I actually have a counter to all this.  WEP and its various forms will 
always be capable of being decrypted.  For Hotspots, especially those in 
tech-savvy areas of the country, and LANs using WiFi, I would do this and 
more to keep data encrypted and people off the network.  But in rural 
WISP markets, it's semi-unimportant and actually decreases the capacity 
of the network (increases latency and overhead).

Figure this, most rural networks have very few people savvy enough to 
pull off MAC cloning (I do believe you need at least MAC authentication 
for access to the network).  And those that do probably work for 
you ;).  But even if not, what's the worst they can do but steal a bit of 
bandwidth.  Hopefully we all have our Core network firewalled against our 
end users so the network infrastructure isn't unsecure.  Hopefully all of 
our customers are not sending vital information across the net 
unencrypted (hits the wide open web, and you're asking for this data to be 
stolen anyways), and hopefully we are all advising customers on 
Firewalls or NATs at a minimum.  And if we watch closely enough, we can 
detect the MAC clone, or we set up PPPoE (encrypted) to even prevent 
this.

Just my thoughts on WEP..

Scott


-----Original Message-----
From: "Breiland, Derek" <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Date: Mon, 13 Oct 2003 15:53:06 -0500
Subject: RE: [smartBridges] Auth question

> Good point Mark.  With that being said, I ask the SmartBridges folks as to
> when some of these better forms of WEP will be implemented?  As providers
> all we can provide is a best effort to keep subscriber data secure.  The
> technology to do better is out there just not available in the SmartBridges
> products.  Any ideas?
> 
>  
> 
> -----Original Message-----
> From: Mark Radabaugh [mailto:[EMAIL PROTECTED] 
> Sent: Monday, October 13, 2003 3:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [smartBridges] Auth question
> 
>  
> 
> Almost correct - but keep in mind that all of these methods are still
> vulnerable to the weak WEP key problem.   By collecting enough data (only a
> couple of hours worth) it is possible to decrypt the WEP key (even the 128
> bit version) and then connect to your network.   MAC authentication may keep
> them from associating unless they clone an existing user's MAC address - and
> they can still decode information in the user's data without associating once
> they have found the WEP key.
> 
>  
> 
> Current wireless security using WEP without any of the various patches
> (LEAP, MIC, TKIP) doesn't do any more than keep the honest people honest.
> AFAIK SmartBridges has not implemented any of the workarounds for the WEP
> key problems.
> 
>  
> 
> Mark Radabaugh
> Amplex
> (419) 720-3635
> 
>  
> 
>  
> 
> ----- Original Message -----
> From: Sevak Avakians <mailto:[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Sent: Monday, October 13, 2003 4:19 PM
> Subject: RE: [smartBridges] Auth question
> 
>  
> 
> Sorry for being such a dope on this...
> Now I think I've got it, but one more question:
> When in OPEN - OPEN, the transmissions are still encrypted, but no challenge
> is made?
> 
> So, this is why Shared is a little less secure than Open...because someone
> listening to the unencrypted challenge and resultant encrypted response from
> CPE -theoretically- would be able to figure out the key.  So, as long as MAC
> authorization is enabled and all of my real customers' MAC addresses are in
> the list, I can confidently use the Open method without fearing that
> illegal users would be able to get on the network if they don't have the
> key.
> 
> 
> 
> 
> On Fri, 2003-10-10 at 14:37, Seeni Mohamed wrote: 
> 
> Hi Sevak,
> 
>  
> 
> I am sorry if I confused you.
> 
> As you mentioned, if your APPOs are in "OPEN" with WEP keys enabled, then
> the CPE without these WEP keys will not be able to communicate with each
> other.
> 
> Here is the table of the various authentication TYPEs that can be used with
> our sB devices. Please remember that Authentication will be valid only if
> WEP encryption is enabled.
> 
>  
> 
> 
> smartbridges CPE   smartbridges Access point   Encryption   Associate   PING
> Open               Open                        64/128       Y           Y
> Shared             Shared                      64/128       Y           Y
> Shared             Open                        64/128       N           N
> Open               Shared                      64/128       N           N
> Open               Both                        64/128       Y           Y
> Shared             Both                        64/128       Y           Y
> Both               Both                        64/128       Y           Y
> 
> 
> 
>  
> 
> Here is the difference between OPEN and SHARED keys.
> 
> OPEN
> 
> During the OPEN key authentication, the CPE sends only the request, and the
> AP responds and processes the request based on the WEP encryption. With this
> authentication, the key will be hidden and not shared among the devices.
> 
> SHARED
> 
> During the shared key authentication, the access point sends an unencrypted
> challenge text string to any device attempting to communicate with the
> access point. The device requesting authentication encrypts the challenge
> text and sends it back to the access point. If the challenge text is
> encrypted correctly, the access point allows the requesting device to
> authenticate.
> 
>  
> 
> Kind regards,
> 
> Seeni
> 
> sB Tech support
> 
>  <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED]
> 
>  
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sevak Avakians
> Sent: Saturday, October 11, 2003 12:01 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [smartBridges] Auth question
> 
>  
> 
> Ok, I'm very confused by this authentication thing now.  I thought that OPEN
> meant that anyone without a matching WEP key can connect and SHARED meant
> only those with a matching WEP key can connect.  But you are saying that
> OPEN means that they still need a matching WEP key?  Is this a typo?  Does
> this mean if my APPOs are in "OPEN" with WEP keys enabled, then customers
> without these WEP keys will not be able to connect?  If this is the case,
> then what's the difference between OPEN and SHARED?  Is it that the OPEN
> does not bother encrypting after the first check to see if the CPE has the
> right keys and SHARED always encrypts using those keys?
> 
> Please help a lost soul!!!
> 
> Thanks,
> Sevak
> 
> On Thu, 2003-10-09 at 15:16, Seeni Mohamed wrote: 
> 
>  
> 
>  
> 
> The AUTHENTICATION TYPE option is provided in the Advanced TAB for the
> purpose of WEP key encryption, not for the wireless client's MAC
> authentication.
> 
> OPEN SYSTEM allows any device to authenticate and then attempt to
> communicate with the access point (null authentication).
> 
> Using OPEN SYSTEM, any wireless device can authenticate with the access
> point, but the device can only communicate if its WEP keys match the access
> point's.
> 
> Devices not using WEP do not attempt to authenticate with an access point
> that is using WEP.
> 
>  
> 
> Best regards,
> 
> Seeni
> 
> sB Tech support
> 
>  <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED]
> 
>  
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kunze
> Sent: Friday, October 10, 2003 1:48 AM
> To: [EMAIL PROTECTED]
> Subject: [smartBridges] Auth question
> 
>  
> 
> 'scuse me if this has been covered, I just joined.
> 
>  
> 
> Regarding an APPO, in the Advanced tab under Authentication Type:
> 
> If one selects OPEN SYSTEM, does that permit clients to associate even if
> their mac address isn't in the Client Auth table, or is it that they must
> still be mac authorized yet are allowed if they don't have the WEP key?
> 
>  
> 
> Thanks.
> 
>  
> 
> Rk
> 
>  
> 
> ----------ANNOUNCEMENT----------
> 
> Don't forget to register for WISPCON IV
> 
> http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm
> 
>  
> 
> The PART-15.ORG smartBridges Discussion List
> 
> To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe
> smartBridges <yournickname>
> 
> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe
> smartBridges)
> 
> Archives: http://archives.part-15.org  
> 
> 
> 
> 
> 
> 
