[geeks] cheap 802.11?

David L Kindred (Dave) d.kindred at telesciences.com
Fri Feb 28 16:43:20 CST 2003


>>>>> "Gary" == Gary Nichols <gary at linuxforce.org> writes:

    Gary> On Fri, 28 Feb 2003, David L Kindred (Dave) wrote:
    >> Besides, WEP should still always be configured as your
    >> least-common-denominator and first line of defense, should it
    >> not?  The first thing I was ever taught about security is
    >> "defense in depth".

    Gary> Absolutely.

Actually, I meant it as a rhetorical question, but that's okay.  I was
thinking of the case where people don't use something at all because it
isn't perfect, when it may just well have been Good Enough.

    Gary> 1> Don't broadcast your ESSID please. [0]

It's a shame this option didn't exist since day one.  It probably makes
sense to change the ESSID periodically too, anything to slow the bad
guys down.

    Gary> 2> Use 128-bit WEP (with a decent key) and change your key
    Gary>    periodically!

We really need help from the vendors (dare I say even from MS) to
facilitate this.  The process of changing the key is just too much more
painful than it should be, especially with a roaming workforce and
"remote" APs.  If there were an easy client program to load a new key,
or support for "current" and "pending" keys, it would be much nicer.
Perhaps even better would be some sort of key-per client scheme, so you
wouldn't have to do a simultaneous cut-over.

    Gary> 3> Use encryption between client and gateway just past the access
    Gary>    point.

Only works if all of the clients can handle it.

    Gary> 4> Firewall off your AP from your network only allowing the
    Gary>    secure traffic.

Usage and traffic logging here will help too, even if it doesn't prevent
a problem it will let you catch it.

    Gary> 5> Bonus: add a honeypot to your wireless realm and watch the
    Gary> fun!

In my mind a honeypot is just more work...I'm short on time as it is.

    Gary> [0] If your AP vendor doesn't give you this option in the
    Gary> firmware, upgrade your firmware or choose another brand.  No
    Gary> point in advertising yourself to everyone!

The hard part here is gaining access to the "remote" APs.  I think too
many of the APs were rushed to market without ever being "finished",
thus requiring too many upgrades.


-- 
David L. Kindred <mailto:d.kindred at telesciences.com>
Unix Systems & Network Administrator
Telesciences, Inc. <http://www.telesciences.com>
Support: <http://support.telesciences.com>
2000 Midlantic Drive, Suite 410, Mt. Laurel, NJ 08054
Tel: +1.856.866.1000 ext. 4184
Fax: +1.856.866.0185
---
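The firewall-plus-logging arrangement from points 3 and 4 of the thread, written out as an added example; this is not code from the original post or from either correspondent. It assumes a Linux gateway between the AP and the wired LAN, with the AP hanging off wlan0, the LAN on eth0, and an IPsec VPN gateway at 192.0.2.1 (IKE on udp/500, NAT-T on udp/4500, ESP); all of those names and addresses are hypothetical. The rules are emitted rather than applied so they can be reviewed first, and the summary function shows what the LOG rule buys you: a client that is poking at the LAN instead of bringing up its tunnel stands out in the drop counts. The sample syslog lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Interfaces and the VPN
# gateway address are hypothetical; override them in the environment.
WLAN_IF="${WLAN_IF:-wlan0}"
LAN_IF="${LAN_IF:-eth0}"
VPN_GW="${VPN_GW:-192.0.2.1}"

# Emit the iptables commands instead of running them, so the ruleset can be
# read (or diffed against the last version) before it is applied as root
# with:  wlan_fw_rules | sh
wlan_fw_rules() {
    cat <<EOF
# create the dedicated chain, or flush it so re-running the script is safe
iptables -N WLAN_IN 2>/dev/null || iptables -F WLAN_IN
# every packet arriving from the wireless side goes through WLAN_IN,
# whether it is for the gateway itself (INPUT) or for the LAN (FORWARD)
iptables -D FORWARD -i $WLAN_IF -j WLAN_IN 2>/dev/null
iptables -I FORWARD 1 -i $WLAN_IF -j WLAN_IN
iptables -D INPUT -i $WLAN_IF -j WLAN_IN 2>/dev/null
iptables -I INPUT 1 -i $WLAN_IF -j WLAN_IN
# clients need an address before they can bring the tunnel up
iptables -A WLAN_IN -p udp --sport 68 --dport 67 -j ACCEPT
# only the VPN handshake and the tunnel itself may reach the gateway
iptables -A WLAN_IN -p udp -d $VPN_GW --dport 500 -j ACCEPT
iptables -A WLAN_IN -p udp -d $VPN_GW --dport 4500 -j ACCEPT
iptables -A WLAN_IN -p esp -d $VPN_GW -j ACCEPT
# replies to flows the gateway already allowed are fine; nothing else is
iptables -A WLAN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
# log what is refused, rate-limited so a flood cannot fill the disk
iptables -A WLAN_IN -m limit --limit 10/min -j LOG --log-prefix "WLAN-DROP: "
iptables -A WLAN_IN -j DROP
EOF
}

# Constructed sample syslog lines in the shape the LOG rule above produces
# (the LAN addresses and timestamps are made up for the example).
SAMPLE_LOG='Feb 28 16:43:20 gw kernel: WLAN-DROP: IN=wlan0 OUT=eth0 SRC=10.9.8.7 DST=192.168.1.10 PROTO=TCP SPT=3421 DPT=445
Feb 28 16:43:21 gw kernel: WLAN-DROP: IN=wlan0 OUT=eth0 SRC=10.9.8.7 DST=192.168.1.11 PROTO=TCP SPT=3422 DPT=445
Feb 28 16:43:25 gw kernel: WLAN-DROP: IN=wlan0 OUT=eth0 SRC=10.9.8.20 DST=192.168.1.10 PROTO=UDP SPT=137 DPT=137'

# Read syslog on stdin and print "<dropped packets> <wireless source>",
# busiest source first, so a client scanning the LAN is easy to spot.
wlan_drop_summary() {
    grep 'WLAN-DROP:' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Example run:  wlan_fw_rules > /tmp/wlan.rules  (review, then: sh /tmp/wlan.rules)
#               printf '%s\n' "$SAMPLE_LOG" | wlan_drop_summary
```

The chain is hooked into both INPUT and FORWARD so that a wireless client cannot reach services on the gateway box itself either; everything that is not DHCP, IKE or ESP to the VPN gateway is logged and dropped. On a current kernel `-m conntrack --ctstate` replaces the older `-m state --state` match, but the rule is otherwise the same.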