[PLUG] Wireless Access Point Security

Tim tim-pdxlug at sentinelchicken.org
Sun Apr 25 00:10:33 UTC 2010


Hello all,

Many of the other posters covered several points on what I'm about to
say, but I'll summarize my thoughts briefly.  I've done a number of
wireless penetration tests in the past and I keep up with many of the
cryptographic details related to the current protocols.


> > We talked about that at the clinic and ruled it out as a false sense
> > of security since someone with the right equipment could observe
> > what MAC addresses are being used and spoof one of them.

This is very true.  It is trivial to spoof MAC addresses under Linux,
without any special equipment.  MAC address filtering provides the
security of Telnet, so it's not worth the effort and maintenance.


> At some point you need to compare the cost of all these security
> measures to their supposed benefit. What is the probability that
> anyone cares enough about gaining access to your network that they'd
> go to all the trouble of sniffing out the SSID, MAC addresses,
> cracking your WEP, etc.? Rather quite low, I'd bet. It may be a better
> use of your time to focus on host security instead.

The problem with this argument is the assumption that doing this stuff
is "hard".  Even if the attacks are complex for a computer, if
push-button tools let you do it with little effort and maybe a few
hours of sniffing/cracking, then the bar is still pretty low.  

What would an attacker want from Richard's network?  Who knows.  Maybe
just free bandwidth, or a way to anonymize other illegal activities.
Maybe the gain isn't worth the effort, but with many insecure wireless
(WEP included) networks, the effort is really small to begin with.

Here's what I recommend for security:

- Forget about signal strength and when it might drop off.  This only
  stops people who don't have big antennas.

- Don't bother with WEP.  It's essentially completely broken in
  multiple ways.

- Avoid WPA1 if you can.  It's a badly designed protocol with elements
  of backward compatibility from WEP.  It's not totally broken yet,
  but there are certain attacks and published tools out there.

- WPA2 (specifically CCMP) should be solid.

- Be sure to pick a network SSID which is not common.  Then pick a
  good password for the network.  In order to brute-force a password
  with WPA, one needs to incorporate the SSID into the process, so
  precomputation attacks on your network can be thwarted by picking an
  uncommon SSID.  (In other words, don't leave it as "linksys" or
  something like that.)

- If your AP software doesn't support WPA1/2, then consider
  firewalling off access and only allow routing via OpenVPN.  It's
  quite good and not terribly difficult to set up.


Hope that helps Richard and anyone else with a wireless network.
tim
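Added worked example (not part of Tim's post or of any tool he mentions): the SSID advice above comes from the way WPA/WPA2-Personal derives its Pairwise Master Key, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). Because the SSID is the salt, a table of PMKs precomputed for "linksys" is useless against a network with a different name, and the attacker is back to 4096 HMAC-SHA1 rounds per guess. The wordlist, the SSID "pdx-lug-42" and the passphrase "sunshine" are constructed for the demo; the "password"/"IEEE" vector is the published 802.11i test vector.

```python
import hashlib

# WPA/WPA2-Personal (802.11i) passphrase-to-PMK parameters.
WPA_PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # 256-bit PMK


def wpa_pmk(passphrase, ssid):
    """Derive the WPA/WPA2-Personal PMK from a passphrase and SSID.

    The SSID acts as the PBKDF2 salt, which is why precomputed tables are
    only valid for the exact SSID they were built for.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        WPA_PBKDF2_ITERATIONS,
        PMK_LEN,
    )


def build_pmk_table(ssid, wordlist):
    """Precompute PMKs for one SSID: the expensive step done once, offline."""
    return {wpa_pmk(word, ssid): word for word in wordlist}


def table_lookup(table, pmk):
    """Instant lookup instead of 4096 HMAC-SHA1 rounds per candidate.

    A real attacker checks each candidate PMK against the captured 4-way
    handshake (PTK derivation + EAPOL MIC); comparing PMKs directly stands in
    for that step here.
    """
    return table.get(pmk)


def precomputation_demo():
    """Show a 'linksys' table hitting a 'linksys' network and missing an
    uncommonly named one that uses the very same weak passphrase."""
    # Constructed toy wordlist; a real one holds millions of entries.
    wordlist = ["password", "letmein1", "qwerty123", "sunshine"]
    table = build_pmk_table("linksys", wordlist)

    # Victim networks, both using the weak passphrase "sunshine" (constructed).
    common_ssid_pmk = wpa_pmk("sunshine", "linksys")
    uncommon_ssid_pmk = wpa_pmk("sunshine", "pdx-lug-42")

    return {
        "common_ssid_hit": table_lookup(table, common_ssid_pmk),      # "sunshine"
        "uncommon_ssid_hit": table_lookup(table, uncommon_ssid_pmk),  # None
        "pmks_differ": common_ssid_pmk != uncommon_ssid_pmk,          # True
    }


if __name__ == "__main__":
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    for k, v in precomputation_demo().items():
        print(k, "=", v)
```

Note what the uncommon SSID does and does not buy you: it defeats tables built in advance for popular SSIDs, but an attacker who has captured your handshake can still run a dictionary attack salted with your SSID at 4096 iterations per guess, so the second half of Tim's advice (a good passphrase) is what actually stops that.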
