Security – Is WEP used in conjunction with a wireless access list adequate security

hackingSecuritywifiwpa

I use a Netgear wireless router, with various wireless devices connecting to it. One of my wireless devices doesn't support WPA2 security, so I had to downgrade the security on the router to WEP.

We all know WEP is broken, so as an added measure I enabled a wireless access list on the router so that only devices with specified MAC addresses which are in my access list are permitted to connect to the router.

I know it is possible to spoof a MAC address from a device for the purposes of accessing a secure network like this. But is it easy? Is using WEP and a wireless access list good enough to prevent most hacking attacks? Or should I do whatever I can to ensure all devices support WPA2 in the future?

Best Answer

No.

WEP is trivial to break. MAC addresses aren't secure. They can be trivially spoofed. Take a look at The six dumbest ways to secure a wireless LAN:

MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person's name tag and compares it to his list of names and determines whether to open the door or not.

Related Solutions

WiFi Security – WPA vs WPA2 Security Considerations

WPA is "pretty secure", while WPA2 is "very secure". There are partial attacks against WPA in the wild already, and more complete attacks are expected to appear over time. WPA2 (using AES rather than TKIP) has no known vulnerabilities yet.

As you said, the decision as to which you choose is mostly up to the value of your data, but my personal suggestion is to migration to WPA2 now, rather than having to do it when a practical attack is discovered sometime in the next few years. Putting your wireless on a segregated subnet and treating it almost like "the internet" in terms of what access is allowed is also a good idea, given how easy it is to sniff.

Nice summary page: http://imps.mcmaster.ca/courses/SE-4C03-07/wiki/bournejc/wireless_security.html#2

EDIT: actually, the aircrack-ng team don't think WPA will be cracked anytime soon.

Cisco Aironet (802.11n models): how to put a WEP128 ssid and a WPA/WPA2 ssid on the same radio

I believe you have to use VLANs to configure different types of authentication/encryption for separate SSIDs on the same radio. For example

dot11 ssid my_wpa_network
   vlan 1
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   infrastructure-ssid optional
   wpa-psk ascii 7 [...cut...]
!
dot11 ssid my_wep_network
   vlan 2
   authentication open 
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 key 1 size 128bit 7 [...cut...] transmit-key
 encryption vlan 2 mode wep mandatory
 ssid my_wep_network
 ssid my_wpa_network
 [... other stuff here ...]
!
interface Dot11Radio0.1
  encapsulation dot1q 1 native
  bridge-group 1
!
interface Dot11Radio0.2
  encapsulation dot1q 2
  bridge-group 2
!
interface Dot11Radio1
 encryption vlan 1 mode ciphers aes-ccm 
 ssid my_wpa_network
 [... other stuff here ...]
!
interface Dot11Radio1.1
  encapsulation dot1q 1 native
  bridge-group 1
!
interface FastEthernet0.1
  encapsulation dot1q 1 native
  bridge-group 1
!
interface FastEternet0.2
  encapsulation dot1q 2
  bridge-group 2

If you are not using VLANs on the wired side I have found that you can adjust the bridge group statement for the other radio subinterfaces to reflect the native bridge group 1 and get them all to connect to a single Layer 2 LAN but that is not a supported configuration by Cisco.

Best Answer

Related Solutions

WiFi Security – WPA vs WPA2 Security Considerations

Cisco Aironet (802.11n models): how to put a WEP128 ssid and a WPA/WPA2 ssid on the same radio

Related Topic