On Feb 20, 2005, at 6:15 pm, Kevin Hoskins wrote:

>
> I am creating a wireless network for my G5 and iBook. I have an
> Airport Extreme base station and an Airport Extreme card in each
> computer. From the experienced folks, I would like to see a list of
> settings and procedure for setting them that ensures maximum security
> of the wi-fi transmission. I already know that limiting the network to
> just what I want is as simple as specifying the MAC addresses. But
> what measures (which features and their settings; which encryption
> protocol) do I have to take to ensure that the transmission is not
> intercepted and "read?"

I haven't used the Airport basestation myself, as I live in the UK where most broadband is supplied as ADSL - we usually use a wireless basestation with a DSL modem built-in. But I've installed a number of these for customers and the security principles are the same.

Restricting wireless access by MAC address is, as you have gathered, pretty poor security. Whilst a casual user would be unable to hop on your network, someone with only a couple of years' Linux experience could trivially read all your email, were he malicious enough to monitor your WLAN. With only MAC-restricted security it's a little harder to spoof your MAC address & start downloading from NastyPr0n.com over your connection, but not very much so - there are teenagers in your town with the skills (or 5k1||z, for that matter) for achieving this. If you live in the USA you should be concerned that you, as the account holder, could be subpoenaed by the RIAA should someone hijack your account for downloading music.

For most home wireless networks, any level of encryption is pretty much adequate - it'll ensure that cracking your network is more trouble than it's worth. I install all my customers' networks using 128-bit WEP encryption, but most of them use Windows - since I guess WPA will be easy to admin on Apple Airport (tm), you're probably a bit better off using that.

For the record, I cracked my neighbour's 64-bit WEP in about a week of processing time shared between my DP G4 1.25 & my G4 1.33 Powerbook. I did use the slowest method (brute force) and experimental (probably inefficient) software - but he didn't help himself by choosing 11:22:33:44:55:66 as a key - FF:FF:FF:FF:FF:FF would have taken me much, MUCH longer to get around to trying.

I'd have to Google to tell you with confidence to what degree, but 128-bit WEP encryption should be harder - I have an idea that it's not actually a decent factor, but only twice as hard. Nevertheless, I consider WEP to be plenty to deter your attackers - a decent WEP 128 key would have taken me several weeks to crack using my method; unless you have valuable confidential data, it's probably not worth anyone's time or effort to crack it.

From what I've read WPA is a chunk stronger than WEP - PROVIDED YOU CHOOSE A LONG ENOUGH KEY. I've read that the biggest flaw in WPA is choosing your dog's maiden name as the password, which'll make it less secure than WEP, as WEP enforces a password of at least 40 bits. If you choose "InXanaduDidKhublaKahnAStatelyPleasureDomeDecree" (I have no idea whether WPA allows spaces, so I'll assume not) or some other lyric you should be able to sleep very safely at night.

Stroller.
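
An added example, not part of the message above: Python code that checks a WPA passphrase against the IEEE 802.11i rules (8 to 63 printable ASCII characters) and derives the network key from it the way WPA-PSK does (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations). The function names, the SSID "HomeNet", the spaced variant of the lyric and the short password are constructed for illustration.

```python
import hashlib

# IEEE 802.11i limits for an ASCII WPA passphrase
MIN_LEN, MAX_LEN = 8, 63


def check_passphrase(passphrase: str) -> list:
    """Return a list of problems; an empty list means WPA accepts the passphrase."""
    problems = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append(
            f"length {len(passphrase)} is outside {MIN_LEN}-{MAX_LEN} characters"
        )
    # Printable ASCII only (codes 32-126). Code 32 is the space, so spaces are allowed.
    bad = sorted({c for c in passphrase if not 32 <= ord(c) <= 126})
    if bad:
        problems.append(f"characters outside printable ASCII: {bad!r}")
    return problems


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key used by WPA-PSK.

    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output.
    The SSID is the salt, so one passphrase gives a different key per network name.
    """
    problems = check_passphrase(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


if __name__ == "__main__":
    lyric = "InXanaduDidKhublaKahnAStatelyPleasureDomeDecree"  # from the message
    spaced = "In Xanadu did Khubla Kahn a stately pleasure dome decree"  # constructed
    short = "rover"  # constructed: too short for WPA
    for candidate in (lyric, spaced, short):
        print(repr(candidate), check_passphrase(candidate) or "ok")
    print("PMK for SSID 'HomeNet':", derive_pmk(lyric, "HomeNet").hex())
```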