Protected WLAN

Tim ignored_mailbox at
Thu May 19 13:53:42 UTC 2011

On Thu, 2011-05-19 at 08:25 -0500, Mikkel L. Ellertson wrote:
> Time to add some more confusion to the pie.

I'm not sure that's a good idea.

> Another security precaution that sort of helps for a home system, if
> you live in a house, is to put the access point in the basement.
> That way, the signal strength outside the house is usually too low
> to let someone connect. You may also have the option of controlling
> the output power of the access point.

Though you're only going by the ordinary antenna in your gear.  A better
antenna may be more than enough to still work with a muffled signal.  So
this isn't a trick that you want to rely on.

> Now for a slightly more realistic setup. My access point allows me
> to control the access it gives to wireless users. I use a setup that
> does not let wireless connections talk to each other, or the
> Internet. You need to set up a VPN to do anything useful.

In essence, you're moving the security from the wireless to other parts
of your network.  If that /other/ thing is safe, then this is (almost)
fine.  Merely connecting to a wireless network, but that network being
unable to communicate any further, does initially make connecting to it
useless.  But if they manage to reconfigure your wireless access point,
they may introduce some compromise to your system.

> most of my network is wired, and the wireless is shut down except when
> I need it. I do not even have to reboot when turning it off or on.

A practical approach.  Though I've found that NetworkManager can throw a
tantrum if it's been unable to connect for a while, and won't reconnect
without manual intervention.  So, you want to fire your WLAN up well
before trying to use it.

> There is one last measure that will really lock down your wireless
> network - put a Faraday cage around your house - nobody will be able
> to crack your network from the outside, monitor your cordless phone,
> etc. The downsides are the cost, and none of your devices will work
> outside the house, and cell phones will not work inside without
> adding some extra equipment.

A properly implemented Faraday cage may well stymie the usual hacker,
but most will probably have faults that would allow the knowledgeable
hacker to get past it.  E.g. you need to RF filter and shield the power
wiring going into it.

All theories aside, the most that most people will have to deal with
are:  Neighbours accidentally connecting to the wrong unsecured network,
which even the most token effort will prevent.  And the clueless turnkey
hacker, who just wants free internet, and WPA2 with the right options
and a decent passphrase will prevent that.

Unfortunately, various routers default to being completely insecure, or
ticking a simple "enable security" configuration option puts it into
combined WPA (1) *and* WPA2 mode simultaneously (or WEP & WPA), and the
weaker one ruins any attempt at security.  Not to mention the dumb
passwords that some people will use.

[tim at localhost ~]$ uname -r

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
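A defender-side check in the spirit of the last two paragraphs of the mail: this added example (not part of Tim's or Mikkel's post) parses a hostapd-style access-point config and flags the WEP, mixed WPA/WPA2, TKIP and short-passphrase settings discussed above. The hostapd keys used (wpa, wpa_pairwise, rsn_pairwise, wpa_passphrase, wep_key0) are real; the two sample configs and the 20-character passphrase threshold are constructed assumptions.

```python
"""Audit a hostapd-style config for the weak-mode mistakes discussed in the
thread: WEP still on, WPA (1) alone or mixed with WPA2 (wpa=3), TKIP as an
allowed cipher, and a short passphrase.  Sample configs are constructed."""


def parse_hostapd(text):
    """Return key=value pairs, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    has_wep = any(k.startswith("wep_key") for k in conf)
    if has_wep:
        findings.append("WEP key configured: WEP is broken, remove it")
    # 'wpa' is a bit mask: bit 0 = WPA (1), bit 1 = WPA2/RSN.  wpa=3 is the
    # "both at once" mode the mail warns about; the weaker one is then usable.
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0 and not has_wep:
        findings.append("open network: no WPA/WPA2 configured")
    elif wpa & 1:
        findings.append("WPA (1) enabled (wpa=%d): legacy or mixed mode" % wpa)
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP allowed as pairwise cipher: use CCMP only")
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < 20:  # assumed threshold
        findings.append("wpa_passphrase is %d chars: use 20+ random chars" % len(passphrase))
    return findings


# Constructed: what "enable security" on a cheap router often produces.
WEAK_CONF = """interface=wlan0
ssid=home
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=password1
"""

# Constructed: WPA2 only, CCMP only, long passphrase.
GOOD_CONF = """interface=wlan0
ssid=home
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-7x
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(name, audit(parse_hostapd(text)) or ["ok"])
```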
