Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
On Sun, 2007-02-04 at 08:28 -0700, David G. Miller wrote:
> I run WEP (will probably go to WPA when I find time to diddle with
> setting it up), filter MACs and don't broadcast ESSID. I know that
> theoretically this set up isn't absolutely secure but I'm guessing
> I've raised the bar high enough that I'll keep the script kiddies,
> access scofflaws and all but the really serious crackers out. Also, a
> quick scan of the APs in the neighborhood indicates there are several
> that are much easier to crack (or just use).
Script kiddies will attempt something just because they can, there
doesn't have to be some dying need to abuse someone's network. So I
wouldn't rely on that.
MAC filtering is utterly useless as a security measure. Anybody can
change their MAC on just about all hardware. It's only of use to make
accidental connections less likely (i.e. by those not trying to break
into your network, but accidentally connecting to the wrong one).
Not broadcasting an ESSID is going to cause more problems than it
allegedly helps with. Each ESSID should be unique, and all the clients
should only try to use the ones they're deliberately configured for. If
it's a common factory default, all and sundry may try to use it. If you
don't deliberately broadcast it, you're not putting off accidental
connections. Script kiddies can use your network even if you don't
broadcast it. If you do broadcast it, then those properly configured
clients will be able to avoid it.
Consensus is that WEP is a complete waste of time, now.
<sarcasm>
So, to your way of thinking, everyone should just run their AP wide open
if they aren't running WPA. Or is WPA not enough?
On a similar vein, should I also leave my keys in my car and my front
door unlocked since someone with the right knowledge can steal my car or
break into my house anyway? Just wondering.
</sarcasm>
My approach has been to put as many impediments as I can think of in the
way of someone attempting to crack my wireless network. I don't pretend
that any one of them or even all of them will keep out a determined,
resourceful cracker. My goal is simply to make cracking my network
difficult enough that the cracker goes to an easier target. Given a
plethora of neighbors with apparently less secure wireless
configurations, this isn't just wishful thinking.
As I pointed out in another post, I also provide some measure of
physical security by putting my AP in my basement. I get a good signal
inside the house and the few places I tend to use the laptop outside the
house (e.g., on the patio) but the signal degrades rapidly at ground
level (let's hear it for a poured concrete foundation with steel
rebar). Someone might be able to get a decent signal from a few
neighbor's roofs but, again, we're back to my impediment strategy. At
some point I'll implement WPA but I'll probably set up a snort box to
sniff my incoming wire before I do that.
Cheers,
Dave
--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce
