public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] [way OT] Authenticating in a wireless home network
@ 2013-02-25  2:49 walt
  2013-02-25  3:00 ` Michael Mol
  0 siblings, 1 reply; 4+ messages in thread
From: walt @ 2013-02-25  2:49 UTC
  To: gentoo-user

I've been connecting my Google Nexus 7 tablet to my wireless router
using the standard ssid/password method until last week, when I found
that my router will allow wireless connections based on the tablet's
MAC address.

What I don't know is whether the MAC-address authentication method
will cause the wireless router to skip the password authentication
entirely and accept the MAC address as 100% sole proof of identity.

I've heard that MAC address spoofing is easy given the right skills,
so I don't know if relying solely on MAC address for authentication
is asking for trouble, or not.

Your opinions are most welcome, the more paranoid the better :)




* Re: [gentoo-user] [way OT] Authenticating in a wireless home network
  2013-02-25  2:49 [gentoo-user] [way OT] Authenticating in a wireless home network walt
@ 2013-02-25  3:00 ` Michael Mol
  2013-02-25  6:56   ` Mick
  0 siblings, 1 reply; 4+ messages in thread
From: Michael Mol @ 2013-02-25  3:00 UTC
  To: gentoo-user

On 02/24/2013 09:49 PM, walt wrote:
> I've been connecting my Google Nexus 7 tablet to my wireless router
> using the standard ssid/password method until last week, when I found
> that my router will allow wireless connections based on the tablet's
> MAC address.
> 
> What I don't know is whether the MAC-address authentication method
> will cause the wireless router to skip the password authentication
> entirely and accept the MAC address as 100% sole proof of identity.

Not unless there's something amazingly broken with it. And by that I
mean it would be newsworthy; the kind of thing Slashdot would jump on
before it sat in their queue five minutes.

MAC filtering, as it's called, is only trivially more secure than the
network would be without it. It adds just enough inconvenience that it's
unlikely for anyone to get on your network without directed attention or
prior planning for such circumstances.

> 
> I've heard that MAC address spoofing is easy given the right skills,
> so I don't know if relying solely on MAC address for authentication
> is asking for trouble, or not.
> 
> Your opinions are most welcome, the more paranoid the better :)
> 
> 

WPA-Enterprise is the most effective supported-by-default way to lock
down access to your wireless network...but it requires you to have a
RADIUS server on your network for your AP to check credentials against.
Every user of your network gets their own username and password, which
you configure on whatever authentication server the RADIUS server uses
as a back-end.

If that sounded confusing to you, it's probably far, far, far more than
you need.

Otherwise, WPA2-Personal is very good; it's a shared-key authentication
mechanism combined with better encryption and encryption application, as
well as key rotation. Chances are, it's what you're already using.



* Re: [gentoo-user] [way OT] Authenticating in a wireless home network
  2013-02-25  3:00 ` Michael Mol
@ 2013-02-25  6:56   ` Mick
  2013-02-25 21:21     ` Michael Mol
  0 siblings, 1 reply; 4+ messages in thread
From: Mick @ 2013-02-25  6:56 UTC
  To: gentoo-user

On Monday 25 Feb 2013 03:00:56 Michael Mol wrote:
> On 02/24/2013 09:49 PM, walt wrote:
> > I've been connecting my Google Nexus 7 tablet to my wireless router
> > using the standard ssid/password method until last week, when I found
> > that my router will allow wireless connections based on the tablet's
> > MAC address.
> > 
> > What I don't know is whether the MAC-address authentication method
> > will cause the wireless router to skip the password authentication
> > entirely and accept the MAC address as 100% sole proof of identity.
> 
> Not unless there's something amazingly broken with it. And by that I
> mean it would be newsworthy; the kind of thing Slashdot would jump on
> before it sat in their queue five minutes.
> 
> MAC filtering, as it's called, is only trivially more secure than the
> network would be without it. It adds just enough inconvenience that it's
> unlikely for anyone to get on your network without directed attention or
> prior planning for such circumstances.
> 
> > I've heard that MAC address spoofing is easy given the right skills,
> > so I don't know if relying solely on MAC address for authentication
> > is asking for trouble, or not.
> > 
> > Your opinions are most welcome, the more paranoid the better :)
> 
> WPA-Enterprise is the most effective supported-by-default way to lock
> down access to your wireless network...but it requires you to have a
> RADIUS server on your network for your AP to check credentials against.
> Every user of your network gets their own username and password, which
> you configure on whatever authentication server the RADIUS server uses
> as a back-end.
> 
> If that sounded confusing to you, it's probably far, far, far more than
> you need.
> 
> Otherwise, WPA2-Personal is very good; it's a shared-key authentication
> mechanism combined with better encryption and encryption application, as
> well as key rotation. Chances are, it's what you're already using.

Preshared key (PSK) with WPA2 CCMP/AES is probably all you need for a home 
network and you can throw MAC ACL in just for laughs (because as Michael said, 
that's all it's worth):

  ifconfig ath0 hw ether XX:XX:XX:XX:XX:XX


The WPA2 keys can be (air)cracked with dictionary files and the like, but if 
you have some ridiculously long key, and a changed SSID from the router's 
default (it is used as salt in calculating the key and many a rainbow table 
is built with default SSIDs) it can be infeasibly difficult to crack it.  If 
you are really paranoid, then using SSL certificates instead of PSKs would 
make things even more secure.  Changing your key/certificates once a month 
would make it very improbable to have your wireless cracked.

Of course you could start covering the inside of your walls with aluminium 
foil or moving somewhere remote and digging a moat all around your castle, but 
I'm not sure your connection is that desirable to warrant it.  :-))
-- 
Regards,
Mick
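
Added example (not part of Mick's message or the thread): the SSID's role as salt mentioned above, shown with the WPA2-Personal key derivation, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt. The function names, the sample default-SSID list and the 20-character length threshold are assumptions made for this illustration.

```python
import hashlib

# Constructed sample of factory-default SSIDs (assumption for this example);
# precomputed tables are built per SSID, so a default name is the risky case.
COMMON_DEFAULT_SSIDS = {"linksys", "NETGEAR", "default", "dlink"}


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key used by WPA2-Personal.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
    """
    p = passphrase.encode("ascii")  # passphrases are 8..63 ASCII characters
    s = ssid.encode("utf-8")        # SSIDs are at most 32 bytes
    if not 8 <= len(p) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not 1 <= len(s) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", p, s, 4096, 32)


def review_network(ssid: str, passphrase: str, min_length: int = 20) -> list:
    """Flag the two weaknesses the message names: default SSID, short key.

    min_length is an assumed threshold, not a value from the thread.
    """
    wpa2_pmk(passphrase, ssid)  # raises ValueError on out-of-range input
    findings = []
    if ssid in COMMON_DEFAULT_SSIDS:
        findings.append("default-ssid")
    if len(passphrase) < min_length:
        findings.append("short-passphrase")
    return findings


if __name__ == "__main__":
    # Same passphrase, different SSID: the derived key is unrelated, so a
    # table precomputed for one SSID is useless against the other.
    for ssid in ("linksys", "attic-7f3c"):  # constructed sample SSIDs
        print(ssid, wpa2_pmk("password1", ssid).hex())
    print(review_network("linksys", "password1"))
```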


* Re: [gentoo-user] [way OT] Authenticating in a wireless home network
  2013-02-25  6:56   ` Mick
@ 2013-02-25 21:21     ` Michael Mol
  0 siblings, 0 replies; 4+ messages in thread
From: Michael Mol @ 2013-02-25 21:21 UTC
  To: gentoo-user

On 02/25/2013 01:56 AM, Mick wrote:
> On Monday 25 Feb 2013 03:00:56 Michael Mol wrote:

[snip]

> 
> Of course you could start covering the inside of your walls with aluminium 
> foil

My house has plaster-and-lath walls and aluminum siding.

Frankly, it works out to about the same thing. >.<

[snip]


