LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-08-2008, 07:25 AM   #1
meruwireless
LQ Newbie
 
Registered: Mar 2008
Posts: 1

Rep: Reputation: 0
Requirements for secure wireless environment


What is the one most important thing you feel is neccessary for a secure wireless environment.

Last edited by Tinkster; 03-08-2008 at 10:58 PM.
 
Old 03-08-2008, 08:29 AM   #2
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288
Use WPA_PSK, but even with this you'll get hacked eventually unless you change the key often.
 
Old 03-08-2008, 08:42 AM   #3
wildar
Member
 
Registered: Jan 2007
Distribution: Mandriva 2008, Mandrake 2005, Ubuntu 8.04.1
Posts: 239

Rep: Reputation: 30
In addition to enabling WPA or WEP, you may want to consider enabling MAC filtering. This can restrict connection to only systems you add to the list.
 
Old 03-08-2008, 09:06 AM   #4
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738
Off-topic but relevant:

Riding home on the bus yesterday, I started scanning for hotspots. Every 1/4 mile or so, I could see at least one new one with the WEP key disabled. At a local internet cafe, I discovered that the admin page for their router had no password set up. I advised the staff, but have not been back to check.

I wonder if these are the same people who go out and BUY Norton or McAfee to protect their computers? We have now raised at least two generations of computer-inept citizens---brought to you by a school system that sometimes thinks "computer class" means training in how to run MSWord.
 
Old 03-08-2008, 09:24 AM   #5
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
IMHO it's not about the single most important thing, but doing everything you need to do to be secure. If you're using a consumer grade wireless router I would advise using WPA2 if you possibly can, and be sure to change the default password, using a strong password. Given the research into wireless router vulnerabilities currently going on (check out http://www.gnucitizen.org/ ), I would also strongly suggest disabling UPnP even though that might make some things less convenient.

Based on what I've read (I am no expert here, if you have any links that say otherwise, H_TeXMeX_H, I'd appreciate you posting them) I would disagree with H_TeXMeX_H's gloomy assessment. Apparently the underlying encryption of WPA is sound, but if an attacker can observe the first four packets of a connection (which is easy) then he can do an offline dictionary attack on your passphrase. So the trick is to make it complicated enough that it will take him many millennia to find a match. Ideally you would use 64 random hexadecimal characters. But as that can be inconvenient to remember, at least use a passphrase with an absolute minimum of 20 characters (more is better), using the usual guidelines for good passwords. (Include upper case, lower case, numbers and punctuation/special characters, throw in unusual twists, no personal info, etc.)

Also, restricting by MAC address is of questionable usefulness since a) MAC addresses can be spoofed, and b) acceptable MAC addresses can easily be obtained by eavesdropping.

(I see that pixellany has posted while I was writing this. He gave perfect examples of what not to do.)

Last edited by blackhole54; 03-08-2008 at 09:30 AM. Reason: typos, clarification
 
Old 03-08-2008, 10:00 AM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677
  • Use WPA_PSK or better encryption. Don't use WEP, it is broken.
  • Disable WAN configuration
  • Disable Wireless configuration
  • Disable uPNP
  • Change the default password on the router. Use a strong password
  • Use a 32 byte random key for the PSK
  • Use a NAT router. It will act as an edge firewall. ( This probably is your AP )
  • Keep the firmware updated on the router. This will supply security patches.
  • Assign the wireless interfaces to the external zone and enable the firewalls on all hosts. Only open ports you need.

Don't bother with trying to hide the essid. It will slow down your traffic and won't do any good because your devices broadcast it in every packet, so not having the router broadcast its ESSID wouldn't add to security.

I don't know about MAC filtering. If the MAC addresses are broadcast in the open as well, then this may not help deter a wireless hacker, but it could help prevent inadvertent leaks from your LAN from going out on the internet.

Here is a oneliner that I use to generate a key:
Code:
dd if=/dev/random bs=32 count=1 | od -tx1 | sed '3d;s/^.\{8\}//;s/ //g' | tr -d '\n'; echo

Last edited by jschiwal; 03-08-2008 at 10:15 AM.
 
Old 03-08-2008, 12:02 PM   #7
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288
Quote:
Originally Posted by blackhole54 View Post
Based on what I've read (I am no expert here, if you have any links that say otherwise, H_TeXMeX_H, I'd appreciate you posting them) I would disagree with H_TeXMeX_H's gloomy assessment.
Well, um, there are many how-tos:
http://docs.lucidinteractive.ca/inde...eless_Networks
http://www.grape-info.com/doc/linux/...ck-ng-0.6.html
http://www.smallnetbuilder.com/content/view/30278/98/

It does take a while tho, but if you have a powerful laptop or can offload some of the work onto a more powerful computer, it doesn't take long.

NOTE: I do NOT endorse the illegal use of such information, there's also a similar disclaimer on the sites I posted, so ... hopefully that's enough disclaimers to keep me out of trouble.
 
Old 03-08-2008, 03:05 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by meruwireless
What is the one most important thing you feel is neccessary for a secure wireless environment.
How about a VPN? (In other words, securing your traffic without hoping WEP, WPA, etc. is sufficient.)
 
Old 03-08-2008, 05:50 PM   #9
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677
A VPN to what? Between each host on your LAN?
 
Old 03-08-2008, 06:29 PM   #10
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Nah -- to your AP itself. Here's an example (slightly dated): http://www.linux.com/articles/49990

OP solicited advice for securing a wireless environment. Securing (encrypting) your wireless traffic properly is still my answer.
 
Old 03-08-2008, 07:28 PM   #11
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677
Using a vpn to the AP will require using a computer for the AP and not a stock NAT wireless router.
Some NAT routers have vpn support but that is on the WAN side. If you were away from home, you could connect to your home network over the internet through a vpn tunnel and then work that way. That would protect you from the other users at a wireless hotspot.

Using wpa2 & certificates will use a private key instead of a preshared key. A PSK is shared among all the users of a wireless network. That is OK for the home, but not in a business environment. The weakness in wpa-psk isn't in the encryption. It is in the authentication. The "sharing" of the key among each host on the network poses risks. When you have several users & hosts you don't want to do that. If one user were to loose their laptop or become compromised on the internet, the key could fall into an enemy's hands.

I think a hacker would have better luck compromising a host in the network via the internet and then obtaining the secrets needed. So come to think of it, mac filtering may be somewhat useful, but using certificates would probably be better. Maybe a combination if that is possible of matching certificates with the mac.

This give you an idea of why most businesses simply prohibit all wifi. They need to wake up about using wireless phones and bluetooth.

Last edited by jschiwal; 03-09-2008 at 07:11 AM.
 
Old 03-08-2008, 09:54 PM   #12
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
MAC address filtering is not a good security mechanism. MAC addresses are broadcasted (easy to capture) and trivial to spoof.

OP hasn't really provided any context for his question. We don't know if he wishes to protect his home office data or more sensitive information.

------------------

Actually, I just noticed OP's sig -- appears to be spam.

reported...

Last edited by anomie; 03-08-2008 at 09:55 PM.
 
Old 03-08-2008, 11:00 PM   #13
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910
And as this is a first post by a member with a kind of
"leading" nick-name and a very topical thread in the same
regard I agree, and have disabled his SIG in the first post
for the time being.



Cheers,
Tink
 
Old 03-09-2008, 04:35 AM   #14
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
@H_TeXMeX_H

Thanks for the links. After anomie's observation, I guess this thread is just for "fun" now. (I thought the OP's wording of "one most important thing" sounded strange, but I guess it makes sense as an advertising slogan.) I've developed a bit of an interest in this topic as I was given a wireless "router" a while back. While I would like to try to crack my own passphrase, I am not really willing to buy the extensive dictionaries developed for that.

These articles seem consistent with what I have already read for WPA. The second article shows a screenshot where the computer running the cracking software was capable of about 140 trial passphrases/second. That works out to a little more than 10^7 per day. This is consistant with what I have read. So if the space that needed to be searched was 10^15 (for point of reference only, that's somewhat less than what you get with eight random printable ASCII characters), that would require some serious computing power to crack! So it seems to me it comes down to a sufficiently long and complex passphrase compared to the dictionaries (with search priorities) and mangling rules available. Or am I still missing something?

@jschiwal,

Actually, I said that MAC address filtering likely would not be effective.
 
Old 03-09-2008, 05:14 AM   #15
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288
Quote:
Originally Posted by blackhole54 View Post
While I would like to try to crack my own passphrase, I am not really willing to buy the extensive dictionaries developed for that.

These articles seem consistent with what I have already read for WPA. The second article shows a screenshot where the computer running the cracking software was capable of about 140 trial passphrases/second. That works out to a little more than 10^7 per day. This is consistant with what I have read. So if the space that needed to be searched was 10^15 (for point of reference only, that's somewhat less than what you get with eight random printable ASCII characters), that would require some serious computing power to crack! So it seems to me it comes down to a sufficiently long and complex passphrase compared to the dictionaries (with search priorities) and mangling rules available. Or am I still missing something?

Of course, in your example 10^15 would be the maximum number of passwords that had to be searched through, it really never comes to this, especially since most people have very simple, common passwords. Indeed, I think if you put a complex enough password, and change it once in a while, there shouldn't be a real problem. You just have to understand that it's still crackable within a given period of time, so what you can do is make it take as long as possible to crack, maybe the haxxor will give up thinking it's not worth it .

I'm pretty sure I saw some free dictionaries somewhere, I can't seem to find the link now tho.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How can i be secure with a wireless connection Criatura83 Linux - Security 2 12-05-2007 03:20 PM
How to secure wireless network pixietoon Linux - Wireless Networking 4 05-18-2006 12:51 PM
Secure Wireless Internet on openSuSE 10 Purgetroy Linux - Wireless Networking 3 03-25-2006 04:30 PM
Connecting to other secure wireless Dirichlet Linux - Laptop and Netbook 1 12-23-2005 10:26 PM
how to secure your wireless network srenar Slackware 6 06-20-2004 08:55 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 01:56 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration