Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
HOW-TO have a more secure wireless network (counterintuitive)
Moderators: Flash, Ian, JohnMurga
rarsa


Joined: 29 May 2005
Posts: 3053
Location: Kitchener, Ontario, Canada

Posted: Thu 19 Jun 2008, 00:50    Subject: HOW-TO have a more secure wireless network (counterintuitive)

In a nutshell
- Use the highest WPA encryption your devices allow
- Use a full phrase as your pass phrase with spaces, and numbers, upper and lower case. e.g. "Snow white and the 7 Dwarfs".
- Set your router to broadcast the SSID (counterintuitive but true!)


The long explanation:

Regarding encryption:
- Open connections are the riskiest of them all. Like having a house without doors, with your wallet on the table and the keys of the car hanging on the wall.
- WEP gives a false sense of security as it can be cracked in minutes. So for all purposes it is no security at all.
- WPA is the best encryption for now

Using a complex passphrase:
- This is your main defense
- You can tape it under the router if you want. After all: if someone has access to the router any other security is useless.

Broadcasting the SSID:
When not broadcasting the SSID the router is broadcasting the id beam anyway, just without the SSID name. So people will know that you have a wireless network.
But... all the devices that have been configured to connect to the router will broadcast the SSID, as if they were shouting "are you my router?"

This opens a big vector of attack, as someone may intercept that request, identify the network you want to connect to and spoof it, so now you are connected to the rogue network.

So, even though it is counterintuitive, always set your router to broadcast the SSID. This way the security is handled by the encryption mechanism and not by false security by obscurity.

Additionally, several wireless devices and drivers have trouble with hidden SSIDs just because fixing it is low priority. After all, everyone should be broadcasting the SSID, shouldn't they?

_________________
http://rarsa.blogspot.com Covering my eclectic thoughts
http://www.kwlug.org/blog/48 Covering my Linux How-to

JustGreg

Joined: 24 May 2005
Posts: 695
Location: Connecticut USA

Posted: Thu 19 Jun 2008, 08:24

Thank you, rarsa, for the excellent tips. I use two of the three items. I will be implementing the third. I have been using WPA2 encryption with Puppy for a couple of years now. It does work well with my equipment, which uses the RALINK RT73 chip set. Thank you, Tempestuous, for your efforts to ensure it does!

If you live in an urban area, then you should use the best encryption. You do not want someone to use your network to do something illegal. Depending where the router is located, WIFI networks can be detected a good distance away.

If the WPA network does broadcast its SSID then based on the wpa_supplicant documentation, one should set "ap_scan=1" in the wpa_supplicant.conf or wpa_supplicant2.conf file. I posted here:
http://www.murga-linux.com/puppy/viewtopic.php?t=29205
the results of some testing.

_________________
Enjoy life, Just Greg
Live Well, Laugh Often, Love Much
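
An added example, not part of the thread or any poster's code: a small Python check of a wpa_supplicant.conf against the points in the first post (clients probing for a hidden SSID via `scan_ssid=1`, open or WEP networks, short passphrases). The sample file, the function names and the 15-character cut-off are assumptions made for illustration.

```python
# Constructed sample wpa_supplicant.conf; SSIDs and keys are made up.
SAMPLE_CONF = '''
network={
    ssid="HomeNet"
    scan_ssid=1
    psk="Snow white and the 7 Dwarfs"
}
network={
    ssid="OldRouter"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="Garage"
    psk="puppy123"
}
'''
MIN_PHRASE_LEN = 15  # assumed cut-off for a "full phrase"; not from the thread

def parse_networks(text):
    """Collect the key=value pairs of each network={ ... } block."""
    networks, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if current is None:
            if line.replace(' ', '') == 'network={':
                current = {}
        elif line == '}':
            networks.append(current)
            current = None
        elif '=' in line and not line.startswith('#'):
            key, value = line.split('=', 1)
            current[key.strip()] = value.strip()
    return networks

def audit(text):
    """Return (ssid, finding) pairs for the points made in the first post."""
    findings = []
    for net in parse_networks(text):
        ssid = net.get('ssid', '?').strip('"')
        if net.get('scan_ssid') == '1':  # client sends probes naming the SSID
            findings.append((ssid, 'hidden-ssid-probing'))
        if net.get('key_mgmt') == 'NONE':  # open network or static WEP
            wep = any(k.startswith('wep_key') for k in net)
            findings.append((ssid, 'wep' if wep else 'open'))
        psk = net.get('psk', '')
        if psk.startswith('"') and len(psk[1:-1]) < MIN_PHRASE_LEN:
            findings.append((ssid, 'short-passphrase'))
    return findings
```

Calling `audit(open('/etc/wpa_supplicant.conf').read())` runs the same checks on a real file; the path is an assumption and varies by distribution.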

HairyWill


Joined: 26 May 2006
Posts: 2949
Location: Southampton, UK

Posted: Thu 19 Jun 2008, 08:46

I particularly like the rationale for publishing your SSID. While I can think of reasons for not doing so, they have nothing to do with security.
_________________
Will
contribute: community website, screenshots, puplets, wiki, rss
nic2109

Joined: 01 Jan 2007
Posts: 406
Location: Hayslope, near Middlemarch, Midlands, England

Posted: Tue 05 Aug 2008, 04:08
Subtitle: The Devil himself agrees with you

This is SO counter-intuitive that I was forced to seek corroboration.

I found some in The Devil's Own documentation at http://technet.microsoft.com/en-gb/library/bb726942.aspx.

In amongst the Windows-specific stuff they make the valuable point that if you ever connect to a network with a hidden SSID (and save the settings) and travel around with your equipment (e.g. Laptop or Blackberry, or PDA), you will then be broadcasting that SSID wherever you are.

In many situations that won't really matter, but if you have connected to a network that is supposed to be secure (but has failed to take this advice) then you will reveal a potentially "interesting" SSID to malicious listeners who might be able to deduce where it is located and set up a spoof network by broadcasting the "stolen" SSID. Which is not a very good plan.

_________________
Nick
rarsa


Joined: 29 May 2005
Posts: 3053
Location: Kitchener, Ontario, Canada

Posted: Tue 05 Aug 2008, 11:27
Subtitle: The Devil himself agrees with you

nic2109 wrote:
This is SO counter-intuitive that I was forced to seek corroboration.

When I learned about this, I also had to corroborate with several sources (including MS) before posting this.

Thank you for the link, I should have linked my sources.

_________________
http://rarsa.blogspot.com Covering my eclectic thoughts
http://www.kwlug.org/blog/48 Covering my Linux How-to
nic2109

Joined: 01 Jan 2007
Posts: 406
Location: Hayslope, near Middlemarch, Midlands, England

Posted: Tue 05 Aug 2008, 17:32

Reading on in Microsoft's Technet articles suggests that the same is true of MAC address filtering.
Quote:

Do Not Use MAC Address Filtering

Some wireless APs allow you to configure a list of media access control (MAC) addresses of allowed wireless clients. The MAC address is a unique number assigned to your wireless network adapter by its manufacturer. This feature, known as MAC address filtering, has the goal of providing protection by only allowing communication with wireless clients using known MAC addresses.

However, MAC address filtering requires that you configure the wireless AP with the list of allowed MAC addresses and maintain that list for new wireless clients and devices. Additionally, MAC address filtering is a weak form of protection. An unsophisticated malicious user can easily capture data traffic sent to or from allowed wireless clients on your wireless network, determine an allowed MAC address, and then configure their own wireless adapter to use the allowed MAC address.

For these reasons, Microsoft strongly recommends that rather than trying to keep unauthorized wireless users from using your wireless network with MAC address filtering, that you prevent unauthorized access by using the strongest possible authentication and encryption option as described in the "Use Authentication and Data Encryption" section of this article.

http://technet.microsoft.com/en-us/library/bb727047.aspx#ECAA


As with SSID broadcasting, the strong advice is that you should NOT rely on filtering alone because of the risk of spoofing, but the general advice would seem to be not to do it at all!

On the documentation front, while Wikipedia is OK, Microsoft's is much more thorough. It's where some of their billions have gone - to everyone's benefit.

_________________
Nick