OT: unathorized network user.

[Jacques B.]

On Jan 24, 2008 8:50 AM, John Summerfield <debian at herakles.homelinux.org> wrote:
> Jacques B. wrote:
>
> Jacques
> Don't be so touchy. Surely, if someone gave you bad advice you'd want to
> hear that is is bad. None of us is perfect.
>
>
>
> --
>
> Cheers
> John

My frustration has to do with the fact that someone asked a question
on how to secure a wireless connection.  I provided advice of measures
available within the context of a typical home wireless router.  And
my reference to low hanging fruit and such and the caveat of the kid
next door who has all the time in the world to bang away at your
system (vs someone driving by) made it obvious that it's not a 100%
guaranteed secure solution.

In comes Tim stating that most of what I said was "useless".

What I provided are all steps that can be taken on a typical home
wireless router.  The layers of security (using the term loosely) by
themselves for most part provide no security (with the exception of
WPA).  However combined these layers will frustrate efforts of a
script kiddy/less sophisticated hacker hopefully enough that they will
move on to the next target.  I agree that it will do little other than
mildly entertain a more sophisticated hacker.

Following Jim's advice if all you enable is WPA, then you've made
things that much more convenient for the unsophisticated hacker (and
the sophisticated one as well of course).

Much like even a deadbolt and a lock will not stop a determined thief,
neither will any of the measures available on your typical home
wireless router.  That does not mean we should not even bother
implementing the various measures available to us if they are within
our abilities to do so.  Closing & locking the windows is another step
to securing a home.  A burglar can very, very easily break the window
if they want to get in.  Does that mean we shouldn't bother with that
because it's essentially "useless"?

The other reason you should take all the steps I recommended is
because if someone does manage to connect, it will be very clear that
it was not accidental and that the wireless AP was not meant for
public use.  Proving criminal intent becomes that much easier because
of all the hurdles the person had to jump in order to connect to your
AP.  Yes cracking encryption should be enough to establish intent.
Someone could argue that they thought they were cracking their own AP
(under the guise of doing some penetration testing on their own system
or perfecting their skills because they are a security consultant).
That becomes much less of a plausible argument if the person had to go
through multiple hurdles along the way.

No, it's not perfect.  But I definitely disagree that it's completely
useless.  Unless the feature introduces a vulnerability in the process
or significantly degrades the performance of your network, it's not
useless (and in some cases serious degradation is tolerable if the
resulting security is much greater and necessary due to the
sensitivity of the data on the network) .  To what depth you deploy
the various options I threw out will depend on your abilities and your
personal views on this issue.

Perhaps some have been tasked with deploying and managing more complex
layers of network security for too long.  Just because it's not up to
the standard used by a corporation does not make it worthless.

Jacques B.