Re: [PLUG] Wireless access - from a security expert
- From: Jason Costomiris <jcostom@gmail.com>
- To: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
- Subject: Re: [PLUG] Wireless access - from a security expert
- Date: Sun, 9 Dec 2007 15:50:17 -0500
- Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
- Sender: plug-bounces@lists.phillylinux.org
On Dec 4, 2007, at 10:35 PM, Eric wrote:
This parallels an older discussion here on the PLUG list:
I just read this in the Freakonomics blog:
Q: Is there any benefit to password protecting your home Wifi network? I have IT friends that say the only real benefit is that multiple users can slow down the connection, but they state that there is no security reason. Is this correct?
A: I run an open wireless network at home. There’s no password, and there’s no encryption. Honestly, I think it’s just polite. Why should I care if someone on the block steals wireless access from me? When my wireless router broke last month, I used a neighbor’s access until I replaced it.
I guess old Bruce isn't familiar with putting a wifi device into
monitor mode, which allows you to capture all the frames being sent &
received on that AP.
I'm appalled that Bruce Schneier would come up with that answer.
Historically, I've thought of him as a reasonable man with well
thought out opinions on data security matters. Either he's just
asleep at the wheel on this particular topic, or he's not the expert I
once thought him to be.
Some people go completely nuts, segregating their AP from the wired
side of the network, requiring a VPN connection for wifi clients,
while also deploying WEP/WPA and using MAC filtering.
I'd say that if you:
1. Use WPA or WPA2 (better than WPA, really - AES is better than TKIP).
2. Forget about WEP - see #1
3. Don't bother with MAC filtering. It's too easy to overcome [1]
4. If you have the means, use WPA2 "Enterprise", with a RADIUS server,
otherwise, simply using a reasonably long passphrase for your WPA PSK
would suffice (i.e. not the minimum 8 characters - get closer to 63).
You'll be completely fine and safe.
[1] - I'll throw a card in monitor mode, get some MAC addrs of your
approved clients, then reconfigure my card to use one of your "safe"
MAC addresses.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug