On The Current State of WiFi Security
An anonymous reader writes "A Flexbeta article covers the basics of WiF security. The article mentions mentions various ways of securing a WiFi network, how easy it is to crack WEP, and what the IEEE is doing about WiFi security. From the article: 'In order to address the security issues of WEP and the current Wi-Fi standards of 802.11a/b/g, the Institute of Electrical and Electronics Engineers (IEEE) is developing a new standard that is called 802.11i. This standard was developed with security in mind. The new standard implements new security entitled Wi-Fi Protected Access (WPA), which takes advantage of the Temporal Key Integrity Protocol (TKIP), is easier to setup using a pre-shared key, and can use RADIUS authentication.'"
I've been using WPA with TKIP over 802.11g for almost 2 years now. It works great.
(This is with Windows XP and a Microsoft MN-700.)
None of which will matter if people do not put passwords on their networks that aren't "default", "administrator" or "home." Oh, first post!
... of non-news. WPA has been available for a while now.
Security minded design is wonderful, but like all security won't this just be broken as soon as it is rolled out?
(First post...yay)
Correct me if I am wrong, but doesn't .11g have WPA TKIP? I know my computer and router support it.
So, exactly where is the news in the article? I was hoping to see something new and/or interesting. I could have written this article myself... years ago.
Good thing they mention it twice.
The real contender is WPA2, which employs the far stronger AES symmetric algorithm in place of RC4, and adds much-desired features such as fast roaming:
WPA2 overview.
If your hardware supports it, use WPA2. If not, settle for nothing less than WPA, as WEP is a joke and trivial to break into.
Wireless security is a huge issue these days. When I set up my wireless network, I made sure to get equipment capable of working with WPA encryption, and turned the SSID off, etc. From where I am sitting right now, however, I can access 2 of my neighbor's unsecured, unencrypted Wi-Fi networks. And that will always be the problem. We have the capability to secure wireless networks these days with a reasonable degree of security, but people just refuse to do it.
You don't say... You don't say...
Standard setup for the average home network user seems to be
Take box home
Plug in box
Let Windows XP do its thing
Use.
Clearly for these advances to be of any use, customers must be informed of their necessity and setup must be kept as simple as possible (helped, I surprisedly add, by XPSP2's wireless configuration app).
The technology is all well and good, as long as it's being used.
Decent article, although the multitude of ads gives Adblock quite a workout.
Does anyone know when/if WPA is going to be included in upcoming Linux releases? As it is now, the WPA Supplicant is the only way to use WPA in Linux.
I read a lot about wi-fi security. However, it keeps coming down to, why should I care? Yes, at work it is important to be very security aware. However, at home, I really don't care if someone is using my connection. If they are doing something that is hogging bandwidth, when I want to use it, I can boot them. My computer is protected and on the other side of a firewall. Information that passes over the router does not touch any storage device. So, back to the question, why should I care? (as a home user)
When my folks go to the car lot, they know to look at the Buicks. When they go to Best Buy, they don't know they're looking at the equivalent of a crotch rocket motorcycle that will surely get them killed.
doesn't .11g have WPA TKIP
The 802.11g spec does not mandate WPA; however, most modern cards and APs support it. While WPA has no known serious weaknesses, choose WPA2-compatible hardware if you're yet to purchase wireless equipment.
As many people are saying, there is no point in advancing encryption standards if the average end user will not use it.
On many sites, you sign up, and get given a random password. How hard would it be for manufacturers to ship APs with WPA enabled with a random password/key which is printed on the back of the user manual? (this is a genuine question) XP asks for a password when you try to connect to it automatically, and if you are using Linux etc. then you know what the deal is anyway.
According to Bruce Schneier, the security risks of WiFi are vastly exaggerated.
And I did RTFA.
What's the bottom line for my home network? I've got WPA on my 802.11g network. I changed the default passwords, etc. Is there any realistic chance of being compromised?
Also, as an individual and not a business, what motivation would someone have for doing so?
There are still too many wireless devices that only support WEP. The WiFi card for my Palm T3 being one of those, rendering it useless within our firm where WPA is required.
I've never bothered with any security measures at all. Not too long ago, I was working on a friend's Mac laptop that had wireless built in. I popped open the browser and what do you know... Internet access, because my access point was right there.
Now... How insecure is this really? And what does it really mean? It's not like the access point has unlimited range. I don't even think my next-door neighbor could hijack my connection. Should I worry that some dude is gonna park in front of my house and start leeching my connection?
Windows' PEAP supplicant is CRAP. It doesn't work right. The only one that works even moderately well is Odyssey, by Funk Software. M$ says they will make a better supplicant, but I'll believe it when I see it.
While I applaud attempts to secure WiFi, it would seem that wireless will always add another channel of vulnerability to any IT system, especially because WiFi is so often deployed inside the firewall. WiFi systems are generally vulnerable to both internet-based attacks and wireless attacks. And even if the 802.11i protocol is "secure," there is little guarantee that both the AP and the client wifi transceiver have a secure implementation of the protocol or that the user configures the system in a secure fashion.
As inconvenient as wires are (and even they are not totally secure), they do reduce the amount of one's personal information freely broadcast into the ether.
What if I only use SSH over a non-encrypted connection (and don't do non-SSH-tunneled routing)?
This is one of the most pathetic and unresearched articles ever posted, and that is a BIG statement to make. Zonk, did you even read what the submission was, or is it just so slow today that you'll post anything? If you really want some interesting reading on WiFi security then go check out the http://www.shmoo.com/shmoo-fu.pdf Shmoo Fu article presented at DefCon and Black Hat in part for some really interesting WiFi security details.
The article doesn't do any justice to the main problem:
Most routers, APs and clients are not that available for updates.
For instance, there are no fewer than 3 WISPs in our area that claim to be secure, and get this, 'more secure' than a wired line.
What do they use to get this amazing security? WEP, not pre-shared or enhanced, or rotating keys, plain old WEP.
Did they have this equipment up 3 years ago, and clearly didn't know, right?
Nope, this is new equipment, new Cisco APs; they chose to buy other equipment that can't be secured.
Even those in the know apparently don't care, or are too worried about learning new terms and setup procedures.
I quit reading when I came to this gem:
"making it perceptible to interference"
I'm not even sure how shit like this gets posted. Editors need to learn to be fucking editors, and not bloggers.
The entire discussion of what's wrong with the IV usage under WEP is wrong. As is the "vulnerabilities" of CRC-32. It has no cryptographic purpose: its intent is to ensure data integrity (i.e., not corrupted due to radio interference).
Anyone with any professional wireless experience knows that MAC filtering is a useless security measure, and shouldn't be bothered with.
There's more, but there's no real need to waste words on this tripe.
"A Flexbeta article covers the basics of WiF security.
Sorry but at a glance I read that as WTF security
http://www.flexbeta.net/main/printarticle.php?id=103
... should be the gold standard for businesses concerned with wireless security. We use this at work; EAP-TTL, signed certs, radius authentication, constant WEP rekeying.
Reading the article, I got the strong impression that I was reading a mediocre high-school research paper. The author is basically just parroting a bunch of well-known, easily discoverable basic information about Wi-Fi. The facts are cursory at best; and the article not only doesn't cover any new ground, it doesn't cover the old established ground particularly well.
I've been using WPA/TKIP with a pre-shared key for several months...
... trying to secure wifi isn't going to help anybody at this point. WEP is more a deterrent than a security measure and in the end that's all it has become. WPA was a wacky bolt-on later and it's supported in all configurations or in every software setting.
There seems to be a lot of effort being put forth to secure wifi, and the question I have is why bother? Why not treat wifi the same as you treat the internet? Firewall all access to it, and if you want access to the internal network you have to vpn into it. Run your programs you care about with encryption turned on (use imap/s instead of imap, pop/s instead of pop, smtp/s instead of smtp).
All the money being spent trying to come up with a hardware solution is just going to cause all wifi hardware to be incompatible, more burdensome to use, and a lot more expensive.
How about if the wireless routers don't use "admin" for both the username and password. I've hit quite a few networks named "default" and found that the web-interface was up by default, with the default passwords.
I'd put more blame on companies that put "out-of-the-box" ahead of security... ship the damn thing secured and have it run a "first-time setup" utility from CD-ROM for the newbies.
I'd love to use WPA but from what I understand WPA doesn't work in repeater mode (or maybe that's just with g networks) and my house needs two access points to cover everywhere I need access.
http://www.ezwv.com/wireless.html
While we know it's not the case, they are spreading the misinformation and making it a bad image when someone does get hacked.
Now who here thinks that wireless is more secure?
Funny, I know a person who intentionally leaves his wifi at home open so if any of his neighbors want to use it they can. Personally I think it is a stupid idea, because if someone uses it for a nefarious purpose (terrorism, kiddy porn, etc.) it's his hardware they will seize. I told him this, and he said "they can't do that, I'm running an ISP." Of course that would make him an unlicensed utility and they would still seize his property. If he beat the case he would get it all back, but that would not stop them from seizing his computers. A lot of people just don't understand that what they will do is determined when the police knock on your door, and what they can do is determined when the case goes to court.
From a non-network-geek kind of view it seems that the standard security systems are seriously missing in options and tough to configure. It seems like there isn't a good option for "no authentication, but encrypt everything please" (kind of akin to https) or simple password/phrase authentication, as opposed to asking people to type in these massive hex strings or handcoding in their MAC addresses.
So even beyond the fact the encryption ain't much good, open networks tend to win out because everything else is so painful to setup.
Any further questions?
I'm going to be setting up a wireless network for my family in the next couple of weeks. I've never used anything wifi based so I'm a little clueless. So I'm interested in knowing what needs to be done to secure it etc. So could anyone give me some useful links? It's just a small network for 2-3 PCs and maybe a laptop at most; I have full access and control of all three PCs (including installing the network cards myself). So any advice/good sites/hints/tips/hardware suggestions (good quality, not top-end latest fad stuff)?
Flexbeta is running a contest, asking readers to submit articles for publication. Each article published gives the author a chance to win a top-end ATI graphics card. There are several other smaller prizes.
:)
He's just trying to win something. He's certainly not a subject matter expert
It's virtually impossible to keep unauthorized parties off of your AP using out of the box software.
WEP? Known cryptographic challenges, can be cracked in a trivial amount of time using automated tools.
Access list of MAC addresses? Almost every wireless NIC allows you to watch traffic, and many allow you to reprogram the MAC address. You can watch someone authenticate at Starbucks, record their MAC address, then when they walk away, you just set your MAC address to theirs and you continue using their open session. I can't imagine why it wouldn't work.
802.11i is not "being developed" it is a fully ratified standard. Check Wikipedia or if you are feeling REALLY ambitious, flip through a 108 slide PowerPoint overview of the standard.
Heck, the WPA portion was released well prior to ratification of the standard and is incorporated into many home WiFi APs, routers etc.
I'm not worried about serious hackers. I'm worried about the kids next door. I don't need it to be completely secure, I need it secure enough that it's more convenient to bother someone else down the street.
There's a saying among scuba divers, how do you fend off a hungry shark with a 2 inch knife? You stab your buddy and swim away.
Here we use AES encryption with WPA-PSK authentication. I figured that would have started to become the standard now. Our firm feels so confident with AES that we leave our wireless routers powered up 24/7. Has anyone heard of any problems with this, or have they just reinvented the wheel in order to have something to do?
For the past few years, we've all been hearing about how vulnerable WEP is and how it can be cracked with the secret decoder ring found in a Cracker Jack box. Yes, there were weak IVs in the initial implementation. But these have been removed from rotation by nearly all vendors. So I'd like some feedback with real experience cracking 128-bit WEP using recent firmware loads on cards and APs.
Here's how you fix wifi.
Wires.
Maybe you've heard of them.
I'd have to check again, but I believe that a/b/g could better be described as standards for carrier frequencies and i is the security protocol. So you could have an a with i protocol or b or g. I believe that referring to it as simply i with reference to a/b/g is a misnomer.
Anyway, i is something that has been talked about for more than a year and none of the manufacturers seem to be willing to add it to their systems. Maybe they think that they can sell g to everyone and then they'll start advertising more about the security issues of wireless and sell routers with g and i. Makes sense business-wise.
"(...)the Institute of Electrical and Electronics Engineers (IEEE) is developing a new standard that is called 802.11i."
which was approved one year ago, and covered on Slashdot then.
And every other week we get the same "WiFi security basics" article.
Why not have a section for that only? Just so I can filter it out.
...according to the opinion of the vast majority of posters.
For example, he doesn't seem to know what an IV is, and suggests there's something fundamentally wrong with them:
If I didn't know better, I'd draw the conclusion, "Wow, stay away from these things called initialization vectors. Oh no! My DriveCryptLeetMagicFantastico uses this thing called AES-CBC that requires initialization vectors! It must be broken!"
He also says that CRC32 is a good measure to increase protection, except that it's just poorly implemented in WEP.
There are many better write-ups on WEP security available, like this one.
Is it just me or is WiFi becoming overfilled with different standards? It was just a couple days ago that /. had the story on 802.11n http://hardware.slashdot.org/article.pl?sid=05/08/02/1247236&tid=193/
now they are talking about .11i and we already have 3 different ones in use.
I don't want to have to buy 4 different routers to ensure that every device I have works.
I thought the point of standards was to bring everyone together on one format.
I recently got my first laptop, and did some wifi hardware research. What I wound up buying are products from AirLink101(.com). I got a Super-G card for my laptop, and two Super-G access points. One is set up as an access point, and the other is set up as a bridge (receives the signal from the AP, goes out the cable into my switch, and into my desktop machines with NICs but no wireless cards; I didn't want to have to buy wireless cards for anything but the laptop). These products support WPA with AES, and work quite well through several walls between the AP and the NIC. Two antennas on the AP/bridge units, and they're removable, so one could add better antennas if needed. This is the only wireless AP I know of that can be configured as a bridge - you normally need to buy a more expensive bridge to get bridge functionality. Also note - these are Super-G units, not just G (108Mbps, not 54). They use the Atheros (sp?) chipset, so should be Super-G compatible with anything else using that chipset.
Prices? The AP/bridge units were $70 each at outpost.com. I can't remember how much the laptop card was - $30 or $40 as I recall, very reasonable.
You will be able to find cheaper wifi hardware, but it won't be Super-G, and it won't be this capable.
Build a lightweight VPN server into every router, such as OpenVPN which uses TLS/HMAC and RSA keys. The router could easily generate and distribute the keys (over the wire) for wireless encapsulation.
There was a case of a guy downloading child pron in Toronto by driving around at night and finding open WiFi networks (You know the ones.... Their SSIDs are Linksys and Default). Apparently when he was caught, he was naked from the waist down looking at explicit images. (Ooh. Bad image)
I point this out as I used to work for a VAR that sold WiFi products to businesses who would just order the products and throw them up onto their network rather than pay us to come in and properly install and secure the environment (which was usually Windows based). When this happened and I pointed it out to them that this could be them (or something worse might happen, such as the cops knocking on your door because they traced the downloads to their net connection), they changed their tune in a hurry and let us secure the networks.
Places like Best Buy should hand this article out to their customers. That would reduce the problem in a hurry.
So why haven't I improved things?
Simple. Even though I'm a pretty technical Linux user, I've been unable to really feel confident going out and buying 802.11g stuff with WPA, because the existing documentation on the net is pretty bad.
I'm waiting for the mythical "someone else" to set up a nice, straightforward site that says "here are the cards you can buy at store X which support Linux and don't require binary drivers, patched kernels, and other crap." Sure, there are lists of chipsets, but the actual stores don't list the chipset in particular products often, and the vendors often have multiple versions of the same card with different chipsets.
I think a lot of the problem is the actual hardware industry itself. 802.11b wasn't hard to get Linux support for, but because of the software-controlled radio in 802.11g chipsets, it's a bit trickier legally.
And don't get me started on Bluetooth. I got a new phone which has it, and I'd love to buy a little USB Bluetooth dongle so I can play with it, but right now the main Linux Bluetooth page has been asked to take down their list of devices known to work under Linux, because someone in the Bluetooth SIG complained the devices weren't technically qualified. (link) What a load of crap! So instead of getting a dongle which might not work, I'm just not going to get one at all. Everyone loses.
A PCMCIA FireWire card is marginally easier, but again, trying to track down an actual card for sale which matches the user-reported specs and models is pretty damn hard. I spent conservatively 3 hours online and in Fry's reading before I got a card which works great until you eject it and panic the kernel.
I guess where I'm going with this rant is that wireless security (in the non-Windows world) would probably be better if the "standards" followed went a bit deeper and were more open to allowing outsiders to confidently buy products. All I'm asking for is a label or a sticker on the box telling me what chipset and version the device uses. It's not hard, and it shouldn't be a secret. Anyone technically savvy to make a purchasing decision based on chipset is technically savvy to figure out what chipset is in a device once they've bought it and spread the word.
Wow... my first rant. Sorry about that....
I connect the wireless access points to a dedicated ethernet card on my gateway computer. That way all wireless traffic must pass through the gateway and it is easy to require ESP for the wireless link.
I use the "onion layers" approach to security.
- MAC address filtering
- Turn off SSID broadcast (and make SSID hard to guess)
- WAP (with randomly chosen key)
- IPSEC ESP (with another randomly chosen key)
- Packet filter at gateway host
This should be enough to make most leeches go on down the street and find an easier target.
http://www.microsoft.com/downloads/info.aspx?na=90&p=&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=662BB74D-E7C1-48D6-95EE-1459234F4483&u=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F9%2Fe%2Fb%2F9eb62d0b-61f0-4c9e-9c52-e3bef96d9e7f%2FWindowsXP-KB893357-v2-x86-ENU.exe
(I apologize in advance)
A Flexbeta article covers the basics of WiF security.
Apparently it sucks because someone already stole the last "i".
I am confused, doesn't a combination of MAC address filtering, WPA security, and not broadcasting your SSID virtually eliminate hacks?
I use WEP to keep the casual user out and then VPN (IPsec and PPTP) to keep everyone else out. Works great.
IPSec SHA256 AH AES128 ESP
We set up such a configuration at DEFCON and despite various attacks against both AP and client, including evil twin, WDS exploits, traffic replay, etc., the network was absolutely impenetrable.
The only secure configuration I would consider would be WPA2 with RADIUS authentication. Pre-shared key is vulnerable to dictionary attacks so be sure to key with a good random string if you use this mode.
Note that this "article" was submitted as a Flexbeta contest entry. And just how 'leet could the author be, having only discovered Airsnort now?
Keep in mind that WPA by itself does not imply security. WPA with a weak passphrase is much easier to crack than WEP, as it only requires a few packets to be captured.
Unless you have only one or at most a few wireless clients, that setup can be fine. In all other cases you should use something other than PSK.
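The pre-shared-key caution in the posts above (WPA-PSK is open to dictionary attacks; key it with a good random string), as an added example that is not from this thread or the Flexbeta article. It derives the PMK the way WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations), rates a passphrase, and generates keys of the kind the advice calls for; the SSID "HomeNet", the sample passphrases, the WEAK_LIST and the 80-bit threshold are constructed assumptions.

```python
"""WPA-PSK: why passphrase strength matters and what "random string" means.

Added example, not from this thread or the Flexbeta article. Facts used:
WPA/WPA2-Personal derive the 256-bit Pairwise Master Key (PMK) from the
passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, at a fixed 4096
iterations (IEEE 802.11i). The SSID "HomeNet", the sample passphrases, the
WEAK_LIST and the 80-bit threshold below are constructed assumptions.
"""
import hashlib
import math
import secrets
import string

PBKDF2_ITERATIONS = 4096   # fixed by the standard, not tunable on the AP
PMK_LEN = 32               # 256-bit key
MIN_BITS = 80              # assumed minimum entropy for an "ok" rating

# Constructed list of passphrases a defender should refuse outright.
WEAK_LIST = {"password", "12345678", "linksys1", "homenetwork"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).

    The SSID is broadcast and the iteration count is a constant, so the
    passphrase is the only secret input. Whoever records one 4-way
    handshake can test candidate passphrases offline at one PBKDF2 call
    per guess, which is the dictionary exposure the thread warns about;
    a unique SSID at least stops work being reused across networks.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper bound on guessing cost, assuming the passphrase was drawn
    uniformly from the character classes it uses. Word-based passphrases
    have far less entropy than this estimate, hence WEAK_LIST."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    return len(passphrase) * math.log2(pool) if pool else 0.0


def rate_passphrase(passphrase: str) -> tuple:
    """Defender-side check: returns (estimated bits, "weak" or "ok")."""
    bits = passphrase_entropy_bits(passphrase)
    if passphrase.lower() in WEAK_LIST or bits < MIN_BITS:
        return bits, "weak"
    return bits, "ok"


def generate_psk(length: int = 63) -> str:
    """A "good random string" in the thread's sense: a maximum-length
    passphrase from a CSPRNG, roughly 400 bits, beyond any dictionary."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_raw_psk_hex() -> str:
    """Alternative most APs accept: 64 hex digits entered directly as the
    PMK, so PBKDF2 and the passphrase-guessing problem disappear."""
    return secrets.token_hex(PMK_LEN)


def demo() -> dict:
    """Exercise the properties the functions above rely on."""
    ssid = "HomeNet"  # constructed
    weak = "password"
    strong = generate_psk()
    return {
        "pmk_len": len(derive_pmk(weak, ssid)),
        "pmk_deterministic": derive_pmk(weak, ssid) == derive_pmk(weak, ssid),
        "ssid_changes_pmk": derive_pmk(weak, ssid) != derive_pmk(weak, "linksys"),
        "weak_rating": rate_passphrase(weak),
        "strong_rating": rate_passphrase(strong),
        "raw_psk": generate_raw_psk_hex(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```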
Since just about any extant technology can be used to share data, such as downloading a file via http or ftp or sending attachments vial email, where exactly does this end? If a pirated music file is sent as an attachment with an email, does it suddenly make email illegal too?
P2P is simply a more convenient form of file transfer. That's all. This measure must be opposed!
A post which was never moderated up has been modded down as "Overrated."
The slashcode should really prevent that sort of thing. It's obviously not "overrated" if it has never been "rated" at all.
What they fail to realize is that if the hacker is smart enough to break WPA, then MAC filtering is useless because any hacker smart enough to break WPA is smart enough to break MAC filtering.
So parent was right. MAC filtering is useless.
*Caveat, I HAVE NO AFFILIATION TO WITOPIA OR FULL MESH, just have had good results personally.
The way I handle security on my wireless network is simple. I don't feel that there's any good way for me to secure it, without buying new hardware (for WPA2). Therefore, I don't secure it. The SSID is being broadcast, there are no MAC filters -- but there is a password on the AP itself. It runs on an isolated network segment that has internet access without authentication, but doesn't have access to my private servers without a VPN.
At this point, many people probably think that I'm insane. I don't think that I am. Here's my reasoning. With only WEP available to me at the moment (due to hardware limitations that I'm not willing to spend money to solve), it's not securable in any sense of the word. As it stands, if I did use what security mechanisms I could, and somebody bypassed said security, my legal defense, as a person paid to do security work, would be that my security was broken. While that may be the truth, I doubt the ability of the general public to believe it, assuming that something illegal was done through my connection.
There are various reasons for not using WPA or WPA2 -- for one, I have a Tivo (in an unwired area of my house), and it doesn't seem to handle anything but WEP, which I consider worse than useless. Also, I'm using an *old* Linksys NAT box as an AP (it does no routing), and it doesn't support WPA either. The Tivo's the deal breaker.
Really, it's easier for me to call it an open network and be willing to deal with the consequences of that than to deal with the potential consequences of securing it. I'm paranoid, and I know too many people who have been royally screwed by the US "justice" system.
I am a registered user, but it's probably better to post this anon.
My Wireless network at home is set up so the only thing anyone sees is my VPN ports open on my server. In order to get into my home network, you have to login to the VPN. So I have my authentication and encryption. The only problem is if I need to VPN into a customer site. Then I just use my desktop PC anyway. Works fine for me!
Here's a link to get you started!
Tivo is the reason that I use WEP. Tivo does not support a wireless adapter that supports WPA (or there is no way to enable WPA from the TIVO box, even if the adapter does support WPA).
How many people are out there running WEP because they have TIVOs wirelessly connected?
However, there is a neighbor just a few houses down who has an unprotected network. I think that would be a far better target...
Wireless = insecure.
That's one of the reasons that I won't use wifi (the other being the piss-poor transmission rates).
I think the people behind the wifi standard seriously don't want security in the implementation. How else do you explain why, after umpteen revisions, we cannot get any amount of decent (not defeated in seconds by a war driver) security?
I think the problem is that the total abortion that was FreeSWAN, put all geeks permanently off of IPSEC. Unless IPSEC has been improved beyond belief, I certainly won't bother with it.
I use SSH for everything, because it is easy to set up, it is known to be secure and it has wonderful debug capabilities built in.
WEP stands for "Wired Equivalent Privacy", and was always intended to be just solid enough that someone who cracked it could have tapped the wires with equal effort.
Bad threat modeling, since the two attacks aren't equivalent, but there's a lesson to take away.
Your wired network is vulnerable to the well-dressed person who walks in and is "early for his appointment" so the receptionist invites him to wait in the conference room. Your wired network is pathetically vulnerable to the guy in overalls and a tool belt who says he needs access to the wiring closet.
A visiting janitor or copier repair tech could dive under a desk and install a little box that calls home over IRC for instructions like "run dsniff" or "send me a list of shares".
Penetration testing consultancies make a living off walking into vacant offices and plugging in their laptops.
If you write security policies like "no wireless" you're missing the point.
Some linksys models also support wireless bridging.
Is using a couple of Linksys wireless bridges together, claiming that they won't talk to anything else but another Linksys bridge, any good at security, or is that just as useful/less as WEP?
If Windows was patched so it complained loudly every time a user connected to an unsecured wireless network and offered to help set it up correctly it would reduce the number of wide open installs.
The Open Source folk could help by producing an appropriate 'Wizard' for KDE and Gnome for M$ to copy. It might be best to BSD licence it so they can!
Community Wireless doesn't mean sharing with all, but with your community. There are many ways to do this. 802.1x is one; http://nocat.net/ is another. And that is what community wireless groups do: they build systems of authentication for their communities to access their networks. Simple really.
Hi;
Here's an idea I came up with for corporate network WIFI sec. Stupid easy, and cheap. Go to a hardware store or Fry's and buy a cheap AC timer, you know the sort you hook to your lights when you go on vacation and they turn on and off depending on time of day / day of week. Hook your access point to it.
It's stupid and simple, but given our office operates about 60 hours a week, that means the other 108 hours we don't have a big risk.
Oh, and we put our wifi on a subnet with DHCP that gives neither DNS nor wifi and is in fact a public IP space but not ours (therefore it confuses dumb people). We give each Windows user a preconfigured VPN connectoid that points to the Cisco router that is the firewall. The only traffic permitted, which makes the VPN gateway be local. Add ACLs to permit only source / dest traffic to the VPN on the VPN ports. Once VPN'd in, you get a private IP that can route. We get strong encryption (IPSEC/L2TP with PSK), real accounting, and a reasonable level of ease of use.
Anyway, it's stupid simple and as secure as we can get it.
GeekMarine
- At home, I don't mind if guests use my system, but I want my connections encrypted to prevent eavesdropping, and I'd like the system to allow any machine I've got to connect however it can if it doesn't support all the same options (e.g. I'd like old WEP-only stuff to get IP connectivity even if my main connections are using WPAx or whatever.) My connection to my office runs IPSEC anyway, and my email runs SMTP-over-SSL, but that doesn't mean I want anybody with a Netstumbler or Airsniffer to be able to watch what addresses I'm connecting to or what web pages I'm reading.
- At work, obviously we only want authorized users to connect to anything inside the firewall, so making them use a password is ok, and we want encryption. The obvious solution is to put wireless *outside* the firewall as well as using whatever tools the wireless offers. (In reality, we've got wires to all our desks, and the wireless is a toy in the lab as well as supporting occasional visitors, so if it runs encryption that's only because somebody was playing with the encryption recently. But if we did use it for production, it'd be firewalled.)
- Some older equipment wanted to support authentication without encryption, because they perceived encryption as requiring too much horsepower to fit on a PCMCIA card, in spite of how amazingly simple and low-impact RC4 is, and also because the US Government was still pretending that if they allowed encryption, Commie Spies might get it. (Also, some people had this idea that stronger encryption required more horsepower, which is wrong for RC4 - the key setup stage crunches the key bits into an initial table, and then everything else is identical from there.)
So am I missing something about the standards, or is there a way to get encryption without also requiring authentication? All the APs I've tried so far seem to only give you encryption if you're also using authentication and passwords. That's annoying, and I can't tell from the documentation if that's the only option, or if it's required by the standards, or if it's just inadequate documentation (with my Netgear 802.11b, it's such appallingly bad documentation that it's not possible to tell. With my 3Com, the documentation's much better, but maybe there's something I'm missing, and it's too easy to use the "Set the slide switch to 'AP' and it Just Works" option, which gives a bridging-mode unencrypted AP that transparently passes through my firewall's DHCP support.)
Bill Stewart