Security Basics mailing list archives
Re: wireless connection security issues
From: "Jarrod Frates" <jfrates.ml () gmail com>
Date: Mon, 31 Jul 2006 11:02:12 -0700
On 7/28/06, Cherian Thomas <cherian.in () gmail com> wrote:
> I am pretty much a newbie into this wireless arena and therefore ignorant of the best security practices. Can you suggest me methods to setup a "secure" wireless environment? Consider me paranoid :-)
There are a couple of points to consider. How paranoid do you want to be? Truly paranoid would implement a locked-down, dedicated, external RADIUS server authenticated with a token-based one-time password architecture over PEAP/EAP-TLS to provide the WPA2 key for securing the connection. :) However, this is probably overkill at the moment for you.

Most popular security measures (MAC filtering, disabling BSSID broadcast, etc.) are pointless in light of the ease of learning these through casual traffic listening. In fact, they are probably now more of an annoyance than a security measure, especially if you have a friend over who wants to connect to your network. Troubleshooting the inability to connect can become bothersome when it's being blocked by settings that add no real security.

At the basic level, you should disable WEP and WPA, and enable WPA2. WPA2 is available in all current firmware revisions for the WRT54GL, and the three largest third-party firmwares (Sveasoft, OpenWRT, and DD-WRT) all implement it, though at least in the case of OpenWRT you need to install an additional, proprietary module for it to work. The shared key should be a hard-to-guess passphrase or a random alphanumeric of at least 32 characters (maximum is 63, IIRC), changed on a basis of three to six months. When you configure this, if appropriate, you'll want to use AES, not RC4, and CCMP, not TKIP, if the separate options are presented.

Once you have this, you can begin layering other protections, such as the RADIUS server, certificates for the various EAP types that you might use, rotating keys... There are a lot of things that you can do. One point to consider is that all hostile traffic that does get on your network goes through your wired PC due to your infrastructure, and this presents a possible attack vector from systems that get on the wireless network, even if you expect and allow them to be on.
Do you know *for certain* that your friends' systems do not have any malware that might try to contact other systems on the network -- including your own? Something to think about as you consider your topology. While it doesn't translate directly to your multiple-provider setup, my architecture has the wireless router out in front, connected to the cablemodem, and other systems are kept behind another router which also uses NAT. This provides a DMZ of sorts on the outside, though the traffic routing can sometimes become a real pain.

I hope that helps you set a path.

Jarrod
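As an added illustration of the reply's baseline advice (WPA2 only, CCMP/AES rather than TKIP, no WEP, a 32-63 character random passphrase), the following script audits a wpa_supplicant-style network block. It is not from the original post; the use of wpa_supplicant syntax and both sample blocks are assumptions constructed for this example.

```python
import re
import secrets
import string

# Constructed sample blocks in wpa_supplicant network={} syntax (not from the post).
SAMPLE_WEAK = """
network={
    ssid="home"
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=TKIP
    psk="password1"
}
"""
SAMPLE_HARDENED = """
network={
    ssid="home"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    psk="Q7vT2kLp9XzR4mWn8BcF1yHs6JdG3aKe5UoI0NtV"
}
"""

def parse_network_block(text):
    """Return the key=value settings of the first network={...} block."""
    match = re.search(r"network=\{(.*?)\}", text, re.S)
    settings = {}
    for line in (match.group(1) if match else "").splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(settings):
    """Flag settings that contradict the reply's advice; wpa_supplicant's
    defaults (proto and pairwise unset) permit WPA1 and TKIP, so treat
    an absent key as allowing both."""
    findings = []
    if "WPA" in settings.get("proto", "WPA RSN").split():
        findings.append("WPA (v1) allowed; set proto=RSN for WPA2 only")
    if "TKIP" in settings.get("pairwise", "CCMP TKIP").split():
        findings.append("TKIP allowed; set pairwise=CCMP (AES) only")
    if any(key.startswith("wep_key") for key in settings):
        findings.append("WEP key present; remove WEP entirely")
    psk = settings.get("psk", "")
    if not 32 <= len(psk) <= 63:
        findings.append(f"passphrase is {len(psk)} chars; use 32-63 random characters")
    return findings

def generate_passphrase(length=48):
    """Random alphanumeric passphrase in the 32-63 range the reply suggests."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```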