From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [way OT] Authenticating in a wireless home network
Date: Mon, 25 Feb 2013 06:56:44 +0000 [thread overview]
Message-ID: <201302250656.58002.michaelkintzios@gmail.com> (raw)
In-Reply-To: <512AD3E8.6040006@gmail.com>
On Monday 25 Feb 2013 03:00:56 Michael Mol wrote:
> On 02/24/2013 09:49 PM, walt wrote:
> > I've been connecting my google nexus 7 tablet to my wireless router
> > using the standard ssid/password method until last week, when I found
> > that my router will allow wireless connections based on the tablet's
> > MAC address.
> >
> > What I don't know is whether the MAC-address authentication method
> > will cause the wireless router to skip the password authentication
> > entirely and accept the MAC address as 100% sole proof of identity.
>
> Not unless there's something amazingly broken with it. And by that I
> mean it would be newsworthy; the kind of thing Slashdot would jump on
> before it sat in their queue five minutes.
>
> MAC filtering, as it's called, is only trivially more secure than the
> network would be without it. It adds just enough inconvenience that it's
> unlikely for anyone to get on your network without directed attention or
> prior planning for such circumstances.
>
> > I've heard that MAC address spoofing is easy given the right skills,
> > so I don't know if relying solely on MAC address for authentication
> > is asking for trouble, or not.
> >
> > Your opinions are most welcome, the more paranoid the better :)
>
> WPA-Enterprise is the most effective supported-by-default way to lock
> down access to your wireless network...but it requires you to have a
> RADIUS server on your network for your AP to check credentials against.
> Every user of your network gets their own username and password, which
> you configure on whatever authentication server the RADIUS server uses
> as a back-end.
>
> If that sounded confusing to you, it's probably far, far, far more than
> you need.
>
> Otherwise, WPA2-Personal is very good; it's a shared-key authentication
> mechanism combined with better encryption and encryption application, as
> well as key rotation. Chances are, it's what you're already using.
Pre-shared key (PSK) with WPA2 CCMP/AES is probably all you need for a home
network and you can throw MAC ACL in just for laughs (because as Michael said,
that's all it's worth):
ifconfig ath0 down hw ether XX:XX:XX:XX:XX:XX up
The WPA2 keys can be (air)cracked with dictionary files and the like, but if
you have some ridiculously long key, and a changed SSID from the router's
default (it is used as salt in calculating the key, and many a rainbow table
is built with default SSIDs), it can be infeasibly difficult to crack it. If
you are really paranoid, then using SSL certificates instead of PSKs would
make things even more secure. Changing your key/certificates once a month
would make it very improbable to have your wireless cracked.
Of course you could start covering the inside of your walls with aluminium
foil or moving somewhere remote and digging a moat all around your castle, but
I'm not sure your connection is that desirable to warrant it. :-))
--
Regards,
Mick
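Added example (not code from the original post or from either participant): the PBKDF2 derivation that WPA/WPA2-Personal uses to turn passphrase plus SSID into the 256-bit Pairwise Master Key, shown alongside a precomputed table for a default SSID and a plain dictionary attack. It demonstrates the point made above: a table built for "linksys" is useless against a renamed SSID, but a short passphrase still falls to per-SSID guessing, so the passphrase length is what actually buys you time. The SSID names and the wordlist are constructed for the example; the passphrase "password" with SSID "IEEE" is the published IEEE 802.11i test vector. Comparing PMKs directly is a simplification of the real attack, which captures the 4-way handshake and checks the MIC, but the per-guess cost (one PBKDF2 run) is the same.

```python
"""Added example, not from the original mailing-list post.

WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations,
32 bytes).  The SSID is the salt, which is why precomputed tables only work
for the SSID they were built for.  Standard library only.

Simplification: a real cracker derives the PTK from the captured 4-way
handshake and checks the MIC; here PMKs are compared directly.  The expensive
part (one PBKDF2 run per guess) is identical, so the cost model carries over.
"""
import hashlib
from typing import Dict, Iterable, Optional, Tuple

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LENGTH = 32            # 256-bit PMK (equals the PSK in WPA2-Personal)

# Constructed wordlist for the demo; real ones have millions of entries.
WORDLIST = ["letmein1", "password", "qwertyuiop", "trustno1"]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal PMK exactly as wpa_supplicant/hostapd do."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-Personal passphrases are 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LENGTH,
    )


def build_rainbow_table(ssid: str, wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Precompute PMK -> passphrase for ONE SSID.

    This is what the public WPA tables for default SSIDs ("linksys",
    "NETGEAR", ...) are: the PBKDF2 work is paid once, lookups are free.
    """
    return {derive_pmk(word, ssid): word for word in wordlist}


def lookup_pmk(table: Dict[bytes, str], target_pmk: bytes) -> Optional[str]:
    """Free lookup; only hits if the victim's SSID matches the table's SSID."""
    return table.get(target_pmk)


def dictionary_attack(target_pmk: bytes, ssid: str,
                      wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Per-SSID guessing: 4096 HMAC-SHA1 rounds per candidate.

    Returns (passphrase or None, number of PBKDF2 runs spent).
    """
    guesses = 0
    for word in wordlist:
        guesses += 1
        if derive_pmk(word, ssid) == target_pmk:
            return word, guesses
    return None, guesses


def demo() -> None:
    # Constructed scenario: a table built for the factory-default SSID.
    table = build_rainbow_table("linksys", WORDLIST)

    # Victim 1 kept the default SSID and a dictionary word: instant hit.
    victim_default = derive_pmk("password", "linksys")
    print("default SSID, table lookup :", lookup_pmk(table, victim_default))

    # Victim 2 renamed the SSID: same passphrase, different salt, table misses...
    victim_renamed = derive_pmk("password", "MickHomeNet")
    print("renamed SSID, table lookup :", lookup_pmk(table, victim_renamed))

    # ...but a per-SSID dictionary run still finds it; the cost is per guess.
    print("renamed SSID, dictionary   :",
          dictionary_attack(victim_renamed, "MickHomeNet", WORDLIST))

    # A long random passphrase is not in any list; the attack runs dry.
    strong = derive_pmk("c7Vq-9pLx-moat-foil-2013-gentoo", "MickHomeNet")
    print("strong passphrase          :",
          dictionary_attack(strong, "MickHomeNet", WORDLIST))


if __name__ == "__main__":
    demo()
```

Run it directly to see the three outcomes. The practical reading of the output: a default SSID makes the attack a table lookup, a renamed SSID forces the attacker back to 4096 PBKDF2 rounds per guess, and only a passphrase outside any wordlist makes that work pointless.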
Thread overview: 4+ messages
2013-02-25 2:49 [gentoo-user] [way OT] Authenticating in a wireless home network walt
2013-02-25 3:00 ` Michael Mol
2013-02-25 6:56 ` Mick [this message]
2013-02-25 21:21 ` Michael Mol