"Wireless Ethernet Bridge" and security?

Archived from groups: comp.dcom.lans.ethernet

Hello

I want to use a Wireless Ethernet Bridge as a kind of "cable-less cable" to
connect remote areas together.

What do you think about the security?
 
Archived from groups: comp.dcom.lans.ethernet,alt.internet.wireless

In article <4257dfaf$0$28649$636a15ce@news.free.fr>,
David Josty <dav.josty@pasemail> wrote:
:I want to use a Wireless Ethernet Bridge as a kind of "cable-less cable" to
:connect remote areas together.

:What do you think about the security ?

[Note: I have added alt.internet.wireless as it is a very valuable
source of information about wireless practices and security.]

What are your risks? How much is an outsider (or insider!) going to
desire to crack your security? How narrow can you make the
beam, how weak can you make it and get the throughput you want,
how much can you insulate to cut down the beam from outside
access? If you are thinking of 802.11b or 802.11g then three
good common insulators are metal, books, and live tree-leaves
(i.e., water cuts WiFi signals by quite a bit.) I see your posting
server is in France; if the installation is to be outdoors,
I seem to recall that you would have to use 802.11a in France:
that has slightly but significantly different signal characteristics.

If you use 64 bit WEP and an intruder can monitor your signal
for about 6 hours, they *will* be able to crack your WEP key.
128 bit WEP has basically the same flaw; the standard technical
report on the WEP64 flaw says that WEP128 should take only twice
as long to crack, but the various field reports I happen to have
seen suggest it is closer to 4 times as long. Either way, someone
who can monitor your signal for less than a day -can- crack
a WEP128 key.

The replacement for WEP is WPA. If you look around, you will find
the statement that WPA has been cracked. I looked into that recently,
and though I might have missed something, it appeared that what
was being referred to was a dictionary attack, sort of similar
to "John the Ripper" against standard unix passwords. If your
key is not a combination of words findable in some dictionary, then
even on a fast machine there would be a long search. I imagine
that in time someone will organize a distributed.net type
distributed WPA key cracking party just to show it can be done: that
implies a fundamental weakness with WPA to the extent that your
opponents are likely to be rich, dedicated, and well-organized...
so don't go around using the link for billions in electronic funds
transfers!

The way to avoid WEP and WPA problems is to have the traffic
pass through a good secure VPN encryption (e.g., IPSec with AES-512)
so that even if the opponents do manage to break the wireless key,
they get left with the much harder task of breaking your VPN.


Consumer-grade wireless ethernet bridges such as the linksys WET11
support WEP128 but not WPA. You can get wireless ethernet bridges
with stronger security, either by using one of the variant
firmwares available for some of the 802.11G devices, or by getting
a commercial-grade device such as one by Cisco.


If you are seriously considering what is essentially a consumer-grade
device then I very much recommend that you examine user reviews
of the devices, especially if you are looking at one of the very
popular 802.11g devices. I looked around recently, and found that
even the top-selling devices are only rated "mediocre" at best:
the reviews of even the top-selling devices were, I found, filled
with people saying they can't get connections, the connections
break, the devices break, the support -really- s*cks, and that they
would never *ever* buy the device again :( In that regard, you
reduce your risk significantly by separating functions: buy a wireless
device that has a good track record of holding the signal, and buy
a -separate- security device.

Alternately, go for a commercial-grade device in the first place: even
if the list price is 8 times as much, consider the "time is money"
factor, and that if you have a business need for this kind
of device, then the amount your organization might save by
getting through to a *real* technical support organization might
be worth many many times the price difference against a
consumer company device from a company that is selling at so little
markup that they can't afford a support organization that does
more than read from a script.
--
Ceci, ce n'est pas une idée.
 
Archived from groups: comp.dcom.lans.ethernet,alt.internet.wireless

"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:d392hb$c3c$1@canopus.cc.umanitoba.ca...
> In article <4257dfaf$0$28649$636a15ce@news.free.fr>,
> David Josty <dav.josty@pasemail> wrote:
> :I want to use a Wireless Ethernet Bridge as a kind of "cable-less cable" to
> :connect remote areas together.
>
> :What do you think about the security ?
> [...]
> The way to avoid WEP and WPA problems is to have the traffic
> pass through a good secure VPN encryption (e.g., IPSec with AES-512)
> so that even if the opponents do manage to break the wireless key,
> they get left with the much harder task of breaking your VPN.
> [...]


Thanks for your response.

If I understand correctly (you are right, I am French, and I don't speak
English very well), the solution for good security is "to have the traffic
pass through a good secure VPN encryption":


<LAN>====ETHERNET====<BRIDGE A>----- WIFI VPN ------<BRIDGE B>====ETHERNET====<LAN>


Is it possible to install a VPN between my two bridges if I use the
Wireless-G Broadband Router WRT54G with the OpenWrt firmware?

Do you know an easier solution?

Thanks a lot.
 
Archived from groups: comp.dcom.lans.ethernet,alt.internet.wireless

In article <42582017$0$28379$626a14ce@news.free.fr>,
David Josty <dav.josty@pasemail> wrote:
:If i understand
:The solution for a good security is "to have the traffic pass througha good
:secure VPN encryption"

:<LAN>====ETHERNET====<BRIDGE A>----- WIFI VPN ------<BRIDGE B>====ETHERNET====<LAN>

You could use this arrangement instead:

<LAN> --- <VPN DEVICE> --- <BRIDGE A> ==== wifi ===
<BRIDGE B> --- <VPN DEVICE> --- <LAN>

This way the signal that passes through the air is -already- protected
by the VPN.


:Is it possible to install a VPN between my 2 bridges, if i use the
:Wireless-G Broadband Route WRT54G with the firmware OpenWrt ?

Sorry, that is beyond my knowledge. OpenWrt itself does not
offer VPN services, but there are add-on packages that do. Some
of those packages are for use of the device as a VPN endpoint
rather than as a VPN gateway. I did not check to see what the
possibilities were for gateways. I did, though, search for
the combination of openwrt vpn bridge and the hits that I
got back did not look promising, with several of them suggesting
the combination is not known to be available yet.

:Do you know a solution more easy ?

OpenWrt appears to be a kit package, and thus (like Linux in general)
is more suitable for those who have time to learn and experiment
than for those who need something reliable quickly. If this is a
one-shot project or there is a need for commercial-level reliability
from the start, then it might not be worth using OpenWrt. If, though,
you have available time and experimental failures will be forgiven
and you expect to be able to use the knowledge in future (such as
to put in more links), then the effort could be worth it.

If the requirement is "stable" and "reliable" and that the features
already be there and well tested, then especially if you
need 802.11a (to meet French regulations) then I would suggest
a dedicated wireless bridge product such as those available from
Cisco. There are also some lesser-known wireless bridge companies
which have very good reputations, but no company names come to
mind at the moment -- someone from alt.internet.wireless can
probably give some good leads.

Commercial grade wireless bridges are several times more expensive
than the WRT54G.

If I were considering a WRT54G, I would investigate its durability.
The material I was reading recently on several of the common
consumer-grade 54G wireless devices suggested to me that, as a class
the current generation of consumer-grade 54G (802.11G) devices
are much less reliable than the 802.11B devices were. Some of the
less common manufacturers may still have good reliability records
though.
--
Walter Roberson is my name,
And Usenet is my nation.
Cyber space is my dwelling place,
And flames my destination.
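The arrangement Walter Roberson recommends above (VPN device between the LAN and each bridge, so the wireless layer only ever carries VPN ciphertext) is easy to reason about once it is written as two independent encryption layers. The following is an added example and not code from the thread or from any VPN product: it models the link-layer key (WEP/WPA) and the VPN key as separate encrypt-then-MAC layers, lets an attacker who has recovered the link key strip that layer, and shows what they are left with in each arrangement. Python's standard library has no AES, so the stream cipher is HMAC-SHA256 run in counter mode (a PRF, which is a sound construction) rather than the AES/IPsec the post names; the HTTP request used as the LAN frame and both keys are constructed for the demonstration.

```python
"""VPN under the bridge: what an attacker with the wireless key still gets.

Added example, not from the original posts. Models
  LAN --- VPN DEVICE --- BRIDGE A ==== wifi ==== BRIDGE B --- VPN DEVICE --- LAN
as two nested encrypt-then-MAC layers with independent keys. The cipher is
HMAC-SHA256 in counter mode (stdlib only); a real deployment uses IPsec.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF. (key, nonce) must never repeat."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


class AeadLayer:
    """One encryption layer: packet = nonce(16) || ciphertext || tag(32).

    Encrypt-then-MAC with separate keys; the tag covers nonce and ciphertext,
    so any modification of the packet is rejected before decryption.
    """
    NONCE, TAG = 16, 32

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key

    def seal(self, payload: bytes) -> bytes:
        nonce = secrets.token_bytes(self.NONCE)
        ks = keystream(self.enc_key, nonce, len(payload))
        ct = bytes(p ^ k for p, k in zip(payload, ks))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, packet: bytes) -> bytes:
        nonce, ct, tag = packet[:self.NONCE], packet[self.NONCE:-self.TAG], packet[-self.TAG:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: packet modified or wrong key")
        ks = keystream(self.enc_key, nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


def new_layer() -> AeadLayer:
    """Fresh random keys; in practice the VPN and the bridge get different ones."""
    return AeadLayer(secrets.token_bytes(32), secrets.token_bytes(32))


def send_over_bridge(lan_frame: bytes, link: AeadLayer, vpn: Optional[AeadLayer]) -> bytes:
    """What goes over the air: the VPN packet (if any) inside the link layer."""
    inner = vpn.seal(lan_frame) if vpn else lan_frame
    return link.seal(inner)


def receive_over_bridge(air_frame: bytes, link: AeadLayer, vpn: Optional[AeadLayer]) -> bytes:
    inner = link.open(air_frame)
    return vpn.open(inner) if vpn else inner


def eavesdropper_with_link_key(air_frame: bytes, link: AeadLayer) -> bytes:
    """Attacker who cracked WEP/WPA: strips the link layer, sees what it carried."""
    return link.open(air_frame)


def demo(vpn_enabled: bool) -> dict:
    """Run one frame across the link with or without the VPN layer."""
    lan_frame = b"GET /payroll/export HTTP/1.0\r\nHost: intranet\r\n\r\n"  # constructed
    link, vpn = new_layer(), (new_layer() if vpn_enabled else None)
    air = send_over_bridge(lan_frame, link, vpn)
    seen = eavesdropper_with_link_key(air, link)
    # The attacker also tries to inject: flip one bit of what the link carried
    # and re-seal it with the recovered link key.
    forged = bytearray(seen)
    forged[0] ^= 0x01
    try:
        receive_over_bridge(link.seal(bytes(forged)), link, vpn)
        injection_detected = False
    except ValueError:
        injection_detected = True
    return {
        "delivered": receive_over_bridge(air, link, vpn) == lan_frame,
        "plaintext_exposed": b"payroll" in seen,
        "injection_detected": injection_detected,
    }


if __name__ == "__main__":
    print("bridge only:", demo(vpn_enabled=False))
    print("VPN under bridge:", demo(vpn_enabled=True))
```

With the VPN layer in place the cracked link key buys the attacker nothing but another ciphertext, and a forged frame is dropped by the VPN endpoint's tag check; without it, the same link-key compromise exposes the LAN traffic and lets modified frames through. This is also why the VPN endpoints should sit on the LAN side of the bridges rather than being the bridges themselves: a bridge that runs both functions is a single device whose compromise removes both layers at once.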