You really can go too far, and wireless security is a prime example of pointless defence in depth. All that not using a ESSID broadcast, no DHCP, MAC address filtering do is the raise the time and hassle it takes to get on the network. Which means that there is (or soon will be) a script somewhere that will do all this hassle in a few seconds.
The only thing you need to do is to configure well the single defence which can't be subverted: only offer WPA2 with CCMP (which includes AES encryption) for connecting to the access point. For a home you'd use WPA2-PSK (pre-shared key). Make that secret key random and long (more than 40 characters). But there's little security reason not to put that password on a post-it note on the access point for the convenience of visitors. Then you can run ESSID broadcast and DHCP and your valid machines will automatically connect when they see the network. Security and convenience. From a IP point of view, the aim is to limit the broadcasts on the wireless LAN, since 802.11 performs poorly when broadcasting. So the WLAN gets its own routed subnet. It gets DHCP responses containing the address of a Samba WINS server. Then Windows machines don't broadcast service information, but use unicast to register them with the WINS server. [ Note that Windows machines need Xp SP3 or a download for Xp SP2 to run WPA2. Also the authentication is limited to pre-shared key (PSK, which is OK) or protected EAP (PEAP, which has a designed-in security issue). Linux's Network Manager/wpa_supplicant supports WEP/WPA/WPA2 and all authentication methods which uses passwords or secrets. Note that older chipsets won't support AES and performance can suffer when the WPA2 AES encryption is done by software instead. If you find youself being dragged along by the Dungeons and Dragons crowd to the shops one day, then grab a pair of 16-sided dice. Each throw will give one byte of randomness for keys.] -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
