Hey all,

On Sat, Jul 10, 2004 at 12:43:49AM -0400, J. Erik Hemdal wrote:
> > On Fri, 9 Jul 2004, Rick Stevens wrote:
> > > Terry Linhardt wrote:
> > > > I'm running Core 2, and from a laptop using a wireless (802.11-B)
> > > > card to reach a WAP. I have absolutely no problems in using a
> > > > wireless configuration *provided* I broadcast my SSID. But, as
> > > > soon as I no longer broadcast my SSID my wireless card
> > > > cannot "find" the WAP.
> > > >
> > > > Two questions:
> > > >
> > > > 1) How can I configure my system to access my WAP by its
> > > > assigned ID.
> > >
> > > I'm not sure you can. The ESSID is required or your card can't find
> > > the network in the first place. You might be able to bypass it by
> > > forcing "CHANNEL=" in your ifcfg-wlan0 file, but I won't
> > > guarantee it.
> > >
> > > BTW, what's your aversion to broadcasting your ESSID? If you use a
> > > WEP key, your network isn't really that susceptible to attack.
> >
> > I think that if the WAP doesn't broadcast, then the station
> > needs to specify the correct SSID. If the WAP does broadcast
> > then the station can "adopt" the broadcast SSID.
>
> Yes, and the client (your laptop) needs to know the channel you're using
> (often this is channel 6 by default). Basically, when the access point
> fails to broadcast, the clients need to know everything about the connection
  ^^^^^^^^^^^^^^^^^^

Fails to broadcast the ESSID. It's still transmitting beacons. Kismet
picks them up REAL GOOD. Maybe you are thinking of Ad Hoc mode (which is
something totally different and Kismet will still pick that up once
traffic begins).

> before it will work. SSID alone won't do it. You can set the channel by
> correctly fiddling with redhat-config-network and editing the proper
> interface.

Use system-config-network on FC2.

Turning off ESSID is virtually worthless from a security standpoint (and
some access points won't even let you do it). Try running Kismet for a
while and you'll find out.

As soon as you get even a decent amount of traffic to the AP, Kismet will
capture the ESSID from the traffic. So, what did you really gain by not
broadcasting the ESSID? Under some circumstances, you can even actively
probe a "cloaked" network and uncover its ESSID.

> > It's not clear to me what the point of broadcasting is if you
> > then install WEP keys.
>
> This makes connection a little easier. Some access points will deliver a
> WEP key automatically, so that you have encrypted transfers on a network
> that is publicly-available.

That's not WEP. That gets into WPA and/or 802.11i and/or 802.1x and some
other proprietary schemes. Mostly, with public access points, it will be
WPA for which you need the supplicant client.

> > > > 2) On a related security issue, how can I make use of WEP
> > > > encryption.
> > >
> > > Make sure your WAPs all have the same key (MINIMUM 128-bit
> > > encryption)

You've only really got two choices, 40 bit and 128 bit. 40 bit is the
old, deprecated, export grade encryption. 128 bit uses the RC4 stream
cipher with a 104 bit key from you (which is why it's 26 hex digits if
you use hex mode) and a 24 bit "initialization vector" that it generates
on a packet by packet basis. If you've got a reasonably modern AP, the AP
will choose IVs (which are pretty much arbitrary) in such a way as to
avoid the weak key scheduling problem with RC4 used in WEP. Best way to
know is to run Kismet for a while and see if it captures any "weak
encrypted packets". WEP still has its problems (still subject to the
known plaintext codebook attack) but you have to capture massive amounts
of data (~2Gig) for which you know both the plaintext and ciphertext.
WPA PSK (WPA Pre-Shared Key) has its own problems and may even be weaker
if you use a short passphrase (minimum 17 characters or it can be busted
by capturing just a few packets).

> The encryption level is going to be set by the minimum encryption that all
> your wireless clients can support. In my experience, Windows XP doesn't
> support 128-bit encryption. This might prevent you from going to stronger
> encryption.

This is incorrect. W2K used to only support 128-bit encryption if you
installed the "high encryption pack" but that went away back in an early
service pack (SP2? SP3?). AFAIK... Windows XP has pretty much always
supported 128-bit encryption. Even if the initial version did not (I
THINK it did), you can't run Windows XP without SP1 (soon to be SP2 -
PLEASE INSTALL WHEN IT COMES OUT) and all the security roll-ups on the
Internet without getting infected in minutes, so you either have 128 bit
encryption or you have much bigger problems.

> > > Like I said, I'm not sure you need to hide your ESSID in the first
> > > place.

You don't.

> Probably for the same reason you set up a firewall rather than closing all
> your ports. You can't hack a network you can't see.

Now THAT'S a load of bull. You can see that network just fine and Kismet
can find it just fine. It can see your beacon and identify an active
network that is not broadcasting its ESSID (aka - Red Flag! Watch this
network!) and it can capture the ESSID from live traffic. And don't say
you can't hack a network you can't see. LOTS of networks get hacked every
day that hackers can't see. Worms do that real good. Worms and hacks get
behind NAT devices every day. Took the "Witty worm" (which I tracked)
less than 10 seconds to slip behind a NAT firewall and get into a
"network it couldn't see".

Hiding the ESSID does not hide the network (hell, it doesn't even really
hide the ESSID). Hiding the network doesn't prevent hacking. Turning off
the ESSID does not accomplish any significant security.

Use WPA with a strong password, if you have it available. If not, use
128 bit WEP and use Kismet to test your access points for strong
scheduling of IVs (replace or upgrade if they don't). You should be
pretty solid.

> Erik

Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois: MHW9       |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
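The per-packet keying Mike describes (a 104-bit user key plus a 24-bit IV fed to RC4, and Kismet's count of "weak encrypted packets" as the way to check whether an AP avoids the bad IV class) is modelled below as an added worked example. It is not code from the thread or from Kismet: the toy frame encryption, the FMS weak-IV class (first byte 3..15 with second byte 0xFF, taken from the public description of the attack rather than from the post), the 26-hex-digit key and the list of sample IVs are all constructed for illustration. The audit function is the check a defender would run over IVs pulled from a capture: how many fall in the weak class, and how soon the AP starts repeating them.

```python
"""Added example, not from the original mailing-list post: a toy model of
WEP's per-packet RC4 keying plus a defender's audit over captured IVs.
All keys and IVs below are constructed sample values."""
import binascii
import math

KEY_LEN = 13                      # 104-bit user key = 26 hex digits
IV_LEN = 3                        # 24-bit per-packet IV
IV_SPACE = 1 << (8 * IV_LEN)      # 16,777,216 possible IVs


def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA). For WEP the seed is IV || key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key_hex: str, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4_{IV||key}(plaintext || CRC32 ICV), i.e. the
    encrypted body of a WEP data frame (toy model, no 802.11 header)."""
    key = binascii.unhexlify(key_hex)
    if len(key) != KEY_LEN or len(iv) != IV_LEN:
        raise ValueError("need a 104-bit key and a 24-bit IV")
    icv = (binascii.crc32(plaintext) & 0xFFFFFFFF).to_bytes(4, "little")
    data = plaintext + icv
    ks = rc4_keystream(iv + key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(key_hex: str, frame: bytes) -> bytes:
    """Undo wep_encrypt; raises if the ICV does not check out."""
    key = binascii.unhexlify(key_hex)
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    ks = rc4_keystream(iv + key, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    if (binascii.crc32(plaintext) & 0xFFFFFFFF).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def is_fms_weak(iv: bytes, key_len: int = KEY_LEN) -> bool:
    """The (B+3, 0xFF, x) IV class counted as 'weak' by Kismet/AirSnort,
    B being the index of the key byte it exposes. Assumed from the public
    FMS description, not stated in the post."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def audit_ivs(ivs, key_len: int = KEY_LEN) -> dict:
    """Summarise captured IVs: weak-class count, distinct count, and the
    index of the first packet whose IV the AP had already used."""
    first_seen = {}
    first_reuse = None
    weak = 0
    for idx, iv in enumerate(ivs):
        if is_fms_weak(iv, key_len):
            weak += 1
        if iv in first_seen and first_reuse is None:
            first_reuse = idx
        first_seen.setdefault(iv, idx)
    return {"total": len(ivs), "weak": weak,
            "distinct": len(first_seen), "first_reuse_index": first_reuse}


def expected_packets_to_iv_collision() -> float:
    """Birthday bound on the 24-bit IV space: packets after which a
    repeated IV is more likely than not, even with perfectly random IVs."""
    return math.sqrt(2 * math.log(2) * IV_SPACE)


def same_iv_leaks_xor(key_hex: str, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under one IV share a keystream, so C1 xor C2 equals
    P1 xor P2; this is why the audit tracks IV reuse at all."""
    c1 = wep_encrypt(key_hex, iv, p1)[IV_LEN:IV_LEN + len(p1)]
    c2 = wep_encrypt(key_hex, iv, p2)[IV_LEN:IV_LEN + len(p2)]
    return (bytes(a ^ b for a, b in zip(c1, c2))
            == bytes(a ^ b for a, b in zip(p1, p2)))


# Constructed sample values: a 26-hex-digit key and the first 3 bytes of
# six "captured" data frames (two weak-class IVs, one repeated IV).
SAMPLE_KEY = "0123456789abcdef0123456789"
SAMPLE_IVS = [b"\x03\xff\x10", b"\x0a\x0b\x0c", b"\x0f\xff\x42",
              b"\x0a\x0b\x0c", b"\x10\xff\x00", b"\x02\xff\x00"]

if __name__ == "__main__":
    frame = wep_encrypt(SAMPLE_KEY, b"\x01\x02\x03", b"hello")
    print(frame.hex(), wep_decrypt(SAMPLE_KEY, frame))
    print(audit_ivs(SAMPLE_IVS))
    print(round(expected_packets_to_iv_collision()))
```

Running the block prints the toy frame and its decryption, the audit of the six sample IVs (`weak` 2, `distinct` 5, first reuse at packet 3) and the birthday bound of roughly 4800 packets, which is the reason a busy AP repeats IVs within minutes regardless of how well it avoids the weak class. On a real capture you would feed `audit_ivs` the IV field of each data frame (the three bytes after the 802.11 header) instead of `SAMPLE_IVS`.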