Just t make sure I am not missing something, I thought I'd throw out these
questions...

Is WEP still as insecure as it was reported to be circa 2001?

What if you have WEP into a network that requires logging in to the server
(like a 2003 Windows server) - is WEP still an issue?

Can you "make WEP secure"?

Is there any valid reason to use WEP in a business environment?

Thanks!

jim

jim wrote:

> Just t make sure I am not missing something, I thought I'd throw out these
> questions...
>
> Is WEP still as insecure as it was reported to be circa 2001?
>
> What if you have WEP into a network that requires logging in to the server
> (like a 2003 Windows server) - is WEP still an issue?
>
> Can you "make WEP secure"?
>
> Is there any valid reason to use WEP in a business environment?
>
> Thanks!
>
> jim


No WEP 256 and WEP 512 bits are still secure here.

jim wrote:
> Just t make sure I am not missing something, I thought I'd throw out
> these questions...
>
> Is WEP still as insecure as it was reported to be circa 2001?
>
> What if you have WEP into a network that requires logging in to the
> server (like a 2003 Windows server) - is WEP still an issue?
>
> Can you "make WEP secure"?
>
> Is there any valid reason to use WEP in a business environment?
>
> Thanks!
>
> jim

I always find it interesting in these discussions - here and elsewhere -
that folks are always saying that WEP is not secure...
My question is - from whom ???

How many "posters" that mention this have actually hacked a WEP network ?
I mean, I can drive around and see over a dozen APs in my neighborhood,
and sometimes try and connect to the ":unprotected" ones...
For those that have WEP, I don't even bother -
not really interesting in actually putting forth the time and effort "to say
I can do it".
Others may be more dedicated.

SO - for me - at home - I run MAC address filtering -

At our local school district, and at work I think they are running
"something",
but never really looked to see.... WEP, WPA, etc

You might have a more dedicated audience at these locations,
that really want to get into the network - and therefore Wxx security might
be justified.

jim wrote:
> Just to make sure I am not missing something, I thought I'd throw out these
> questions...
>
> Is WEP still as insecure as it was reported to be circa 2001?

Given that no one ever bothered fixing what was wrong with it, yes.

>
> What if you have WEP into (sic) a network that requires logging in to the server
> (like a 2003 Windows server) - is WEP still an issue?

See the answer to your first question.


>
> Can you "make WEP secure"?
>

In a word, no.

> Is there any valid reason to use WEP in a business environment?
>

Maybe if the business is about to go down the tubes and you'd like to
rid yourself of it while at the same time ripping off your insurance
company...but then again, an insurer dumb enough to keep a business
that's still using only WEP covered probably has it coming.

Bottom line: If there's anything behind your access point that's worth
anything to anyone else, you need to upgrade your equipment to at least
the capability to use WPA.

On Thu, 29 May 2008 16:04:45 -0400, "jim" <jim@home.net> wrote:

>Is WEP still as insecure as it was reported to be circa 2001?

Worse. There have been some new tools developed that crack WEP in a
few seconds.

However, there are some proprietary band-aid's to WEP that partly fix
the problem. WEP Plus, Dynamic WEP and WEP2 are some fixes. See:
<http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy>
The problem is that the vendors of commodity hardware have not been
very good about admitting that they use one of these band-aid's. They
don't want to admit that their WEP is broken, so they don't admit that
they've fixed it. Kinda dumb, methinks.

>What if you have WEP into a network that requires logging in to the server
>(like a 2003 Windows server) - is WEP still an issue?

It's an improvement, but not good enough. Someone can still sniff the
traffic if they can recover the WEP key.

>Can you "make WEP secure"?

Not me. However the Wi-Fi Alliance has released WPA and WPA2, which
were specifically designed to fix the problems inherent in WEP.

>Is there any valid reason to use WEP in a business environment?

Yes. Ancient hardware and operating systems that do not support WPA.
It's only slightly better than no-encryption, but should be sufficient
to stop casual wireless "tourists" and accidental wireless
connections. For real security in a business environment, look into
running a VPN connection. You can do that even with an unencrypted
network as the traffic is password authorized, authenticated,
encrypted, and not sniffable.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

Hi
From the weakest to the strongest, Wireless security capacity is.
No Security
MAC______(Band Aid if nothing else is available).
WEP64____(Easy, to "Break" by knowledgeable people).
WEP128___(A little Harder, but "Hackable" too).
WPA-PSK__(Very Hard to Break).
WPA-AES__(Not functionally Breakable)
WPA2____ (Not functionally Breakable).
Note 1: WPA-AES the the current entry level rendition of WPA2.
Note 2: If you use WinXP and did not updated it you would have to download
the WPA2 patch from Microsoft. http://support.microsoft.com/kb/893357
The documentation of your Wireless devices (Wireless Router, and Wireless
Computer's Card) should state the type of security that is available with
your Wireless hardware.
All devices MUST be set to the same security level using the same pass
phrase.
Therefore the security must be set according what ever is the best possible
of one of the Wireless devices.
I.e. even if most of your system might be capable to be configured to the
max. with WPA2, but one device is only capable to be configured to max . of
WEP, to whole system must be configured to WEP.
If you need more good security and one device (like a Wireless card that can
do WEP only) is holding better security for the whole Network, replace the
device with a better one.
Setting Wireless Security - http://www.ezlan.net/Wireless_Security.html
The Core differences between WEP, WPA, and WPA2 -
http://www.ezlan.net/wpa_wep.html
Jack (MVP-Networking).

"jim" <jim@home.net> wrote in message
news:VZD%j.7618$772.6889@bignews2.bellsouth.net...
> Just t make sure I am not missing something, I thought I'd throw out these
> questions...
>
> Is WEP still as insecure as it was reported to be circa 2001?
>
> What if you have WEP into a network that requires logging in to the server
> (like a 2003 Windows server) - is WEP still an issue?
>
> Can you "make WEP secure"?
>
> Is there any valid reason to use WEP in a business environment?
>
> Thanks!
>
> jim
>

On Thu, 29 May 2008 16:04:45 -0400, "jim" <jim@home.net> wrote:

>Can you "make WEP secure"?

WPA with tkip (as opposed to aes) was written so that it could be
installed as a software upgrade to existing hardware running wep
whereas aes required different hardware. So in that respect wep can be
made more secure except it's not called wep anymore. It's called wpa.

More accurately, "can hardware running wep be made more secure"? Yes.


Jim.

On Thu, 29 May 2008 15:39:10 -0500, "ps56k"
<pschuman_no_spam_me@interserv.com> wrote:

>I mean, I can drive around and see over a dozen APs in my neighborhood,
>and sometimes try and connect to the ":unprotected" ones...
>For those that have WEP, I don't even bother -


And that's wep's biggest plus point. There are enough completely open
networks to hack into that it's too much hassle to hack into a wep
encrypted one albeit very easy and automated these days. Also the
people who have open networks are more likely to be lax on file
sharing security too.

That hardly makes wep secure, though.


Jim.

"James Egan" <jegan@jegan.com> wrote in message
news:6a9ma3F36hbuiU1@mid.individual.net...
>
> On Thu, 29 May 2008 16:04:45 -0400, "jim" <jim@home.net> wrote:
>
>>Can you "make WEP secure"?
>
> WPA with tkip (as opposed to aes) was written so that it could be
> installed as a software upgrade to existing hardware running wep
> whereas aes required different hardware. So in that respect wep can be
> made more secure except it's not called wep anymore. It's called wpa.
>
> More accurately, "can hardware running wep be made more secure"? Yes.

Is all WEP hardware upgradable or do you just have to look to each vendor to
find out?

On Thu, 29 May 2008 16:04:45 -0400, "jim" <jim@home.net> wrote:

>Just t make sure I am not missing something, I thought I'd throw out these
>questions...
>
>Is WEP still as insecure as it was reported to be circa 2001?
>
>What if you have WEP into a network that requires logging in to the server
>(like a 2003 Windows server) - is WEP still an issue?
>
>Can you "make WEP secure"?
>
>Is there any valid reason to use WEP in a business environment?
>
>Thanks!
>
>jim

WEP is not secure - period.

Right now, it's more secure than a completely unsecured network, and that's the
best that you can say for it. As completely unsecured networks become rarer -
and in some neighbourhoods, that's happening - networks "secured" by WEP will
become more interesting to malicious users.

You're right, not every wardriver wants to hack into your network. But all that
it takes is one. It's a risk, like everything. As WPA / WPA2 use becomes more
common, WEP will become more popular with the kidz. A 30 second hack will
become 15 seconds, then 5 later.

There's no law that requires most businesses to use WPA. I'm not sure that the
US Govt standards HIPAA, SOX, etc, even explicitly require such. I do know,
though, that the principle of "due diligence" encourages us to require WPA
whenever possible.

And so we will recommend WPA /WPA2. You're welcome to do as your heart leads
you.

--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://networking.nitecruzr.net/

On Fri, 30 May 2008 12:03:17 -0400, "jim" <jim@home.net> wrote:

>Is all WEP hardware upgradable or do you just have to look to each vendor to
>find out?

I suppose there must be exceptions somewhere along the line, but that
was the plan in developing wpa tkip. it uses a stream cipher just like
wep but beef's up on some of wep's vulnerabilities.

In reality the issue isn't "is my wep hardware upgradeable?" but
"could the manufacturer be bothered writing software upgrades for
legacy equipment?". It probably is upgradeable but maybe doesn't have
an upgrade available. At the end of the day it amounts to the same
thing. The continued use of wep.

You may find that some "new" hardware has been boxed up for so long
that the initial installation only supports wep. That's usually just a
matter of visiting the manufacturer's website for a software upgrade.
For the real legacy stuff, I think they would prefer to give you an
incentive to buy some new equipment and save themselves some work in
the process.


Jim.