10-07-2004 05:00 PM - edited 07-04-2021 10:03 AM
Need some insight for the above. I recommend 350 bridges for a site and they ask me why use WEP when WPA is more secure.
10-08-2004 05:24 AM
WPA is more secure. It provides a mechanism for rotating keys periodically (much much harder to tap into the network as a rogue client), uses dynamically generated keys (more difficult to break), and (with AES) uses what is considered to be an un-crackable encryption.
WEP (both 40 and 128 bit) has been broken. There are scripts, tools, and applications all over the Internet for breaking WEP ... it's almost an automatic process at this point.
You are using bridges; that would imply a static setup. It would be relatively easy for someone to intercept the signal, break the WEP, and gain access to your network.
WPA is (at least for now) much much better.
FWIW
Scott
10-11-2004 10:05 AM
Scott,
Do you have to assign an encryption mode to each vlan for that traffic to be encrypted, or can you assign the native vlan and have all the traffic encrypted?
10-11-2004 10:47 AM
I believe the default is open / unauthenticated per SSID. You can set the encryption / authentication mode per SSID.
The VLAN will take the encryption characteristics of the SSID you associate to it.
I'm pretty sure you have to configure each SSID/VLAN association or it will default to open/unauth.
There may also be some constraints on which encryption / auth will be compatible from one SSID to another, i.e., if you are doing WPA with mandatory / TKIP for one SSID/VLAN, the system won't allow WEP on another SSID/VLAN... you need to set the system to Optional / TKIP + WEP (either 40 or 128) to use both encryptions ... even though they are on different SSIDs (and VLANs).
I don't have access to my boxes right now, this is off the top of my head : it could be "a little wrong" ...
FWIW
Scott
10-11-2004 01:01 PM
If you use IOS (i.e. not VxWorks), you need to enable encryption on each VLAN.
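The per-VLAN point in the replies above lends itself to a configuration audit. The following is an added example, not code from the thread or from Cisco: a Python check that maps each SSID to its VLAN and reports whether that VLAN has an encryption line, allows WEP only, or still accepts WEP alongside TKIP. The sample configuration, SSID names, VLAN numbers and finding labels are constructed, and the parser assumes Aironet IOS-style `encryption ... mode` and `ssid` / `vlan` lines.

```python
import re

# Constructed sample in Aironet IOS style (assumed syntax, not from the thread).
SAMPLE_CONFIG = """\
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
 encryption vlan 20 mode ciphers tkip wep128
 encryption vlan 30 mode wep mandatory
 ssid bridge-core
    vlan 10
    authentication open
    authentication key-management wpa
 ssid bridge-mixed
    vlan 20
 ssid bridge-legacy
    vlan 30
 ssid bridge-forgot
    vlan 40
"""

# "vlan N" is optional so a non-VLAN setup is stored under the key None.
ENC_RE = re.compile(r"^\s*encryption (?:vlan (\d+) )?mode (ciphers|wep) (.+)$")
SSID_RE = re.compile(r"^\s*(?:dot11 )?ssid (\S+)")
VLAN_RE = re.compile(r"^\s+vlan (\d+)\s*$")

def audit(config):
    """Return {ssid: finding} for every SSID in an IOS-style config."""
    enc, ssid_vlan, current = {}, {}, None
    for line in config.splitlines():
        if m := ENC_RE.match(line):
            vlan, kind, rest = m.groups()
            enc[vlan] = (kind, rest.split())
        elif m := SSID_RE.match(line):
            current = m.group(1)
            ssid_vlan[current] = None          # no VLAN seen yet
        elif current and (m := VLAN_RE.match(line)):
            ssid_vlan[current] = m.group(1)
    findings = {}
    for ssid, vlan in ssid_vlan.items():
        kind, opts = enc.get(vlan, (None, []))
        if kind is None:                       # nothing configured for this VLAN
            findings[ssid] = "OPEN: no encryption line for its VLAN"
        elif kind == "wep":
            findings[ssid] = "WEP only"
        elif any(o.startswith("wep") for o in opts):
            findings[ssid] = "MIXED: WEP still accepted"
        else:
            findings[ssid] = "OK: " + "+".join(opts)
    return findings
```

Calling `audit()` on a saved running configuration gives one finding per SSID; anything other than `OK` is a link worth reviewing.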
10-11-2004 01:03 PM
But I'm using 350 Access Bridges, where there is no option for WPA. Do any new Cisco Wireless Bridges use WPA as an option for encryption? If so, please let me know.
10-11-2004 04:12 PM
350 bridges run on VxWorks. There is no WPA support on VxWorks.
Both 1310 and 1410 run on IOS. Both of them support WPA. 1310 uses 802.11g while 1410 uses 802.11a.
10-12-2004 12:48 PM
If you only have WEP available, there are still some things you can do (short of buying new equipment).
Probably the easiest would be to set up endpoint gateway machines (both ends) that would give you some flavor of VPN (as well as some firewall protection).
It could be something like old PCs running Linux, a pair of PIX with a LAN-to-LAN VPN, or a couple of MS boxes using PPTP / L2TP.
Anything you run over WEP should have some other form of protection in the form of additional encryption and security / firewall to make sure the War Drivers can't get into your network.
Good Luck
Scott