Archived from groups: comp.dcom.lans.ethernet, alt.internet.wireless
"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:d392hb$c3c$1@canopus.cc.umanitoba.ca...
> In article <4257dfaf$0$28649$636a15ce@news.free.fr>,
> David Josty <dav.josty@pasemail> wrote:
> :I want to use a Wireless Ethernet Bridge as a kind of "cable-less cable" to
> :connect remote areas together.
>
> :What do you think about the security?
>
> [Note: I have added alt.internet.wireless as it is a very valuable
> source of information about wireless practices and security.]
>
> What are your risks? How much is an outsider (or insider!) going to
> desire to crack your security? How narrow can you make the
> beam, how weak can you make it and get the throughput you want,
> how much can you insulate to cut down the beam from outside
> access? If you are thinking of 802.11b or 802.11g then three
> good common insulators are metal, books, and live tree-leaves
> (i.e., water cuts WiFi signals by quite a bit.) I see your posting
> server is in France; if the installation is to be outdoors,
> I seem to recall that you would have to use 802.11a in France:
> that has slightly but significantly different signal characteristics.
>
> If you use 64 bit WEP and an intruder can monitor your signal
> for about 6 hours, they *will* be able to crack your WEP key.
> 128 bit WEP has basically the same flaw; the standard technical
> report on the WEP64 flaw says that WEP128 should take only twice
> as long to crack, but the various field reports I happen to have
> seen suggest it is closer to 4 times as long. Either way, someone
> who can monitor your signal for less than a day -can- crack
> a WEP128 key.
>
> The replacement for WEP is WPA. If you look around, you will find
> the statement that WPA has been cracked. I looked into that recently,
> and though I might have missed something, it appeared that what
> was being referred to was a dictionary attack, sort of similar
> to "John the Ripper" against standard unix passwords. If your
> key is not a combination of words findable in some dictionary, then
> even on a fast machine there would be a long search. I imagine
> that in time someone will organize a distributed.net type
> distributed WPA key cracking party just to show it can be done: that
> implies a fundamental weakness with WPA to the extent that your
> opponents are likely to be rich, dedicated, and well-organized...
> so don't go around using the link for billions in electronic funds
> transfers!
>
> The way to avoid WEP and WPA problems is to have the traffic
> pass through a good secure VPN encryption (e.g., IPSec with AES-512)
> so that even if the opponents do manage to break the wireless key,
> they get left with the much harder task of breaking your VPN.
>
>
> Consumer-grade wireless ethernet bridges such as the Linksys WET11
> support WEP128 but not WAP. You can get wireless ethernet bridges
> with stronger security, either by using one of the variant
> firmwares available for some of the 802.11G devices, or by getting
> a commercial-grade device such as one by Cisco.
>
>
> If you are seriously considering what is essentially a consumer-grade
> device then I very much recommend that you examine user reviews
> of the devices, especially if you are looking at one of the very
> popular 802.11g devices. I looked around recently, and found that
> even the top-selling devices are only rated "mediocre" at best:
> the reviews of even the top-selling devices were, I found, filled
> with people saying they can't get connections, the connections
> break, the devices break, the support -really- s*cks, and that they
> would never *ever* buy the device again. In that regard, you
> reduce your risk significantly by separating functions: buy a wireless
> device that has a good track record of holding the signal, and buy
> a -separate- security device.
>
> Alternately, go for a commercial-grade device in the first place: even
> if the list price is 8 times as much, consider the "time is money"
> factor, and that if you have a business need for this kind
> of device, then the amount your organization might save by
> getting through to a *real* technical support organization might
> be worth many many times the price difference against a
> consumer company device from a company that is selling at so little
> markup that they can't afford a support organization that does
> more than read from a script.
> --
> This is not an idea.
Thanks for your response.
If I understand (you are right, I am French, but I don't speak English very
well):
The solution for good security is "to have the traffic pass through a good
secure VPN encryption".
<LAN>====ETHERNET ====<BRIDGE A>----- WIFI VPN ------<BRIDGE B>===<ETHERNET>====<LAN>
Is it possible to install a VPN between my 2 bridges, if I use the
Wireless-G Broadband Router WRT54G with the OpenWrt firmware?
Do you know an easier solution?
Thanks a lot.
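
The quoted reply's point about WPA dictionary attacks, as an added example that is not part of either post: a WPA pre-shared key is derived from the passphrase and the SSID alone, so a passphrase built from dictionary words can be searched offline, while a random one cannot in practice. The function names and the three-word wordlist are constructed for illustration; the derivation parameters (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output) are those of WPA-PSK.

```python
import hashlib
import math
import secrets
import string

# 62 symbols, all of them legal in a WPA passphrase.
ALPHABET = string.ascii_letters + string.digits


def wpa_psk(passphrase, ssid):
    """WPA-PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def dictionary_words_needed(passphrase, words):
    """Fewest wordlist words that spell the passphrase, ignoring case and
    trailing digits. None means it is not a plain combination of words."""
    s = passphrase.lower().rstrip(string.digits)
    best = [0] + [None] * len(s)          # best[i]: fewest words spelling s[:i]
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in words:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[len(s)]


def random_passphrase(length=32):
    """Passphrase drawn uniformly from ALPHABET with the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length):
    """Entropy of a random_passphrase() result of the given length."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    wordlist = {"blue", "horse", "bridge"}   # constructed sample wordlist
    for candidate in ("bluehorse42", random_passphrase()):
        n = dictionary_words_needed(candidate, wordlist)
        verdict = "not a word combination" if n is None else f"{n} dictionary word(s)"
        print(f"{candidate}: {verdict}; PSK {wpa_psk(candidate, 'ExampleSSID').hex()}")
    print(f"random 32-character passphrase: about {entropy_bits(32):.0f} bits")
```
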