I have a feeling that I shouldn't be responding to this, but here goes... gerph;266945 Wrote: > Whether you (or others) view them as no security or not, I still > think... You are of course free to implement whatever security you feel is appropriate for your network. Doesn't make it more secure - but it may make you feel more secure. And really, that is the danger.
My major objection to this (and other bogus security measures) is that they are often mentioned (not by you, I hasten to add) as being necessary - but before any mention of 'proper' wireless security measures, by which I mean encryption, which in the IEEE schemes also includes authentication. gerph;266945 Wrote: > ...clearly if you feel strongly enough to lecture those who are > technical enough to be doing the Jive testing... I'm quite willing to acknowledge your superior knowledge of Jive. But please don't assume that others are not also 'technical enough' - that would be a mistake. I must confess to using non-technical terms when referring to WPA, since although it's a marketing term of the Wi-Fi Alliance, it's widely used. But what is "WPA2 TKIP"? Might I suggest IEEE 802.11i as light bedtime reading :) [No, I didn't miss the smiley. Don't miss mine either] ceejay;266999 Wrote: > In a given situation, what are the chief risks and how do you protect > against them? Indeed. As you imply, security is a process of risk management - identifying risks, and assessing and mitigating against them. In the case of wireless security the major risks are of unauthorised access (mitigated by authentication) and compromised privacy (mitigated by encryption). Both of these are satisfied by WPA and WPA2 (I use this terminology as shorthand for the less familiar RSNA / CTR with CBC-MAC Protocol (CCMP) etc), which despite (in non-IEEE 802.1X usage) using a PSK, provide both robust authentication and encryption. WEP is still included in IEEE 802.11i as a Pre-RSNA technique, despite its compromised authentication and weak encryption. The weakness of WEP and its vulnerability to cracking has been well publicised; it is perhaps not appreciated that it provides better security that MAC address filtering. ceejay;266999 Wrote: > ...the chances are quite high that there is someone within range who has > the skills to break anything less than WPA2 To the very best of my knowledge, TKIP using a long passphrase (IEEE 802.11i recommends > 20 characters) has not been cracked. You are safe when using WPA-PSK - but use a long, non-dictionary passphrase. You are safe when using both WPA2 and (when using an appropriate passphrase) when using WPA(1). But as is widely appreciated, you are not safe when using WEP, which can be cracked using commonly available tools. However, this does require a concerted effort - and it is not possible to 'accidentally connect' to a network which uses WEP. ceejay;266999 Wrote: > My main risk is that one of them, in ignorance, attaches to my network > instead of theirs and, in the process of blundering around, does some > damage. For this risk MAC filtering is a perfectly adequate > protection. You use the analogy of an internal door lock. I suggest that the analogy for MAC address filtering is more like removing the number from the front door. The house still has a number, those who know it can still find the house, the mail still gets delivered. And reading the address on the outside of an envelope immediately reveals the house number. It really is no protection - not adequate at all. Indeed it's easier to implement WEP encryption (which offers some degree of protection) than to implement MAC address filtering, and will ensure that accidental connection is impossible. Suffice to say that MAC address filtering is not included in IEEE 802.11i; WEP encryption is. [Aside: in this variant of the 'house' analogy, SSID 'hiding' would be akin to turning off the porch light.] You may feel that MAC address filtering is easy to set up, but that depends on the scale of the network. Up to 10 devices perhaps; more than this, or with a changing device population, it becomes a right pain. For example, my network consists of small 'clusters' of devices (typically 2 PCs, 1 print server) connected to an Ethernet switch. Also connected to the switch is an Ethernet-wireless bridge, which provides wireless network access for all devices behind the switch. The IEEE 802.11 MAC frame has 4 address fields - when using bridging, all 4 are used, which means that not only must the (wireless) MAC address of the bridge be specified to the MAC address filter, but also the (Ethernet) MAC address of all devices behind the switch. Apart from all the devices that I have for business use, for family use the 'clusters' typically have 1 PC, 1 games console, 1 print server. And of course there's my newly acquired NAS and SB3. Together this adds up to an awful lot of MAC addresses, not counting the laptop population which fluctuates from day to day. Frankly, that's an awful lot of configuring on the router... I raise this as a small illustration of why MAC address filtering - apart from being, IMNSHO, worthless as a 'security' measure - is impractical even on a modest sized network. ceejay;266999 Wrote: > ...people who have had wireless problems and, in the process of > troubleshooting, have had to temporarily turn encryption off. A good point - but one which should be addressed by risk assessment. My view (perhaps cavalier, since I haven't undertaken any assessment and am not aware of individual circumstance) is that the risk is sufficiently low that that 'no encryption' for a short period is a minimal risk. YMMV of course. Kind regards -- rperkin ------------------------------------------------------------------------ rperkin's Profile: http://forums.slimdevices.com/member.php?userid=15079 View this thread: http://forums.slimdevices.com/showthread.php?t=43210 _______________________________________________ jive mailing list [email protected] http://lists.slimdevices.com/cgi-bin/mailman/listinfo/jive
