wpa encryption of wireless network how to?

Bill Davidsen davidsen at tmr.com
Wed Feb 20 19:52:13 UTC 2008


Matthew Saltzman wrote:
> On Tue, 2008-02-19 at 14:19 -0500, Bill Davidsen wrote:
>> Tim wrote:
>>> Bill Davidsen:
>>>> You read different security books than I do, mine say you should make 
>>>> every single step as hard as possible, even if there's a workaround the 
>>>> intruder may not know it.
>>> You're still missing the point completely:
>>>
>>> IT DOES NOT, IN *ANY* WAY, MAKE IT HARDER FOR A HACKER TO HACK INTO YOUR
>>> WIRELESS LAN WHEN YOU STOP "BROADCASTING" THE SSID.  *THEY* DO *NOT*
>>> NEED YOU TO BROADCAST IT TO BE ABLE TO HACK IT.  IT GIVES YOU ZERO
>>> BENEFIT AND EXTRA PROBLEMS.
>>>
>> Caps don't make you right, nor do bogus arguments. The object is to make 
>> it less appealing to people just looking for a hot spot to use without 
>> paying Starbucks, not to block serious hackers. And if they see one with 
>> some vendor's default SSID and one with no visible SSID, which do you 
>> think they use?
>>
>> As far as problems (sorry, "PROBLEMS") go, I haven't had or seen any in
>> years; not sure how a hidden SSID would hurt.
> 
> Several of the wireless drivers have a great deal of trouble with hidden
> SSIDs.  The Intel drivers have been notorious pains in the <> about it
> until about a week or so ago.  The latest kernel patches from John
> Linville and a version of NetworkManager that's currently in pre-testing
> finally seem to have solved the problem.  But it's been years.  For a
> number of reasons, hidden SSIDs seem quite difficult to get right in the
> driver.
> 
Ah ha, then that's a limitation I haven't had. I'm running the IPW2200
driver on most laptops, and even as far back as FC4 I haven't had a
problem connecting. Good thing to keep in mind if I see this, though; a
new generation of laptops will be deployed this year.

>>> Do you hear me now?  How hard is it to understand that message?  Hiding
>>> it does NOT give you ANY security benefits.  Not one, not even a little
>>> bit, not even a teensy tiny little bit.  You're deluding yourself, start
>>> making your tinfoil beanie, now, if you think that sort of rubbish
>>> helps.  
>>>
>> You clearly don't believe that part of security is avoiding attacks. The 
>> reason to put ssh on a non-standard port is not because it makes it 
>> harder to crack, just because it gets less casual attention. Like a 
>> burglar choosing between the dark house with the empty garage or the one 
>> with lights on, cars in the driveway, and a "beware of dog" sign, 
>> someone looking for easy pickings takes the easy target.
>>
>> If you think that discouraging wannabees isn't worth it, feel free to 
>> set your SSID to "Free Public Access" if you want.
> 
> If you want to discourage casual browsers, just encrypt the channel.
> WEP is no more of a barrier to anyone with a serious will to connect,
> but it's at least as good at stopping casual connectors.  It also stops
> casual eavesdroppers, but again, not anyone serious about listening in. 
> 
I do run WEP; the router doesn't support WPA, so I am using OpenVPN once
connected. Since all the laptops need to use hotspots and random wired
connections, OpenVPN is installed everywhere.

> We had a lecture last fall by security researcher Rick Farina.  He
> finally seems to have convinced our wireless network admins to give up
> on hidden SSIDs.  His point?  They don't provide any additional security
> and they annoy people who should be able to connect legitimately.
> 
> WPA2 is about the only halfway serious measure you can take short of
> requiring a VPN.
> 
If the laptops are used on the road, encryption of partitions and a VPN 
seem like a slightly better than average compromise, while usable beyond 
some really paranoid setups.

Thanks for the input on blank SSIDs; happily I haven't seen the problem, but
I have a box of PCMCIA cards on my desk which I have to shake out, and we
may change the SSID if the drivers are so limited (or I might think of
hacking the driver).

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
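As an added illustration (not part of the thread above), here is a minimal wpa_supplicant.conf for the WPA2-PSK setup the thread recommends, with a second network block showing the scan_ssid option a hidden SSID requires; the SSIDs and passphrases are placeholders.

```ini
# Added example, not from the original thread.
# WPA2-PSK (RSN with CCMP) network definitions for wpa_supplicant.
# SSIDs and passphrases are placeholders.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

# Network whose SSID is broadcast normally.
network={
    ssid="example-office"
    key_mgmt=WPA-PSK
    # proto=RSN selects WPA2 only; proto=WPA would allow WPA1/TKIP.
    proto=RSN
    pairwise=CCMP
    group=CCMP
    # Plain-text passphrase, 8 to 63 characters; wpa_passphrase(8) can
    # convert it to the 64-hex-digit PSK form so it is not stored in clear.
    psk="placeholder-passphrase-change-me"
    priority=10
}

# Same encryption settings for a network with a hidden SSID.
# scan_ssid=1 makes the supplicant send directed probe requests that name
# the SSID, which is what a driver that only scans passively never sees.
# Note that those probes carry the SSID in the clear, so hiding it buys
# no confidentiality once a client is configured for it.
network={
    ssid="example-hidden"
    scan_ssid=1
    key_mgmt=WPA-PSK
    proto=RSN
    pairwise=CCMP
    group=CCMP
    psk="placeholder-passphrase-change-me"
    priority=5
}
```

Start it with `wpa_supplicant -i <interface> -c /etc/wpa_supplicant/wpa_supplicant.conf`; the access point must itself be set to WPA2-PSK with AES/CCMP for these blocks to match.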
More information about the fedora-list mailing list