Overclockers Australia Forums
Old 2nd November 2009, 9:36 AM   #1
Aratama_Bashi Thread Starter
quick wifi question

hey all

does using an ACL on wifi, in addition to the security/encryption, make the network a little bit more secure, or a lot more secure?

tia
Old 2nd November 2009, 3:33 PM   #2
muzzymurray

I personally wouldn't bother. There is no way anyone should be reasonably able to crack WPA+AES. Even WPA+TKIP with a good password is probably impossible with current techniques.
Old 2nd November 2009, 4:08 PM   #3
caspian

if anyone feels like going all |337 at this stage, note the use of the word "reasonable". TKIP with a strong password will provide more than adequate protection unless you're protecting something commercial, in which case there would be commercial solutions available.
Old 2nd November 2009, 4:12 PM   #4
danyell

Quote:
Originally Posted by caspian View Post
if anyone feels like going all |337 at this stage, note the use of the word "reasonable". TKIP with a strong password will provide more than adequate protection unless you're protecting something commercial, in which case there would be commercial solutions available.
thirded

AES also adds additional overhead, therefore diminishing throughput. don't broadcast your ssid, lock down mac address ACL, strong password !@$FReeN0itsN0t%F(()blahblah$%DDisag00ds1ze1821#

done for you
Old 2nd November 2009, 7:28 PM   #5
Aetherone

Quote:
Originally Posted by Aratama_Bashi View Post
an ACL on wifi
Will be about as useful as SSID hiding or MAC limits ... <3 seconds of delay for anyone capable and ~10 minutes for anyone wanting to break in with access to google.

WPA in some form with a long password and non-stock SSID is the way to go.
Old 3rd November 2009, 12:00 PM   #6
Aratama_Bashi Thread Starter

thanks guys, appreciate it.

Quote:
Originally Posted by danyell View Post
thirded

AES also adds additional overhead, therefore diminishing throughput. don't broadcast your ssid, lock down mac address ACL, strong password !@$FReeN0itsN0t%F(()blahblah$%DDisag00ds1ze1821#

done for you
but now you know my password!!!

heheh
Old 3rd November 2009, 12:45 PM   #7
alvarez

Quote:
Originally Posted by Aetherone View Post
Will be about as useful as SSID hiding or MAC limits ... <3 seconds of delay for anyone capable and ~10 minutes for anyone wanting to break in with access to google.

WPA in some form with a long password and non-stock SSID is the way to go.
Second, this is the best realistic approach.
SSID hiding and MAC filtering are useless; it takes seconds to break them. Security through obscurity is no security at all.

I would be using AES also. The effect on throughput would be marginal, and it is wireless we are talking about; it's more than fast enough to share internet, and if he wanted throughput he would be using Ethernet.

And to answer the original question, it depends on how it's implemented. MAC filtering is useless. You could make a subnet with only the allowed amount of computers, which is a bit more practical; from there you are looking at enterprise solutions, which are a whole other kettle of fish.
Old 3rd November 2009, 10:57 PM   #8
callan

**sigh.

AES is faster, and TKIP, whilst not technically cracked, can be (at least theoretically) tapped/monitored.

There is no reason NOT to use AES for wireless and, being both more secure AND faster, you'd be a doofus to keep TKIP enabled.

Ooroo
Callan

Edit: hiding SSIDs and using ACLs is totally and utterly useless from a security perspective. You should always change your SSID from the default (as a hash of the SSID is used as "salt" for encrypting network traffic, and using default SSIDs thus compromises the cryptographic integrity and shortens the time needed to crack a WPA key) but leave it broadcast - it's handy to set up gear, and does not compromise your setup (i.e. if your setup relies on SSID being hidden, you're fucked - it can always be sniffed).
Old 4th November 2009, 5:59 AM   #9
Aetherone

Quote:
Originally Posted by callan View Post
a hash of the SSID is used as "salt" for encrypting network traffic, and using default ... shorten the time needed to crack a WPA key
Two words are enough to describe why - "rainbow tables".

ps. the correct term should be "brute force". WPA does not have any vulnerability so elegant as to be described as a "crack".
Aetherone is offline   Reply With Quote
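
The SSID-as-salt point from posts #8 and #9, as an added example that is not part of any post in this thread: WPA/WPA2-PSK derives its 256-bit master key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so a table precomputed for one SSID does not match once the SSID changes. The SSIDs, candidate passphrases and helper names below are constructed for illustration.

```python
import hashlib

# Illustrative stock SSIDs (assumed sample, not an exhaustive list).
STOCK_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}
# Constructed candidate passphrases standing in for a shared word list.
CANDIDATES = ["password", "letmein123", "qwertyuiop"]


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 32-byte output (IEEE 802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, 4096, 32)


def precompute(ssid: str, candidates: list[str]) -> dict[bytes, str]:
    """PMK -> passphrase table. The salt makes it valid for one SSID only."""
    return {wpa_pmk(p, ssid): p for p in candidates}


def review(ssid: str, passphrase: str, table: dict[bytes, str]) -> list[str]:
    """Defender-side check of one SSID/passphrase pair against a table."""
    findings = []
    if ssid in STOCK_SSIDS:
        findings.append("stock SSID: tables precomputed for it are reusable")
    if wpa_pmk(passphrase, ssid) in table:
        findings.append("passphrase is covered by the precomputed table")
    return findings


if __name__ == "__main__":
    table = precompute("linksys", CANDIDATES)  # built once, for one SSID
    cases = [
        ("linksys", "letmein123"),            # stock SSID, listed passphrase
        ("shed-ap-7f3a", "letmein123"),       # same passphrase, unique SSID
        ("linksys", "c0rrect-h0rse-battery-staple-1821"),  # long passphrase
    ]
    for ssid, pw in cases:
        print(f"{ssid!r:16} {pw!r:38} -> {review(ssid, pw, table) or 'no findings'}")
```

A unique SSID only removes the shared-table shortcut; a passphrase from a common word list is still weak on any SSID, which is why the long passphrase matters more.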
Old 4th November 2009, 7:28 AM   #10
Doc-of-FC

Quote:
Originally Posted by danyell View Post
AES also adds additional overhead, therefore diminishing throughput.
Quote:
Originally Posted by callan View Post
**sigh.

AES is faster, and TKIP, whilst not technically cracked, can be (at least theoretically) tapped/monitored.

There is no reason NOT to use AES for wireless and, being both more secure AND faster, you'd be a doofus to keep TKIP enabled.
+1

danyell, do some throughput tests and you will find that AES is indeed far superior to TKIP; most wireless access points do the Rijndael encryption in hardware, TKIP is software only.

if your wireless infrastructure crashes or freaks out on WPA2-AES (I've seen D-link devices do this), it's faulty.
Old 4th November 2009, 8:25 AM   #11
callan

I suppose, responding to the OP's question. - No - adding an ACL to your wireless access point won't sensibly increase your security. It will make it a lot harder to administer and, if the network is already compromised to the point that MAC addresses are an issue, does nothing to make the network more secure - MAC addresses can be both trivially SNIFFED, and SPOOFED.

Don't bother.

Ooroo
Callan
Old 4th November 2009, 9:22 AM   #12
HUMMER

most people would not bother with a locked wifi when there are plenty open wifi's around.
Old 4th November 2009, 10:10 AM   #13
caspian

I bother, but hidden SSID and WPA-TKIP does me just fine - and there's ACL, DHCP off, client IP pool lockdown and other methods left if required.

as I said earlier about these conversations spearing off into pointless |337ness, the vast, vast majority of the time there is simply no need. all you're doing in an urban environment is stopping some random who just bought a laptop with wifi from leeching, you're not going to be fending off an attack.
Old 4th November 2009, 10:32 AM   #14
HUMMER

Quote:
Originally Posted by caspian View Post
I bother, but hidden SSID and WPA-TKIP does me just fine - and there's ACL, DHCP off, client IP pool lockdown and other methods left if required.

as I said earlier about these conversations spearing off into pointless |337ness, the vast, vast majority of the time there is simply no need. all you're doing in an urban environment is stopping some random who just bought a laptop with wifi from leeching, you're not going to be fending off an attack.
exactly. OP it's not like you have government secrets that you are keeping in your PC. most people will not bother to break into your secured wifi when there's plenty of open ones as most are only there to leech.
Old 4th November 2009, 7:55 PM   #15
caspian

hell, I can find three unsecured networks from here with the poxy inbuilt laptop antenna, and if I fling the card and external antenna in it the count goes to six. and I haven't gotten off my arse from my desk yet.

protip - if you're wardriving, the houses with the fat drop wire have cable. actually considerably slower than my ADSL2+, but if that goes down at an inopportune moment it's not a great difficulty to find some...