Hardening Wireless LAN Connections, Part 2
By: McGraw-Hill/Osborne
    2004-08-25

    Table of Contents:
  • Hardening Wireless LAN Connections, Part 2
  • Hardening Wired Equivalent Privacy (WEP)
  • Hardening WiFi Protected Access (WPA)
  • Temporal Key Integrity Protocol
  • Configuring WPA Using RADIUS/802.1x
  • Hardening WLANS with Virtual Private Networks
  • Hardening with WPA Using Pre-shared Keys
  • Summary

    Hardening Wireless LAN Connections, Part 2 - Hardening Wired Equivalent Privacy (WEP)


    (Page 2 of 8 )

    As the name implies, WEP was designed to provide privacy to wireless connections on par with a wired connection. WEP was part of the original 802.11 standard and is used by all three wireless standards. It was designed to prevent eavesdropping and data tampering and to prevent unauthorized access to the wireless network. WEP uses the RC4 stream cipher and combines a 40-bit or a 104-bit WEP key with a 24-bit random number known as the initialization vector (IV). This results in either a 64-bit or 128-bit encryption key. Because the IV changes with every message, a new encryption key is generated for each message. Before transmitting, WEP combines the encrypted data packet (known as the ciphertext) with the clear-text IV. The IV is sent in clear text because the destination needs to know the IV used to generate the encryption key. The receiver then uses the WEP key and the attached IV to decrypt the packet.

    Unfortunately, for all this effort, WEP has some significant security flaws that make it a very ineffective protocol. Although WEP is better than nothing, a hacker can crack WEP in 15 minutes or less, depending on the amount of traffic they can sniff. This is attributed to the following flaws:

    • WEP key recovery: WEP uses the same WEP key and a different IV to encrypt data. The IV has a limited range of values (from 0 to 16777215) to choose from, and eventually it uses the same IV over and over. By sniffing the wireless network and picking the same IVs out of the data stream, a hacker can gain enough information to figure out what the WEP key is.

      One Step Further: RSA Security has developed a solution that addresses the weak WEP key methods. It is called the Fast Packet Keying Solution and utilizes a hashing mechanism to dynamically generate unique WEP keys for each packet, thus preventing a hacker from being able to determine the WEP key. You can find more information about this at http://www.rsasecurity.com/newsletter/wireless/2002_winter/feature.html and http://www.rsasecurity.com/rsalabs/technotes/wep-fix.html.

    • Unauthorized data decryption: Once the WEP key is known, a hacker can transform the ciphertext into its original form and gain access to the original unencrypted data.

    • Violation of data integrity: Once the original data has been decrypted, a hacker could potentially use the hacked WEP key to change the ciphertext and forward the changed message to the destination.

    • Poor key management: WEP keys are typically static keys that, once configured on a device, remain the same from that point forward. The problem is exacerbated when an employee leaves the company because the WEP key really needs to be changed to ensure security. Unfortunately, this is not a practical solution if your company has hundreds or thousands of wireless devices because they will all need to be configured with the new WEP key.

      One Step Further: Some vendors address the key-management issue through the use of proprietary “dynamic WEP” mechanisms. This causes the systems to dynamically generate WEP keys that devices will use in conjunction with 802.1x authentication. Essentially, a new secret key is generated for each client that is authenticated. Although this can increase the security of WEP, because these are proprietary implementations, they are only practical if you use wireless devices that support the mechanism. 

    • No access point authentication: WEP functions by allowing the wireless clients to authenticate the WAP; however, the WAP has no means of authenticating the client. Consequently, a hacker can reroute the data to access points through an alternate and unauthorized path.
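
    The per-packet keying described above and the IV-reuse weakness from the first bullet, as an added example that is not part of the original article. The key, IV and plaintexts are constructed sample values, the integrity check value that real WEP appends is left out, and the collision estimate assumes IVs are picked at random.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """RC4 key = 24-bit IV prepended to the static 40/104-bit WEP key.
    The frame is the clear-text IV followed by the ciphertext."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes, WEP key 5 or 13 bytes")
    return iv + xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))

def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    """Receiver rebuilds the same RC4 key from the attached IV."""
    iv, ciphertext = frame[:3], frame[3:]
    return xor(ciphertext, rc4_keystream(iv + wep_key, len(ciphertext)))

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday estimate: chance that two of `frames` random IVs match."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))

# Constructed sample data: one static 104-bit key, two frames, same IV.
KEY = bytes.fromhex("0102030405060708090a0b0c0d")
IV = bytes.fromhex("a1b2c3")
P1 = b"first sample msg"
P2 = b"second sample tx"
F1 = wep_encrypt(KEY, IV, P1)
F2 = wep_encrypt(KEY, IV, P2)

# Same key and same IV give the same keystream, so XORing the two
# ciphertexts cancels it and leaves P1 XOR P2 without touching the key.
LEAK = xor(F1[3:], F2[3:])
```

    With only 16,777,216 possible IVs, the estimate passes 50% after roughly 5,000 frames, which is why a static key cannot be kept safe by the IV alone.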

    Although these flaws may seem to imply that one should not use WEP, this is not correct. If you have the ability to use a better protection mechanism, such as WPA or 802.11i, do so. If you can’t, though, WEP is still better than nothing—even with the flaws.

    For your Cisco Aironet 1200, you can configure WEP at the Security | Encryption Manager screen, shown next. Select WEP Encryption and choose Mandatory from the drop-down list. Enter the four 128-bit encryption keys and click Apply when you’re finished.


    For your Linksys WAP54G, the first step of configuring WEP is to enable wireless security at the Setup | Basic Setup screen. Next, you should click Edit Security Settings. This will present you with the Security Settings screen, shown next. Select WEP for the security mode. Select “128 bits 26 hex digits” for the WEP Encryption. Enter a passphrase that meets the requirements of your password security policy and click Generate. This will generate the WEP keys you will need to enter on your wireless clients. When you have finished, click Save Settings to close the Security Settings screen.


    You can enable WEP on your Dell TrueMobile 2300 at the Basic Settings | Wireless Security screen. Once you check Enable Wireless Security and select WEP from the Network Authentication drop-down list, you will be presented with the WEP Settings section, shown next. Select “104 bits(13 characters)” for Key Length and enter a 13-character key value for all four keys that conforms to your password security policy. When you have finished, click Save & Apply. When prompted, click Save & Restart.

