WEP and WPA wireless network - possible?

Hi there,

Having got the kids Nintendo DS's for Christmas, I notice they have WiFi support - but only for WEP protocol.

My current home WiFi is set to use WPA, and I don't see an option to support both WEP and WPA.

I'm currently using a o2 supplied (Thompson) router, and do have a spare BT Voyager router in a drawer.
http://www.voyager.bt.com/wireless_devices/voyager_2110/product_info.htm

My question is - can I setup a second wireless network to support WEP for the Nintendos only?

The BT Voyager does support Wireless Distribution WDS - but I'm guessing it needs to be the same security settings as the source wireless network.

Any suggestions greatfully received - please don't suggest lowering my main network to WEP - everything I hear tells me this is basically completely un-secure.

Thanks
Ian,

I was in a similar situation two years ago when I got two DS's, although at the time my network would not do WPA for some reason so it wasn't a problem.

Now however I'm on WPA2 and I've just resigned the consoles never to go online again. I know it sounds a bit bleak but I don't use them anymore.

You can use your router in WPA+WPA2 mode but you can't mix WEP and WPA.

Have you looked at this

Thanks for the replies - the Nintendo adapter definitely looks like the easiest option.

I'm still curious if there's a way for 2 routers to connect to each other and for one to be a slave to the other.
- Sounds like something I can investigate over the holiday period.

Ian.

Yes it is possible to set up two routers each with its own subnet, using different network addresses on each subnet.

You problem with using WEP on one such router is that the WEP which becomes the weakest security point for the whole network.

If you allow your kids to have Internet access via such security then anyone else could hack in at that point and also use your internet connection. (basically making your WPA somewhat pointless )

Or just buy a cheap access point and set that up.

I (used to) have 2x WAP54G setup - one was for normal use and had WPA on and the other was WEP for the DS. I only have the 1 now as I have a wireless router and ditched the WPA access point but the WEP access point is still running happily.

I just had to make sure that the router/first WAP used channel 1 and the DS's WAP used channel 13 for maximum seperation.

UPDATE: As WEP is as secure as my money in Iceland, I'd recommend that once it's setup and working you change the default usernames / passwords, enable the MAC filter and limit it to the DS and hide the SSID broadcast. Although all of these can be gotten arround quite easily if you know how it means that the casual browsing neighbour can't get in too easily, and turn the access point off when the DS is not being used.

Edited by deleted (Tue 30-Dec-08 11:45:58)

In reply to:

---

UPDATE: As WEP is as secure as my money in Iceland, I'd recommend that once it's setup and working you change the default usernames / passwords, enable the MAC filter and limit it to the DS and hide the SSID broadcast. Although all of these can be gotten arround quite easily if you know how it means that the casual browsing neighbour can't get in too easily, and turn the access point off when the DS is not being used.

---

But a casually browsing neighbour would be put off by WEP, and anyone who wouldn't would laugh at MAc filtering and SSID hiding.

Unless you are really sure you can separate the networks then you may as well turn your main router over to WEP.

The Nintendo WiFi dongle is an easy way to do it but I'm not entirely convinced of it's security. I'm not sure if it has any extra security over WEP/MAC filtering or it's just a case of nobody has tried to crack it yet.

This is true. However I was OK in my case as I live in a detached house and with a couple of signal attenuators on the aerials there was not much chance of the signal leaking out past the boundaries of my property.

The only way to get this reliably working is with a multi SSID access point (such as a Cisco Aironet) with seperate VLANs for each SSID, but that's well outside the scope of a regular user.

It is perfectly possible to do this securely. You need a WPA wireless cable router with a NAT firewall. I have done this easily and cheaply. Cable routers have an ethernet WAN port, whereas ADSL routers use an ADSL broadband connection to the ADSL filter to the telephone outlet.

Because you have 2 routers, you have 2 NAT firewalls. You can thus set up a layered 2 tiers system of firewalls such that the WEP network is outside the firewall of the WPA network.

Setup up your existing router "outer" connected to your broadband as WEP. Plug the WAN port of the second router "inner" into one of the LAN ports of first router, configure the two subnets to be disjoint (non overlapping IP address ranges e.g. 192.168.0.x and 192.168.1.x) and setup the wireless networking to WPA/WPA2.

This then gives you two layers of NAT firewall, with the WEP encrypted network outside the NAT firewall of the WPA netword. This then prevents attacks from the WEP network penetrating the WPA network because of the inner NAT firewall - it regards the WEP network on the WAN port as being the internet.

Reconfigure your existing wireless devices to connect to the inner WPA wireless network, configure your NDS lites to talk to the outer WEP network and enjoy.

If you want to do port forwarding to the inner network from the internet, configure the outer NAT firewall to make the WAN port of the inner router the DMZ. Then all incoming packets will be forwarded to the WAN port of the inner router, making it appear directly connected to the internet. The packets will then be filtered by the NAT firewall on the inner router.

barnabear

Save yourself the hassle of setting everything up in a complex way, just use the longes WEP key possible, with upper and lower case charcters and numbers and no words that are in the dictionary.

(Also avoid things like d1ct10n4ry as well).

You were probably going to use a WPA-PSK key (pre shared key). To find out what it is all I need to do is capture the 4-way handshake when your machine connects, then deauth it whilst capturing the IV's and then I can dictionary attack it in just a few minutes, even if you didn't use a word/s I can still brute force it through a quad sli nvidia setup using CUDA.

WEP with a long key won't give any dis-advantage over WPA-PSK with a long complex key.

The only way to be secure, would be to stick with WPA2 with TKIP/AES and no PSK. Otherwise you are wasting you would be wasting time and money.

Change the WEP, honestly, its the easiest and just a ssecure as anything else suggested here.

(FYI - I am a qualified ethical hacker who's business provides security services to large clients, hacking wi-fi is my day job)