Slashdot Mirror

← Back to Stories (view on slashdot.org)

Enhanced WiFi Security Patch For FreeBSD

Posted by timothy on from the sekrit-treehouse-password dept.

Dan writes "Roland van Laar has a new, significant wi-fi patch for FreeBSD 5.1 and higher. The patch, available for download and testing, blocks clients with an empty or 'ANY' ssid and disables ssid broadcasting using the underlying firmware feature. SSID (Service Set ID) is used to identify wireless clients to a wireless / wired gateway. Wireless devices from the same manufacturer generally ship with the same default SSID. A beacon is a type of packet/frame that contains the SSID of a network. It is used to sync clocks on client devices and to make it easy for new network clients to see what networks are available. Preventing others from using your ssid is a means (although not foolproof!) of securing your wireless network."

12 of 59 comments (clear)

  1. SSIDs? by Trbmxfz · · Score: 1, Interesting

    I suppose it's good news that there are people who do care about Wifi security.

    However, I'm wondering: how much security does SSID-based blocking add (could individuals forge SSIDs, or would they have to be organizations with cash and determination?)? Shouldn't all connections on a wireless network use a strong encoding (SSH or such)?

    How do real people provide and use services that are normally insecure (NFS comes to mind) over Wifi?

    1. Re:SSIDs? by squiggleslash · · Score: 5, Informative
      How do you mean "forge" SSIDs?

      An SSID is just a small text string, typically a short word, used to identify networks. Typically you can ask your PC to list available networks and it'll provide you with a list of SSIDs, the joke being that most of them will have the names "DEFAULT", "BELKIN", etc. You configure your wireless hub to have a particular name, and then you'll be able to easily select yours. If you hide it, as the article suggests (not a particularly original feature, I'd guess most wireless hubs allow you to hide SSIDs, mine does), then it's still useful as you manually can tell your PC which network to connect to (eg enter the name) and it'll still find it despite the fact you've hidden the SSID.

      If someone was to try to masquerade their network as yours - say, give their network the same name as yours so that you might connect to it by accident - then they could do so, but any other wireless security you'd have switched on would automatically defeat it (within reason - WEP, for example, is probably the most popular 802.11 security technology, but it's infamously insecure.)

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:SSIDs? by _Sharp'r_ · · Score: 2, Informative

      Basically the way real people who care about security use Wifi securely is that they don't treat is like it's secure.

      The simplest implementation of that is to design your network under the assumption that any Wifi portions are about as secure as the general Internet.

      In other words, stick the Wifi network on it's own outside your firewalled "internal" network and use a VPN client to connect your laptop or whatever to the real network. The gateway for the Wifi network would in this case usually be a firewall/VPN server.

      If someone gets on the Wifi network, they can't do anything with your encrypted packets and they can't get anywhere past the firewalled connection to anything else.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    3. Re:SSIDs? by jbplou · · Score: 1

      For business this solution is good. For home use wep is good enough. if you rotate your ssid and wep keys you will be fine, most of your neighors probably aren't nerds enough to hack past wep. Plus wardrivers will move on to the next access point which most likely has the ssid broadcasting to linksys or belkin or something like that. but if I were really concerns about security I would probably setup 3 or 4 fake access points to confuse would be intruders.

    4. Re:SSIDs? by MrChuck · · Score: 1
      For home use wep is good enough.

      Then "for home use, no encryption is good enough".

      There IS no security in WEP.

      Presume it.

      It's as secure as leaving your key under the mat and hoping your neighbor doesn't notice (ok break onto my LAN and you don't get much (vs. the house)). But telling people that WEP is "ok" is just irresponsible.

      That said, I generally use SSH and the only cleartext on my wireless net is webbrowsing.

      OS X, Unix and even that other OS all support IPSec. PPTP is even better.

      Bad dot'er. No food pellets.

    5. Re:SSIDs? by jbplou · · Score: 1

      Like I said for home use WEP is good enough, most of my neighbors would not even know how to connect to my router if I gave them the web key.

    6. Re:SSIDs? by MrChuck · · Score: 1
      Here's to hoping you block outbound port 25, don't use common (1819) addresses and don't use DHCP.

      It just sucks when someone with not tons of effort can send a billion spams out your box one afternoon.

  2. Card support? by utlemming · · Score: 1

    This is a great addition nontheless. If you can hide your SID then some warfaring punk can't find you easy. But then again you probably are using WEP or WPA or whatever the encyrption of the week is, so that is a nonissue. Now, I would be impressed if more wireless cards were supported. I am getting sick and tired of using my windows machine to down load my FreeBSD software toys.

    --
    The views expressed are mine own and do not express the views of my employer.
    1. Re:Card support? by stox · · Score: 2, Informative

      You might want to take a look at FreeBSD 5-Current. The framework for loading NDIS drivers has recently been added. That may be the solution to your problem. I have not used it yet, myself, so I can't comment on how well it does the job.

      --
      "To those who are overly cautious, everything is impossible. "
  3. A step in the right direction by RubberDuckie · · Score: 2, Informative

    I'll have to give this a try. While it does not make WiFi secure, it is a small step to making it a bit more secure. At least this way, if I'm not using my wireless network (which is most of the time), it's not broadcasting SSID's for people to sniff.

    On a side note, it's a real shame that a useful article has garnered mostly trolls and flamebait as responses. Sigh...

  4. Wireless Leiden - the Why :-) by dirkx · · Score: 1
    Some people question the need for this; just some background as to why we in Wireless Leiden need this patch :-)

    The issue is that througout the city we have omni antenna's - where -anyone- can associate with - and directional antennas which provide the interlinks between nodes (although the network covers a medium sized city - we use no copper; all interlinks are wireless).

    On these interlinks we only want node-to-node traffic.

    As the network is totally open (no username, password or any thing) - we have no easy way to educate our users to use the right 'omni' antenna's, other than descriptive names. I.e. we do not catch them early enough.

    So often people associate with the interlinks rather than the omni (if a beam passes over their house) - and then complain, or are surprized, that DHCP does not give them an address.

    This problem is made worse by some windows userinterface tools which will automatically re-select networks based on some internal metric.

    So what we wanted was to 'hide' the interlinks. So that clueless users are not accidentally ensnared. Rolands patch does exactly this.

    Dw

  5. I love FreeBSD. by readpunk · · Score: 1

    I love FreeBSD, but I have a question. When on earth is anyone going to recognize the fact that there is a serious problem with the wi driver for dwl650 pcmcia cards? So many of us have them and yet the current driver for it, after a small amount of usage causes a full system lock up. Anyone have any info on that? I'd like to see the drivers for widely used software perfected before setting up default security for those who don't know how to on their access points.

    The question beg's to be asked, shouldn't someone capable of installing and using FreeBSD be knowledgeable enough to secure their wifi ap?

    --

    ./revolution