Re: [NTLK] WEP vs Airport

From: Jim Anderson (jiman_at_microsoft.com)
Date: Wed Apr 23 2003 - 10:11:49 PDT


Jon wrote:
<snip>
> Now turn on WEP (40 bit) on the airport, fix the password on the=20
> powerbook and add a hex key to the Newton. Ain't nothing goin nowhere.
>=20
> Try WEP (128 bit) on the airport, fix the password and a new (very=20
> long) hex key. Now some things work:
<snip>
> BTW I used the mac addresses in the back of the orinoco cards=20
> to add to=20
> the restrict list on the airport and it worked! Basically this=20
> restricts which mac addresses are permitted to attach to the=20
> airport -=20
> I haven't seen this mentioned anywhere else but it works fine.

        I just set up my own wireless network a couple of weeks ago, and
I did a bunch of reading up on wireless security. The gist is that the
main reason you want to close your wireless network is to prevent random
folks from using your internet connection to send spam or download nasty
pr0n. Since most wireless APs run wide open (no WEP key, no white list
of MAC addresses), any security you add to yours will make you a much
less attractive target than the guy down the street. Seriously. I took
my Powerbook to work on the bus a few times, and just sat their running
Kismet and watching all the open APs pop up.
        The general consensus on WEP is that it isn't a particularly
good form of encryption. Any size WEP key can be found by sampling
enough packets (the bigger your WEP key, the more packets), but this is
basically just an inconvenience to a dedicated cracker. Setting up a
white list of MAC addresses like you did is much better, especially if
your AP just ignores any packets from a MAC address it doesn't allow (I
don't recall if airports do this). If you turn off SSID broadcasting (I
also don't know if you can do this with an airport), more the better.
        Basically, securing your AP is just a matter of making it really
inconvenient to crack. If you disable SSID, wardrivers won't see it. If
you use a MAC address white list, someone will have to figure out your
white list and spoof a MAC address to even connect. Using WEP means that
they'd then have to capture packets for a while before they could use
your wireless network. The more of these things you do, the more
inconvenient you make it for people to try and crack you.
        Personally, I think just using a MAC address white list like you
do is probably plenty. If I was having problems getting the various
devices to play nice with WEP, I'd just skip it and stick to the white
list.
        The other half of wireless security involves securing your AP
itself against crackers. If it supports remote administration, you might
want to either disable it, or set it to be accessable only to your
private network. Definitely set an admin password. If you don't do this,
then someone could bypass all your nifty security by changing your
airport settings themselves!

        What I did for my own network was to set up the AP as a dumb hub
sitting behind my existing firewall, responding to IP addresses in my
private network IP space. Remote admin is set to only be accessible from
the private network, and has a strong password. The AP uses 128 bit WEP
(if I was using it as a router, I'd prolly use a MAC white list like you
do instead), and broadcasts a non-default SSID (for me, turning this off
was too inconvenient). I don't use DHCP, and I've specified a white list
of private IP addresses that are valid to the firewall. While this isn't
terribly secure, it's better than 90% of the APs I've seen in the
neighborhood, so it's probably good enough. I could do more, but I don't
want to make it too inconvenient for me to use. The way it's set up now,
my Powerbook can automatically see it and connect when I wake it up.

        Hope that helps,
Jim Anderson

Blardy blar blar blar...

-- 
This is the NewtonTalk list - http://www.newtontalk.net/ for all inquiries
List FAQ/Etiquette/Terms: http://www.newtontalk.net/faq.html
Official Newton FAQ: http://www.chuma.org/newton/faq/


This archive was generated by hypermail 2.1.5 : Wed Apr 23 2003 - 10:30:00 PDT