wpa encryption of wireless network how to?
Bill Davidsen
davidsen at tmr.com
Wed Feb 20 19:52:13 UTC 2008
Matthew Saltzman wrote:
> On Tue, 2008-02-19 at 14:19 -0500, Bill Davidsen wrote:
>> Tim wrote:
>>> Bill Davidsen:
>>>> You read different security books than I do, mine say you should make
>>>> every single step as hard as possible, even if there's a workaround the
>>>> intruder may not know it.
>>> You're still missing the point completely:
>>>
>>> IT DOES NOT, IN *ANY* WAY, MAKE IT HARDER FOR A HACKER TO HACK INTO YOUR
>>> WIRELESS LAN WHEN YOU STOP "BROADCASTING" THE SSID. *THEY* DO *NOT*
>>> NEED YOU TO BROADCAST IT TO BE ABLE TO HACK IT. IT GIVES YOU ZERO
>>> BENEFIT AND EXTRA PROBLEMS.
>>>
>> Caps don't make you right, nor do bogus arguments. The object is to make
>> it less appealing to people just looking for a hot spot to use without
>> paying Starbucks, not to block serious hackers. And if they see one with
>> some vendor's default SSID and one with no visible SSID, which do you
>> think they use?
>>
>> As far as problems go (sorry, "PROBLEMS"), I haven't had or seen any in
>> years; not sure what a hidden SSID would hurt.
>
> Several of the wireless drivers have a great deal of trouble with hidden
> SSIDs. The Intel drivers have been notorious pains in the <> about it
> until about a week or so ago. The latest kernel patches from John
> Linville and a version of NetworkManager that's currently in pre-testing
> finally seem to have solved the problem. But it's been years. For a
> number of reasons, hidden SSIDs seem quite difficult to get right in the
> driver.
>
Ah ha, then that's a limitation I haven't had. I'm running the IPW2200
driver on most laptops, and even as far back as FC4 I haven't had a
problem connecting. Good thing to keep in mind if I see this, though; a
new generation of laptops will be deployed this year.
>>> Do you hear me now? How hard is it to understand that message? Hiding
>>> it does NOT give you ANY security benefits. Not one, not even a little
>>> bit, not even a teensy tiny little bit. You're deluding yourself, start
>>> making your tinfoil beanie, now, if you think that sort of rubbish
>>> helps.
>>>
>> You clearly don't believe that part of security is avoiding attacks. The
>> reason to put ssh on a non-standard port is not because it makes it
>> harder to crack, just because it gets less casual attention. Like a
>> burglar choosing between the dark house with the empty garage or the one
>> with lights on, cars in the driveway, and a "beware of dog" sign,
>> someone looking for easy pickings takes the easy target.
>>
>> If you think that discouraging wannabees isn't worth it, feel free to
>> set your SSID to "Free Public Access" if you want.
>
> If you want to discourage casual browsers, just encrypt the channel.
> WEP is no more of a barrier to anyone with a serious will to connect,
> but it's at least as good at stopping casual connectors. It also stops
> casual eavesdroppers, but again, not anyone serious about listening in.
>
I do run WEP; the router doesn't support WPA, so I am using OpenVPN once
connected. Since all the laptops need to use hotspots and random wired
connections, OpenVPN is installed everywhere.
> We had a lecture last fall by security researcher Rick Farina. He
> finally seems to have convinced our wireless network admins to give up
> on hidden SSIDs. His point? They don't provide any additional security
> and they annoy people who should be able to connect legitimately.
>
> WPA2 is about the only halfway serious measure you can take short of
> requiring a VPN.
>
If the laptops are used on the road, encryption of partitions and a VPN
seem like a slightly better than average compromise, while usable beyond
some really paranoid setups.
Thanks for the input on blank SSIDs; happily I haven't seen it, but I have
a box of PCMCIA cards on my desk which I have to shake out, and we may
change the SSID if the drivers are so limited (or I might think of hacking
the driver).
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
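Since the subject line asks how to set up WPA, here is a wpa_supplicant.conf sketch added as an example (it is not from anyone in the thread) that puts the three setups discussed side by side: a hidden SSID that needs scan_ssid=1, the WEP-plus-OpenVPN arrangement Bill describes, and the WPA2-PSK network Matthew recommends. All SSIDs and keys are made-up placeholders.

```conf
# Added example, not from the thread. SSIDs and secrets are placeholders.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1

# 1. Hidden SSID. The AP does not beacon the name, so the client has to
#    probe for it explicitly, which is what scan_ssid=1 requests and what
#    the drivers in the thread struggled with. The name still travels in
#    those probes and in the association exchange, so hiding it changes
#    discoverability, not confidentiality.
network={
    ssid="example-hidden"
    scan_ssid=1
    key_mgmt=WPA-PSK
    proto=RSN
    pairwise=CCMP
    psk="placeholder-passphrase-change-me"
    priority=2
}

# 2. The WEP network as the poster runs it today, kept only for contrast.
#    key_mgmt=NONE with a static WEP key offers no real link protection,
#    which is why the thread treats the WLAN as untrusted and runs
#    OpenVPN over it for anything that matters.
network={
    ssid="example-legacy-wep"
    key_mgmt=NONE
    wep_key0=0102030405
    wep_tx_keyidx=0
    priority=0
}

# 3. WPA2-PSK (RSN with CCMP/AES): the measure the thread calls the only
#    halfway serious one short of requiring a VPN. The quoted passphrase
#    can be replaced by the 64-hex-digit PSK that wpa_passphrase prints,
#    so the plaintext passphrase never sits in the config file.
network={
    ssid="example-wpa2"
    key_mgmt=WPA-PSK
    proto=RSN
    pairwise=CCMP
    group=CCMP
    psk="placeholder-passphrase-change-me"
    priority=1
}
```

The priority values make the client prefer the WPA2 network when more than one is in range, so the WEP entry is only ever used as a last resort.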