On Jan 24, 2008 8:50 AM, John Summerfield <debian@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Jacques B. wrote:
>
> Jacques
> Don't be so touchy. Surely, if someone gave you bad advice you'd want to
> hear that it is bad. None of us is perfect.
>
> --
>
> Cheers
> John

My frustration has to do with the fact that someone asked a question on how to secure a wireless connection. I provided advice of measures available within the context of a typical home wireless router. And my reference to low hanging fruit and such and the caveat of the kid next door who has all the time in the world to bang away at your system (vs someone driving by) made it obvious that it's not a 100% guaranteed secure solution.

In comes Tim stating that most of what I said was "useless". What I provided are all steps that can be taken on a typical home wireless router. The layers of security (using the term loosely) by themselves for the most part provide no security (with the exception of WPA). However, combined these layers will frustrate efforts of a script kiddy/less sophisticated hacker hopefully enough that they will move on to the next target. I agree that it will do little other than mildly entertain a more sophisticated hacker. Following Jim's advice if all you enable is WPA, then you've made things that much more convenient for the unsophisticated hacker (and the sophisticated one as well of course).

Much like even a deadbolt and a lock will not stop a determined thief, neither will any of the measures available on your typical home wireless router. That does not mean we should not even bother implementing the various measures available to us if they are within our abilities to do so. Closing & locking the windows is another step to securing a home. A burglar can very, very easily break the window if they want to get in. Does that mean we shouldn't bother with that because it's essentially "useless"?

The other reason you should take all the steps I recommended is because if someone does manage to connect, it will be very clear that it was not accidental and that the wireless AP was not meant for public use. Proving criminal intent becomes that much easier because of all the hurdles the person had to jump in order to connect to your AP. Yes cracking encryption should be enough to establish intent. Someone could argue that they thought they were cracking their own AP (under the guise of doing some penetration testing on their own system or perfecting their skills because they are a security consultant). That becomes much less of a plausible argument if the person had to go through multiple hurdles along the way.

No, it's not perfect. But I definitely disagree that it's completely useless. Unless the feature introduces a vulnerability in the process or significantly degrades the performance of your network, it's not useless (and in some cases serious degradation is tolerable if the resulting security is much greater and necessary due to the sensitivity of the data on the network).

To what depth you deploy the various options I threw out will depend on your abilities and your personal views on this issue. Perhaps some have been tasked with deploying and managing more complex layers of network security for too long. Just because it's not up to the standard used by a corporation does not make it worthless.

Jacques B.