Doug,

You are falling victim to sales propaganda. The reps want to sell you gear. Here is what they didn't tell you:

1. Wireless LAN MAC addresses are incredibly easy to sniff and spoof. If your WLAN security plan is based solely on MAC address filters, you will be cracked in less time than it takes to read this mail.

2. Unauthorized access is only a part of the problem. It is very difficult, if not impossible, to prevent wireless sniffers from receiving your wireless LAN packets (it's radio - remember). Your second biggest concern should be making those packets so hard to decrypt that the cracker will eventually realize that it's a waste of time to keep trying. Basic WEP is not good enough - there are widely available exploit tools that can crack any static 128-bit WEP key in less time than it took me to write this response.

3. 802.11 can, in some cases, get better distance than Cat5 - especially outdoors with directional antennas (up to 40 kilometers at 2Mbps). Indoors, however, 802.11 signal strength/quality depends more on construction materials and antenna choice than distance. 11Mbps at 200m is based on ideal conditions, and is not likely unless the site was built with wireless in mind. In fact, I have seen Wi-Fi deployments where the client cannot get an intelligible signal at any data rate at 50m.

4. It is less likely that a hacker will come sniffing in your neighborhood. So, why would a hacker 'waste time' sniffing in your home WLAN? Do you ever buy merchandise or services online at home? If so, do you pay with credit card? If so, do you always verify that the site is using SSL for transactions? Do you ever send or receive work-related emails at home? If so, do these contain any sensitive information? If so, are they always PGP-encrypted? There are lots of other reasons.

5. Here's one you didn't even think of - rogue access points. A hacker sets up a hidden access point that spoofs your real access point. This access point can now intercept your wireless traffic. In a basic exploit, all a hacker would need to do is capture basic authentication information to be successful. In a more advanced exploit, the AP could even pass the traffic in what looks like a normal manner, gaining all kinds of valuable information. The only prevention is mutual authentication - the access point authenticates the client, and the client authenticates the access point. 802.1x EAP/LEAP is designed to do this.

MAC address filters are a good start, but nowhere near enough on their own. To secure your wireless effectively, you need to either implement 802.1x EAP/LEAP (encrypted mutual authentication with dynamic WEP keys), or deploy VPN (IPSec or PPTP/L2TP) on top of the wireless network.

Wireless LANs cannot replace wired LANs - at least not yet. At best, they can significantly enhance LAN services, but only if deployed properly and secured appropriately.

Lou

-----Original Message-----
From: Doug Wombles [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 12:01 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Wireless LAN for the Home network.

I talked to several reps at a Technology Expo here last week about wireless technology. They told me that the latest wireless systems are based on MAC address because of the problems experienced at trade shows. They also said that you can even set up the systems to ONLY give access to machines with specific MAC addresses which eliminates the sniffers from getting into your network even if they do have your login/password.

Another thing they showed me was that the wireless system they were using (I am sure it was top of the line to show how great it could be) was able to go much further than Cat-5 cabling. They were using it at about a 200m range. Also, the signal was not affected by fluorescent lights, power lines or other normal forms of interference.

Besides, unless you live in an apartment complex or you work for the CIA/FBI, why would a hacker waste their time sniffing in a normal neighborhood in the hopes that someone MIGHT have a wireless network in their home they can hack into?

later
dw

>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>CC: [EMAIL PROTECTED]
>Subject: RE: Wireless LAN for the Home network.
>Date: Tue, 16 Oct 2001 13:05:05 -0400
>
>I am considering doing the same thing at home and have done a fair
>bit of research.
>
>What I have determined so far:
>
>1. Wireless is not very secure.
>
>2. If you are not careful on how you configure your bridge then
>someone outside of your house can *easily* connect, sniff and use
>your network. Just ask anyone that has done this at a trade show
>or airport and they can tell you it is very easy.
>
>3. It sure beats pulling wires so if you can deal with points 1
>and 2 then it is worth serious consideration.
>
>Best regards,
>
>Brian
>-----
>Brian Monkman
>Technical Program Manager, Firewall Certification
>ICSA Labs
>1200 Walnut Bottom Road
>Carlisle PA 17013-7635
>Phone:717.241.3263
>Fax:717.243.8642
>www.icsalabs.com
>
>-----Original Message-----
>From: Alan Wright [mailto:[EMAIL PROTECTED]]
>Sent: Sunday, October 14, 2001 3:03 PM
>To: [EMAIL PROTECTED]
>Subject: Wireless LAN for the Home network.
>
>
>Hi,
>Has anyone any specific do's and don'ts for a wireless LAN at home,
>I am looking at running the Buffalo Air station PCMCIA cards (2) in
>my son's desktop and my laptop, and the wireless bridge with router
>on the main desktop machine which is the machine with adsl coming
>into it.
>
>Currently running Win ME on the machine with ADSL on it but would
>consider upgrade to/or dual boot with Win 2K.
>
>Usual IDS suite running ( snort, blackice defender, plus a couple
>of Ateliers progs )
>
>All the best
>
>Alan
>
>Alan J Wright B.Sc(Hons)(Open)
>SMS +47624462772.
>Email [EMAIL PROTECTED]
>[EMAIL PROTECTED]
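
Added example, not part of the original thread: a simplified Python sketch of the contrast drawn in the top reply between a MAC address filter and mutual authentication. It is not 802.1x, EAP or LEAP; the shared-secret HMAC challenge-response, the function names and the sample MAC address and keys are all constructed for illustration.

```python
import hashlib
import hmac
import os

ALLOWED_MACS = {"00:11:22:33:44:55"}  # constructed sample allowlist


def mac_filter_allows(claimed_mac: str) -> bool:
    # A MAC filter only compares a value the station asserts about itself;
    # nothing in the check proves the sender owns that address.
    return claimed_mac.lower() in ALLOWED_MACS


def prove(key: bytes, role: bytes, nonce: bytes) -> bytes:
    # Answer to a challenge: HMAC over a role label and the peer's nonce.
    # The role label stops a response being reflected back at its sender.
    return hmac.new(key, role + nonce, hashlib.sha256).digest()


def mutual_auth(client_key: bytes, ap_key: bytes) -> dict:
    """Run one exchange; each side checks the other against its own key."""
    client_nonce, ap_nonce = os.urandom(16), os.urandom(16)
    # The AP answers the client's challenge and the client answers the AP's.
    ap_response = prove(ap_key, b"ap", client_nonce)
    client_response = prove(client_key, b"client", ap_nonce)
    return {
        "client_accepts_ap": hmac.compare_digest(
            ap_response, prove(client_key, b"ap", client_nonce)),
        "ap_accepts_client": hmac.compare_digest(
            client_response, prove(ap_key, b"client", ap_nonce)),
    }


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    # The filter passes any station that claims an allowed address.
    print(mac_filter_allows("00:11:22:33:44:55"))
    # Genuine AP and client share the secret: both directions succeed.
    print(mutual_auth(secret, secret))
    # An access point without the secret fails the client's check.
    print(mutual_auth(secret, b"ap-without-the-secret"))
```

Fresh random nonces on every run mean a recorded response cannot be replayed in a later exchange.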
