Matthew Rosewarne on 9 Dec 2007 22:23:56 -0000
On Sunday 09 December 2007, Jason Costomiris wrote:
> I guess old Bruce isn't familiar with putting a wifi device into
> monitor mode, which allows you to capture all the frames being sent &
> received on that AP.

I'm quite sure Bruce is aware that it's trivial to sniff all wireless traffic. What he is saying is that there really isn't much difference between having a wire and a wireless network, since people can also sniff from wired networks too. Proper security should be implemented regardless of the physical medium, so there is no need for physical-layer encryption.

> 1. Use WPA or WPA2 (better than WPA, really - AES is better than TKIP).
> 2. Forget about WEP - see #1
> 3. Don't bother with MAC filtering. It's too easy to overcome [1]
> 4. If you have the means, use WPA2 "Enterprise", with a RADIUS server,
> otherwise, simply using a reasonably long passphrase for your WPA PSK
> would suffice (i.e. not the minimum 8 characters - get closer to 63).

1 & 2. The only reasonably effective protection is WPA2 with AES, and even then it's much better to use a proper VPN. Anything else just makes it harder for innocent people to get a connection, but just slows down the intruders by a few minutes. Since the security provided is in name only, you might as well be a good neighbour and allow others access.

3. MAC filtering is a joke.

4. You could do that, or even better, make the wireless a DMZ, and access your "internal" network over a decent VPN. That way, you can share your network AND have actual security.

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
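Added example, not part of the original thread: the quoted advice to push a WPA PSK passphrase from the 8-character minimum toward 63 follows from how the key is derived, since the passphrase is the only secret input to PBKDF2-HMAC-SHA1 and the SSID is just a public salt. The function names and the entropy estimate are assumptions made for this sketch; the derivation parameters and the "password"/"IEEE" test vector are the ones published with IEEE 802.11i.

```python
import hashlib
import math
import string

MIN_LEN, MAX_LEN = 8, 63  # WPA/WPA2 passphrase length limits


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit PSK as hex: PBKDF2-HMAC-SHA1, salt=SSID, 4096 rounds."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               salt, 4096, 32).hex()


def max_entropy_bits(passphrase: str) -> float:
    """Upper bound on guessing entropy: length * log2(size of classes used).

    Only reached if every character was picked at random; words and
    keyboard patterns are far weaker than this figure suggests.
    """
    if not passphrase:
        return 0.0
    alphabet = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(c in cls for c in passphrase):
            alphabet += len(cls)
    if any(c in string.punctuation + " " for c in passphrase):
        alphabet += len(string.punctuation) + 1  # 32 symbols plus space
    return len(passphrase) * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed sample inputs; the first pair is the 802.11i test vector.
    samples = [("password", "IEEE"),
               ("password", "ieee"),   # same passphrase, different salt
               ("k7#Vq2m!Zp9w@Lx4Rt6y$Bn8Gh3jFd5s", "IEEE")]
    for phrase, ssid in samples:
        print(f"{len(phrase):2d} chars, <= {max_entropy_bits(phrase):5.1f} bits, "
              f"SSID {ssid!r}: {derive_psk(phrase, ssid)}")
```

The second sample shows that the SSID changes the derived key but adds no secrecy, so the passphrase length and randomness carry all of the protection.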