The Digital Rag
Real World Information in a Virtual World

Wireless encryption (WEP) fast cracks make it insecure (again)

Newsletter Postings: From the December 21, 2004 newsletter

Hi all, and Season's Greetings

http://securityfocus.com/infocus/1814 is an article on a new generation of WEP encryption cracking tools that have moved the time (and number of packets) necessary to crack a WEP (Wireless Encryption Protocol) protected WIFI (802.11) session from millions of packets and up to days, down to thousands of packets and in some cases just seconds.

What this means is that the wireless access point you bought yourself for Christmas may be the undoing of all your other security doings, allowing attackers into the heart of your network with very little effort.
If you are contemplating adding wireless to your life (home, office, etc.) there is one major rule that you should not break unless you truly are going to purchase excellent equipment and change the encryption keys frequently (more than daily - an onerous task to say the least):

Treat the wireless link as if it is completely insecure!

This means:

1 - don't install it onto your normal "inside" LAN behind your normal firewall (you DO have a firewall, don't you!). Instead, purchase an access point that is its own firewall and put it "outside" the LAN, directly onto the external link to the Internet (see below for how to do this).

2 - use encryption (a VLAN or other encrypted session such as SSH (Secure Shell) or SSL (Secure Sockets Layer, aka HTTPS)) for anything you want to keep safe - such as passwords to your bank, your e-mail information and passwords, etc., or connections to your main computer system for file sharing or remote console.

3 - assume someone is sitting at your kerbside listening in to your electronic conversations at all times.

4 - as usual, set your system up using 128 bit encryption (it makes the job of cracking a lot harder) and change the key at regular intervals (weekly is not a bad idea if you use the link a lot, otherwise, at least monthly). This won't guarantee that your system won't be "owned" by the bad uglies, but it will make their job a continuous one instead of a one-time thing.

Now, to make your wireless be "outside" your normal LAN:

1 - find an old Ethernet hub, or failing that, purchase one of the small 5 port switches - you only need 3 ports and the speed is not critical since the modem you'll hook it to is only running at 10Mbps, not the 100Mbps that the new switches mostly run at.

2 - disconnect the lead from your modem to your current firewall at the modem and connect it to one of the "normal" sockets on the new (old) hub.

3 - connect a new cable from the modem to the "uplink" connector on the hub. At this point your system should work as it always has in the past, but the hub's lights will blink in unison with the send/receive lights on the modem.

4 - connect your new wireless access point/router to the hub with the cable it came with. Configure it quickly as it is now open to the outside world and there are any number of ways that it can be discovered and hacked if you don't change its password and lock it down with new settings.

Your new WIFI system should now pick up an address from your ISP. Most ISPs will now allow you more than one of their addresses on your link, so you should not have to do much, if anything, to get it to work. If you do, just phone them up or visit their web site and go through the process of telling them that you "have a new computer" (the WIFI router looks to them just like another computer on your link) and need another IP address.

Enjoy (if you are not already paranoid enough to block all such enjoyment ;)
