Replacing WEP with IPsec on OpenBSD, Windows XP 47

BSD Forums writes "WEP has been proven insecure and is thus inadequate for protecting a wireless network from eavesdropping or abuse. IPsec can be used as a replacement for WEP in the following scenarios. Joshua Stein has implemented IPsec on OpenBSD with manual keying between a router and a client as a replacement. Also, Thomas Walpuski describes in detail the configuration of an IPsec host-to-host connection between OpenBSD and Windows XP Professional with authentication via X.509v3 certificates."
  • by jrpascucci ( 550709 ) <.jrpascucci. .at. .yahoo.com.> on Wednesday May 28, 2003 @01:13PM (#6059169)
    WPA, which stands for 'Wi-Fi Protected Access', is the replacement for WEP. It does a prima facie good job making up for WEP's flaws. Several companies have firmware updates and drivers to enable WPA. More are coming.

    If you want strong protection, use it in combination with 802.1x authentication with TLS (and accept the infrastructure problem), PEAP (and choose between the incompatible v1 or v2 versions of it, and I personally can never remember which it is MS supports), or TTLS.

    For even stronger protection, turn on 'session resumption' on your .1X client (if you can), and return a Session-Timeout of a few minutes. You'll effectively completely rekey (start from new material, in addition to the rekeying WPA provides).
  • Links links links (Score:5, Informative)

    by coyote4til7 ( 189857 ) on Wednesday May 28, 2003 @01:51PM (#6059562) Homepage
    Slashdot had a long discussion on WiFi security late last year (Replacing WEP for Wireless Security [slashdot.org]). ComputerBits has a relatively short overview (Wireless Hot Spot Security [computerbits.com]) for those who prefer something more organized. Then there's the Unofficial 802.11 Security Page [drizzle.com], the website of the WiFi Alliance [wi-fi.org] (the industry group for 802.11) and a nifty google search on WiFi Security [google.com].
  • W2K? (Score:2, Interesting)

    by iamr00t ( 453048 )
    This is a very good paper, assuming it works.
    Also, it looks like W2K has all the same functionality (besides security monitor, which I assume is just that - a monitor). Can it be used for that?

    Also, what about denying non-IPsec protocols over the server interface that is connected to the access point?
    • Look, W2K is not going to be a problem. There might be some computers that have problems with the changeover, but most things will function normally. There are Cobol coders working overtime to make sure we transition to W2K smoothly. But just in case I got some guns and a fallout shelter....
  • by psxndc ( 105904 ) on Wednesday May 28, 2003 @09:25PM (#6063788) Journal
    I use an OpenBSD firewall/gateway as my wireless access point and my iBook as the client. Does anyone know how I'd do this under OS X? The last time I looked, the built-in IPSec implementation was not really user accessible.

    psxndc

    • by MrChuck ( 14227 ) on Thursday May 29, 2003 @12:13AM (#6065134)
      Does Apple Airport support [IPSEC]?
      No, but the machine past your Airport does.

      Run WEPless and use IPSec to the house server.

      VaporSec is a pretty GUI to set up racoon and IPSec on your OS X box. (see also netbsd ipsec docs; be neat if apple's userland utilities would keep up with BSDs post 2000 - FreeBSD 4.x and 5.x userlands are far more advanced).

      If WEP is good enough then just turn it off. The WEP emperor is naked. Hell, just print out your squid logs and put them up on your door and your website. Unless you're spinning new keys every couple thousand packets, you're easy to watch. It's not even hard to break - mom can bring up a stumbler program and just leave it on for a couple hours.

      • by psxndc ( 105904 ) on Thursday May 29, 2003 @07:29AM (#6066551) Journal
        No, but the machine past your Airport does

        Sorry I wasn't clear enough. My setup is more like this:

        Internet -- OpenBSD firewall -- OpenBSD WAP/Firewall -- iBook w/ Airport card.

        I don't have an airport base station, only the airport card. I'll look into VaporSec though. Thanks.

        If WEP is good enough then just turn it off

        I completely disagree with this statement. Yes, WEP is very weak, but if there are 5 WEP networks in the area and 25 networks with no WEP, guess which ones I'm going to try and connect to. If someone wants to break in, sure they can. But having WEP will discourage the casual intruder since there are so many other non-WEPed networks out there. WEP is good enough until you can set up IPSEC. Once that's up, sure, turn off WEP.

        psxndc

  • When using my wireless laptop, I use SSH2 tunnels for all of my email and intranet work.

    So - pretty much anything that I wouldn't want sniffed is going through SSH2 anyway.

    Do I still need WEP or IPsec? Is it more to protect the host (firewall+WAP), client (my laptop), or the stuff exchanged in between?
    • IPSec or WEP doesn't just keep your traffic secure. It also helps ensure who can connect to your access point. So, probably, because it will help keep people from stealing bandwidth from you or finding unencrypted stuff you didn't want them seeing. It's basically to encrypt all traffic to and from the WAP - clients.
  • by adamsc ( 985 ) on Friday May 30, 2003 @12:09AM (#6074023) Homepage

    There's only one way to be secure and that's to use strong, end-to-end encryption. Anything which encrypts only the wireless portion is borderline snake-oil - not only does it not protect your data but it actually makes the problem worse since people see all of the cryptogeekery and assume that it's secure - after all, they didn't understand any of what they had to do to use it! All of this hassle merely gets you an insecure network which is now hard to use, less reliable and slower.

    I've taken the opposite approach [improbable.org] - my access points are wide-open (=easy to use) because all that gets you is access behind a firewall which allows HTTP to a squid proxy, SSH, HTTPS/IMAPS/POP3S/SMTPS, IM and DNS. (When IPSec is more widely available I plan to replace this with something which blocks almost all non-IPSec traffic. I'd be less surprised to find everything running over SSL a decade or more before near universal IPSec deployment)

    This approach encourages better practices because it makes people aware that they're doing something risky - many people have no idea that anyone along the way could capture their password during one of the 5,000 times their email client sends it in cleartext during a given week. One of these days I'd like to hack together a script with ettercap's password collector which would periodically send someone's password to them in a warning and set the expired password flag on their account.
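One way to do the filtering iamr00t asks about above (deny non-IPsec on the interface facing the access point) and that adamsc plans to move to (block almost all non-IPsec traffic), as an added pf.conf example for an OpenBSD gateway that is also the WAP; this is not from the article or from any commenter, and the interface names, addresses and subnet are assumed placeholders:

```pf
# Added example: pf rules for a gateway whose wireless side only admits IPsec.
# Assumed placeholders: wi0 (wireless), fxp0 (upstream), 10.10.0.0/24 (clients).
wifi     = "wi0"
wifi_ip  = "10.10.0.1"
wifi_net = "10.10.0.0/24"
ext      = "fxp0"

# Default deny on the wireless interface, logged so any client still sending
# cleartext (a misconfigured laptop, a stranger with no SA) shows up in pflog.
block drop in log on $wifi all

# The only cleartext accepted from the air: IKE (UDP/500) for certificate-based
# keying as in the Windows XP setup, and ESP carrying the tunnelled packets.
# With manual keying (the router/client setup) the UDP/500 rule is not needed.
pass in on $wifi proto udp from $wifi_net to $wifi_ip port 500 keep state
pass in on $wifi proto esp from $wifi_net to $wifi_ip

# Packets that decrypted correctly reappear on enc0; ordinary policy is applied
# there, so an attacker cannot reach the network without a valid SA.
block drop in log on enc0 all
pass in on enc0 from $wifi_net to any keep state

# Decrypted traffic may leave upstream; ESP and IKE replies go back to clients.
pass out on $ext from $wifi_net to any keep state
pass out on $wifi proto esp from $wifi_ip to $wifi_net
pass out on $wifi proto udp from $wifi_ip port 500 to $wifi_net keep state
```

Check the result with `tcpdump -n -e -ttt -i pflog0` while a client without an SA tries to connect: every packet it sends should appear there as a blocked packet on wi0, and nothing from it should ever appear on enc0.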

  • by Anonymous Coward
    The End of FreeBSD

    [ed. note: in the following text, former FreeBSD developer Mike Smith gives his reasons for abandoning FreeBSD]

    When I stood for election to the FreeBSD core team nearly two years ago, many of you will recall that it was after a long series of debates during which I maintained that too much organisation, too many rules and too much formality would be a bad thing for the project.

    Today, as I read the latest discussions on the future of the FreeBSD project, I see the same problem; a few
