Thanks for your comments. It's just a fairly typical situation, with
people in the vicinity with wireless laptops and a desire to take
reasonable precautions either at work or home, and a few laptops that
can legitimately connect. This is just one layer of the defence; I'm
not particularly paranoid nor do I lose sleep over it, and I'm happy that
there is sufficient protection. It is more that I noted that I wasn't
able to create a connection with AES rather than a desire or requirement
to. And since there have been no responses saying how to do so, I'll
take it all to signal it's time to move on to the next thing!
Cheers,
Roger
Jim Cheetham wrote:
> On Fri, Jan 23, 2009 at 10:01 AM, Roger Searle <[email protected]> wrote:
>> Comments on TKIP+AES vs TKIP vs AES alone would also be welcome, since
>> perhaps TKIP+AES is generally very adequate, being more than TKIP alone?
>
> What are you protecting against? What devices are you going to connect
> to the network?
>
> The smaller devices that want to connect to wireless networks (I'm
> thinking of phones and games consoles) can't always do all of the
> fancy encryption. So make sure that you know what they're going to
> support before getting carried away.
>
> All encryption mechanisms are vulnerable to different attacks; the
> ones that are "safe" now will be crackable in a few months' time. And
> as a general rule, firmware can't be upgraded quickly enough to react.
> So if you really want to be secure, you should not trust the wireless
> encryption alone.
>
> If all you have is larger devices (i.e. Linux, OS X or Windows
> machines) then you can downgrade the security state of the network
> itself, possibly even leaving it open (which makes it easy for friends
> to use their kit at your place). Run a VPN (IPsec is also supported in
> some smaller devices, like iPhones) from each machine back to a
> server, and tell your firewall to block or rate-limit anything that
> isn't VPN'd.
>
> There is also another guideline, which is to not become too
> paranoid. In general, there are so few people out there who really
> want to leech bandwidth, and so many open networks, that even WEP is
> effective at convincing them to leave you alone. But WEP is trivially
> crackable, so any WPA2 at this stage should be enough to raise the bar
> enough to make them move on. You can't make a 'perfect' network, so
> don't worry about it too much :-)
>
> -jim
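Jim's suggestion above (an open or lightly secured wireless segment, with the gateway's firewall letting through only the IPsec VPN traffic back to a server and dropping or rate-limiting everything else) as a worked nftables ruleset. This is an added example, not something posted in the thread; the wireless interface name wlan0, the VPN server address 192.0.2.10, and the assumption that the VPN server sits on the wired side of the gateway are all made up for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: gateway ruleset for an open wireless segment where only
# IPsec to a VPN server is allowed off the wireless interface.
# Interface name and VPN server address are assumptions.
flush ruleset

define WLAN = "wlan0"
define VPN_SERVER = 192.0.2.10

table inet wifi_gate {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Wireless clients may talk to the gateway itself only for DHCP,
        # so they can get an address; no DNS, no admin interface, nothing else.
        iifname $WLAN udp sport 68 udp dport 67 accept
        # Log (rate-limited, so a flood cannot fill the disk) and drop the rest.
        iifname $WLAN limit rate 5/minute log prefix "wifi-input-drop: "
        iifname $WLAN drop
        # Traffic from the wired side is not the subject of this example.
        iifname != $WLAN accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # IKE (UDP 500) and NAT-T (UDP 4500) to the VPN server, rate-limited
        # so an unauthenticated wireless neighbour cannot hammer the IKE daemon.
        iifname $WLAN ip daddr $VPN_SERVER udp dport { 500, 4500 } \
            limit rate 20/second accept
        # ESP (the encrypted tunnel itself) to the VPN server.
        iifname $WLAN ip daddr $VPN_SERVER ip protocol esp accept
        # Nothing else from the wireless side is forwarded anywhere:
        # no Internet, no wired LAN, no other wireless client via the gateway.
        iifname $WLAN limit rate 5/minute log prefix "wifi-forward-drop: "
        iifname $WLAN drop
        iifname != $WLAN accept
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`. A client that has not brought up its tunnel gets an address and nothing more, which is the "block anything that isn't VPN'd" behaviour Jim describes; the two `limit rate` lines on the IKE ports are the "rate-limit" half. If the VPN server is the gateway itself rather than a separate host, the IKE and ESP rules move from the forward chain to the input chain with the same matches. The ruleset says nothing about the link-layer encryption, so WPA2 on the access point can stay on as a second layer without changing anything here.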