Hotspots and Security

cbirming1
Level 1

My company is about to go live with its first wireless extension of our internal LAN. Our original intention was to provide wireless access to our customers and vendors while they were waiting for appointments and/or attending meetings in our conference rooms, essentially a public wireless hotspot. To protect our LAN we installed a NAT router and 10/100 switch on the outside of our DMZ and connected our four wireless APs (Cisco 1231B/G) to the switch. We set up the APs with 128-bit WEP and planned to give out the encryption key to whoever needed it, but now we are wondering if that is really any more secure than running without WEP. If two or more clients are logged onto our WLAN, are they any more secure because we are running with WEP enabled, if the encryption key is publicly available? What is the current standard practice? Thanks for any suggestions.

CB

3 Replies

thisisshanky
Level 11

It makes sense to create two VLANs, one for guests and one for users, and also two SSIDs (for the same). You can leave the guest SSID open with no WEP (if you use WEP, that key will be given to guests, so he will get the key anyway). What you could do on the switch or router that does routing between the various VLANs is to put an ACL to prevent all access to the user VLANs. All traffic from the guest VLAN will be routed to the internet gateway, thus providing only internet access. Also, when you specify a DHCP scope for the guest VLANs, specify a public DNS IP and not your internal DNS server. Hope that helps!

In case you still want to run two WEP keys (one for users and one for guests), you can use two SSIDs, two VLANs and two different WEP keys for these VLANs.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
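
The guest VLAN layout described in the reply above, sketched as Cisco IOS configuration for the routing switch or router; this is an added example, not part of the original post. The VLAN ID, names, the 10.20.0.0/24 guest subnet and the 192.0.2.53 DNS address (a documentation placeholder standing in for a public resolver) are all assumptions, and the SSID-to-VLAN mapping on the APs is not shown.

```cisco
! Constructed example: VLAN ID, names and all addresses are assumptions.
vlan 20
 name GUEST
!
! Layer 3 gateway for the guest VLAN; the ACL filters traffic as it
! arrives from guest clients.
interface Vlan20
 description Guest WLAN gateway
 ip address 10.20.0.1 255.255.255.0
 ip access-group GUEST-IN in
!
ip access-list extended GUEST-IN
 remark Allow DHCP requests and renewals to reach the gateway
 permit udp any eq bootpc any eq bootps
 remark Block guests from all internal (RFC 1918) address space
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.20.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.20.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Everything else is routed to the internet gateway
 permit ip 10.20.0.0 0.0.0.255 any
!
! Guest DHCP scope hands out a public DNS server, never the internal one.
! 192.0.2.53 is a placeholder; substitute the public resolver you use.
ip dhcp excluded-address 10.20.0.1 10.20.0.10
ip dhcp pool GUEST
 network 10.20.0.0 255.255.255.0
 default-router 10.20.0.1
 dns-server 192.0.2.53
```

Because the first deny line covers 10.0.0.0/8, guests in this layout also cannot reach each other across routed hops or the gateway address itself apart from DHCP; traffic between two clients on the same AP never reaches this ACL.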

Your suggestion makes sense, however we only intend to provide outward access to the internet via the WLAN, so there will only be one class of clients, "guests". So my question is... if all traffic is routed to the internet, does enabling WEP give our guests any more security? In other words, does enabling WEP protect our guests from snooping on each other if they all have the key? Thanks again.

CB

In this situation, enabling WEP encrypts all traffic coming from all the guests. This doesn't prevent a guest from snooping into another's traffic. He can still use a laptop with Linux loaded with open-source tools like Airsnort, Kismet etc. and if he can get at least a million to 4 million packets he can crack the WEP key (which is a huge number and will probably take weeks to collect, and this can be done by a guest who knows the WEP key and tries to hack the network by sitting in his car in a parking lot).

Enabling WEP definitely helps, but I would recommend having a policy of rotating WEP keys frequently. WEP will at least make it difficult for a snooper to hack the network rather than having an unencrypted network.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus