RE: [WIRELESS-LAN] Wireless encryption

[Frank Bulk]

Doesn't take that many packets any more: http://www.tomsnetworking.com/Sections-article111.php http://www.securityfocus.com/infocus/1814 http://www.securityfocus.com/infocus/1824 http://blogs.zdnet.com/Ou/index.php?p=41   Once it's cracked, they can go back and look at all the packets using that key.  Of course, dynamic WEP in place is better than nothing, but progress should be made toward WPA/WPA2-Enterprise.  If you don't have anything now and are looking for a L2 solution, skip dynamic WEP altogether.   It depends on your wireless vendor, but it might be possible to serve a mixed 802.1X-WEP/WPA using the same SSID, and transition that way.  Or just add a new SSID, and move a department/building/class one at a time.   Kind regards,   Frank   From: Ruiz, Mike [mailto:[EMAIL PROTECTED] Sent: Friday, February 03, 2006 8:44 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless encryption We’re still using 802.1x to distribute WEP keys.  It’s not that bad from a security perspective really, far from ideal granted.  While it’s getting to the point that WEP can be cracked faster it still takes a fairly significant number of packets.  If someone really wants to crack it and they succeed they only succeed for that one user.  Even if they succeed they are likely to find that most critical information is already encrypted anyway (Kerberos logins, HTTP over SSL, etc…).  We do plan on moving toward WPA or WPA2 at some point but it was a bit of work to get everyone on 802.1x over the past 4 years so it is a nice spot to rest for a bit. Mike     Michael Ruiz Network and Systems Engineer, ESSE ACP A+ Hobart and William Smith Colleges ' 1-315-781-3711 š [EMAIL PROTECTED] ¸ Monday to Friday, 08:30 A.M. – 05:00 P.M. ET All support inquiries should be initiated with the IT Services Helpdesk at ' 1-315-781-4357 or on campus x4357 š [EMAIL PROTECTED] or http://www.hws.edu/itservices From: Frank Bulk [mailto:[EMAIL PROTECTED] Sent: Friday, February 03, 2006 9:33 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless encryption   WEP keys can be distributed via dynamic WEP in conjunction with 802.1X is also possible, but I wouldn't recommend it.   Frank   From: Tillman, Don [mailto:[EMAIL PROTECTED] Sent: Friday, February 03, 2006 8:09 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Wireless encryption Anthony,   We have the Aruba system too, utilizing WPA-TKIP, which authenticates users on the AD via Microsoft’s IAS. We decided to use WPA-TKIP primarily because TKIP handles key creation as well as the interval key changes. WPA-PSK is more secure than WEP but you still have the overhead of distributing the PSK; like you would a WEP key. Sure this process could be automated, but if the key is intercepted, it must be changed to maintain the integrity of your network.   Don     From: Anthony R. Rosario [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 01, 2006 9:04 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Wireless encryption   Hello all,         Currently we have the Aruba wireless solution at our facility with a combination of the AP60’s and 70’s and we are considering using WPA-TKIP or WPA-PSK encryption. I am curious to know if any of you have deployed WPA encryption at an enterprise level and if so how were the encryption keys distributed to the end-users? Anthony R. Rosario Network Technician Fordham University Dealy Hall,  B-14 718-817-3774 ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.