WEPHack (24th September 2013)
As mentioned it's really time to get rid, but...
Depending on your APs you could set up WPA2-xx on one radio/ssid, and WEP with an allowed MAC address list on the other. Never been in that situation so it may not be possible on your APs, it may not be possible on any APs...
In a scrape when I had a laptop I needed to keep going for a month until a planned refresh, I bought one of these micro USB wifi adapters
It definitely supported WPA and was a lot easier than replacing the wifi card. It was actually the fastest wifi connection in the school at the time Might not be quite so good on student machines though...
Moving to Wireless Networking forum.
I've tested 4 laptops, from our oldest to newest, with WPA2-AES 504 bit key (most of our APs are Netgear WG302's, so I've tested with one of these using the latest 4.2.17 firmware). Ironically our newest Lenovo laptops just refuse to connect with this config. I will double check, but I'm fairly sure they have the latest (Intel) drivers (Centrino Wireless-N 2230). These are all Win 7.
As an aside, it transpires that WEP wasn't hacked. A student went onto a teacher's laptop, looked at the wireless settings (click "show characters") and wrote down the WEP key. We've told teachers time and time again to not leave their laptops unsupervised.
People up to no good love piggybacking into WEP networks. You should take this extremely seriously.
You should only use WPA2/AES.
WEP was regarded as broken by 1999. The WiFi alliance implemented WPA while the IEEE 802.11i standard was developed. WPA uses the same RC4 hashing technique as WEP, however TKIP generates a temporary encryption key to encode data, and the keys are produced during the 4-way handshake immediately after association. WPA could be implemented with a firmware upgrade and was designed to last about 4 years until 802.11i, which was implemented by the WiFi alliance as WPA2.
WPA2 introduces the concept of the Robust Secure Network (RSN). It uses the same 4 way handshake to generate a temporary key, however it uses AES in place of RC4 and CCMP in place of TKIP. Advanced processing required new hardware in access points.
Enterprise encryption us a bit of a misnomer. It generally uses Radius to authenticate the user or device. Once the authentication is complete there is still a 4-wayhandshake.
A network is classed as a true RSN if it's WPA2 only, if it's WPA/WPA it's called a transitional network. The aim should ALWAYS be to get yourself to a true RSN.
Any security is going to be vulnerable if you use a weak key. An attacker can capture the 4-way handshake and run an analysis against a set common passwords. If yours is on it then the key will be found.
If you use enterprise security it can come at a cost of roaming times in delay sensitive applications like VoIP, which is why some admin's mistakenly use WEP on VoIP systems (I have seen it). 802.11k and 802.11r allow for fast BSS transitions, and Cisco/Apple are one of the first to get this working well. If you have Enterprise and need fast roaming look into that.
However, it's not the only answer. Some vendors implement Dynamic Pre-Shared Key - enterprise level of security without the admin headache. Each user gets their own key. It works great.
However here is my advice it you are responsible for running this network.
1) educate yourself on the fundamentals of WiFi. Why is it so many people are responsible for WLAN deployment and admin who have zero training and even worse, make no attempt at getting any training. It baffles me.
2) Put some serious planning into what your network is supposed to be doing now, in three years and in 5 years.
3) Take immediate steps to remove WEP, even if it means old laptops can't connect (which I doubt - are they older than XP ?)
4) Examine all options to provide good security. Remember, security is also about protecting your users. If you are in education there will be huge implications if security is breached (data protection, student records, etc). Hackers are predators, they will pick off the weak ones first.
5) If in doubt, talk to a professional WiFi person. In fact, this should be rule 1. Talk to a professional WiFi person.
I've used a random generator to create the 504 bit key, so definitely not dictionary.
What type of access points do you have ?
WPA is not easy to crack unless you have a weak password. Don't worry about the 504 bit, it won't really add anything, plus some clients won't be compatible.
Concentrate on the bigger picture. Describe your network before making changes.
Going forward we will look next FY at replacing the wireless solution with something managed, if budget allows. (Budget being another problem...)
I'd prefer a managed solution, but as per the above it won't be happening until at least the next FY. Clearly we'd then need to look at the network infrastructure as a whole, to make sure it will all work together.
It's funny, in education there are always funds for silly projects but never something as key as WiFi. There are good solutions out there, but the WG302 isn't one of them.
If your infrastructure allows, just create a new SSID mapped to the same VLAN and migrate users from old to new. Otherwise, bite the bullet and get some help, spend a weekend doing it when the school is closed.
How many devices are we talking about ?
Last edited by neilmac; 24th September 2013 at 01:04 PM.
There are currently 1 users browsing this thread. (0 members and 1 guests)