DaZZa <[EMAIL PROTECTED]> writes:
> On Tue, Jun 17, 2008 at 2:49 PM, Rick Welykochy <[EMAIL PROTECTED]> wrote:
>>> You should make sure you take the simple steps which *everyone*
>>> running wireless should do.
>>>
>>> 1) Disable SSID broadcast
>>> 2) Disable DHCP unless you absolutely *have* to use it.
>>
>> Already do the above two. SSID should only be used for public nets,
>> I presume. And no DHCP.
>
> Only for nets you *want* to be open for potential unauthorised use.

Hiding the SSID doesn't add any significant security because...

> Even in "public" nets, I disable it, and require potential users to
> come ask for the SSID before connecting.

...you can sniff it out of the air, using tools such as kismet.

You may get fewer drive-by connection attempts, but it will not secure
the network any further.

Oh, and neither will avoiding DHCP: it is a trivial inconvenience, since
kismet and friends will sniff your network details over the air also.

>>> 3) Make the Wireless subnet as small as you can possibly go for the
>>> number of machines you have. The one I use at home is set to
>>> 192.168.25.0 with a 255.255.255.252 netmask - leaving room for only
>>> the router's IP address, and the one machine I have running wireless.
>>> The cable LAN segment has a completely different range.
>>
>> Excellent advice. Thanks. I am completely statically addressed here
>> with a number of machines. I'll partition the address space and separate
>> out the cabled LAN.

That shouldn't make much difference to security, because by the time
someone has broken it to have access to the IP level you have already
lost, more or less.

This will make it marginally inconvenient for someone to abuse your
service, but only marginally.  Just like DHCP it really doesn't add
anything but momentary inconvenience.

[...]

>>> 4) Use WPA or WPA2. WEP is badly broken, and was cracked years ago.
>>
>> Will do. It's long overdue. Laziness == !Secure.
>
> Yup. No argument with that one.

These will add real security and are very valuable.  I like WPA2
"Enterprise", backed with a real username and password database, and a
real authentication protocol, but a shared key is probably good enough.

[...]

>> But I will remain vigilant and implement as much security as
>> possible.
>
> Constant vigilance!

Heh.  :)

Regards,
        Daniel
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
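As an added example (not part of the thread), a small Python check that reads a hostapd-style access-point config and flags the points discussed above: WEP still configured, WPA2 not enabled, TKIP allowed, a hidden SSID that buys no real security, and a shared key where WPA2 Enterprise would give per-user credentials. Using hostapd as the AP software is my assumption; the directive names are hostapd's and the sample config is constructed.

```python
# Constructed sample hostapd config: hidden SSID, WPA1 with TKIP, shared key.
SAMPLE_CONF = """\
interface=wlan0
ssid=homenet
ignore_broadcast_ssid=1
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=constructed-example-passphrase
"""

SEVERITY = {"critical": 0, "high": 1, "medium": 2, "info": 3}

def parse_conf(text):
    """Parse hostapd key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (severity, message) findings, most severe first."""
    findings = []
    wep = any(k.startswith("wep_key") or k == "wep_default_key" for k in conf)
    wpa = int(conf.get("wpa", "0"))  # bitfield: 1 = WPA, 2 = WPA2 (RSN)
    if wep:
        findings.append(("critical", "WEP keys configured; WEP is broken"))
    elif wpa == 0:
        findings.append(("critical", "no encryption configured (open network)"))
    if wpa and not wpa & 2:
        findings.append(("high", "WPA2 not enabled (wpa=%d); set wpa=2" % wpa))
    ciphers = (conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append(("medium", "TKIP allowed; restrict pairwise cipher to CCMP"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("info", "hidden SSID is not a security control; the "
                         "name still crosses the air when clients associate"))
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "") and not wep and wpa:
        findings.append(("info", "shared key in use; WPA-EAP (WPA2 Enterprise) "
                         "gives per-user credentials"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])

if __name__ == "__main__":
    for severity, message in audit(parse_conf(SAMPLE_CONF)):
        print("%-8s %s" % (severity, message))
```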