Wireless security (was: Suspend bug)
David G. Miller
dave at davenjudy.org
Mon Feb 5 04:29:21 UTC 2007
Tim <ignored_mailbox at yahoo.com.au> wrote:
> On Sun, 2007-02-04 at 08:28 -0700, David G. Miller wrote:
>
>> > I run WEP (will probably go to WPA when I find time to diddle with
>> > setting it up), filter MACs and don't broadcast ESSID. I know that
>> > theoretically this setup isn't absolutely secure but I'm guessing
>> > I've raised the bar high enough that I'll keep the script kiddies,
>> > access scofflaws and all but the really serious crackers out. Also, a
>> > quick scan of the APs in the neighborhood indicates there are several
>> > that are much easier to crack (or just use).
>>
>
> Script kiddies will attempt something just because they can, there
> doesn't have to be some dying need to abuse someone's network. So I
> wouldn't rely on that.
>
> MAC filtering is utterly useless as a security measure. Anybody can
> change their MAC on just about all hardware. It's only of use to make
> accidental connections less likely (i.e. by those not trying to break
> into your network, but accidentally connecting to the wrong one).
>
> Not broadcasting an ESSID is going to cause more problems than it
> allegedly helps with. Each ESSID should be unique, and all the clients
> should only try to use the ones they're deliberately configured for. If
> it's a common factory default, all and sundry may try to use it. If you
> don't deliberately broadcast it, you're not putting off accidental
> connections. Script kiddies can use your network even if you don't
> broadcast it. If you do broadcast it, then those properly configured
> clients will be able to avoid it.
>
> Consensus is that WEP is a complete waste of time, now.
<sarcasm>
So, to your way of thinking, everyone should just run their AP wide open
if they aren't running WPA. Or is WPA not enough?

In a similar vein, should I also leave my keys in my car and my front
door unlocked since someone with the right knowledge can steal my car or
break into my house anyway? Just wondering.
</sarcasm>

My approach has been to put as many impediments as I can think of in the
way of someone attempting to crack my wireless network. I don't pretend
that any one of them or even all of them will keep out a determined,
resourceful cracker. My goal is simply to make cracking my network
difficult enough that the cracker goes to an easier target. Given a
plethora of neighbors with apparently less secure wireless
configurations, this isn't just wishful thinking.

As I pointed out in another post, I also provide some measure of
physical security by putting my AP in my basement. I get a good signal
inside the house and the few places I tend to use the laptop outside the
house (e.g., on the patio) but the signal degrades rapidly at ground
level (let's hear it for a poured concrete foundation with steel
rebar). Someone might be able to get a decent signal from a few
neighbors' roofs but, again, we're back to my impediment strategy. At
some point I'll implement WPA but I'll probably set up a snort box to
sniff my incoming wire before I do that.

Cheers,
Dave
--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce