Wireless security in "bridge mode"?

[edmicman]

So I was reading this following article by Brian Livingston this morning:http://windowssecrets.com/comp/050526/

I thought it was pretty good, and made me think about my existing wireless network and the new one I'm going to be setting up this weekend.

But then I wondered about a situation at work: We have two older Linksys WAP11 wireless access points that we are using in bridge mode to remotely connect another building to our internal network. They are set to use WEP (which I think is the only thing available), and basically they just each have the MAC address of the other for the bridge mode to work. Is this a security concern, too, or not so much because of the bridge mode?

 

[edmicman]

bump?

 

[Tostada]

I think that article is a bit too harsh on WEP. Yeah, it can be cracked, but it takes a lot of time and effort. You pretty much have to be running Linux, and there are only a few programs and a few compatible network cards. It can take a million intercepted packets or more to crack a 104-bit WEP key. That's a really long time if there's not a ton of traffic on the network.

People will often try to ping-flood you to generate traffic on the network if they're intercepting packets trying to crack the key, and that's something you can look for.

That article's just trying too hard to scare you. It's not like cracking the network key instantly gives the hacker access to your entire hard drive.

There are so many totally unprotected networks out there that your WEP network is pretty safe. People will just find another network to play around on. They have to really want to get in.

That said, I certainly wouldn't buy any new hardware that didn't support WPA2.

 

[StormRider]

That worries me too. I am using Belkin routers and in bridge mode, WPA doesn't work and I have to use WEP.

 

[JackBurton]

As the article states, WEP used to take awhile to crack (had to intercept 600MB-1GB worth of data to decrypt the WEP key), but now it can be cracked VERY quickly. No longer does the attacker have to sit back and just capture data. He can now inject packets to speed up the decryption process. With this method, a WEP key can be taken down within minutes (<3minutes). If you are at home, I don't like WEP but it should scare off noobs. If you are running a business, dump WEP QUICK. I wouldn't use anything less than WPA. If you REALLY want to be hard core, RSA authenication would be the best. But WPA and WPA2 are pretty damn good. Those APs (WAP11) are cheap, dump them and buy newer ones that support at least WPA, WPA2 preferably.

 

[Tostada]

Originally posted by: JackBurton
As the article states, WEP used to take awhile to crack (had to intercept 600MB-1GB worth of data to decrypt the WEP key), but now it can be cracked VERY quickly. No longer does the attacker have to sit back and just capture data. He can now inject packets to speed up the decryption process. With this method, a WEP key can be taken down within minutes (<3minutes). If you are at home, I don't like WEP but it should scare off noobs. If you are running a business, dump WEP QUICK. I wouldn't use anything less than WPA. If you REALLY want to be hard core, RSA authenication would be the best. But WPA and WPA2 are pretty damn good. Those APs (WAP11) are cheap, dump them and buy newer ones that support at least WPA, WPA2 preferably.

Really? What are they using?

Are you just talking about ping flooding then intercepting packets?

Is there something a lot better than AirCrack? I certainly haven't seen anything close to cracking a key in 3 min... maybe a 40-bit key.

 

[JackBurton]

Originally posted by: Tostada

Originally posted by: JackBurton
As the article states, WEP used to take awhile to crack (had to intercept 600MB-1GB worth of data to decrypt the WEP key), but now it can be cracked VERY quickly. No longer does the attacker have to sit back and just capture data. He can now inject packets to speed up the decryption process. With this method, a WEP key can be taken down within minutes (<3minutes). If you are at home, I don't like WEP but it should scare off noobs. If you are running a business, dump WEP QUICK. I wouldn't use anything less than WPA. If you REALLY want to be hard core, RSA authenication would be the best. But WPA and WPA2 are pretty damn good. Those APs (WAP11) are cheap, dump them and buy newer ones that support at least WPA, WPA2 preferably.

Really? What are they using?

Are you just talking about ping flooding then intercepting packets?

Is there something a lot better than AirCrack? I certainly haven't seen anything close to cracking a key in 3 min... maybe a 40-bit key.

Here you go man, 128bit WEP key cracked in 3 minutes.

"At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes."

Article

 

[edmicman]

THanks for the info - but how does all that apply to the WAPs in bridge mode? I understand the risks of running them as access points that a computer would connect to, but are the risks same if they are in bridge mode and just connecting to another WAP?

 

[n0cmonkey]

There are risks to anything. Setup a VPN, and you'll be set.

 

[Tostada]

Originally posted by: JackBurton
Here you go man, 128bit WEP key cracked in 3 minutes.

"At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes."

Article

Hmm... Now I'm wondering if I should keep waiting for N...

I don't think my data's important enough for anyone to care.

 

[JackBurton]

Originally posted by: Tostada

Originally posted by: JackBurton
Here you go man, 128bit WEP key cracked in 3 minutes.

"At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes."

Article

Hmm... Now I'm wondering if I should keep waiting for N...

I don't think my data's important enough for anyone to care.

Nah, you don't need N. G will support WPA2. You just have to find an AP/Wifi card that supports WPA2. (Hint: Linksys WRT54G)

 

[edmicman]

doh, "b" doesn't support WPA OR WPA2, does it? I've got the wireless router, but I think I need a new mini-pci card for my laptop that supports "g" to use the advanced protection, right?