1

WEP is dead and no one should use it... but I have a couple of devices that I would like to use (mainly an original DS that does not support any of the newer standards).

Is it possible to set up a usable WEP wifi network that isn't a gaping hole into the rest of my network? Maybe something that can reject devices that aren't ones that I want connecting to it.

The encryption won't be anything useful, but the devices connecting to it won't be transmitting anything important. However, I'd really like to prevent others from connecting to and using it.

  • @ThoriumBR slightly different, because the motivation differs. Nevertheless the referenced question covers most of the information. – Ariser Sep 30 '19 at 05:26
  • The motivation does not matter much: old hardware, "I love WEP", it does not matter. You cannot secure a WEP network. – ThoriumBR Sep 30 '19 at 11:02
  • Important side note: if you enable WEP or TKIP on a modern (standards compliant) network, this will result in the HT/VHT data rates automatically being disabled. This limits your data rates to 802.11a/g speeds (i.e. max 54 Mbps) and will significantly reduce the user experience on the wireless network. – YLearn Sep 30 '19 at 14:28

1 Answer

3

Consider a WEP network as a room with public access. Think of it as a dark room and people communicating by calling each other's names, audible to everyone.

All means to identify persons eligible to enter are rendered futile due to the nature of that room. After cracking the WEP key, any MAC address can be spoofed. You cannot increase security for any device within that network, because there are no means to cut off communication effectively or, in other words, to throw someone out of the room, as you can't see that person.

If you consider your WEP-unprotected network public, you can limit further access to a more secure network segment by enabling access via VPN. This can reduce harm to devices and services located behind the VPN-gateway.

The only faint possibility to keep attackers slowed down eavesdropping within your WEP-protected network is to use heuristics to throw them out of your network as soon as they do "unusual" things in comparison to the devices normally connected to your network. But keep in mind that this will lead to a false sense of security, as it relies on obscurity of some behaviour of your common network devices. And there is no security by obscurity. Also, honeypots used to detect attackers might work only once. Every measure you can use to identify attackers can be analysed by the attackers themselves to circumvent it.

Summarised, you can:

  • protect network devices within that segment, if they can protect themselves, i.e. up-to-date operating systems tuned to a security level that you might use to log into a public Wi-Fi network
  • protect attached network segments by enforcing usage of VPN for access

You cannot:

  • protect credentials used in that segment
  • protect obsolete devices within that network from being attacked
  • protect communication which doesn't use an encryption totally unrelated to the authentication mechanisms of WEP.
Ariser
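The segmentation the answer describes (treat the WEP SSID as a public network and reach the trusted segment only through a VPN) can be written as a router firewall policy. The ruleset below is an added example, not part of the original answer; the interface names `wlan_wep` and `wan0`, the WireGuard port 51820, and the choice of nftables on a Linux router are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original answer.
# Assumed (hypothetical) names:
#   wlan_wep  - interface/VLAN carrying the WEP SSID
#   wan0      - internet uplink
#   51820/udp - VPN endpoint on the router (WireGuard default port)

table inet wep_isolation {
    chain input {
        type filter hook input priority filter; policy accept;

        # From the WEP segment, the router itself offers only
        # DNS, DHCP and the VPN endpoint. No SSH, no web admin UI.
        iifname "wlan_wep" udp dport { 53, 67, 51820 } accept
        iifname "wlan_wep" tcp dport 53 accept
        iifname "wlan_wep" counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Let replies to already-permitted connections through.
        ct state established,related accept

        # The WEP segment is treated like a public hotspot:
        # it may open connections to the internet uplink only.
        iifname "wlan_wep" oifname "wan0" accept

        # Everything else that originates on the WEP segment
        # (trusted LAN, other VLANs) is logged and dropped.
        iifname "wlan_wep" counter log prefix "wep-blocked: " drop
    }
}
```

A client that needs the trusted segment connects to the VPN endpoint and its traffic then arrives on the VPN interface rather than on `wlan_wep`, so these drop rules do not apply to it. The rules do nothing for devices that stay on the WEP segment itself, which remain exposed to each other as the answer states.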