Daniel beat me to the punch on all counts, and I have to agree. Locking down MAC addresses and not using DHCP are probably the most easily circumvented - the former can be done by just configuring your NIC with that MAC address, and overriding a fixed IP address is basically as trivial as responding to ARP requests quicker than the real guy ;-)
I have to admit I am slightly lazy at home and using WEP - my previous excuse was that I had some devices that didn't support WEP (and that WPA support on Linux was poor) but I think I probably can't call on that one now.

Martin

On Tue, Jun 17, 2008 at 3:10 PM, Daniel Pittman <[EMAIL PROTECTED]> wrote:
> DaZZa <[EMAIL PROTECTED]> writes:
>
> > On Tue, Jun 17, 2008 at 2:49 PM, Rick Welykochy <[EMAIL PROTECTED]>
> > wrote:
> >>> You should make sure you take the simple steps which *everyone*
> >>> running wireless should do.
> >>>
> >>> 1) Disable SSID broadcast
> >>> 2) Disable DHCP unless you absolutely *have* to use it.
> >>
> >> Already do the above two. SSID should only be used for public nets,
> >> I presume. And no DHCP.
> >
> > Only for nets you *want* to be open for potential unauthorised use.
>
> Hiding the SSID doesn't add any significant security because...
>
> > Even in "public" nets, I disable it, and require potential users to
> > come ask for the SSID before connecting.
>
> ...you can sniff it out of the air, using tools such as kismet.
>
> You may get less drive-by connection attempts, but it will not secure
> the network any further.
>
> Oh, and neither will avoiding DHCP: it is a trivial inconvenience, since
> kismet and friends will sniff your network details over the air also.
>
> >>> 3) Make the Wireless subnet as small as you can possibly go for the
> >>> number of machines you have. The one I use at home is set to
> >>> 192.168.25.0 with a 255.255.255.252 netmask - leaving room for only
> >>> the router's IP address, and the one machine I have running wireless.
> >>> The cable LAN segment has a completely different range.
> >>
> >> Excellent advice. Thanks. I am completely statically addressed here
> >> with a number of machines. I'll partition the address space and separate
> >> out the cabled LAN.
> >
> That shouldn't make much difference to security, because by the time
> someone has broken it to have access to the IP level you have already
> lost, more or less.
>
> This will make it marginally inconvenient for someone to abuse your
> service, but only marginally. Just like DHCP it really doesn't add
> anything but momentary inconvenience.
>
> [...]
>
> >>> 4) Use WPA or WPA2. WEP is badly broken, and was cracked years ago.
> >>
> >> Will do. It's long overdue. Laziness == !Secure.
> >
> > Yup. No argument with that one.
>
> These will add real security and are very valuable. I like WPA2
> "Enterprise", backed with a real username and password database, and a
> real authentication protocol, but a shared key is probably good enough.
>
> [...]
>
> >> But I will remain vigilant and implement as much security as
> >> possible.
> >
> > Constant vigilance!
>
> Heh. :)
>
> Regards,
> Daniel
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>

--
Regards, Martin

Martin Visser
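Martin's remark about a fixed IP being overridden at the ARP layer is exactly the condition tools like arpwatch exist to catch. As an added example that is not part of this thread or of arpwatch itself, here is a small Python monitor in that spirit: it parses ARP reply lines in the layout `tcpdump -n -e arp` prints (that layout, and the made-up addresses in the sample, are assumptions), keeps the MAC each IP was last answered by, and raises an alert when a different MAC starts answering for the same IP. The alert wording borrows arpwatch's "changed ethernet address" and "flip flop" terms.

```python
"""Toy ARP-binding monitor in the spirit of arpwatch (added example, not the
project's or the thread's code). Two hosts answering ARP for one IP shows up
on the wire as a single IP claimed by two MACs, which is what this flags."""
import re
from dataclasses import dataclass, field

# Constructed sample (hypothetical addresses) in the layout `tcpdump -n -e arp`
# is assumed to print: the gateway 192.168.25.1 is answered by its real NIC,
# then by a second MAC claiming the same IP, then by the real NIC again.
SAMPLE_LINES = """\
12:00:00.000000 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ARP, Reply 192.168.25.1 is-at 00:11:22:33:44:55, length 28
12:00:01.000000 66:77:88:99:aa:bb > 00:11:22:33:44:55, ARP, Reply 192.168.25.2 is-at 66:77:88:99:aa:bb, length 28
12:00:02.000000 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ARP, Reply 192.168.25.1 is-at 00:11:22:33:44:55, length 28
12:00:02.500000 de:ad:be:ef:00:01 > 66:77:88:99:aa:bb, ARP, Reply 192.168.25.1 is-at de:ad:be:ef:00:01, length 28
12:00:03.000000 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ARP, Reply 192.168.25.1 is-at 00:11:22:33:44:55, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*?ARP, Reply "
    r"(?P<ip>\d+(?:\.\d+){3}) is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(text):
    """Return (timestamp, ip, mac) for every ARP reply line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            out.append((m["ts"], m["ip"], m["mac"].lower()))
    return out


@dataclass
class ArpMonitor:
    current: dict = field(default_factory=dict)  # ip -> MAC that last answered for it
    history: dict = field(default_factory=dict)  # ip -> every MAC ever seen answering
    alerts: list = field(default_factory=list)   # (ts, kind, ip, old_mac, new_mac)

    def observe(self, ts, ip, mac):
        seen = self.history.setdefault(ip, set())
        prev = self.current.get(ip)
        if prev is not None and prev != mac:
            # arpwatch's vocabulary: a MAC never seen for this IP is a
            # "changed ethernet address"; a return to an earlier MAC is a
            # "flip flop", the classic sign of two hosts fighting over one IP.
            kind = "flip flop" if mac in seen else "changed ethernet address"
            self.alerts.append((ts, kind, ip, prev, mac))
        seen.add(mac)
        self.current[ip] = mac


def scan_capture(text):
    """Feed every parsed reply through a fresh monitor and return its alerts."""
    mon = ArpMonitor()
    for ts, ip, mac in parse_arp_replies(text):
        mon.observe(ts, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for ts, kind, ip, old, new in scan_capture(SAMPLE_LINES):
        print(f"{ts} {ip}: {kind} {old} -> {new}")
```

Against the sample this reports the impostor at 12:00:02.5 and the flip flop back to the real NIC half a second later. The first alert is the one worth paging on; on a real segment the same logic sits behind a live `tcpdump` pipe, or you simply run arpwatch, which is the point of the thread: once someone can associate, static addressing does nothing at this layer, so watch it rather than rely on it.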
