Better wireless security as well as more speed

Rick Stevens rstevens at vitalstream.com
Thu Feb 3 21:46:09 UTC 2005


Mark Knecht wrote:
> Hi,
>    As I was working on this ogg file server project here at home I was
> running 'iwlist wlan0 scanning' and, lo and behold, just this morning
> a new router turned on in my neighborhood. (Or it just became
> visible...) I removed all power and Ethernet connections from my
> router and continued scanning. The other cell was there (and still is)
> with a different hardware address so I assume it's real.  Anyway, this
> prompted me to look at my setups again and try to go to the next level
> of both speed and security.
> 
>    My setup:
> 
> Router - Netgear 802.11b/g that also supports 108Mb/S
> 
> PCs - 2 FC2 machines with DWL-510G cards running under ndiswrapper
> 
> 1) As a 1st step I changed my ESSID on all stations to a fairly random
> string of letters and numbers. Took the network down and back up.
> Everyone is still connected and the new ESSID shows up under iwlist
> wlan0 scanning. However I assume that this means anyone scanning in
> the neighborhood can get my ESSID so it would seemingly not help a lot.
> I changed it because stupidly the ESSID before was my home address.
> Not smart.

Something that identifiable isn't good, but if you use a decent WEP key,
the fact you're broadcasting your ESSID isn't fatal.  It _does_ show
wardrivers out there that there's a network operating, though.

> 2) As a second step I attempted to look at what options I have for
> security options in the router. What it offers is:
> 
> Security:
> - Disable
> - WEP
> - WPA-PSK (Wi-Fi Protected Access Pre-Shared Key)
> 
> Disable seems a bad choice. I've been using WEP as it seems to align
> better with most of the examples in the Linux wireless HOWTO's. Is it
> the best? WEP offers the following in my router:
> 
> Security Encryption (WEP)
> Authentication Type: 	(Automatic, Open System and Shared Key)
> Encryption Strength:     (64, 128 and 152 bit)
> 
> and then 4 keys.
> 
> I had been using WEP, Open System and 128bit. I'm concerned that 'Open
> System' means it broadcasts my ESSID which I'd like it not to do. Is
> this what happens? If so does Shared Key or Automatic NOT broadcast
> the ESSID?

It depends on the router.  I'm not familiar with the Netgear, but
generally the ESSID broadcast is handled separately.  The two 
authentication types are "open" and "shared key".  Open means ANYONE
can join the network if their ESSID matches yours or uses the special
ESSID "ANY".  In other words, you've turned off authentication.  Bad,
unless you run an internet cafe.

"Shared key" means that only stations that have your ESSID and match one
of the four keys can join the network.  This is the secure mode (such as
it is).

> The router also offers WPA-PSK. When I choose that it offers only an
> 8-63 character passphrase. Would this be better?

All that does is allow you to enter a passphrase.  It generates a
standard WEP key based on the passphrase.  The same passphrase generates
the same key.  The only nice thing this really does is automatically
generate the right sized key--you don't have to remember how many
characters (or hex digits) it takes, so you can change from 64- to
152-bit keys without changing your passphrase.

> 3) I'd also like to set the system up for 802.11g only operation if my
> ndiswrapper stuff will work. How can I do this? As a first try I set
> the router to g & b operation on channel 11. I then went to the
> wireless PC and set up ifcfg-wlan0 to this:

If a network has a mix of 802.11b and 802.11g nodes, the network will
revert to 802.11b (the slowest speed).  Sorry, that's just the way it
works.  If you want to be 802.11g, ALL nodes have to be 802.11g.

> [root@dragonfly root]# cat /etc/sysconfig/network-scripts/ifcfg-wlan0
> # DLink DWL-520 using ndiswrapper
> IPV6INIT=no
> BOOTPROTO=static
> ONBOOT=yes
> USERCTL=no
> PEERDNS=no
> GATEWAY=192.168.10.3
> TYPE=Wireless
> DEVICE=wlan0
> HWADDR=(wnic HW address)
> NETMASK=255.255.255.0
> IPADDR=192.168.10.52
> ESSID=(Long random ESSID)
> CHANNEL=5
> KEY="(26 HEX characters) Restricted"
> MODE=Managed
> RATE=54Mb/s
> [root@dragonfly root]#
> 
> After restarting the network I see this:
> 
> wlan0     IEEE 802.11b  ESSID:"(long random ESSID)"  Nickname:"dragonfly"
>           Mode:Managed  Frequency:2.462GHz  Access Point: (router HW addr.)
>           Bit Rate=11Mb/s   Tx-Power:20 dBm   Sensitivity=0/3
>           RTS thr=2432 B   Fragment thr=2432 B
>           Encryption key:(26 HEX characters)   Security mode:restricted
>           Power Management:off
>           Link Quality:100/100  Signal level:-56 dBm  Noise level:-256 dBm
>           Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
>           Tx excessive retries:0  Invalid misc:0   Missed beacon:0
> 
> So it appears that I'm only getting 11Mb/S. Can I improve on this?
> 
> And currently the other router is apparently still out there:
> 
> [root@dragonfly root]# iwlist wlan0 scanning
> Warning: Driver for device wlan0 has been compiled with version 17
> of Wireless Extension, while this program is using version 16.
> Some things may be broken...
> 
> wlan0     Scan completed :
>           Cell 01 - Address: 00:09:5B:4F:EB:16
>                     ESSID:"NETGEAR"
>                     Protocol:IEEE 802.11b
>                     Mode:Managed
>                     Frequency:2.462GHz
>                     Quality:0/100  Signal level:-72 dBm  Noise level:-256 dBm
>                     Encryption key:off
>                     Bit Rate:1Mb/s
>                     Bit Rate:2Mb/s
>                     Bit Rate:5.5Mb/s
>                     Bit Rate:11Mb/s
>                     Bit Rate:52Mb/s
>                     Extra:bcn_int=100
>                     Extra:atim=0
>           Cell 02 - Address: (My router's HW address)
>                     ESSID:"(Long random ESSID)"
>                     Protocol:IEEE 802.11b
>                     Mode:Managed
>                     Frequency:2.462GHz
>                     Quality:0/100  Signal level:-49 dBm  Noise level:-256 dBm
>                     Encryption key:on
>                     Bit Rate:1Mb/s
>                     Bit Rate:2Mb/s
>                     Bit Rate:5.5Mb/s
>                     Bit Rate:11Mb/s
>                     Bit Rate:6Mb/s
>                     Bit Rate:12Mb/s
>                     Bit Rate:24Mb/s
>                     Bit Rate:36Mb/s
>                     Bit Rate:33Mb/s
>                     Extra:bcn_int=100
>                     Extra:atim=0
> 
> [root@dragonfly root]#
> 
> Thanks in advance for any and all ideas.

Ok, in a nutshell:

	Broadcast your ESSID or not, your choice.  It's best not to, but
	you can determine if that's critical or not.

	Do NOT use "Open System" or "Automatic" authentication.  USE
	"Shared Key" ONLY!  Make your keys as obscure as you can.
	Remember that while your router can use WPA-PSK, Linux can't.

	Use the biggest WEP key size you can.  You max out at 152, but
	256-bit is the biggest.  Also remember that WEP is still fairly
	easy to crack.  If you can, try to use your router's firewall
	tools to restrict access to the NICs you know about (most will
	have methods to match the hardware address).
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-    If Windows isn't a virus, then it sure as hell is a carrier!    -
----------------------------------------------------------------------
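
Added example, not part of the original post or of either poster's setup: a small parser for 'iwlist wlan0 scanning' output that checks your own access point for the points raised in this thread (encryption on, 802.11g rates advertised, neighbours on the same frequency). The sample scan, addresses and ESSIDs are constructed, and the function names are this example's own.

```python
import re

# Constructed sample modelled on the scan quoted above; addresses/ESSIDs are made up.
SAMPLE = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"NETGEAR"
                    Frequency:2.462GHz
                    Encryption key:off
                    Bit Rate:11Mb/s
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"k3x9q2z7w1"
                    Frequency:2.462GHz
                    Encryption key:on
                    Bit Rate:11Mb/s
                    Bit Rate:36Mb/s
"""
OFDM_RATES = {6, 9, 12, 18, 24, 36, 48, 54}  # Mb/s rates added by 802.11g at 2.4 GHz


def parse_scan(text):
    """Return one dict per 'Cell NN' block of iwlist scan output."""
    cells = []
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Cell \d+ - Address: (\S+)", line)
        if m:
            cells.append({"address": m.group(1).upper(), "rates": []})
        elif cells and (m := re.match(r"Bit Rate:([\d.]+)\s*Mb/s", line)):
            cells[-1]["rates"].append(float(m.group(1)))
        elif cells and (m := re.match(r"(ESSID|Frequency|Encryption key):(.*)", line)):
            cells[-1][m.group(1)] = m.group(2).strip().strip('"')
    return cells


def audit(cells, my_address):
    """Findings for my own AP, plus neighbours that share its frequency."""
    mine = next((c for c in cells if c["address"] == my_address.upper()), None)
    if mine is None:
        return ["own AP not seen in scan"]
    out = []
    if mine.get("Encryption key") != "on":
        out.append("own AP: encryption off")
    if not OFDM_RATES & set(mine["rates"]):
        out.append("own AP: no 802.11g rates advertised")
    out += [f"{c['address']} shares {c['Frequency']}" for c in cells if c is not mine
            and c.get("Frequency") and c.get("Frequency") == mine.get("Frequency")]
    return out
```

Feed it the text of a real scan together with your router's hardware address, for example audit(parse_scan(scan_text), "66:77:88:99:AA:BB").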
