Time to Banish WEP
by Arnold Reinhold, Principal
It is time to banish WEP from the face of the Earth. WEP (Wired Equivalent Privacy) was the first generation security layer for WiFi (802.11) wireless networks. It had the modest goal of providing the same level of security users enjoyed when plugged into an ordinary Ethernet network. Unfortunately serious design flaws were discovered that rendered WEP vulnerable to a number of cryptographic attacks, the most devastating of which allows an attacker to recover the master key, allowing full access to the network.
The industry responded by trying to accelerate the plan for a strong security layer, called 802.11n. But realizing it would not be available soon enough and would require replacing many network cards, an interim solution, called WPA (Wi-Fi Protected Access) was created that reduced WEP’s vulnerability by changing traffic keys frequently. The drawback of WPA is that it requires some older access points to be replaced, but it should work with most, if not all, network cards. The 802.11n project is now complete and it has been monikered WPA2. The latest releases of all the common PC platforms; WindowsXP, Mac OS-X and Linux, support both WPA and WPA2.
Organizations that care about security have no excuse for continuing to use WEP. Yes, some access points may need to be replaced and if you move to WPA2 you may require new network cards. But access points are fairly inexpensive, so for most needs, WPA provides a very good solution with minimal additional investment. However, truly mission critical networks should bite the bullet and switch to WPA2.
A word of advice: Use strong passwords when operating these security layers in what the WiFi folks call Personal Shared Key mode (PSK). This is the keying method most smaller organizations use, where each user has to enter the same key into their laptop or other wireless device. Passwords should be 16 or more random characters, something like CDYB XYSZ BPGL RECH, or four random words. The complexity of the passwords isn?t a problem. They needn’t be memorized since they should only have to be entered once.
If you really don’t care about security enough for all this bother, and the minor associated cost, then you don?t care much at all. If that really is the case, then maybe you should turn off WEP altogether and provide an open access point. The dedicated bad guys who might attack a WEP network, will probably leave an open network alone.