[gentoo-user] Locking down a wireless network

[gentoo-user] Locking down a wireless network

[Grant]

My Gentoo router's wireless network is encrypted via WPA and doesn't
DHCP.  I'd like to take this a step further in case my WPA key gets
hacked.  Can I issue only certain IPs to certain MAC addresses?

Does WPA2 require hardware support?

- Grant

Re: [gentoo-user] Locking down a wireless network

[Dan Cowsill]

On 1/29/09, Grant <emailgrant@gmail.com> wrote:
> My Gentoo router's wireless network is encrypted via WPA and doesn't
>  DHCP.  I'd like to take this a step further in case my WPA key gets
>  hacked.  Can I issue only certain IPs to certain MAC addresses?
>
>  Does WPA2 require hardware support?
>
>
>  - Grant
>
>

What you're looking for is called 'MAC address filtering' and I
imagine it is very doable.  Having never done it before myself (with a
Gentoo router) the best I can do is point you at Google and wish you
the best of luck.

It's been a little while since I worried about my WPA2 wireless
getting hacked.  Apparently, a vulnerability in TKIP was recently
discovered that made WPA2 networks using that encryption less secure.
It would still take a lot of doing on the attacking party's end to do
it though.  Have you considered setting up WPA2 Enterprise, with the
RADIUS server and whatnot?

D

Re: [gentoo-user] Locking down a wireless network

[Paul Hartman]

On Thu, Jan 29, 2009 at 11:40 AM, Grant <emailgrant@gmail.com> wrote:
> My Gentoo router's wireless network is encrypted via WPA and doesn't
> DHCP.  I'd like to take this a step further in case my WPA key gets
> hacked.  Can I issue only certain IPs to certain MAC addresses?
>
> Does WPA2 require hardware support?

I don't think so. It should just be a driver/firmware update if you've
got some device that supports WPA and not WPA2. The AES encryption of
WPA2 requires a little more hardware power than WEP or WPA normally
uses, but I don't think it needs any special chip or anything like
that.

You can also do VPN over your wifi connection, and require it for
access to the rest of your network or the internet. At least then if
someone hacks your wireless key, they still can't do anything without
having your VPN certificate.

Re: [gentoo-user] Locking down a wireless network

[Grant]

>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>> DHCP.  I'd like to take this a step further in case my WPA key gets
>> hacked.  Can I issue only certain IPs to certain MAC addresses?
>>
>> Does WPA2 require hardware support?
>
> I don't think so. It should just be a driver/firmware update if you've
> got some device that supports WPA and not WPA2. The AES encryption of
> WPA2 requires a little more hardware power than WEP or WPA normally
> uses, but I don't think it needs any special chip or anything like
> that.
>
> You can also do VPN over your wifi connection, and require it for
> access to the rest of your network or the internet. At least then if
> someone hacks your wireless key, they still can't do anything without
> having your VPN certificate.

It sounds like VPN may be the strongest thing going.  Could I turn off
WPA and keep everything hidden within the VPN?  Could I use a password
instead of a certificate for access?  Is the only downside that the
client needs to have VPN software installed?

- Grant

Re: [gentoo-user] Locking down a wireless network

[Saphirus Sage]

Grant wrote:
>>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>>> DHCP.  I'd like to take this a step further in case my WPA key gets
>>> hacked.  Can I issue only certain IPs to certain MAC addresses?
>>>
>>> Does WPA2 require hardware support?
>>>       
>> I don't think so. It should just be a driver/firmware update if you've
>> got some device that supports WPA and not WPA2. The AES encryption of
>> WPA2 requires a little more hardware power than WEP or WPA normally
>> uses, but I don't think it needs any special chip or anything like
>> that.
>>
>> You can also do VPN over your wifi connection, and require it for
>> access to the rest of your network or the internet. At least then if
>> someone hacks your wireless key, they still can't do anything without
>> having your VPN certificate.
>>     
>
> It sounds like VPN may be the strongest thing going.  Could I turn off
> WPA and keep everything hidden within the VPN?  Could I use a password
> instead of a certificate for access?  Is the only downside that the
> client needs to have VPN software installed?
>
> - Grant
>
>   
That's not much of a downside, VPN encryption (IPsec, SSL, L2TP, and
maybe PPTP) is usually more secure than that datalink-layer WPA or WPA2
anyway. As for if you can set it up without a certificate, I believe
that PPTP and L2TP can operate with nothing more than a "shared secret".
But, a certificate just makes it all the more secure. And yes, your
transmitted data will still be encrypted in a VPN even if you're using
an open wireless hotspot.

Re: [gentoo-user] Locking down a wireless network

[Grant]

>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>> DHCP.  I'd like to take this a step further in case my WPA key gets
>> hacked.  Can I issue only certain IPs to certain MAC addresses?
>>
>> Does WPA2 require hardware support?
>
> I don't think so. It should just be a driver/firmware update if you've
> got some device that supports WPA and not WPA2. The AES encryption of
> WPA2 requires a little more hardware power than WEP or WPA normally
> uses, but I don't think it needs any special chip or anything like
> that.
>
> You can also do VPN over your wifi connection, and require it for
> access to the rest of your network or the internet. At least then if
> someone hacks your wireless key, they still can't do anything without
> having your VPN certificate.

Actually, VPN would rule out my wifi cell phone I bet.

- Grant

Re: [gentoo-user] Locking down a wireless network

[Saphirus Sage]

Grant wrote:
>>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>>> DHCP.  I'd like to take this a step further in case my WPA key gets
>>> hacked.  Can I issue only certain IPs to certain MAC addresses?
>>>
>>> Does WPA2 require hardware support?
>>>       
>> I don't think so. It should just be a driver/firmware update if you've
>> got some device that supports WPA and not WPA2. The AES encryption of
>> WPA2 requires a little more hardware power than WEP or WPA normally
>> uses, but I don't think it needs any special chip or anything like
>> that.
>>
>> You can also do VPN over your wifi connection, and require it for
>> access to the rest of your network or the internet. At least then if
>> someone hacks your wireless key, they still can't do anything without
>> having your VPN certificate.
>>     
>
> Actually, VPN would rule out my wifi cell phone I bet.
>
> - Grant
>
>   
Yeah, it probably would. If you want to keep using the wifi mobile, you
may be stuck with whatever layer 2 security options it supports; most
likely WPA2 then.

Re: [gentoo-user] Locking down a wireless network

[Paul Hartman]

On Thu, Jan 29, 2009 at 2:39 PM, Grant <emailgrant@gmail.com> wrote:
>>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>>> DHCP.  I'd like to take this a step further in case my WPA key gets
>>> hacked.  Can I issue only certain IPs to certain MAC addresses?
>>>
>>> Does WPA2 require hardware support?
>>
>> I don't think so. It should just be a driver/firmware update if you've
>> got some device that supports WPA and not WPA2. The AES encryption of
>> WPA2 requires a little more hardware power than WEP or WPA normally
>> uses, but I don't think it needs any special chip or anything like
>> that.
>>
>> You can also do VPN over your wifi connection, and require it for
>> access to the rest of your network or the internet. At least then if
>> someone hacks your wireless key, they still can't do anything without
>> having your VPN certificate.
>
> Actually, VPN would rule out my wifi cell phone I bet.

Maybe not -- I don't know what kind of phone you've got. I have a
Nokia N95 which runs Symbian OS 9 and there are 3 VPN clients that I
know of (and the first one is free):

http://www.businesssoftware.nokia.com/mobile_vpn_downloads.php
http://www.ncp-e.com/en/vpn-szenarien-produkte/vpn-produkte/secure-entry-client.html
http://www.symvpn.com/Products/ProductInfo.aspx?ProductId=17

I believe Windows Mobile devices have VPN support built in, but I've
never tried it. For iPhone or other phone OS i have no idea as I've
never actually used them.

Paul

Re: [gentoo-user] Locking down a wireless network

[Saphirus Sage]

Paul Hartman wrote:
> On Thu, Jan 29, 2009 at 2:39 PM, Grant <emailgrant@gmail.com> wrote:
>   
>>>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>>>> DHCP.  I'd like to take this a step further in case my WPA key gets
>>>> hacked.  Can I issue only certain IPs to certain MAC addresses?
>>>>
>>>> Does WPA2 require hardware support?
>>>>         
>>> I don't think so. It should just be a driver/firmware update if you've
>>> got some device that supports WPA and not WPA2. The AES encryption of
>>> WPA2 requires a little more hardware power than WEP or WPA normally
>>> uses, but I don't think it needs any special chip or anything like
>>> that.
>>>
>>> You can also do VPN over your wifi connection, and require it for
>>> access to the rest of your network or the internet. At least then if
>>> someone hacks your wireless key, they still can't do anything without
>>> having your VPN certificate.
>>>       
>> Actually, VPN would rule out my wifi cell phone I bet.
>>     
>
> Maybe not -- I don't know what kind of phone you've got. I have a
> Nokia N95 which runs Symbian OS 9 and there are 3 VPN clients that I
> know of (and the first one is free):
>
> http://www.businesssoftware.nokia.com/mobile_vpn_downloads.php
> http://www.ncp-e.com/en/vpn-szenarien-produkte/vpn-produkte/secure-entry-client.html
> http://www.symvpn.com/Products/ProductInfo.aspx?ProductId=17
>
> I believe Windows Mobile devices have VPN support built in, but I've
> never tried it. For iPhone or other phone OS i have no idea as I've
> never actually used them.
>
> Paul
>
>   
The iPhone has support for L2TP, PPTP and minor support for IPSec (if
ti's through cisco), all standard in the firmware releases.

Re: [gentoo-user] Locking down a wireless network

[Grant]

>>>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>>>> DHCP.  I'd like to take this a step further in case my WPA key gets
>>>> hacked.  Can I issue only certain IPs to certain MAC addresses?
>>>>
>>>> Does WPA2 require hardware support?
>>>
>>> I don't think so. It should just be a driver/firmware update if you've
>>> got some device that supports WPA and not WPA2. The AES encryption of
>>> WPA2 requires a little more hardware power than WEP or WPA normally
>>> uses, but I don't think it needs any special chip or anything like
>>> that.
>>>
>>> You can also do VPN over your wifi connection, and require it for
>>> access to the rest of your network or the internet. At least then if
>>> someone hacks your wireless key, they still can't do anything without
>>> having your VPN certificate.
>>
>> Actually, VPN would rule out my wifi cell phone I bet.
>
> Maybe not -- I don't know what kind of phone you've got. I have a
> Nokia N95 which runs Symbian OS 9 and there are 3 VPN clients that I
> know of (and the first one is free):
>
> http://www.businesssoftware.nokia.com/mobile_vpn_downloads.php
> http://www.ncp-e.com/en/vpn-szenarien-produkte/vpn-produkte/secure-entry-client.html
> http://www.symvpn.com/Products/ProductInfo.aspx?ProductId=17
>
> I believe Windows Mobile devices have VPN support built in, but I've
> never tried it. For iPhone or other phone OS i have no idea as I've
> never actually used them.
>
> Paul

Thanks Paul, mine is a Nokia N82 and I'm checking into that now.

- Grant

Re: [gentoo-user] Locking down a wireless network

[Grant]

>>>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>>>> DHCP.  I'd like to take this a step further in case my WPA key gets
>>>> hacked.  Can I issue only certain IPs to certain MAC addresses?
>>>>
>>>> Does WPA2 require hardware support?
>>>
>>> I don't think so. It should just be a driver/firmware update if you've
>>> got some device that supports WPA and not WPA2. The AES encryption of
>>> WPA2 requires a little more hardware power than WEP or WPA normally
>>> uses, but I don't think it needs any special chip or anything like
>>> that.
>>>
>>> You can also do VPN over your wifi connection, and require it for
>>> access to the rest of your network or the internet. At least then if
>>> someone hacks your wireless key, they still can't do anything without
>>> having your VPN certificate.
>>
>> Actually, VPN would rule out my wifi cell phone I bet.
>
> Maybe not -- I don't know what kind of phone you've got. I have a
> Nokia N95 which runs Symbian OS 9 and there are 3 VPN clients that I
> know of (and the first one is free):
>
> http://www.businesssoftware.nokia.com/mobile_vpn_downloads.php
> http://www.ncp-e.com/en/vpn-szenarien-produkte/vpn-produkte/secure-entry-client.html
> http://www.symvpn.com/Products/ProductInfo.aspx?ProductId=17
>
> I believe Windows Mobile devices have VPN support built in, but I've
> never tried it. For iPhone or other phone OS i have no idea as I've
> never actually used them.
>
> Paul

It looks like those 3 do work on an N82, but at least the 3rd one can
only connect to Windows VPN servers currently.  VPN configuration on
any of them sounds like it can be a major hassle though.

Is there a way to get reliable info on how many systems are connected
to my wireless network?  I'm running a Gentoo router.

- Grant

Re: [gentoo-user] Locking down a wireless network

[Paul Hartman]

On Fri, Jan 30, 2009 at 10:25 AM, Grant <emailgrant@gmail.com> wrote:
>>>>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>>>>> DHCP.  I'd like to take this a step further in case my WPA key gets
>>>>> hacked.  Can I issue only certain IPs to certain MAC addresses?
>>>>>
>>>>> Does WPA2 require hardware support?
>>>>
>>>> I don't think so. It should just be a driver/firmware update if you've
>>>> got some device that supports WPA and not WPA2. The AES encryption of
>>>> WPA2 requires a little more hardware power than WEP or WPA normally
>>>> uses, but I don't think it needs any special chip or anything like
>>>> that.
>>>>
>>>> You can also do VPN over your wifi connection, and require it for
>>>> access to the rest of your network or the internet. At least then if
>>>> someone hacks your wireless key, they still can't do anything without
>>>> having your VPN certificate.
>>>
>>> Actually, VPN would rule out my wifi cell phone I bet.
>>
>> Maybe not -- I don't know what kind of phone you've got. I have a
>> Nokia N95 which runs Symbian OS 9 and there are 3 VPN clients that I
>> know of (and the first one is free):
>>
>> http://www.businesssoftware.nokia.com/mobile_vpn_downloads.php
>> http://www.ncp-e.com/en/vpn-szenarien-produkte/vpn-produkte/secure-entry-client.html
>> http://www.symvpn.com/Products/ProductInfo.aspx?ProductId=17
>>
>> I believe Windows Mobile devices have VPN support built in, but I've
>> never tried it. For iPhone or other phone OS i have no idea as I've
>> never actually used them.
>>
>> Paul
>
> It looks like those 3 do work on an N82, but at least the 3rd one can
> only connect to Windows VPN servers currently.  VPN configuration on
> any of them sounds like it can be a major hassle though.

I haven't tried it, but the Telexy SymVPN has just released a new
version which supposedly supports linux PPTP VPN now.

http://www.telexy.com/Support/Publications.aspx?codeid=A75XR35VU2

There is a free trial.

Re: [gentoo-user] Locking down a wireless network

[Mark Knecht]

On Thu, Jan 29, 2009 at 9:40 AM, Grant <emailgrant@gmail.com> wrote:
> My Gentoo router's wireless network is encrypted via WPA and doesn't
> DHCP.  I'd like to take this a step further in case my WPA key gets
> hacked.  Can I issue only certain IPs to certain MAC addresses?
>
> Does WPA2 require hardware support?
>
> - Grant

My LinkSys wireless router supports MAC address filtering. I can add a
MAC address to the allowed list and disallow everything else. It works
for us so far, until someone manages to somehow find out an allowed
MAC address and pretends to be that address. I'll deal with that
should it ever happen. Unlikely I think...

It is a little extra work adding a new device in as I have to discover
its address but that's OK with me.

I don't think is typically done in hardware as the specs change and
hardware designers are reluctant to put the gates in. More likely it's
done in firmware on a router like mine, or software if you're using
some Gentoo box to do a job like this.

- Mark

Re: [gentoo-user] Locking down a wireless network

[Paul Hartman]

On Thu, Jan 29, 2009 at 12:11 PM, Mark Knecht <markknecht@gmail.com> wrote:
> On Thu, Jan 29, 2009 at 9:40 AM, Grant <emailgrant@gmail.com> wrote:
>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>> DHCP.  I'd like to take this a step further in case my WPA key gets
>> hacked.  Can I issue only certain IPs to certain MAC addresses?
>>
>> Does WPA2 require hardware support?
>>
>> - Grant
>
> My LinkSys wireless router supports MAC address filtering. I can add a
> MAC address to the allowed list and disallow everything else. It works
> for us so far, until someone manages to somehow find out an allowed
> MAC address and pretends to be that address. I'll deal with that
> should it ever happen. Unlikely I think...
>
> It is a little extra work adding a new device in as I have to discover
> its address but that's OK with me.
>
> I don't think is typically done in hardware as the specs change and
> hardware designers are reluctant to put the gates in. More likely it's
> done in firmware on a router like mine, or software if you're using
> some Gentoo box to do a job like this.

Well, using kismet to sniff out active MAC addresses of clients and
access points is dead simple, and MAC spoofing is even easier (emerge
net-analyzer/macchanger). Obviously trying to use a MAC that's already
active could result in collisions/IP conflict so the drive-by wifi
hijackers probably won't get much use of it, but if someone is doing
an attack on you they can wait for your laptop to be turned off or
wireless traffic idle, and then hop on that MAC and get in your
network. Even that should not be a problem if you've got eveything
else secured (like, if you allow passwordless entry to samba shares
from local address, and someone gets on your wireless, that could be
bad unless you put wifi in a different vlan or whatever). I don't have
mine set up that sophisticated, I am putting my faith in WPA2 being
strong enough to keep out intruders. I know I should probably be more
careful but I'm trusting and lazy. :) My internal devices are not
necessarily protected from each other.

I don't use MAC filtering, but I have the DHCP leases tied to MAC
addresses; I don't restrict it only to those addresses though. I have
a range (192.168.0.101-109) for reserved IP addresses, and dynamic
from 110+. My main desktop has 2 NICs and Wifi, second desktop has 2
NICs, Laptop has NIC & Wifi, cell phone has Wifi, land phone is Voip,
I have a second wireless router set up as a wireless bridge to which
my Xbox, Xbox 360 & Slingbox are attached, as well as any visitors who
happen to need to plug in a laptop in my living room. :) I let some of
my devices get dynamic IPs just because it doesn't matter (vonage,
slingbox, xbox 360) but the PCs I like to have well-defined addresses.

Re: [gentoo-user] Locking down a wireless network

[Stroller]

On 29 Jan 2009, at 17:40, Grant wrote:

> My Gentoo router's wireless network is encrypted via WPA and doesn't
> DHCP.  I'd like to take this a step further in case my WPA key gets
> hacked.

What makes you think your WPA key is likely to get hacked?

As I'm reading it, if you use a long random password & unique SSID WPA  
is quite secure.

It should be possible to implement WPA2 on a Linux-based AP. I would  
use 64 random hex digits for your PSK & stop worrying about it.

MAC address filtering is worthless. I would install a DHCP server &  
save yourself the hassle of setting IP addresses on any devices that  
are used elsewhere. Anyone who breaks WPA (which I consider extremely  
unlikely assuming the criteria I've described) is not going to be  
troubled by such measures.

Stroller.