From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [way OT] Authenticating in a wireless home network
Date: Mon, 25 Feb 2013 06:56:44 +0000
Message-Id: <201302250656.58002.michaelkintzios@gmail.com>
In-Reply-To: <512AD3E8.6040006@gmail.com>

On Monday 25 Feb 2013 03:00:56 Michael Mol wrote:
> On 02/24/2013 09:49 PM, walt wrote:
> > I've been connecting my google nexus 7 tablet to my wireless router
> > using the standard ssid/password method until last week, when I found
> > that my router will allow wireless connections based on the tablet's
> > MAC address.
> >
> > What I don't know is whether the MAC-address authentication method
> > will cause the wireless router to skip the password authentication
> > entirely and accept the MAC address as 100% sole proof of identity.
>
> Not unless there's something amazingly broken with it. And by that I
> mean it would be newsworthy; the kind of thing Slashdot would jump on
> before it sat in their queue five minutes.
>
> MAC filtering, as it's called, is only trivially more secure than the
> network would be without it.
> It adds just enough inconvenience that it's
> unlikely for anyone to get on your network without directed attention or
> prior planning for such circumstances.
>
> > I've heard that MAC address spoofing is easy given the right skills,
> > so I don't know if relying solely on MAC address for authentication
> > is asking for trouble, or not.
> >
> > Your opinions are most welcome, the more paranoid the better :)
>
> WPA-Enterprise is the most effective supported-by-default way to lock
> down access to your wireless network...but it requires you to have a
> RADIUS server on your network for your AP to check credentials against.
> Every user of your network gets their own username and password, which
> you configure on whatever authentication server the RADIUS server uses
> as a back-end.
>
> If that sounded confusing to you, it's probably far, far, far more than
> you need.
>
> Otherwise, WPA2-Personal is very good; it's a shared-key authentication
> mechanism combined with better encryption and encryption application, as
> well as key rotation. Chances are, it's what you're already using.

Preshared key (PSK) with WPA2 CCMP/AES is probably all you need for a home
network and you can throw MAC ACL in just for laughs (because as Michael said,
that's all it's worth):

  ifconfig ath0 hw ether XX:XX:XX:XX:XX:XX

The WPA2 keys can be (air)cracked with dictionary files and the like, but if
you have some ridiculously long key, and a changed SSID from the router's
default (it is used as salt in calculating the key and many a rainbow table
is built with default SSIDs) it can be infeasibly difficult to crack it.  If
you are really paranoid, then using SSL certificates instead of PSKs would
make things even more secure.  Changing your key/certificates once a month
would make it very improbable to have your wireless cracked.
Of course you could start covering the inside of your walls with aluminium
foil or moving somewhere remote and digging a moat all around your castle, but
I'm not sure your connection is that desirable to warrant it. :-))
-- 
Regards,
Mick
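Mick's point that the SSID is used as salt in calculating the WPA2 key is worth seeing in code. The following is an added illustration, not code from the thread or from any of its participants: it implements the standard WPA2-Personal derivation of the Pairwise Master Key (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output, as specified in IEEE 802.11i) using only Python's standard library, and shows that the same passphrase yields a different key under a different SSID, which is exactly why tables precomputed for default SSIDs do not carry over to a renamed network. The SSID strings and passphrase in the `__main__` block are constructed sample values; the `wpa2_pmk` and `pmk_depends_on_ssid` function names are this example's own.

```python
import hashlib

# WPA2-Personal derives the 256-bit Pairwise Master Key (PMK) from the
# passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096
# iterations (IEEE 802.11i). Because the SSID is mixed in, a table of PMKs
# precomputed for one SSID says nothing about a network with another SSID.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for an ASCII passphrase of 8..63 characters and an SSID.

    The length checks mirror the limits the standard places on a WPA2
    passphrase (8 to 63 characters) and an SSID (1 to 32 bytes).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters long")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LENGTH)


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when one passphrase yields different PMKs under two SSIDs."""
    return wpa2_pmk(passphrase, ssid_a) != wpa2_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed illustration (hypothetical values): a default-looking SSID
    # next to a renamed one, same passphrase, two unrelated keys.
    sample_passphrase = "correct horse battery staple"
    for sample_ssid in ("linksys", "mick-home-2013"):
        print(sample_ssid, wpa2_pmk(sample_passphrase, sample_ssid).hex())
```

The derivation is the slow part that a dictionary attack must repeat per candidate, and the SSID is the input that makes precomputation per network rather than global; the two things Mick recommends (a long passphrase, a non-default SSID) map directly onto those two properties. The published IEEE test vector (passphrase "password", SSID "IEEE") reproduces with this function, so it can be used to sanity-check any reimplementation.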