WEP is bad, but better than nothing

By Joel Snyder
Network World, 09/09/02


The Wired Equivalent Privacy encryption algorithm has a bad reputation because it's relatively easy to crack and it's difficult to deploy (see What's wrong with WEP). But sometimes it might be your only option. The iLabs team built a small wireless LAN secured by WEP, using devices that supported no other security mechanism. We can report that these devices interoperated while using WEP, even when we employed nonstandard extensions such as 128-bit encryption.

Our network was based on the popular WAP11 wireless access points from Linksys. Although it's not designed as an enterprise access point, the WAP11 has attracted many adopters because of its low price and easy setup. The devices connected to these WAP11 boxes were PDAs and wireless Ethernet phones, which typically don't work well with other wireless security strategies.

Sharp's Zaurus is a Linux-based handheld, which makes an excellent platform for deploying small, portable applications. Like all PDAs, the Zaurus has strictly limited memory and a relatively slow CPU. Adding wireless to the Zaurus wasn't as simple as plugging in a wireless card; we had to find drivers, card management tools and a recompiled kernel to add support for the card we chose. But once we figured all that out, the first real test against our Linksys WAP11 wireless access point worked.

Symbol's NetVision phone is another example of a device for which WEP fits best. NetVision is a very cool but deceptively simple device. It looks like a wireless phone without a base station that connects directly to your 802.11b infrastructure, talking H.323 protocols directly to your voice-over-IP network. You need the usual H.323 gatekeeper to run things, but no Symbol-specific or proprietary pieces. NetVision supports a proprietary high-security wireless protocol based on Kerberos that would have required Symbol access points and additional hardware on the network. We used WEP to add basic security against our Linksys access points, and had complete interoperability with devices on and off the network the first time out.

WEP is useful for devices such as printers, which might be located in remote areas yet still need to connect back to the corporate LAN. Most wireless vendors have an Ethernet-to-wireless adapter that can be used for devices such as printers or Replay TV.

One of the advantages of WEP in this type of network is that the WEP keys don't have to be widely distributed to a lot of people (see our WEP primer). Programming phones and PDAs is hard enough that you probably wouldn't ask an end user to do it. This helps to reduce some of the obvious vulnerabilities of WEP, such as people sharing the keys or writing them down and leaving them around public areas.

Although most modern wireless card firmware has been secured against the initialization vector problems exploited by tools such as AirSnort, PDAs and embedded devices in particular may not be as up to date as wireless cards for laptops and PCs. Thus, the advice to change WEP keys frequently still holds: it may be painful, especially in small, portable devices, but it's an important consideration in WEP-based networks.
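The following is an added example, not part of the original article: a check a network owner could run over the 3-byte IVs logged from their own devices to see whether the firmware still emits the well-known weak IV pattern (first byte between 3 and key length + 2, second byte 0xFF) or reuses IVs, which indicates how urgent key rotation is for that device. The function names and the sample IVs are constructed for illustration; the key length is the secret portion only (5 bytes for 64-bit WEP, 13 bytes for the 128-bit extension).

```python
from collections import Counter

# Constructed sample data: hex-encoded 24-bit IVs as they might be logged
# from two transmitters on a test WLAN. Not taken from the article.
LEGACY_PDA = ["02ff10", "03ff10", "04ff11", "0fff7a", "10ff7a", "a1b2c3", "a1b2c3"]
PATCHED_CARD = ["02ff10", "10ff7a", "a1b2c3", "a1b2c4"]


def is_fms_weak(iv: bytes, key_len: int) -> bool:
    """True if the IV has the (B+3, 0xFF, X) form for some secret-key
    byte index B in 0..key_len-1, the pattern patched firmware skips."""
    if len(iv) != 3:
        raise ValueError("a WEP IV is exactly 3 bytes")
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def audit_ivs(hex_ivs, key_len=13):
    """Summarise the IVs seen from one transmitter.

    Returns the weak IVs observed and any IV used more than once.
    An empty 'weak' list only means none appeared in this sample.
    """
    counts = Counter(hex_ivs)
    weak = sorted(h for h in counts if is_fms_weak(bytes.fromhex(h), key_len))
    reused = sorted(h for h, n in counts.items() if n > 1)
    return {"frames": len(hex_ivs), "weak": weak, "reused": reused}


if __name__ == "__main__":
    for name, ivs in (("legacy PDA", LEGACY_PDA), ("patched card", PATCHED_CARD)):
        report = audit_ivs(ivs, key_len=13)
        print(f"{name}: {report['frames']} frames, "
              f"weak IVs {report['weak']}, reused IVs {report['reused']}")
```

A device that shows weak or repeated IVs in such a sample is one where the article's advice on frequent key changes matters most.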