Jon Smith wrote:
Hi
I am responsible for a large wireless infrastructure upgrade. Right
now my plan is use PEAP w MSCHAP v2 with dynamic WEP crypto for my
corporate SSID (I have others with much lower security requirements).
I cannot easily go to WPA without ditching all my current devices that
do not support it (good luck getting that past the CFO). We have a
lot of physical security and surveillance with very tight controls, my
primary area of concern would be people like myself sitting in the
parking lot. Due to one of our applications, we will be sending a
clear strong signal to the parking lot. Is this enough security and
encryption to significantly slow intrusion attempts? Between
direction finding capabilities of the Access Points and our roaming
guards it would be a matter of time before we detected them.
Thanks
Rocko
All wireless networks are public and should be treated as such.
Two things to consider:
1) Even with a dynamically generated WEP key you're still vulnerable to
active attacks that can force the generation of lots of traffic and or
just mess with your network. See http://www.securityfocus.com/infocus/1824
2) If you can access from the parking lot with a regular laptop you can
access from the next town with a parabolic antenna. Unless you guards
roam huge distances you won't be able to protect the signal. - See
http://www.radiolabs.com/products/antennas/2.4gig/stage4.php
Suggestion: forget WEP - get a good ipsec based vpn system, put the
access points on a DMZ lan and require use of the VPN client to get
access to anything other than a "help page" web server.
