in a warehouse and has the same type of setup, so just guessing here.

One thing you can try to do: separate the network into two different networks, one for the barcode process, the other for the rest of the company's important stuff, and set them up with WPA on the corporate side, leave WEP only for the scanner stuff with no internet access/LAN access to the rest of the company. At least that way, the only process that needs WEP is the barcode stuff, while the other side of the network that needs more security uses at least WPA.

Link to comment
Share on other sites

I take it they walk around with said barcode scanner and it reports back to some terminal/printing station, like to print labels for shipping and stuff? I know someone who works in a warehouse and has the same type of setup, so just guessing here.

One thing you can try to do: separate the network into two different networks, one for the barcode process, the other for the rest of the company's important stuff, and set them up with WPA on the corporate side, leave WEP only for the scanner stuff with no internet access/LAN access to the rest of the company. At least that way, the only process that needs WEP is the barcode stuff, while the other side of the network that needs more security uses at least WPA.

That's pretty much it right there. Next time I'm down there I am going to do some more investigation on it to confirm how it works exactly, but that's basically it. And that's along the lines of what I'm thinking as well. WEP for them, separate LAN, and WPA for the corporate. They'd shit bricks if I took their ability to use their laptops wirelessly away from them. :D Thankfully, they realize there is a very real security risk also though (especially after taking some pics of me cracking the network while sitting outside of the building over the weekend).

Link to comment
Share on other sites

  • 2 weeks later...
That's pretty much it right there. Next time I'm down there I am going to do some more investigation on it to confirm how it works exactly, but that's basically it. And that's along the lines of what I'm thinking as well. WEP for them, separate LAN, and WPA for the corporate. They'd shit bricks if I took their ability to use their laptops wirelessly away from them. :D Thankfully, they realize there is a very real security risk also though (especially after taking some pics of me cracking the network while sitting outside of the building over the weekend).

Good man, scare the shit out of them and maybe you'll get a budget :P

So keep us updated on what's happening!

Link to comment
Share on other sites

Yeah, it used to make me lol at this all the time: they give you no cash to make or keep the network and systems safe, but they want it as safe as a bank,

and if anything goes wrong or someone gets in, you get feked over even though you told them what you need to make it safer for them.

I think it's time to scare them even more and show them an Interceptor on a Fon and show them that they don't need to be sitting right outside the workplace no more.

Link to comment
Share on other sites
