When to use WEP


jlroth
09-14-2002, 09:41 PM
I see no value in using WEP as an authentication means. If WEP is used for authentication it can be decrypted in a matter of minutes. Since WEP can be used for authentication and encryption, if it is compromised then both authentication and encryption are compromised. If WEP is used only for encryption it will take roughly 100 megs to a gig's worth of data for a hacker to reverse engineer the WEP key. Time wise this could take anywhere from 12 hours to a week depending on the load of your network. Unless you have a really large network I think WEP for encryption only will provide a reasonable deterrent. It is far better to use some sort of dynamic keying, whether it be 802.1X or a VPN, if you can afford it and can live with the configuration restrictions associated with these solutions. Cisco's version of 802.1X (LEAP) forces the users to use only Cisco cards. What do you do with users who have non-Cisco wireless cards built in to their laptops and no PDAs? VPNs are subject to ARP poisoning attacks and do not always play well with all applications in an enterprise environment. Lucent (Proxim) and Symbol's versions of 802.1X have proprietary implications as well. And if you are a government agency, soon you will be mandated to use AES or 3DES encryption, and most 802.1X solutions only make WEP dynamic but don't turn it into AES or 3DES. I always thought it was a bit of an oxymoron to call 802.1X, the EXTENSIBLE Authentication Protocol, a standard. Don't get me wrong, dynamic WEP via 802.1X even with its non-interoperability implications is an improvement over static WEP. The best defense is a layered defense:
1) Don’t beacon your SSID
2) Use MAC Authentication
3) Use WEP for Encryption
4) Consider VPN
5) Consider 802.1X
6) Consider Application Security like PGP or SSH
7) Use a wireless intrusion detection system
8) Have a good enforced company policy
9) Use programs like Netstumbler, AirSnort, Airmagnet, BVeritronics, Snort and Kismet to monitor your airwaves for Rogue Access Points and Hackers
10) Consider running a program like Fake AP to beacon off a bunch of FAKE SSIDs. Where do you hide a tree? In a forest.

JimGeier
09-15-2002, 09:37 AM
Those are great ideas for securing your WLAN.

Please note that turning SSID broadcasting off on access points only removes the SSID from the frame body of the beacons. The SSID is still sent in the association frame of a station when associating with an access point. So, a hacker can obtain the SSID by sniffing the association request frame (using a packet analyzer such as Airmagnet or Airopeek) when someone boots up their PC. Of course that may take longer, but it's very possible (and has been done before).

JoeTampa
09-16-2002, 11:06 PM
Not only that, but there are freeware programs available that spoof a deauthenticate frame that forces the client to re-associate, thereby giving you the SSID any time you like.

The SSID should be used only to identify a given network, and not as a security measure. In fact, essentially nothing you can do in an AP itself is of any value, save the enhancements to WEP. A VPN is better than WEP, but subject to attacks at layer 2. A layer 2 solution is the best approach.
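An added example (not code from any poster in this thread) of the point Jim and Joe make: a parser for 802.11 management frames that reads the SSID element out of beacons and association requests and counts deauthentication frames, the kind of check a wireless monitor (item 9 of the list above) runs. The frame bytes, MAC addresses and the SSID "corpnet" are constructed for the demonstration.

```python
import struct

# 802.11 management frame: 24-byte MAC header, subtype-specific fixed fields, then
# tag/length/value information elements (IEs). SSID is IE tag 0.
HDR_LEN = 24
SUBTYPE_ASSOC_REQ, SUBTYPE_BEACON, SUBTYPE_DEAUTH = 0x0, 0x8, 0xC
FIXED_FIELDS = {SUBTYPE_ASSOC_REQ: 4, SUBTYPE_BEACON: 12}  # body bytes before the IE list
SSID_TAG = 0

def parse_ies(body):
    """Walk the information elements; returns {tag: value} (first occurrence wins)."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies.setdefault(tag, body[i + 2:i + 2 + length])
        i += 2 + length
    return ies

def parse_mgmt(frame):
    """Subtype, transmitter MAC and SSID (None if absent or hidden) of a management frame."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:        # frame-control type bits: 0 = management
        return None
    subtype = fc0 >> 4
    info = {"subtype": subtype, "src": frame[10:16].hex(":"), "ssid": None}
    if subtype in FIXED_FIELDS:
        ssid = parse_ies(frame[HDR_LEN + FIXED_FIELDS[subtype]:]).get(SSID_TAG, b"")
        info["ssid"] = ssid.decode("ascii", "replace") or None   # hidden SSID = zero-length IE
    return info

def audit(frames):
    """What a passive monitor learns from a frame list: SSIDs per frame kind, deauth count."""
    out = {"beacon_ssids": [], "assoc_ssids": [], "deauth_count": 0}
    for frame in frames:
        m = parse_mgmt(frame)
        if m is None:
            continue
        if m["subtype"] == SUBTYPE_BEACON and m["ssid"]:
            out["beacon_ssids"].append(m["ssid"])
        elif m["subtype"] == SUBTYPE_ASSOC_REQ and m["ssid"]:
            out["assoc_ssids"].append(m["ssid"])
        elif m["subtype"] == SUBTYPE_DEAUTH:
            out["deauth_count"] += 1
    return out

# --- constructed sample frames (not a real capture); addresses are made up ---
AP_MAC, STA_MAC = bytes.fromhex("00a0f8112233"), bytes.fromhex("00022d445566")
def ie(tag, value):
    return bytes([tag, len(value)]) + value
def mgmt(subtype, src, dst, body):        # version 0, type 0 (management), no flags
    return bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + AP_MAC + b"\x00\x00" + body
HIDDEN_BEACON = mgmt(SUBTYPE_BEACON, AP_MAC, b"\xff" * 6,
                     b"\x00" * 8 + struct.pack("<HH", 100, 0x0011) + ie(SSID_TAG, b"") + ie(1, b"\x82\x84"))
ASSOC_REQ = mgmt(SUBTYPE_ASSOC_REQ, STA_MAC, AP_MAC,
                 struct.pack("<HH", 0x0011, 10) + ie(SSID_TAG, b"corpnet") + ie(1, b"\x82\x84"))
DEAUTH = mgmt(SUBTYPE_DEAUTH, AP_MAC, STA_MAC, struct.pack("<H", 7))   # reason code 7
```

The hidden beacon yields no SSID, while the station's association request gives it up in clear text; a run of deauth frames from the AP's address is the pattern a monitor would flag for the forced re-association Joe mentions.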

jlroth
09-16-2002, 11:34 PM
Do you have a link for this program(s)?

JoeTampa
09-17-2002, 12:12 AM
http://802.11ninja.net/

OpticalCarrier
09-19-2002, 01:31 PM
Can you describe the layer 2 attacks you are talking about? I'm wondering how strong the wireless VPN I have is.

I have a Cisco 3600 set up for DES/MD5 (ESP only, no AH). It also listens on UDP port 1701 (L2TP) for PPP sessions and is also a DHCP server for the wireless clients. It only accepts MD5-CHAP for username/password combos.

The outside interface is 192.168.69.1/24 and that subnet is all the dhcp addresses.

I have some restrictive ACLs in place on the "outside" interface (the one connected to the AP; the AP is really dumb, basically an 802.11b-to-802.3 bridge):

permit esp 192.168.69.0 0.0.0.255 host 192.168.69.1
permit udp 192.168.69.0 0.0.0.255 host 192.168.69.1 eq 1701
permit udp 192.168.69.0 0.0.0.255 host 192.168.69.1 eq isakmp
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
permit udp 192.168.69.0 0.0.0.255 host 192.168.69.1 eq bootps

These allow hosts to request and renew DHCP and to set up and pass ISAKMP and ESP (IPsec) packets.

Basically what happens is the client computers have the Windows L2TP/IPsec VPN client set up to connect to 192.168.69.1.

Then they do CHAP auth and establish a PPP session. (Then they are on the 192.168.100.0/24 network, the encrypted network.) This PPP-over-L2TP is all IPsec ESP-DES-MD5 encrypted; I know, I checked it with a sniffer. So how safe is it? Could someone hijack the L2TP sessions?

I have all WEP turned off; I don't see that it gains anything over what I already have set up.

Thanks for any advice....

-Bo

How safe is this? Would I be any safer by adding AH support to the Cisco 3600?

JoeTampa
09-19-2002, 01:41 PM
Simple denial of service attack:

1. Get a machine, associate it to the AP.

2. Assign it the IP address of the VPN gateway.

3. Sit back and watch your WLAN go bye-bye.

For more conclusive results, and if the OS supports it, bind the IPs of the clients to the same interface on the attacking system.
Most later Windows OSes permit this, and Linux will.
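A detection-side example, added here and not from any poster, for the address collision JoeTampa describes: a monitor on the AP's wired side that decodes ARP and flags a second MAC claiming the VPN gateway address 192.168.69.1 from OpticalCarrier's setup, a client IP changing hands, or one station claiming several IPs. The MAC addresses and the sample packets are constructed.

```python
import struct
import ipaddress

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def parse_arp(pkt):
    """Decode an Ethernet-framed ARP packet; returns opcode and sender MAC/IP, or None."""
    if len(pkt) < 42 or pkt[12:14] != b"\x08\x06":          # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):      # Ethernet / IPv4 only
        return None
    return {"oper": oper, "sha": pkt[22:28].hex(":"),
            "spa": str(ipaddress.IPv4Address(pkt[28:32]))}

def arp_monitor(packets, known):
    """Alerts: foreign MAC on a protected IP, an IP moving between MACs, one MAC holding many IPs."""
    bindings, claims, alerts = {}, {}, []
    for pkt in packets:
        arp = parse_arp(pkt)
        if arp is None:
            continue
        ip, mac = arp["spa"], arp["sha"]          # sender fields, set in requests and replies alike
        if ip in known and mac != known[ip]:
            alerts.append(("gateway_spoof", ip, mac))
        elif bindings.get(ip, mac) != mac:
            alerts.append(("binding_change", ip, mac))
        bindings.setdefault(ip, mac)
        claims.setdefault(mac, set()).add(ip)
    for mac, ips in claims.items():
        if len(ips) > 1:                           # the "bind the client IPs too" variant
            alerts.append(("multi_ip", mac, len(ips)))
    return alerts

# --- constructed sample traffic (not a capture); MACs are made up ---
GW_MAC, STA_MAC, ROGUE_MAC = "00:05:5d:aa:bb:cc", "00:02:2d:44:55:66", "00:0c:29:de:ad:01"
KNOWN = {"192.168.69.1": GW_MAC}                   # the VPN gateway's legitimate binding

def build_arp(oper, sha, spa, tha, tpa):
    eth = mac_bytes("ff:ff:ff:ff:ff:ff" if oper == 1 else tha) + mac_bytes(sha) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac_bytes(sha)
           + ipaddress.IPv4Address(spa).packed + mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed)
    return eth + arp

SAMPLE_PACKETS = [
    build_arp(1, STA_MAC, "192.168.69.50", "00:00:00:00:00:00", "192.168.69.1"),    # client asks for gateway
    build_arp(2, GW_MAC, "192.168.69.1", STA_MAC, "192.168.69.50"),                # legitimate reply
    build_arp(2, ROGUE_MAC, "192.168.69.1", "ff:ff:ff:ff:ff:ff", "192.168.69.1"),  # second station on gateway IP
    build_arp(2, ROGUE_MAC, "192.168.69.50", "ff:ff:ff:ff:ff:ff", "192.168.69.50"),  # and on a client IP
]
```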

OpticalCarrier
09-19-2002, 02:27 PM
Won't that work on any VPN system? Or any AP system?

JoeTampa
09-29-2002, 11:38 PM
That will work on any VPN used in a WLAN. It will NOT work against any Layer 2 encryption such as WEP or the AirFortress.