LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Reply
 
Search this Thread
Old 06-19-2004, 09:55 PM   #1
srenar
Member
 
Registered: Jul 2003
Posts: 31

Rep: Reputation: 15
how to secure your wireless network


This was an experiment under slackware linux and windblows to secure my home wireless network.

In your wirless router
step 1. turn off "Broadcast ESSID"
step 2. turn off "DHCP"
step 3. use a "non-standard address scheme"
step 4. change the "ESSID" from "default" to anything other than "default"
step 5. Enable WEP
step 6. Enable MAC Filtering

On you computers
step 1. staticly configure the clients on your network
step 2. use a software firewall in the clients on your network

use this script to configure your linux machine and place in your rc.d directory, then make an entry in your rc.local script to run this one.
#####################################################
#!/bin/sh

# Change these settings as needed
INTERFACE=ethx
IPADDR=xxx.xxx.xxx.xxx
BCAST=xxx.xxx.xxx.xxx
GATEWAY=xxx.xxx.xxx.xxx
NMASK=xxx.xxx.xxx.xxx
NETWORK=xxx.xxx.xxx.xxx

ESSID=yourwirelessessid
WEP=your_WEP_KEY

#####Comment out the lines you DO NOT need based on your configuration######
#To comment out a line in this script put the "#" without the " before or after it.###
#For example the line that reads "#/sbin/dhcpcd $INTERFACE" is commented out.###
#Notice the "#"before the command.This means that this line will be ignored.###

#####################################################
###These 2 lines are used to set up your wireless WEP key & ESSID###########
/usr/sbin/iwconfig $INTERFACE essid $ESSID
/usr/sbin/iwconfig $INTERFACE enc $WEP
#####################################################

#####################################################
######Use this line if your ethernet is configured through DHCP#############
#/sbin/dhcpcd $INTERFACE
#####################################################

#####################################################
######Use these 3 lines if you have configured your ethernet connection
######as a static connection
/sbin/ifconfig $INTERFACE $IPADDR broadcast $BCAST netmask $NMASK allmulti
/sbin/route add -net $NETWORK netmask $NMASK gw $GATEWAY dev $INTERFACE
/sbin/route -A inet add default gw $GATEWAY $INTERFACE
#####################################################

statically configure your windblows clients as necessary

now you should have as secure as possble wireless network. especially if you use all non-standard settings.

The security comes in that the fact that the intruder will have to guess your ESSID,WEP key, your non-standard ipaddress scheme and then try to clone one of your MAC Addresses to connect to your network. all this in combination with not broadcasting a DHCP resonse will make it not worth the intruders time to persue hacking into your network.

remember these steps will severely impede an intruders attempt to use your network, but in the end, if they want in bad enough they'll proabaly find away to do it.
 
Old 06-20-2004, 12:06 AM   #2
Mephisto
Member
 
Registered: Oct 2002
Location: Washington D.C, USA
Distribution: Slack 12, Etch, Gutsy
Posts: 453

Rep: Reputation: 30
Some may disagree, but turning off DHCP and using a "non-standard address scheme" won't make a significant difference. Also turning off broadcasting may help, though it can cause problems as well.

If all you are trying to do is keep out casual intruders, MAC filtering plus WEP should be sufficient. In order for a potential intruder to connect with these two features enabled he is going to need to get your WEP key. The most likely way to get this is by sniffing your own traffic and getting the key from that. Once he/she has the key, address range and SSID are easy to obtain and really do not constitute additional work. MAC filtering is also easy to fool, though a casual war driver might have problems with it so it is worth doing if your configuration allows it.

My main problem with WEP is it gives a false sense of security. For all practical purposes a WEP connection should be considered the equivalent to connecting from a public access point. Any information sent relying on only wep for security can be deciphered by a persistent attacker. (Think ftp passwords, remote X sessions, etc...) Again though, for casual intruders WEP plus MAC filtering is fine. If you really want to secure it as much as possible, force all wireless connections to use IPSec. It can still be beaten by a determined intruder, but the threshold required is much higher.
 
Old 06-20-2004, 01:16 AM   #3
2Gnu
Senior Member
 
Registered: Jan 2002
Location: Southern California
Distribution: Slackware 14.0
Posts: 1,874

Rep: Reputation: 49
Run Kismet and see how well your theories hold up.

Disabling SSID broadcast does not make the access point invisible (except to NetStumbler or a similarly crude tool), nor does it hide the SSID. The access point must, by design, respond to a probe request with its SSID.

MAC addresses are always passed in cleartext, never encrypted. They are immediately available to a listener, along with the IP address of the AP and clients.

WEP is flawed, but more difficult to crack than many would have you believe. Short of WPA or some other 802.1x-based protection, WEP with frequently changed keys is still your best protection.
 
Old 06-20-2004, 07:31 AM   #4
SBing
Member
 
Registered: Mar 2004
Posts: 519

Rep: Reputation: 35
Quote:
Originally posted by 2Gnu
MAC addresses are always passed in cleartext, never encrypted. They are immediately available to a listener, along with the IP address of the AP and clients.
Out of curiosity, is it okay for two network devices to be on the same network which report the same MAC address? I imagine it is but?

Steve
 
Old 06-20-2004, 09:26 AM   #5
tank728
Member
 
Registered: Sep 2003
Posts: 142

Rep: Reputation: 16
I agree with Mephisto. Turning on WEP and MAC address filtering is perfect for keeping the casual intruder out, but if someone with skill wants to get in, they are going to all it takes is time. Another thing that I did not see mentoined was upgrading the firmware one your router. Also after you do that, the vender of your router might have upgraded/added new functionality such as WPA (Wifi Protected Access). WPA is the successor to WEP and does not suffer from the holes/vunerablities in WEP. Granted your drivers for your Wifi card have to support WPA as well. But WPA was designed in mind with just a update of software/firmware/driver not new hardware, so most things should be compabable.

-tank
 
Old 06-20-2004, 12:56 PM   #6
Mephisto
Member
 
Registered: Oct 2002
Location: Washington D.C, USA
Distribution: Slack 12, Etch, Gutsy
Posts: 453

Rep: Reputation: 30
Quote:
Originally posted by SBing
Out of curiosity, is it okay for two network devices to be on the same network which report the same MAC address? I imagine it is but?

Steve
The basic rules are that an interface should have only one MAC and a given IP address should have only one MAC. What we are discussing though is two devices in the same network segment with the same MAC address. In the case of wireless I believe it would work, but it may cause network problems. Basically both clients would receive all the data going to and from the MAC. On a conventional ethernet switch you would not be able to have two interfaces with the same MAC of course. But a wireless access point is by it's nature a hub.

For a simple example of bypassing WEP controls you might read this: http://www.oreillynet.com/lpt/a/4081 The amount of traffic needed to crack a key is really the determining factor on how long it would take. (low traffic = long time, high traffic = short time) As Tank728 mentioned, WPA is more secure and a better option than WEP if hardware and drivers support it

Last edited by Mephisto; 06-20-2004 at 01:00 PM.
 
Old 06-20-2004, 08:55 PM   #7
srenar
Member
 
Registered: Jul 2003
Posts: 31

Original Poster
Rep: Reputation: 15
it's great to see all the responses to this thread, it helps me learn more about the subject at hand. thanks to all of you for your input and helpfull suggestions.

steve
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
cannot connect to secure wireless network with Fedora 3 raindogs Linux - Wireless Networking 5 09-15-2005 11:30 AM
how secure is my network? msound Linux - Security 8 06-27-2005 08:12 PM
wireless cafe -- redhat linux 9.0 -- secure? Laptop2250 Linux - Security 4 08-26-2004 03:43 PM
To Secure my Wireless LAN with NoCat using RADIUS riaz2000 Linux - Security 1 11-23-2003 12:34 AM
How secure is my Network Irish Whiskey Linux - Security 3 03-26-2003 05:07 PM


All times are GMT -5. The time now is 03:04 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration