On 05/19/2011 08:53 AM, Tim wrote: > On Thu, 2011-05-19 at 08:25 -0500, Mikkel L. Ellertson wrote: >> Time to add some more confusion to the pie. > > I'm not sure that's a good idea.
Probably not. >> >> Another security precaution that sort of helps for a home system, if >> you live in a house, is to put the access point in the basement. >> That way, the signal strength outside the house is usually too log >> to let someone connect. You may also have the option of controlling >> the output power of the access point. > > Though you're only going by the ordinary antenna in your gear. A better > antenna may be more than enough to still work with a muffled signal. So > this isn't a trick that you want to rely on. Not a trick you want to rely on, but one that may add a bit more protection. Remember, the access point still has to be able to receive your signal, and make it out. With the access point below ground level, it rends to frustrate most attackers. Add a directional antenna to the router, and it frustrates them more. While I am not relying on it for security, only 2 houses can get line-of-site with my router with the standard antenna. And only from the second story on the side closest to my place. >> >> Now for a slightly more realistic setup. My access point allows to >> to control the access it gives to wireless users. I use a setup that >> does not let wireless connections talk to each other, or the >> Internet. You need to set up a VPN to do anything useful. > > In essence, you're moving the security from the wireless to other parts > of your network. If that /other/ thing is safe, then this is (almost) > fine. Merely connecting to a wireless network, but that network being > unable to communicate any further, does initially make connecting to it > useless. But if they manage to reconfigure your wireless access point, > they may introduce some compromise to your system. > No, I am adding another layer to my security. First they have to attack when I have wireless enabled. Then they have to crack the wireless security to get at the network. On most home systems, they now have access to the entire system, and the Internet. On my system, they have access to the access point, with its built in security. (Not great, but does require cracking the user/password to gain access.) At this point, they either have to crack the router, or crack the firewall on the machine providing VPN access. The interface for that is one of two NICs on that machine, and VPN access is the only thing open on that NIC. Or have gained access to one of the VPN client keys and be able to use it. (Bad pass-phrase, no pass-phrase, or written down pass-phrase.) It probably will not stop a really determined cracker, but it will keep the script kiddies out. And the logs will probably show someone rattling the locks, so I can keep a closer eye on things. It would probably be quicker and easier to gain physical access and get access to the system that way. In any case, except for the challenge, it is not worth the effort just to gain access to my network. I like defense in depth - you have to crack the first layer before you find out about the second layer. This may even give me time to fix the first layer, depending on how long cracking the second layer takes. Actually, the first layer of defense is the physical location of the access point - it makes monitoring the wireless traffic difficult. The second layer is that the wireless is turned off most of the time. The third layer is the WPA-2 wireless security. The forth layer is either access point security, or VPM server security. After that, it gets easy - you have access to the Internet, and a couple of my printers. Or you can go to work on cracking the security of the machines on the network. >> most of my network is wired, and the wireless is shut down except when >> I need it. I do not even have to reboot when turning it off or on. > > A practical approach. Though I've found that NetworkManager can throw a > tantrum if it's been unable to connect for a while, and won't reconnect > without manual intervention. So, you want to fire your WLAN up well > before trying to use it. True - I fire up the WLAN before I boot the machine needing it. I also have a USB drive with the connection information. I thought of using a CD, but I tend to change the settings after I have given an outsider access to the system. >> >> There is one last measure that will really lock down your wireless >> network - put a Faraday cage around your house - nobody will be able >> to crack your network from the outside, monitor your cordless phone, >> etc. The downsides are the cost, and none of your devices will work >> outside the house, and cell phones will not work inside without >> adding some extra equipment. >> > A properly implemented Faraday cage may well stymie the usual hacker, > but most will probably have faults that would allow the knowledgeable > hacker to get past it. e.g. You need to RF filter, and shield the power > wiring going into it. > Well, the power lines are filtered in any case. I have some commutations going over the wiring that does not like outside interference. That is also keeps signals from going out is an added benefit. I also have a hole-house surge suppressor at the panel. Defense in depth works for more then just network security. > All theories aside, the most that most people will have to deal with > are: Neighbours accidentally connecting to the wrong unsecured network, > which even the most token effort will prevent. And the clueless turnkey > hacker, who just wants free internet, and WPA2 with the right options > and a decent passphrase will prevent that. > I know. My setup is overboard. But I did it more as a learning tool on network security in depth, and how to crack my own network. (The home networks around here are too easy to crack - they did not teach me much.) > Unfortunately, various routers default to being completely insecure, or > ticking a simple "enable security" configuration option puts it into > combined WPA (1) *and* WPA2 mode simultaneously (or WEP & WPA), and the > weaker one ruins any attempt at security. Not to mention the dumb > passwords that some people will use. > I know - I am sometimes guilty of using weak passwords myself. If I do not really care if someone can get access, I do not put a lot of effort into the password. One the other hand, I had to retire one part of my throw-away passwords because my sister got a dog with the same name. (First and last name of a high school girlfriend with a special character made an easy to remember but hard to guess password for some things...) Now, I do have a couple of devices that are only capable of WEP, but they have their own private wireless network in my workshop. It has an old Pentium server, a wireless A access point, and a wireless B access point. No access to the other of the network or the Internet. On top of that, it is usually shut down, unless I want to play. Mikkel -- I haven't lost my mind. It's around here...somewhere. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
