From: Jeff Liebermann on 8 Mar 2006 12:45

William P.N. Smith <news2006a(a)compusmiths.com> hath wroth:

>Jeff Liebermann <jeffl(a)comix.santa-cruz.ca.us> wrote:
>>Wireless routers with VPN endpoint built in:
>> http://www.netgear.com/products/details/FVG318.php
>> http://www.netgear.com/products/details/FWAG114.php
>
>Will these terminate a VPN that originates with WiFi clients, or just
>terminate VPNs that originate on the Internet? I've always thought it
>was the latter...

I don't have much experience with either of the above routers. Most of my VPNs are terminated with Sonicwall, Netscreen or products. Well, a few Linksys BEFVP41 boxes (non-wireless). Most of these talk to other identical routers to form the VPN between a central office and a remote office. Users with laptops use various VPN clients including the PPTP client that comes with Windoze. In theory, any IPSec VPN client will work. I use clients from SafeNet, Cisco, Sonicwall, and open source. Unfortunately, I haven't tried whatever Netgear is selling:
http://www.netgear.com/products/details/VPN01L_VPN05L.php
Looking at the photos, it appears to be the same as SafeNet.
http://www.safenet-inc.com

Where the VPN client runs is irrelevant. It can be on a PDA, palmtop, notebook, laptop, desktop, Mac, PC, Linux, etc. There is no such thing as "VPNs that originate on the Internet". It has to come from a machine. As long as it talks IPSec or PPTP, you can play VPN from anywhere.

One gotcha is that the routers have to be able to accommodate "VPN passthrough" for whatever protocol (IPSec, PPTP) you're using. Most routers have this feature, but also limit the number of VPN tunnels. This has become a problem with some popular hot spots, where the wireless router can only handle about 10 VPN tunnels, and all the clients are using VPNs.

--
Jeff Liebermann                 jeffl(a)comix.santa-cruz.ca.us
150 Felker St #D                http://www.LearnByDestroying.com
Santa Cruz CA 95060             http://802.11junk.com
Skype: JeffLiebermann   AE6KS   831-336-2558
From: Jeff Liebermann on 8 Mar 2006 13:00

Derek Broughton <news(a)pointerstop.ca> hath wroth:

>> Will these terminate a VPN that originates with WiFi clients, or just
>> terminate VPNs that originate on the Internet? I've always thought it
>> was the latter...
>
>It really shouldn't matter - an IP network is an IP network - but I confess
>to being stumped trying to make it work on my WRT54G.

DD-WRT comes with a PPTP VPN server. I installed pptpclient:
http://pptpclient.sourceforge.net
on mine to allow a router to router VPN. I just noticed that it comes with the current version (V23) of DD-WRT. Oops. The chart at:
http://www.linksysinfo.org/modules.php?name=Content&pa=showpage&pid=31
claims that Talisman 1.05 includes pptpclient, but when I went looking for it, it wasn't there. There's also a post by James Ewing of Sveasoft claiming that it's there, when it wasn't:
http://groups.google.com/group/alt.internet.wireless/msg/f0fdeb300c3d9b22
Suggestion.... dump Sveasoft.

If you want to do an IPSec VPN, you'll need someone's custom compiled image. I've read articles that claim they exist, but I haven't seen one. Google finds numerous questions, but nothing definitive.

For DD-WRT, there's also the VPN version of the firmware, which includes OpenVPN.
http://wrt-wiki.bsr-clan.de/index.php?title=OpenVPN
which is SSL based. This is probably the best way to go but I haven't had the need to try it. However, it's not easy.

The easiest way is the standard firmware and the Microsoft PPTP client.
http://wrt-wiki.bsr-clan.de/index.php?title=PPTP_Server_Configuration
The usual screwup is the really weird format of the user/password file with "*" as a delimiter.

--
Jeff Liebermann
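The "weird format" Jeff refers to is pppd's chap-secrets layout, which pptpd on DD-WRT reads: one line per user, fields `client server secret [IP addresses]`, with `*` as a wildcard rather than a delimiter in the usual sense. The parser and linter below are an added example for this thread, not code from DD-WRT, pptpd or pppd; the sample file is constructed, and the quoting rules assumed (double quotes group a field, `#` starts a comment, three fields means no address is allowed) are pppd's as documented in its manual.

```python
"""Parse and sanity-check a pppd-style chap-secrets file.

Added example for this thread; it is not code from DD-WRT, pptpd or pppd.
Format assumed is pppd's chap-secrets layout of whitespace-separated fields

    client  server  secret  [IP addresses ...]

where "*" is a wildcard, double quotes group a field containing spaces,
and "#" starts a comment. The sample file below is constructed.
"""
import shlex
from dataclasses import dataclass, field

# Constructed sample, not taken from any real router.
SAMPLE_CHAP_SECRETS = """\
# client    server  secret          IP addresses
alice       *       "s3cret pass"   *
bob         pptpd   bobpass         192.168.1.201
*           *       anyone          *      # wildcard client: anyone logs in
carol       *       ""              *
dave        *       1234
"""


@dataclass
class Secret:
    lineno: int
    client: str
    server: str
    secret: str
    addresses: list = field(default_factory=list)


def parse_chap_secrets(text):
    """Return one Secret per non-comment line; ValueError on a short line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # shlex (POSIX mode) handles "quoted secret" and drops a trailing
        # "# comment"; a '#' inside quotes stays part of the secret.
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need at least client, server, secret")
        client, server, secret, *addresses = fields
        entries.append(Secret(lineno, client, server, secret, addresses))
    return entries


def lint_chap_secrets(entries, min_len=8):
    """Return (lineno, message) findings a reviewer would flag."""
    findings = []
    seen = set()
    for e in entries:
        if e.client == "*":
            findings.append((e.lineno, "wildcard client: any username is accepted"))
        if e.secret == "":
            findings.append((e.lineno, "empty secret"))
        elif len(e.secret) < min_len:
            findings.append((e.lineno, f"secret shorter than {min_len} characters"))
        if not e.addresses:
            # pppd: only three words on the line means no IP address is allowed
            findings.append((e.lineno, "no address field: pppd disallows all IP addresses, use * to allow any"))
        key = (e.client, e.server)
        if key in seen:
            findings.append((e.lineno, f"duplicate entry for {key}"))
        seen.add(key)
    return findings


def render_entry(client, secret, server="*", addresses=("*",)):
    """Build the `user * password *` line the DD-WRT PPTP server page expects.

    Secrets containing whitespace or '#' are double-quoted (pppd's quoting);
    a double quote inside the secret is rejected rather than mis-escaped.
    """
    if '"' in secret:
        raise ValueError("double quote in secret is not representable")
    if secret == "" or "#" in secret or any(ch.isspace() for ch in secret):
        secret = f'"{secret}"'
    return " ".join([client, server, secret, *addresses])


if __name__ == "__main__":
    for lineno, msg in lint_chap_secrets(parse_chap_secrets(SAMPLE_CHAP_SECRETS)):
        print(f"line {lineno}: {msg}")
    print(render_entry("eve", "pass word"))
```

Running it on the constructed sample flags the short and empty secrets, the `*` client that lets any username in, and the three-field line for dave that, per pppd's manual, ends up allowing no IP address at all, which is the silent failure behind many "PPTP authenticates but never comes up" reports.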
From: Derek Broughton on 8 Mar 2006 14:46

William P.N. Smith wrote:

> Derek Broughton <news(a)pointerstop.ca> wrote:
>>William P.N. Smith wrote:
>>> Jeff Liebermann <jeffl(a)comix.santa-cruz.ca.us> wrote:
>>>>Wireless routers with VPN endpoint built in:
>
>>> Will these terminate a VPN that originates with WiFi clients
>
>>being stumped trying to make it work on my WRT54G.
>
> What firmware? IIRC, the Linksys firmware doesn't terminate VPNs...

Talisman does. Looking at the pptpd documentation, I think I may have misunderstood what the server IP needs to be. I think I need one IP for the router itself, and another IP for the pseudo-device in the pptp server. I'll have to try it again, this evening.

--
derek
From: Derek Broughton on 8 Mar 2006 15:04

Jeff Liebermann wrote:

> Derek Broughton <news(a)pointerstop.ca> hath wroth:
>
>>> Will these terminate a VPN that originates with WiFi clients, or just
>>> terminate VPNs that originate on the Internet? I've always thought it
>>> was the latter...
>>
>>It really shouldn't matter - an IP network is an IP network - but I
>>confess to being stumped trying to make it work on my WRT54G.
>
> DD-WRT comes with a PPTP VPN server. I installed pptpclient:
> http://pptpclient.sourceforge.net
> on mine to allow a router to router VPN. I just noticed that it comes
> with the current version (V23) of DD-WRT. Oops. The chart at:
>
> http://www.linksysinfo.org/modules.php?name=Content&pa=showpage&pid=31
> claims that Talisman 1.05 includes pptpclient, but when I went looking
> for it, it wasn't there. There's also a post by James Ewing of
> Sveasoft claiming that it's there, when it wasn't:
>
> http://groups.google.com/group/alt.internet.wireless/msg/f0fdeb300c3d9b22
> Suggestion.... dump Sveasoft.

I'm beginning to think you're right. Anyway, easy enough to install DD-WRT and restore it to Talisman if I prefer it.

> If you want to do an IPSec VPN, you'll need someone's custom compiled
> image. I've read articles that claim they exist, but I haven't seen
> one. Google finds numerous questions, but nothing definitive.

I'll probably stick to pptp, since most of the clients are Windows.

> The usual screwup is the really weird format of the user/password file
> with "*" as a delimiter.

Yeah, but I never even got that far. It never sends me any GRE packets back, which makes me think it's a firewall issue, but turning off any packet filtering at either end didn't seem to help.

--
derek
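Derek's symptom ("it never sends me any GRE packets back") and Jeff's earlier point about routers needing "VPN passthrough" are the same failure seen from two ends: PPTP is a TCP/1723 control channel plus a separate GRE (IP protocol 47) data stream, and a NAT or firewall that forwards the TCP side but not protocol 47 produces exactly a tunnel that negotiates and then carries nothing. The script below is an added example, not code from DD-WRT or anyone in the thread: it walks a capture and says which of those stages broke. The capture lines are constructed, simplified tcpdump-style text (not real output), and the client and server addresses are RFC 5737 documentation addresses assumed for the example.

```python
"""Diagnose a PPTP session from a packet capture: is the TCP/1723 control
channel answered, and does GRE (IP protocol 47) flow in BOTH directions?

Added example for this thread, not code from any router firmware. The
captures below are constructed, simplified tcpdump-style lines (not real
output); 192.0.2.10 is the client behind the WRT54G and 203.0.113.5 the
PPTP server, both RFC 5737 documentation addresses chosen for the example.
"""
import re
from collections import Counter

CLIENT, SERVER = "192.0.2.10", "203.0.113.5"

# Constructed: control channel completes, GRE leaves but never comes back.
CAPTURE_NO_GRE_REPLY = """\
12:00:01.000 IP 192.0.2.10.40001 > 203.0.113.5.1723: Flags [S], length 0
12:00:01.010 IP 203.0.113.5.1723 > 192.0.2.10.40001: Flags [S.], length 0
12:00:01.020 IP 192.0.2.10.40001 > 203.0.113.5.1723: Flags [P.], length 156
12:00:01.030 IP 203.0.113.5.1723 > 192.0.2.10.40001: Flags [P.], length 156
12:00:01.200 IP 192.0.2.10 > 203.0.113.5: GREv1, call 1, seq 0, length 56
12:00:01.250 IP 192.0.2.10 > 203.0.113.5: GREv1, call 1, seq 1, length 56
12:00:04.000 IP 192.0.2.10 > 203.0.113.5: GREv1, call 1, seq 2, length 56
"""

# Constructed: the same exchange with the server's GRE replies present.
CAPTURE_WORKING = CAPTURE_NO_GRE_REPLY + """\
12:00:04.010 IP 203.0.113.5 > 192.0.2.10: GREv1, call 1, seq 0, ack 2, length 56
12:00:04.020 IP 203.0.113.5 > 192.0.2.10: GREv1, call 1, seq 1, length 56
"""

# A GRE line also contains "IP a.b.c.d > e.f.g.h:", so the TCP pattern is
# anchored on "Flags" to keep the two from matching each other's lines.
GRE_RE = re.compile(r"IP (\S+) > (\S+): GREv1")
TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags")


def count_flows(capture, client=CLIENT, server=SERVER):
    """Count control (TCP/1723) and GRE packets per direction."""
    c = Counter()
    for line in capture.splitlines():
        m = GRE_RE.search(line)
        if m:
            src, dst = m.groups()
            if (src, dst) == (client, server):
                c["gre_out"] += 1
            elif (src, dst) == (server, client):
                c["gre_in"] += 1
            continue
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            if (src, dst, dport) == (client, server, "1723"):
                c["ctl_out"] += 1
            elif (src, sport, dst) == (server, "1723", client):
                c["ctl_in"] += 1
    return c


def diagnose(counts):
    """Map the counters to a verdict code and a one-line explanation."""
    if counts["ctl_out"] == 0:
        return "NO_CONTROL", "client never sent TCP/1723: wrong server address or client not started"
    if counts["ctl_in"] == 0:
        return "CONTROL_UNANSWERED", "TCP/1723 gets no reply: port filtered or pptpd not listening"
    if counts["gre_out"] == 0:
        return "NO_GRE_OUT", "control channel works but client sent no GRE: negotiation failed before the tunnel started"
    if counts["gre_in"] == 0:
        return "NO_GRE_REPLY", ("GRE (IP protocol 47) leaves the client but nothing returns: "
                                "a firewall or NAT in the path is not passing protocol 47 (PPTP passthrough)")
    return "OK", "control channel and GRE are bidirectional: the tunnel is carrying data"


def diagnose_capture(capture, client=CLIENT, server=SERVER):
    """Convenience wrapper: capture text in, (code, explanation) out."""
    return diagnose(count_flows(capture, client, server))


if __name__ == "__main__":
    for name, cap in (("no GRE reply", CAPTURE_NO_GRE_REPLY), ("working", CAPTURE_WORKING)):
        code, why = diagnose_capture(cap)
        print(f"{name}: {code}: {why}")
```

The point of separating the verdicts is that "turn off packet filtering" is the right fix only for the `NO_GRE_REPLY` case, and then only if the filter that is dropping protocol 47 is one you control; a hot-spot router that has hit its passthrough tunnel limit, as in Jeff's first post, shows the same signature from the client's side and nothing on the client or server will change it.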
From: Rico on 8 Mar 2006 16:03

In article <qqir02pd1so2e1metfn7rf9ikvo1a1nmhr(a)4ax.com>, Ari <nomail(a)pass.com> wrote:

>On Tue, 07 Mar 2006 17:16:19 GMT, David Taylor <djtaylor(a)bigfoot.com>
>wrote:
>
>>> Is there any way to secure the data that passes over the wireless so
>>> that it is not available to hackers without buying a different router?
>>> I want the data that I send over the air to be relatively secure and I
>>> want to make sure no one accesses my system via the wireless.
>>
>>You could change the key every 5 minutes? :)
>
>
>I was thinking more along the lines of proxy software on both ends of the
>wireless, where the user could define the method of encryption or set
>up a table to change the key every so often automatically, most
>machines with internet access can easily maintain time within a few
>seconds, so the keys could be changed on a predefined schedule. This
>would be software running in the PC, so perhaps this is a weakness.
>

WEP with a decent passphrase (use hex key to embed in laptop) should be fine for most purposes. If you are the Bank of England maybe you need more. Why is someone going to sit around and hack your wireless network when just down the street the neighbor in the white house with blue shutters has a wide open network? Think of this like a burglar alarm on your house: will it actually stop a determined thief? Absolutely not. Will it get 99.99% of them to try the house next door without the alarm? Of course. Why struggle with an alarm if the pickings are easier just a few feet away?

Remember your online banking etc. is done via SSH anyway (https), so that in itself is additional security.

If you are just not going to be happy, there are those services that will let you VPN into their network and then they route your traffic. In some public hotspots likely not a bad idea. But you can use them for every day use if you wish. I think there are free ones and fee ones. Shop around before you buy.

fundamentalism, fundamentally wrong.