Home: www.packetnexus.com
WEP can't stand alone for security By Herb Bethoney, eWEEK April 15, 2001 9:00 PM PT URL: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2706267,00.html Although the IEEE's 802.11b wireless LAN standard includes a provision for security called Wireless Equivalent Privacy, or WEP, the protocol leaves much to be desired. WEP is supposed to provide the same security that a locked door does for a building, but recent research from the University of California at Berkeley and the University of Maryland has shown that compromising an 802.11b-based network is easier than picking the lock on an organization's door and jacking in to its network. For example, an attacker could eavesdrop on a wireless network using a wireless LAN analyzer application. The attacker could capture the plain and encrypted text of shared keys used for authentication, figure out the authentication response, and then provide a new checksum using another known exploit and connect to the network as a valid user. Wireless LANs are susceptible to a number of other attacks, but the point is: WEP is no guarantee of security in the face of a determined attacker. And, to the extent that it offers a false sense of security, WEP is worse than no security at all. WEP must be enhanced with end-to-end encryption, additional user authentication, virtual private networks and firewalls (at the very least). The IEEE is working on a better security algorithm to replace WEP, and 802.11b equipment vendors are including proprietary security enhancements with their products. These security enhancements may well become the most important differentiators among the growing large number of wireless LAN options. Back to the Index