All this talk of locking networks down is odd for an open source community. (Business networks are different) I run dd-wrt running nocat auth w/ 5 wds nodes placed around the block. At any given time i have a half dozen people who I don't know doing I don't know what on my network. I don't block p2p, smtp .... anything. I even have my printer on the network w/ instructions on how to print to it. Am I personally at risk? Yes. But I think it is a small price to pay to cultivate an open community where information isn't kept from others. -bazooka 2008/1/24 Mikkel L. Ellertson <mikkel@xxxxxxxxxxxxxxxx>: > Dave Ihnat wrote: > > > > Similarly, leaving SSID on doesn't stop the determined hacker with tools. > > But none of the common WiFi connection agents on laptops will show a > > non- broadcast SSID; you have to go out, get the tools, and work on it. > Well, the connection management for XP that came with my Toshiba > laptop do show access points that do not broadcast their SSID. I > would have to check, but I think the connection management software > supplied by AT&T if you have their WiFi service will also do this. > (I have to connect to an AT&T access point to re-activate the software.) > > > Restricting MAC addresses can easily be overcome--but you have to have > > gotten the tools to do so. > Getting around the blocking of a specific MAC address is easy with > the standard tools on both Linux and Windows. To discover the MAC > addresses in use does require a bit of work, but the software is so > easy to find. So that is about like closing your door - it keeps > people from wandering in, but not much else. So it may or may not be > worth the effort. If you have visitors that you want to give access, > it is a lot more complicated then just giving then a USB key with > the network configuration, or a pass phrase so that they can hook > up. You also have to copy their MAC address to the router. > > What I am trying to say is that things like this can be handy in > keeping honest people honest, but they may not be worth the trouble. > Things like disabling the SSID can cause you trouble without adding > any benefit. Changing the default SSID will stop accidental > connections, and allow auto-connection by authorized computers. But > you are not talking about something that will slow down someone > trying to crack your network. The danger is in someone thinking that > it will, and not taking real security precautions. > > It can also backfire on you, in that it can make you a more tempting > target for someone that is learning to crack wireless networks, > because it is more of a challenge then an open network, but is not > as intimidating as a WPA protected network. (Or I got this neat > script that is supposed to grab the SSID and MAC address of the > wireless connection. Here is one that is not broadcasting its SSID, > lets try it out.) > > > DHCP--eh, it's too convenient to get rid of. > > Logging--preferably with forwarding to an internal system--is useful. > > But after all of these, let the cracker find the WPA encryption behind > > all the lightweight stuff. You've got to have someone who really wants > > into your network at that point. > > > The trick is to secure your wireless network without making it too > inconvenient for you to use. After all, if you wanted it totally > secure, you would turn off the wireless part of the router > completely, or only turn it on when you need it. You can also take > some of the more complicated measures, like only allowing VPN > connections between computers on your network, or putting a firewall > between the wireless router and the rest of hte local network. > > > Mikkel > -- > > Do not meddle in the affairs of dragons, > for thou art crunchy and taste good with Ketchup! > > > -- > fedora-list mailing list > fedora-list@xxxxxxxxxx > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list > -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
