HOW-TO have a more secure wireless network (counterintuitive)

rarsa
Posts: 3053
Joined: Sun 29 May 2005, 20:30
Location: Kitchener, Ontario, Canada


#1 Post by rarsa »

In a nutshell
- Use the highest WPA encryption your devices allow
- Use a full phrase as your pass phrase with spaces, and numbers, upper and lower case. e.g. "Snow white and the 7 Dwarfs".
- Set your router to broadcast the SSID (counterintuitive but true!)


The long explanation:

Regarding encryption:
- Open connections are the riskiest of them all. Like having a house without doors, with your wallet on the table and the keys of the car hanging on the wall.
- WEP gives a false sense of security as it can be cracked in minutes. So for all purposes it is no security at all.
- WPA is the best encryption for now

Using a complex passphrase:
- This is your main defense
- You can tape it under the router if you want. After all: if someone has access to the router any other security is useless.

Broadcasting the SSID:
When not broadcasting the SSID the router is broadcasting the id beam anyway, just without the SSID name. So people will know that you have a wireless network.
But... all the devices that have been configured to connect to the router will broadcast the SSID, as if they were shouting "are you my router?"

This opens a big vector of attack as someone may intercept that request, identify the network you want to connect to and spoof it so now you are connected to the rogue network.

So, even though it is counterintuitive, always set your router to broadcast the SSID. This way the security is handled by the encryption mechanism and not by false security by obscurity.

Additionally, several wireless devices and drivers have trouble with hidden SSIDs just because fixing it is low priority. After all, everyone should be broadcasting the SSID, isn't it?
Last edited by rarsa on Thu 19 Jun 2008, 17:41, edited 1 time in total.
http://rarsa.blogspot.com Covering my eclectic thoughts
http://www.kwlug.org/blog/48 Covering my Linux How-to

JustGreg
Posts: 782
Joined: Tue 24 May 2005, 10:55
Location: Connecticut USA

#2 Post by JustGreg »

Thank you, rarsa, for the excellent tips. I use two of the three items. I will be implementing the third. I have been using WPA2 encryption with Puppy for a couple of years now. It does work well with my equipment, which uses the RALINK RT73 chip set. Thank you, Tempestuous, for your efforts to ensure it does!

If you live in an urban area, then you should use the best encryption. You do not want someone to use your network to do something illegal. Depending where the router is located, WIFI networks can be detected a good distance away.

If the WPA network does broadcast its SSID then based on the wpa_supplicant documentation, one should set "ap_scan=1" in the wpa_supplicant.conf or wpa_supplicant2.conf file. I posted here:
http://www.murga-linux.com/puppy/viewtopic.php?t=29205
the results of some testing.
Last edited by JustGreg on Thu 19 Jun 2008, 19:47, edited 1 time in total.
Enjoy life, Just Greg
Live Well, Laugh Often, Love Much

HairyWill
Posts: 2928
Joined: Fri 26 May 2006, 23:29
Location: Southampton, UK

#3 Post by HairyWill »

I particularly like the rationale for publishing your SSID. While I can think of reasons for not doing so, they have nothing to do with security.
Will
contribute: community website (http://www.puppylinux.org), screenshots (http://tinyurl.com/6c3nm6), puplets (http://tinyurl.com/6j2gbz), wiki (http://tinyurl.com/57gykn), rss (http://tinyurl.com/5dgr83)

nic2109
Posts: 405
Joined: Mon 01 Jan 2007, 20:24
Location: Hayslope, near Middlemarch, Midlands, England

#4 Post by nic2109 »

This is SO counter-intuitive that I was forced to seek corroboration.

I found some in The Devil's Own documentation at http://technet.microsoft.com/en-gb/libr ... 26942.aspx.

In amongst the Windows-specific stuff they make the valuable point that if you ever connect to a network with a hidden SSID (and save the settings) and travel around with your equipment (e.g. Laptop or Blackberry, or PDA), you will then be broadcasting that SSID wherever you are.

In many situations that won't really matter, but if you have connected to a network that is supposed to be secure (but has failed to take this advice) then you will reveal a potentially "interesting" SSID to malicious listeners who might be able to deduce where it is located and set up a spoof network by broadcasting the "stolen" SSID. Which is not a very good plan.
Nick
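
A check for the client side of this advice, as an added example that is not part of the thread: it reads a wpa_supplicant.conf (the file mentioned in post #2) and flags the settings the posts warn about, namely directed probes for a hidden SSID (scan_ssid=1, or ap_scan=2), open or WEP networks, WPA1-only entries and short passphrases. The sample config, the finding labels and the 20-character threshold are assumptions made for this example.

```python
MIN_PASSPHRASE_LEN = 20  # assumed threshold for this example, not a standard

# Constructed sample config; SSIDs and keys are made up for illustration.
SAMPLE = '''
ap_scan=2
network={
    ssid="HomeNet"
    scan_ssid=1
    psk="Snow white and the 7 Dwarfs"
}
network={
    ssid="OldRouter"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="Garage"
    proto=WPA
    psk="letmein123"
}
'''

def parse_conf(text):  # -> (global settings, list of network dicts)
    globals_, networks, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            (globals_ if current is None else current)[key.strip()] = value.strip()
    return globals_, networks

def audit(text):
    """Return (ssid, finding) pairs for settings the thread warns about."""
    globals_, networks = parse_conf(text)
    findings = [("*", "ap_scan=2")] if globals_.get("ap_scan") == "2" else []
    for net in networks:
        ssid, psk = net.get("ssid", "?").strip('"'), net.get("psk", "")
        if net.get("scan_ssid") == "1":  # client names the SSID in probe requests
            findings.append((ssid, "hidden-ssid-probe"))
        if net.get("key_mgmt") == "NONE":  # no WPA: open, or WEP if a WEP key is set
            findings.append((ssid, "wep" if "wep_key0" in net else "open"))
        if net.get("proto", "").split() == ["WPA"]:  # WPA1 only, WPA2/RSN disabled
            findings.append((ssid, "wpa1-only"))
        if psk.startswith('"') and len(psk) - 2 < MIN_PASSPHRASE_LEN:
            findings.append((ssid, "short-passphrase"))
    return findings
```

Run `audit(open("/etc/wpa_supplicant.conf").read())` against a real file; the path is an assumption and varies by distribution.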

rarsa
Posts: 3053
Joined: Sun 29 May 2005, 20:30
Location: Kitchener, Ontario, Canada

#5 Post by rarsa »

nic2109 wrote: "This is SO counter-intuitive that I was forced to seek corroboration."
When I learned about this, I also had to corroborate with several sources (including MS) before posting this.

Thank you for the link, I should have linked my sources.

nic2109
Posts: 405
Joined: Mon 01 Jan 2007, 20:24
Location: Hayslope, near Middlemarch, Midlands, England

#6 Post by nic2109 »

Reading on in Microsoft's Technet articles suggests that the same is true of MAC address filtering.
Do Not Use MAC Address Filtering

Some wireless APs allow you to configure a list of media access control (MAC) addresses of allowed wireless clients. The MAC address is a unique number assigned to your wireless network adapter by its manufacturer. This feature, known as MAC address filtering, has the goal of providing protection by only allowing communication with wireless clients using known MAC addresses.

However, MAC address filtering requires that you configure the wireless AP with the list of allowed MAC addresses and maintain that list for new wireless clients and devices. Additionally, MAC address filtering is a weak form of protection. An unsophisticated malicious user can easily capture data traffic sent to or from allowed wireless clients on your wireless network, determine an allowed MAC address, and then configure their own wireless adapter to use the allowed MAC address.

For these reasons, Microsoft strongly recommends that rather than trying to keep unauthorized wireless users from using your wireless network with MAC address filtering, that you prevent unauthorized access by using the strongest possible authentication and encryption option as described in the "Use Authentication and Data Encryption" section of this article.

http://technet.microsoft.com/en-us/libr ... .aspx#ECAA
As with SSID broadcasting, the strong advice is that you should NOT rely on filtering alone because of the risk of spoofing, but the general advice would seem to be not to do it at all!

On the documentation front, while Wikipedia is OK, Microsoft's is much more thorough. It's where some of their billions have gone - to everyone's benefit.
Nick
