Protected WLAN

Mikkel L. Ellertson mellertson at gmail.com
Thu May 19 13:25:10 UTC 2011


On 05/18/2011 06:23 AM, Tim wrote:
> Tim:
>>> Completely pointless:
>>>
>>>  Your device is transmitting something, this is detectable.  And it
>>> does so several times a second (i.e. it's continual).
> 
> 
> James McKenzie:
>> True.  Bet you have a lock on every door to your house as well.
>> Turning off the SSID is a deterrent.  Make them go somewhere else.
>> Same with door locks.  If I want to get into your house, I will.  Even
>> if it means using TNT.
> 
> They're completely unrelated.  If you want to play with analogies, let
> me put it this way:  Painting over the house's street number does not
> make it any harder to pick the lock.
> 
> SSID has *absolutely* nothing to do with security.
> 
> 
>>>  MAC filtering is useless as a security measure
> 
>> It will take more 'work'.  Make them go away.
> 
> It won't cause /them/ to expend any more effort to get in.  The whole
> thing is automated, for complete idiots to be able to do it.  
> 
> It does, however, make things more awkward for legit users to use a
> network.  Your admin has to reconfigure the network for each new device.
> Any mistakes, or hardware changes, and you have to go through all that
> again.  All that pain for absolutely no gain.
> 
>> Again, make them go away.  Determined criminals will enter your house.
>> The common thief will rattle your front door, finding it locked and
>> go away.
> 
> No, the common thief will just force their way in.  Unless you fortify
> your house (which is actually illegal, here), one house is as just about
> as easy as another to break in.  One window, a weak door, etc.
> 
> These analogies are never good.  You're trying to correlate two
> completely unrelated things.
> 
>> The only places that I know of that have unsecured networks are coffee
>> shops and maybe the occasional food establishment.
> 
> Most of which are almost too useless to use.  Too slow, by virtue of how
> crap they are, or because they've been hacked and left infested.
> 
>> Other than that, lock the damn door and secure it.  Adding MAC
>> whitelists is but one of five steps. We've discussed the other two to
>> the end.
> 
> MAC filtering isn't any part of security.  It's as secure as a padlock
> made out of butter in the middle of summer.  (Since you like bad
> analogies.)
> 
> Really MAC filtering is only barely useful as the most basic of
> management tools.  e.g. You have a video game or mobile phone that
> automatically tries to log into a nearby network, and it's a pain to
> configure (or you can't).  So you blacklist it, and have your net ignore
> it.  But that can only work if whoever uses those devices doesn't
> reconfigure them to counteract your blacklist.
> 
> People keep promulgating useless and timewasting methods for securing
> networks.  Which is bad enough, in itself, as it wastes everyone's time
> implementing them and then trying to get the network working despite it.
> But worse that it gives people false senses of security.
> 
> I don't do any of these useless things, never have, never will, they'll
> never make my network any securer.
> 
Time to add some more confusion to the pie. If you want security by
obscurity, you could use wireless a instead of b/g/n - Most people
no longer use it, the gear is cheap to buy used, and I have only
seen it built into a few high-end laptops. I have also seen a few
access points that will support it, along with the more usual protocols.

Another security precaution that sort of helps for a home system, if
you live in a house, is to put the access point in the basement.
That way, the signal strength outside the house is usually too low
to let someone connect. You may also have the option of controlling
the output power of the access point.

Now for a slightly more realistic setup. My access point allows me
to control the access it gives to wireless users. I use a setup that
does not let wireless connections talk to each other, or the
Internet. You need to set up a VPN to do anything useful.

As soon as I find the time, I want to upgrade the software, so I can
give the wireless users a different subnet, and block everything not
required to set up a VPN to my server.

Neither method is totally secure, but the standard cracking programs
will not handle it. So the script kiddies will go somewhere else. On
the other hand, it offers more of a challenge to a knowledgeable
cracker, so it does have its down side. I do have one more measure
that will slow them down - most of my network is wired, and the
wireless is shut down except when I need it. I do not even have to
reboot when turning it off or on.

There is one last measure that will really lock down your wireless
network - put a Faraday cage around your house - nobody will be able
to crack your network from the outside, monitor your cordless phone,
etc. The downsides are the cost, and none of your devices will work
outside the house, and cell phones will not work inside without
adding some extra equipment.

This is by no means an exhaustive list, but I am not going to go
into more advanced things like using a VPN router, with true routing
turned on, and a separate wireless access point on its own subnet,
etc...

Mikkel--

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
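The wireless-isolation setup described in the post above, as an added example that is not the author's configuration: an iptables ruleset for a Linux router whose wireless interface carries its own subnet, giving wireless clients DHCP and a path to one VPN server on the wired LAN and nothing else. The interface name, subnet, VPN server address and port are assumptions.

```shell
#!/bin/sh
# Added example, not the post author's configuration. Generates an iptables
# ruleset for a Linux router whose wireless interface carries its own subnet:
# wireless clients get DHCP and a path to one VPN server on the wired LAN,
# and nothing else (no Internet, no other LAN hosts, no other clients).
# All names and addresses below are assumptions for illustration.
WLAN_IF="${WLAN_IF:-wlan0}"              # wireless interface on the router
WLAN_NET="${WLAN_NET:-10.99.0.0/24}"     # wireless subnet handed out by DHCP
VPN_SERVER="${VPN_SERVER:-192.168.1.10}" # VPN server on the wired LAN
VPN_PORT="${VPN_PORT:-1194}"             # VPN listener port (UDP assumed)

# Emit the ruleset in iptables-restore format rather than applying it, so it
# can be reviewed first. Lines starting with '#' are ignored by iptables-restore.
wlan_vpn_only_rules() {
    cat <<EOF
*filter
:WLAN_IN - [0:0]
# Replies to flows the wireless side was allowed to open come back on the
# wired interface, so accept established traffic before the per-interface jump.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Everything new that arrives on the wireless interface goes through WLAN_IN.
-A INPUT -i $WLAN_IF -j WLAN_IN
-A FORWARD -i $WLAN_IF -j WLAN_IN
# DHCP first: renewals are unicast to the router's own wireless address,
# which the isolation rule below would otherwise drop.
-A WLAN_IN -p udp --dport 67 -j ACCEPT
# Client-to-client traffic that reaches the router is dropped. Frames relayed
# station-to-station inside the access point never reach netfilter; for those
# use the AP's own isolation (hostapd: ap_isolate=1).
-A WLAN_IN -s $WLAN_NET -d $WLAN_NET -j DROP
# The only destination a wireless client may open: the VPN server.
-A WLAN_IN -d $VPN_SERVER -p udp --dport $VPN_PORT -j ACCEPT
# Everything else from the wireless side is logged (rate limited) and dropped.
-A WLAN_IN -m limit --limit 5/min -j LOG --log-prefix "wlan-drop: "
-A WLAN_IN -j DROP
COMMIT
EOF
}

# Load into the running firewall only when explicitly asked (needs root);
# --noflush keeps the router's other rules in place.
if [ "${1:-}" = "apply" ]; then
    wlan_vpn_only_rules | iptables-restore --noflush
fi
```

Run without arguments to print the ruleset for review; run with `apply` as root to load it.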

