Wieless security (was: Suspend bug)

Mon Feb 5 04:29:21 UTC 2007

Tim <ignored_mailbox at yahoo.com.au> wrote:

> On Sun, 2007-02-04 at 08:28 -0700, David G. Miller wrote:
>   
>> > I run WEP (will probably go to WPA when I find time to diddle with 
>> > setting it up), filter MACs and don't broadcast ESSID.  I know that 
>> > theoretically this set up isn't absolutely secure but I'm guessing
>> > I've raised the bar high enough that I'll keep the script kiddies,
>> > access scofflaws and all but the really serious crackers out.  Also, a
>> > quick scan of the APs in the neighborhood indicates there are several
>> > that are much easier to crack (or just use).
>>     
>
> Script kiddies will attempt something just because they can, there
> doesn't have to be some dying need to abuse someone's network.  So I
> wouldn't rely on that.
>
> MAC filtering is utterly useless as a security measure.  Anybody can
> change their MAC on just about all hardware.  It's only of use to make
> accidental connections less likely (i.e. by those not trying to break
> into your network, but accidentally connecting to the wrong one).
>
> Not broadcasting an ESSID is going to cause more problems than it
> allegedly helps with.  Each ESSID should be unique, and all the clients
> should only try to use the ones they're deliberately configured for.  If
> it's a common factory default, all and sundry may try to use it.  If you
> don't deliberately broadcast it, you're not putting off accidental
> connections.  Script kiddies can use your network even if you don't
> broadcast it.  If you do broadcast it, then those properly configured
> clients will be able to avoid it.
>
> Consensus is that WEP is a complete waste of time, now.
<sarcasm>
So, to your way of thinking, everyone should just run their AP wide open 
if they aren't running WPA.  Or is WPA not enough? 

On a similar vein, should I also leave my keys in my car and my front 
door unlocked since someone with the right knowledge can steal my car or 
break into my house anyway?  Just wondering.
</sarcasm>

My approach has been to put as many impediments as I can think of in the 
way of someone attempting to crack my wireless network.  I don't pretend 
that any one of them or even all of them will keep out a determined, 
resourceful cracker.  My goal is simply to make cracking my network 
difficult enough that the cracker goes to an easier target.  Given a 
plethora of neighbors with apparently less secure wireless 
configurations, this isn't just wishful thinking. 

As I pointed out in another post, I also provide some measure of 
physical security by putting my AP in my basement.  I get a good signal 
inside the house and the few places I tend to use the laptop outside the 
house (e.g., on the patio) but the signal degrades rapidly at ground 
level (let's hear it for a poured concrete foundation with steel 
rebar).  Someone might be able to get a decent signal from a few 
neighbor's roofs but, again, we're back to my impediment strategy.  At 
some point I'll implement WPA but I'll probably set up a snort box to 
sniff my incoming wire before I do that.

Cheers,
Dave

-- 
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce