Wireless Lan Security - Slackware

This is a discussion on Wireless Lan Security - Slackware ; Just a quick question guys and gals. This is an opinion based question, so first of all I would appreciate not getting slammed for a lack of research. I am sure each method of securing your wireless has it's ups ...

+ Reply to Thread
Results 1 to 11 of 11

Thread: Wireless Lan Security

  1. Wireless Lan Security

    Just a quick question guys and gals. This is an opinion based
    question, so first of all I would appreciate not getting slammed for a
    lack of research. I am sure each method of securing your wireless has
    it's ups and downs, and as I have learned lately, even a WPA key can
    be comprimised if it is weak enough in nature. What my thought is,
    instead of using encryption, what about just MAC filtering? I know
    this leaves a little bit of a whole in my security, but if the access
    is restricted to certain MAC addresses, then won't that suffice. How
    easy would it be for someone to figure out a MAC address on my system
    and clone it, or re-write the config file for my router and write in
    thier MAC address. I know the MAC address is something that is
    supposedly hard coded on your hardware, but how firm is it? Any
    advise would be appreciated.

  2. Re: Wireless Lan Security

    crawfordthad@sbcglobal.net wrote:

    > Just a quick question guys and gals. This is an opinion based
    > question, so first of all I would appreciate not getting slammed for a
    > lack of research. I am sure each method of securing your wireless has
    > it's ups and downs, and as I have learned lately, even a WPA key can
    > be comprimised if it is weak enough in nature. What my thought is,
    > instead of using encryption, what about just MAC filtering? I know
    > this leaves a little bit of a whole in my security, but if the access
    > is restricted to certain MAC addresses, then won't that suffice. How
    > easy would it be for someone to figure out a MAC address on my system
    > and clone it, or re-write the config file for my router and write in
    > thier MAC address. I know the MAC address is something that is
    > supposedly hard coded on your hardware, but how firm is it? Any
    > advise would be appreciated.


    You are correct about weak passwords with WPA. However MAC filtering is
    pretty weak since you can code any MAC with some network cards. The most
    secure way is using WPA-Enterprise where you can use EAP-TLS where you give
    a certificate to each client that you want on the network. However this
    solution requires the use of an authentication server i.e. (radius).

    --
    N3cr0M4nc3r
    __________________________________________________ _________________________
    The trouble with programmers is that you can never tell what a programmer is
    doing until it's too late. - Seymour Cray

  3. Re: Wireless Lan Security

    On 2008-01-29, crawfordthad@sbcglobal.net wrote:
    > Just a quick question guys and gals. This is an opinion based
    > question, so first of all I would appreciate not getting slammed for a
    > lack of research. I am sure each method of securing your wireless has
    > it's ups and downs, and as I have learned lately, even a WPA key can
    > be comprimised if it is weak enough in nature. What my thought is,
    > instead of using encryption, what about just MAC filtering? I know
    > this leaves a little bit of a whole in my security, but if the access
    > is restricted to certain MAC addresses, then won't that suffice. How
    > easy would it be for someone to figure out a MAC address on my system
    > and clone it, or re-write the config file for my router and write in
    > thier MAC address. I know the MAC address is something that is
    > supposedly hard coded on your hardware, but how firm is it? Any
    > advise would be appreciated.



    MAC filtering is just shy of worthless if you're interested in *real*
    security. If that's what you're wanting, you might be best to pursue
    the Radius idea given by the first followup. On the other hand...

    It really depends on what you're trying to protect. If you want to
    prevent someone from using the internet connection at all (and thus
    wasting your bandwidth), then something like OpenBSD's authpf will
    work for you (but yeah, you have to run OpenBSD for that), and WPA
    should be plenty adequate.
    If you're trying to protect data on the local network, but don't
    care about other people free-riding your internet bandwidth, then
    it's simple: put the wired lan and the wireless lan on separate
    subnets, and don't allow any communication between them except
    ssh via key authentication.

    Ultimately, it's a balance between security and usability, as it
    always is. You have to decide how much risk you're willing to
    assume and act/react accordingly.

    -RW

  4. Re: Wireless Lan Security

    Hallo, crawfordthad,

    Du meintest am 28.01.08:

    > I am sure each method of securing your wireless
    > has it's ups and downs, and as I have learned lately, even a WPA key
    > can be comprimised if it is weak enough in nature. What my thought
    > is, instead of using encryption, what about just MAC filtering?


    Sorry - that's no slackware problem. And that's a FAQ.

    Viele Gruesse
    Helmut

    "Ubuntu" - an African word, meaning "Slackware is too hard for me".


  5. Re: Wireless Lan Security

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On 2008-01-29, crawfordthad@sbcglobal.net wrote:
    > Just a quick question guys and gals. This is an opinion based
    > question, so first of all I would appreciate not getting slammed for a
    > lack of research. I am sure each method of securing your wireless has
    > it's ups and downs, and as I have learned lately, even a WPA key can
    > be comprimised if it is weak enough in nature. What my thought is,
    > instead of using encryption, what about just MAC filtering? I know
    > this leaves a little bit of a whole in my security, but if the access
    > is restricted to certain MAC addresses, then won't that suffice. How
    > easy would it be for someone to figure out a MAC address on my system
    > and clone it, or re-write the config file for my router and write in
    > thier MAC address. I know the MAC address is something that is
    > supposedly hard coded on your hardware, but how firm is it? Any
    > advise would be appreciated.


    MAC address filtering is just plain stupid. Period. End of
    discussion.

    Why is that you may ask? Well I'll tell you. The MAC address works at
    layer two of the TCP/IP stack (technically it's its own protocol and
    isn't at all tied to TCP/IP; Ethernet works fine with IPX for example).
    When you read my Networking 101 class[0] you'll understand better. The
    MAC address can *never* be encrypted, and is trivially changed on
    nearly all wireless chipsets and operating systems. Regardless of
    whether or not you use WEP or WPA or any other encryption system, MAC
    address filtering will add precious little and just cause you a
    headache. Anyone can spoof one of your valid MAC addresses if he
    captures even 1 packet with a sniffer.

    As for what security would be enough, well... only you can decide. I
    personally like unencrypted wireless that only allows communication
    between the client node and the access point via DHCP, DNS, and openvpn
    (which tunnels out all the data). That gives you real SSL security,
    publi key management, the whole nine yards.

    [0] http://www.lizella.net/networking_101.txt

    - --
    It is better to hear the rebuke of the wise,
    Than for a man to hear the song of fools.
    Ecclesiastes 7:5
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.7 (GNU/Linux)

    iD8DBQFHn2Q4rZS6hX/gvjoRAsnAAKDS6t/vCN9zK5yDv3fixNi4sePXfgCeMuDw
    9RISkWCUWu1tMyMSx2gOyPg=
    =fju8
    -----END PGP SIGNATURE-----

  6. Re: Wireless Lan Security

    On 2008-01-29, +Alan Hicks+ wrote:
    >
    > MAC address filtering is just plain stupid. Period. End of
    > discussion.


    May I modify this statement? MAC address filtering on 802.11 networks
    is stupid. MAC address filtering on a switched network can be effective
    (given that it's not your only security measure!), since the packets
    can't be sniffed as easily by regular users. (MAC address filtering on
    a regular ethernet, e.g. through a hub, is also almost useless.)

    > [0] http://www.lizella.net/networking_101.txt


    I think it's cute that you define "bit bucket".

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me)
    AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


  7. Re: Wireless Lan Security

    On 2008-01-29, Keith Keller wrote:
    > On 2008-01-29, +Alan Hicks+ wrote:
    >>
    >> MAC address filtering is just plain stupid. Period. End of
    >> discussion.

    >
    > May I modify this statement? MAC address filtering on 802.11 networks
    > is stupid. MAC address filtering on a switched network can be effective
    > (given that it's not your only security measure!), since the packets
    > can't be sniffed as easily by regular users. (MAC address filtering on
    > a regular ethernet, e.g. through a hub, is also almost useless.)


    Grr...I think it's clear, but if not, I mean a *wired* switched network
    in my above comment.

    --keith



    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me)
    AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


  8. Re: Wireless Lan Security

    On Tue, 29 Jan 2008 10:01:11 -0800, Keith Keller wrote:

    > I think it's cute that you define "bit bucket".


    You think it's "cute", huh?

    Ummm..... hmmmmm......



    --
    "Ubuntu" -- an African word, meaning "Slackware is too hard for me".


  9. Re: Wireless Lan Security

    On Tue, 29 Jan 2008 12:59:41 -0600, Dan C wrote:

    > On Tue, 29 Jan 2008 10:01:11 -0800, Keith Keller wrote:
    >
    >> I think it's cute that you define "bit bucket".

    >
    > You think it's "cute", huh?
    >
    > Ummm..... hmmmmm......


    Hey!

    Is that ``*mm**'' your MDE 'alias' for ``cute''
    or are you simply having a public orgasm at
    seeing "IT world words" used in an "IT world meaning"
    in "this group" at "this time" ;D)

    (Keith, please don't say a word about the "great bit bucket"!-)

  10. Re: Wireless Lan Security

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On 2008-01-29, Keith Keller wrote:
    >> MAC address filtering is just plain stupid. Period. End of
    >> discussion.

    >
    > May I modify this statement? MAC address filtering on 802.11 networks
    > is stupid. MAC address filtering on a switched network can be effective
    > (given that it's not your only security measure!), since the packets
    > can't be sniffed as easily by regular users. (MAC address filtering on
    > a regular ethernet, e.g. through a hub, is also almost useless.)


    Even then it's not a good idea, just a less bad one. Repeat after me:
    Switches are *not* security devices, they are performance devices and
    should not be relied upon to prevent packet snooping.

    Flood any good switches ARP table, and it'll quickly revert to acting
    exactly like a hub. Flood any shoddy switch's ARP table, and it'll
    just crash.

    - --
    It is better to hear the rebuke of the wise,
    Than for a man to hear the song of fools.
    Ecclesiastes 7:5
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.7 (GNU/Linux)

    iD8DBQFHoBzcrZS6hX/gvjoRAob0AKCF6b87t2V8OB8SDGvRtwP/OL7ARgCePVtb
    fgHFLQMILfvOm8hpSe1TAuo=
    =qE6p
    -----END PGP SIGNATURE-----

  11. Re: Wireless Lan Security

    On Mon, 28 Jan 2008 19:13:56 -0800 (PST), crawfordthad@sbcglobal.net
    wrote:

    >Just a quick question guys and gals. This is an opinion based
    >question, so first of all I would appreciate not getting slammed for a
    >lack of research. I am sure each method of securing your wireless has
    >it's ups and downs, and as I have learned lately, even a WPA key can
    >be comprimised if it is weak enough in nature. What my thought is,
    >instead of using encryption, what about just MAC filtering? I know
    >this leaves a little bit of a whole in my security, but if the access
    >is restricted to certain MAC addresses, then won't that suffice. How
    >easy would it be for someone to figure out a MAC address on my system
    >and clone it, or re-write the config file for my router and write in
    >thier MAC address. I know the MAC address is something that is
    >supposedly hard coded on your hardware, but how firm is it? Any
    >advise would be appreciated.

    Download kismet or wireshark, (the latter is easiest to set
    up) and sniff the air. That will show how easy it is to find MAC
    addresses.

    I want a 00:11:22:33:44:55 MAC address ?

    as root:

    /sbin/ifconfig wlan0 hw ether 00:11:22:33:44:55

    and my MAC is now 00:11:22:33:44:55

    check with:
    ifconfig wlan0

    []'s
    LFS - an old European word meaning "slackware was too easy for me"
    :P

+ Reply to Thread