I just wanted to take an opportunity to apprise folks of Cisco's solution for vulnerabilities identified in the WEP protocol.
Recently, Berkeley issued a white paper detailing the weakness of WEP in 802.11 wireless networks. They were "right-on" in their assessments. Problems stem from both the fact that WEP keys are statically assigned to wireless clients, and some vendors implement IVs (Initialization Vectors) poorly.
The problem with static WEP keys is that once assigned (manually) to a wireless client, they remain in place for all encryption sessions. Not only does this cause problems if the client device is stolen, but with a constant stream of single-key encrypted sessions, cryptographic techniques can discover the WEP key and compromise encrypted traffic.
Cisco recently announced a security architecture designed to mitigate the inherent flaws of WEP. Cisco's new architecture uses dynamic WEP key distribution based on EAP (Extensible Authentication Protocol) and the forthcoming 802.1x standard. The bottom line is that Cisco now offers a wireless authentication mechanism that facilitates dynamic WEP key generation. This solution works with Aironet 340 and 350 products and the CiscoSecure ACS 2.6 AAA server.
Cisco uses a pre-standard implementation of EAP and 802.1x called LEAP (Lightweight Extensible Authentication Protocol). LEAP uses a challenge/response methodology for generating dynamic WEP keys that can be configured to forcibly expire and refresh without user intervention. Think of it as a wireless version of PPP with WEP key generation based on successful authentication.
The wireless client and the AAA server generate the WEP key locally without actually passing the key in the clear. After proper authentication and key generation the AAA server passes the key to the wireless access-point to stimulate mutual authentication between the access-point and wireless client.
Thus, Cisco's LEAP solution facilitates dynamic, refreshable (if that's a word) key generation with mutual authentication between the wireless client and access-point. This solves the problem of static WEP keys and so-called rogue access-points, as detailed in the Berkeley white paper.
Concerning IV vulnerabilities, Cisco uses per-packet random IVs. On a packet-by-packet basis, the Cisco wireless client generates a random (or more properly, pseudorandom) IV for every IP packet transmission. This reduces the likelihood that a snooper could cryptanalyze wireless traffic via IV attacks.
The Cisco LEAP architecture is nothing short of a phenomenal advance in wireless security. Even though our solution is "pre-standard" 802.1x, which will offer a fully specified solution for WEP vulnerability, Cisco is the first wireless vendor to provide a solution to wireless security vulnerabilities. When 802.1x becomes standard, we will of course comply with the specification and offer software upgrades for all wireless products.
Furthermore, to achieve an even higher level of wireless security, you can use remote-access VPN solutions based on the Cisco VPN 3000 solution.
No matter how you slice it, Cisco has a robust architecture for solving wireless security problems.
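As an added example (not code from the original post or from Cisco), the following models the per-packet random IV scheme described above: WEP prepends a 24-bit IV to the shared key, so even uniformly random IVs repeat after a few thousand packets by the birthday bound. The block estimates that bound, simulates a random-IV sender until its first repeat, and runs a small reuse detector over a constructed capture of (BSSID, IV) pairs; the BSSIDs are locally administered placeholder values, not real devices.

```python
import math
import random
from collections import defaultdict

IV_BITS = 24                  # WEP prepends a 24-bit IV to the shared key
IV_SPACE = 1 << IV_BITS


def packets_until_collision_prob(p: float, space: int = IV_SPACE) -> int:
    """Packets after which the chance of at least one repeated random IV
    reaches p (birthday approximation: n ~ sqrt(2 * space * ln(1/(1-p))))."""
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


def simulate_first_repeat(seed: int, space: int = IV_SPACE) -> int:
    """Draw uniformly random IVs until one repeats; return the packet count."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.randrange(space)
        if iv in seen:
            return count
        seen.add(iv)


def find_iv_reuse(frames):
    """Report every (bssid, iv) pair seen more than once in a capture.
    Under one static key, a repeated IV means the same RC4 keystream was
    reused, which is what a wireless monitor should flag."""
    seen = defaultdict(list)
    for idx, (bssid, iv) in enumerate(frames):
        seen[(bssid, iv)].append(idx)
    return {pair: hits for pair, hits in seen.items() if len(hits) > 1}


# Constructed sample capture: locally administered (fake) BSSIDs, one IV repeated.
SAMPLE_FRAMES = [
    ("02:aa:bb:cc:dd:01", 0x0A1B2C),
    ("02:aa:bb:cc:dd:01", 0x0A1B2D),
    ("02:aa:bb:cc:dd:01", 0xFF00EE),
    ("02:aa:bb:cc:dd:01", 0x0A1B2C),   # repeat of frame 0 on the same AP
    ("02:aa:bb:cc:dd:01", 0x123456),
    ("02:aa:bb:cc:dd:02", 0x0A1B2C),   # same IV, different AP/key: not a reuse
]

if __name__ == "__main__":
    print("50% chance of an IV repeat after ~", packets_until_collision_prob(0.5), "packets")
    print("simulated first repeat at packet", simulate_first_repeat(1))
    print("reused (bssid, iv):", find_iv_reuse(SAMPLE_FRAMES))
```

The detector keys on (BSSID, IV) because an IV only reuses keystream when it is combined with the same key; the dynamic per-session keys the post describes shrink the window in which any one key sees a repeat.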