LiquidEyes

join:2006-06-22
UK

securely mixing WEP and WPA - two routers required?

I access my ADSL connection through a Netgear DG834GT wireless router.

The internet connection is shared by multiple computers. My wireless LAN is locked down using WPA and all the usual security measures. All fine and dandy.

Recently I bought a couple of devices that only support WEP, not WPA. Naturally I don't want to downgrade the security of all my existing devices by switching everything to WEP.

My WEP devices need to be able to access the internet, but they don't need to access my LAN.

I have a spare wireless access point, so presumably I could connect this to a spare port on my router, and dedicate this to serving my WEP-only devices. (Does that sound reasonable?)

However, if I've understood this correctly, presumably that would mean my WPA devices would be on the same LAN segment as my WEP devices, lowering my security to the lowest common denominator. I.e. if my WEP network got hacked, wouldn't it be easy for the hacker to access my previously-secure PCs?

In researching this, I read something about 'double NAT', and I wonder if this could be the answer. If I bought a second wireless router, connected its WAN port to a spare LAN port on my existing ADSL router, and configured it to be on a different subnet, could I access the internet via the second router using WEP? Would it correctly route stuff via the original router to the internet?

And, crucially, would this achieve the desired effect of isolating my WEP and WPA networks?

Thanks in advance.


PetePuma
How many lumps do you want
Premium,MVM
join:2002-06-13
Arlington, VA

That won't work. Anything hanging off a LAN port on the WPA router can see everything on that network. This means the 2nd WEP router can see everything on the 1st router.

To do this correctly, you either need to switch them (make the WEP router first), or use some other setup that provides for separate networks (most consumer routers don't provide for this...)


stevech0

join:2006-09-17
San Diego, CA

2 edits

reply to LiquidEyes
To run WEP and WPA, buy an access point (or fake a w-router to be an AP). Set its encryption to differ and put it on a different WiFi channel among 1, 6 or 11.

My unpopular opinion is that WEP128 is sufficient. Can be broken, but lack of motive and proximity make cracking highly unlikely.

Funny how people don't worry about unencrypted but semi-sensitive traffic flowing on the vast routers of the Internet and in e-mail but are hyper about wireless.


LiquidEyes

join:2006-06-22
UK

reply to PetePuma
Thanks for the replies. Pete, I wonder if you could help me understand this a bit better...

1. I thought the idea of a router was that it could join two different network segments - have I misunderstood?

2. Following on from that assumption: if router 1 was 192.168.1.x and router 2 was 192.168.2.x, how could the devices on the second network see the devices on the first?

3. Are you saying that all I need to do is swap the routers round? I.e. my ADSL router should serve the less secure network, and my second (WPA) router can hang off a LAN port on the first router?

4. If so, would the second router be on a separate subnet as I described above?


LiquidEyes

join:2006-06-22
UK

reply to stevech0
Steve: please can you clarify how the access point would be connected to my original ADSL router? Would it just be hanging off a LAN port, and configured to be on the same subnet?

And just for clarity - the solution you are proposing won't isolate my WEP LAN from my WPA LAN will it?

I take your point that there are steps I can take to make my WEP network more secure, but my inquiry is specifically about the scenario where my WEP has been hacked. How far can I protect the rest of my network in this event?

If I don't take measures to isolate the WEP from the WPA network, then from a security perspective I might just as well set the entire network to WEP, no?



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

An access point with multiple essids will do the job.
Case in point
»www.us.zyxel.com/web/product_fam···A2007128

Ensures defined WiFi groups, such as guests, only have access to the internet and not other PCs, LAN devices, etc.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


YqE41k24
Premium
join:2004-05-02
Tarrytown, NY

reply to LiquidEyes
Another option to consider is moving the WEP traffic onto a bridge. A wireless bridge (WDS) between your firewall and WEP-only equipment, now wired, might offer you better encryption options, support for non-WEP devices in that corner of your house, and give you a hot backup on standby should your Netgear fail.


stevech0

join:2006-09-17
San Diego, CA

reply to LiquidEyes

said by LiquidEyes:

Steve: please can you clarify how the access point would be connected to my original ADSL router? Would it just be hanging off a LAN port, and configured to be on the same subnet?

And just for clarity - the solution you are proposing won't isolate my WEP LAN from my WPA LAN will it?
Me, I'd just use WEP128.

Access point connects via CAT5 cable to a LAN port on your router or a switch.


whynot40

@cox.net

quote:
Me, I'd just use WEP128.
Actually it is WEP 104, not 128, but why bother? WEP 104 bit can be broken using the same tools in the same amount of time as WEP 40 bit. So why bother with the extra bits since you are not concerned about security anyway.

Tom Blue

join:2007-09-17
MN, USA

said by whynot40:

quote:
Me, I'd just use WEP128.
Actually it is WEP 104, not 128, but why bother? WEP 104 bit can be broken using the same tools in the same amount of time as WEP 40 bit. So why bother with the extra bits since you are not concerned about security anyway.
Actually, it is both, and they are the same thing. It depends on whether you include the 24 bit initialization vector in the bit count.

LiquidEyes

join:2006-06-22
UK

reply to Anav
Anav, how do multiple ESSIDs help me?

Creating 'wifi groups' may prevent the layman from logging into my WEP network, but once somebody is on the WEP section of my LAN (e.g. because I let them, or because they defeated the encryption) what stops them from seeing everything else on the LAN?

I'm already using one access point, and it completely merges all my wifi-networked and ethernet-networked PCs into a single network. The AP's ESSID is different from the router's SSID, but none of my PCs 'know' whether any other PC is wired or wireless.

(I have my ADSL router in room A where the telephone line is. In room B I have a number of PCs connected by gigabit ethernet, and they all share a wireless access point, which in turn talks to the router in room A. There are also a couple of PCs in other rooms which have wifi cards and talk to the router directly. Every PC can see every other PC. Everything has an IP address on the same subnet - at the IP level, there is no distinction between a wireless NIC and a wired NIC.)

A number of the suggestions posted here appear to be ways of improving the security of a WEP network at the wifi configuration level, which is great - but ultimately, don't encryption and ESSIDs go out of the window once the WEP network has been hacked?

As a thought exercise to illustrate my point more clearly: imagine that instead of a WEP network, I've got a totally unsecured wifi network - with no encryption or protection whatsoever - and I want my ADSL connection to be shared by both my secure WPA network and the unsecured network. Exactly how would I go about that?


LiquidEyes

join:2006-06-22
UK

reply to LiquidEyes
Let me explain myself a different way:

What I am trying to achieve is full isolation of one group of PCs (some of which just happen to be talking via WPA ... some of which just happen to be connected by blue ethernet cables ... some of which just happen to be connected via yellow ethernet cables ... you get the idea!) from another group of PCs (which, for whatever reason, has a much higher probability of being infiltrated by somebody who shouldn't be on my network!)

But I only have one ADSL connection, so fundamentally the two have to be connected at some point.

I (perhaps naively) thought the conventional way to isolate groups of PCs was to have them on separate subnets, just as you would when creating a DMZ / web server / private network setup. In this case there is a single point (the firewall) where the two networks cross (public and private), and the firewall routes traffic accordingly via NAT. Explicit allow/disallow rules prevent any packets from the public network from being routed to the private network.

So when I read about double-NAT, the idea of using a second router seemed to make sense because (as I understand) routers are responsible for bridging two completely separate networks, and even the most inexpensive routers now have sophisticated firewall facilities.

I figured that, just as my ADSL router prevents a hacker on the internet from seeing my PC as though he were on the same LAN -- because stuff only crosses over with the router's explicit say-so -- so could a second router prevent people on 'one side of the router' from seeing people on 'the other side of the router'.

If my logic is faulty, please can somebody explain which part(s) I have misunderstood?



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

1 edit

Assuming from your description, your Netgear has its own wifi setup. This should only be accessible by you and protected by WPA or WPA2.

The Access Point I noted, the ZyXEL NWA-3163, can host up to 8 virtual ESSIDs, each having its own security settings etc.
These settings include:

a. type of security (WPA, none etc)
b. ability to block users within the same ESSID from seeing each other.
c. ability to block users from all LAN resources and just access the internet

With these three under your belt, there should be no problem to assign groups of users to the virtual ESSIDs without fear of LAN hacking.
(1) Those users on a WEP network solely for access to gaming purposes would be "LOCKED" into internet/gateway access only.
(2) Those users that need WAN access, but do not need to see each other, and do not need LAN access can be a separate group using better WPA security.
(3) Those users that need access to your LAN (very much trusted) can be in a third group, again using WPA but obviously a different key.

ETC.......

If unauthorized users accessed the wep portion, the only thing they would have access to is the internet.




PetePuma
How many lumps do you want
Premium,MVM
join:2002-06-13
Arlington, VA

reply to LiquidEyes
Your mistake is that you're hanging the 2nd router off the first router's LAN port. They are not separate networks, one is "inside" the second.

To do what you want to do, you need either 3 routers or a router that provides for two independent subnets on the LAN side.


stevech0

join:2006-09-17
San Diego, CA

1 edit

Assuming you don't try to double-NAT (ill-advised), and assuming you have an Internet service provider that gives you the normal one IP address (public side), you can have ONE router. O-N-E.

You can have as many access points as you'd like. Each can run WEP or WPA or nothing, independently. And each can have whatever SSID you like.

You can use a wireless router to emulate an access point, if it is configured correctly; that's discussed in the FAQs. In this case, it is an access point, NOT a router. The WAN port goes unused.



PetePuma
How many lumps do you want
Premium,MVM
join:2002-06-13
Arlington, VA

said by stevech0:

assuming you don't try to double-NAT (ill-advised)
I think this is overblown. Double NAT isn't a problem 99% of the time, especially if you control all routers in the chain.

If I was the OP, I'd also be considering running something like M0n0wall with multiple NICs and setting up a true DMZ for the WEP wireless access.

Tom Blue

join:2007-09-17
MN, USA

reply to LiquidEyes
Sorry for coming to this thread late and not reading the entire thread - maybe this has been covered.

What you want to do is pretty easy with two routers. You connect your WEP-secured router ("first router") to your WAN (broadband) and connect the WAN port of your "second router" - the WPA-secured router - to one of the LAN ports on the first router. Make sure they are on different sub-nets, and that the firewall is enabled on the second router.

Here is a brief article about setting up unsecured wireless access to the internet while keeping the LAN secure. Just substitute your WEP router (first router) for the open router (router #1) in this article.

»www.smallnetbuilder.com/componen···/aid,87/
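To make the ordering argument from PetePuma's and Tom Blue's posts concrete, here is an added Python model (not from this thread, the article linked above, or any product) of a consumer NAT router hanging off a LAN port of a first router. The only addresses taken from the thread are the 192.168.1.x and 192.168.2.x subnets; the router 2 WAN address, the host addresses and the public address 203.0.113.10 are constructed for the example. It checks, for both orderings, which side can open a new connection to the other.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for this model; only the 192.168.1.x / 192.168.2.x
# subnets come from the thread itself.
OUTER_NET = ip_network("192.168.1.0/24")    # LAN side of router 1 (the ADSL router)
INNER_NET = ip_network("192.168.2.0/24")    # LAN side of router 2
ROUTER2_WAN = ip_address("192.168.1.2")     # router 2's WAN port, plugged into a LAN port of router 1
INTERNET_HOST = ip_address("203.0.113.10")  # any public address (documentation range)


class StatefulNatRouter:
    """Minimal model of a consumer NAT router.

    Packets leaving the inner LAN are masqueraded behind wan_addr and the flow is
    remembered; packets arriving on the WAN side are only delivered to the inner
    LAN when they answer a remembered flow. Nothing on the WAN side is routed to
    the inner subnet directly.
    """

    def __init__(self, inner_net, wan_addr):
        self.inner_net = inner_net
        self.wan_addr = wan_addr
        self.flows = set()  # (inner source, remote destination) pairs seen outbound

    def forward(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        if src in self.inner_net and dst not in self.inner_net:
            self.flows.add((src, dst))       # outbound: translate, remember, forward
            return True
        if dst in self.inner_net:
            return False                     # unsolicited inbound to an inner host: dropped
        if dst == self.wan_addr:
            # Traffic to the WAN address itself: a reply to a remembered flow is
            # un-NATed back to the inner host; anything else is dropped.
            return any(remote == src for (_, remote) in self.flows)
        return False                         # not this router's traffic


def can_initiate(src, dst, router2):
    """Can a host at src open a new connection to dst in this two-router layout?"""
    src, dst = ip_address(src), ip_address(dst)
    if src in INNER_NET and dst in INNER_NET:
        return True                          # same switch, router not involved
    if src in INNER_NET or dst in INNER_NET:
        return router2.forward(src, dst)     # only router 2 polices this path
    return True                              # outer-to-outer, or outer-to-Internet via router 1


def isolation_report(wep_is_outer):
    """Which side can reach which, for a given ordering of the two routers."""
    router2 = StatefulNatRouter(INNER_NET, ROUTER2_WAN)
    outer_host, inner_host = "192.168.1.50", "192.168.2.50"   # constructed hosts
    if wep_is_outer:                 # Tom Blue's layout: WEP on router 1, WPA behind router 2
        wep_host, wpa_host = outer_host, inner_host
    else:                            # the OP's first idea: WPA on router 1, WEP behind router 2
        wep_host, wpa_host = inner_host, outer_host
    return {
        "wep_can_reach_wpa": can_initiate(wep_host, wpa_host, router2),
        "wpa_can_reach_wep": can_initiate(wpa_host, wep_host, router2),
        "wep_can_reach_internet": can_initiate(wep_host, INTERNET_HOST, router2),
        "wpa_can_reach_internet": can_initiate(wpa_host, INTERNET_HOST, router2),
    }


if __name__ == "__main__":
    for ordering in (True, False):
        print("WEP outer" if ordering else "WEP inner", isolation_report(ordering))
```

With the WEP network on router 1 and the WPA network behind router 2, a WEP-side host cannot initiate anything into the WPA subnet, while WPA hosts still reach the WEP segment and the internet. Swap the ordering and the WEP hosts can initiate connections to every WPA host, which is the problem PetePuma describes. The model only judges reachability: WPA-side traffic still crosses the WEP segment on its way out, which is the interception caveat raised later in the thread.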



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

1 edit

Actually Tom, that's 'not secure' because all the traffic coming from the second router or from the WAN side has to pass the first (WEP - hackable) router. Thus all the 'secure second router' traffic can be intercepted, the worst case being man in the middle attacks. Now for the average homeowner and probably hacker (assuming), this is probably not going to be an issue, but I wouldn't want to give someone the false impression that this method is actually secure or bona fide.



Lasko

@cox.net

reply to Tom Blue

quote:
Actually, it is both, and they are the same thing. It depends on whether you include the 24 bit initialization vector in the bit count.
As defined there is a 40 bit or a 104 bit secret key which has the public IV concatenated to it to produce the input for the PRNG. So if you are referring to the key size WEP 104 is correct. If you are in marketing and want to "prove" to your customers that your product you call it WEP 128 without mentioning that the key size is only 104 bits.

Tom Blue

join:2007-09-17
MN, USA

2 edits

It is referred to both ways in the literature, in user manuals, and in product descriptions. To clarify to people who read this stuff and may become confused,

40 bit is identical to 64 bit WEP, and
104 bit is identical to 128 bit WEP.

It has nothing to do with marketing, unless the marketing person is an idiot. It has to do with whether you are describing the raw key that is entered (by a user, for example) or the length of the string of bits as transmitted over the wire.
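An added Python example (not from any poster in this thread) that makes the two naming conventions concrete: it reports a WEP secret key both by its own size (40 or 104 bits) and by the size of the RC4 seed once the 24-bit IV is prepended (64 or 128 bits), and builds that per-frame seed the way Lasko describes. The RC4 routine is the standard algorithm; the keys and IV in the demo are constructed values.

```python
IV_BITS = 24            # the per-frame initialization vector, transmitted in clear
IV_BYTES = IV_BITS // 8


def wep_key_info(secret_key):
    """Describe a WEP secret key both ways the thread uses: by the secret's size
    and by the size of the RC4 seed (secret key with the 24-bit IV prepended)."""
    secret_bits = len(secret_key) * 8
    if secret_bits not in (40, 104):
        raise ValueError("WEP secret keys are 5 bytes (40 bits) or 13 bytes (104 bits)")
    seed_bits = secret_bits + IV_BITS
    return {
        "secret_bits": secret_bits,
        "seed_bits": seed_bits,
        "key_size_name": f"WEP {secret_bits}",   # the 40 / 104 naming
        "seed_size_name": f"WEP {seed_bits}",    # the 64 / 128 naming
    }


def rc4_keystream(seed, length):
    """Plain RC4 (key scheduling followed by keystream generation)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_packet_seed(iv, secret_key):
    """The PRNG input for one frame: the public IV concatenated with the secret key."""
    if len(iv) != IV_BYTES:
        raise ValueError("WEP IVs are 3 bytes (24 bits)")
    wep_key_info(secret_key)                      # validates the key length
    return iv + secret_key


def wep_keystream(iv, secret_key, length):
    """Keystream RC4 would produce for one frame with this IV and key."""
    return rc4_keystream(wep_packet_seed(iv, secret_key), length)


if __name__ == "__main__":
    key40 = bytes.fromhex("0102030405")                     # constructed 40-bit key
    key104 = bytes.fromhex("0102030405060708090a0b0c0d")    # constructed 104-bit key
    iv = bytes.fromhex("aabbcc")                            # constructed IV
    for key in (key40, key104):
        info = wep_key_info(key)
        print(info, "seed bits:", len(wep_packet_seed(iv, key)) * 8)
        print("first keystream bytes:", wep_keystream(iv, key, 8).hex())
```

Because the IV is sent in clear with every frame, only the 40 or 104 bits of the seed are actually secret; the 64 and 128 figures count the IV as well, which is the distinction the last few posts are making.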


© 1999-2012 dslreports.com.