Living with devices that only do WEP
Keep them away from the stuff that matters
By Devin Akin, CWNP | Network World US | Published: 18:00, 13 October 2006
What's the best way to deal with embedded devices that only support WEP with respect to WPA/WPA2 networks and keeping them secure?
Unfortunately, some embedded devices are not upgradeable to WPA/WPA2. Take 802.11 phones for example. Many 802.11 phones support only WEP using either of two key lengths - both easily breakable and both equally unscalable. Newer phones support the WPA/TKIP and WPA2/CCMP cipher suites using passphrases. In addition, some may support lightweight EAP types such as Cisco's LEAP, which has its own problems.
So what do we do when our 802.11 phone (or other similar embedded device) supports only WEP? First of all, WEP phones need to be on their own VLAN using their own SSID, and that VLAN needs to be heavily fire-walled from the rest of the network infrastructure (like file servers, email servers, etc.). Why would we do this? The phones must be able to reach each other and the voice server, but we must be able to block access to mission critical network resources to which the phones do not need access. Since both autonomous APs and WLAN controllers with lightweight APs provide the ability to tie SSIDs, VLANs, and security parameters together as a set, the aforementioned tasks are quite simple.
Filter WEP After separating and controlling access between the WEP network and all other networks that are part of the infrastructure, we need to heavily filter the WEP network. An important question to ask ourselves before creating filters would be, "What protocols am I using and what are my source and destination IP networks?" For example, if I'm using SIP/RTP and my voice server is 192.168.100.2 /24, then I configure my WLAN controller (or other filtering device) to allow only SIP and RTP protocols between devices that are part of the 192.168.100.0 /24 network. This provides filtering at layers 3, 4, and 7 and can severely limit the damage an intruder can do if WEP is broken. If the intruder were able to get past this security, the only two destinations available would be the firewall (acting as a gateway out of the VLAN) and the voice server (which should have its own firewall installed). Each of these two firewalls should be strictly configured and monitored.
Keep your data safe The last consideration is that of protecting the data itself. Voice conversations are by their nature considered somewhat confidential, but if WEP is the only security mechanism available, consider limiting the topics of conversation to those that would not pose a threat to the organisation if they were overheard. If the data protected by WEP is raw data (not voice), then steps should be taken to use encryption at higher layers.
Devin Akin is CTO of CWNP, the industry standard for wireless LAN training and certification, as well as an editorial board member of the WVE. This article appeared in Network World.