HOWTO: Wireless Security - WPA1, WPA2, LEAP, etc.

[Happibun]

Hello, and thank you for what looks like a phenomenal thread.

I am an utter Noob to Linux, having not even used a Linux machine until 48 hours ago, but always wanted to get started with it. I was given a laptop yesterday with no operating system, so I went for it and installed Gutsy 7.1. All worked beautifully except for wireless networking.

It seems that I have innocently stumbled upon the most problematic area by shear folly and ignorance. Such is life

Anyhow, this is the set up so far:

Dell Latitude 120L Laptop.
Ubuntu 7.10, Gnome.
Broadcom internal network card chipset, running with ndiswrapper.
Netgear DG834GT router with up to date firmware, was set to hidden SSID with MAC filtering on.
Now broadcasting SSID, using WPA-PSK encryption, and MAC filtering.

I have been able to connect wirelessly when the SSID was broadcast, and I had keyed the MAC addresses in to the router. However, I feel I need an extra level of security if I have to broadcast my SSID.
I would prefer to hide my SSID and I really want to keep the MAC filtering on. I'm not too bothered about WPA, the way I see it - MAC filtering is the most secure way to protect my network. I would like the laptop to be able to connect to my network when it boots, without me having to jigger about with he router or terminal each time I want to connect.

Any help would be greatly appreciated.

I'll warn you now that I am not a wireless network expert, and I'm swamped by commands and acronyms. Please be gentle with me

Jo

[wieman01]

@Happibun:

Welcome first of all.

Before we go ahead a couple of comments... MAC filtering isn't really a security feature. It takes experienced users like me 5 seconds to get around it. Hiding SSID is no security feature either, and in fact makes your system less secure. See this for more:

http://blogs.technet.com/steriley/ar...ess-ssids.aspx

Also you are right in that WPA is the way to go. Again it would take me about 15 minutes to crack your WEP key and take control of your network.

Having said that, do you really want to turn off SSID broadcast? I think WPA is fine. And if network manager (the networking applet that you are most likely using) does a good job with SSID broadcast enabled, I'd go for it. Why bother?

That's my most informed opinion.

If you still have troubles with WPA, please do me a favor, open a terminal (command line), type in the following commands and post the results:

sudo iwlist scan

sudo lshw -C network

"-C" is a capital C. Please post the output.

No worries, this is the right thread to ask all these questions. Bear with me (and Ubuntu) and I promise you it will be a very pleasant experience.

[MountainX]

My wireless networking fails to get a valid IP address after I suspend/resume.

I have already tried (without success) the suggestions here:
http://lilserenity.wordpress.com/200...ernate-resume/
The core change recommended, which I did, was:
/etc/default/acpi-support:
Change STOP_SERVICES to read:
STOP_SERVICES="networking"

Here is some info on my system:

Code:

~$ sudo iwlist scan
Password or swipe finger: 
lo        Interface doesn't support scanning.

vmnet1    Interface doesn't support scanning.

vmnet8    Interface doesn't support scanning.

eth0      Interface doesn't support scanning.

eth1      Scan completed :
          Cell 01 - Address: 00:1B:11:68:7C:69
                    ESSID:"my-essid"
                    Protocol:IEEE 802.11bg
                    Mode:Master
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 9 Mb/s; 11 Mb/s
                              6 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Quality=92/100  Signal level=-39 dBm  Noise level=-39 dBm
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : WEP-40
                        Pairwise Ciphers (2) : WEP-40 TKIP
                        Authentication Suites (1) : PSK
                       Preauthentication Supported
                    Extra: Last beacon: 240ms ago

username@computername:~$ sudo lshw -C network
  *-network               
       description: Ethernet interface
       product: 82566MM Gigabit Network Connection
       vendor: Intel Corporation
       physical id: 19
       bus info: pci@0000:00:19.0
       logical name: eth0
       version: 03
       serial: 00:1e:37:86:99:22
       capacity: 1GB/s
       width: 32 bits
       clock: 33MHz
       capabilities: pm msi bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
       configuration: autonegotiation=on broadcast=yes driver=e1000 driverversion=7.3.20-k2-NAPI firmware=0.3-0 latency=0 link=no module=e1000 multicast=yes port=twisted pair
  *-network
       description: Wireless interface
       product: PRO/Wireless 3945ABG Network Connection
       vendor: Intel Corporation
       physical id: 0
       bus info: pci@0000:03:00.0
       logical name: eth1
       version: 02
       serial: 00:1c:bf:75:fc:15
       width: 32 bits
       clock: 33MHz
       capabilities: pm msi pciexpress bus_master cap_list ethernet physical wireless
       configuration: broadcast=yes driver=ipw3945 driverversion=1.2.2mp.ubuntu1 firmware=14.2 1:0 () latency=0 link=no module=ipw3945 multicast=yes wireless=unassociated
username@computername:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1E:37:86:99:22  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Base address:0x1840 Memory:fe200000-fe220000 

eth1      Link encap:Ethernet  HWaddr 00:1C:BF:75:FC:15  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:3 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:21 Memory:d7dff000-d7dfffff 

eth1:avah Link encap:Ethernet  HWaddr 00:1C:BF:75:FC:15  
          inet addr:169.254.7.83  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          Interrupt:21 Memory:d7dff000-d7dfffff 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:68 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6154 (6.0 KB)  TX bytes:6154 (6.0 KB)

If I restart networking, my wireless device will get an IP address and then everything works. Seems like the change I made here doesn't go the trick.
/etc/default/acpi-support:
STOP_SERVICES="networking"

Should I remove this change or alter it? Or should I add the "sudo /etc/init.d/networking restart" command to a startup script as well?

BTW, I do not have the wireless networking icon in the upper right of my screen. How do I fix this? Thanks.

[wieman01]

@MountainX:

I know very little about ACPI. Therefore I cannot advise here. You could certainly create another startup script but I am not certain which run level that would be. I found some stuff here that could be interesting:

http://gentoo-wiki.com/TIP_ACPI_basic_configuration

For general wireless help & support please see this thread:

http://ubuntuforums.org/showthread.php?t=684495

[wieman01]

@MountainX:

I think you would have to put it here:

sudo gedit /etc/acpi/resume.sh

Then add (no 'sudo'):

/etc/init.d/networking restart

Please try and let me know if it works.

[Average Joe]

wieman01, thanks for this nice how-to! I followed your instructions and it works like a charm.

In a previous post you linked to an article that explains that hiding your SSID is not secure at all, and you stated that it makes your system even less secure. Maybe that is true, but why do you, as an expert, then configure your system (in the how-to) such that it does hide your SSID?

I use my wireless network for my laptop at home, and apart from using WPA2, I have configured it such that it hides my SSID, and that it uses MAC address filtering. I understand that those last two measures don't add (much) security to my system when I use it.

However, most of the day my laptop is switched off, and I would think that, since there is no wireless traffic then, it is more secure to hide your SSID and use MAC filtering. Or would it still be possible for an attacker to figure out both my SSID and my MAC address while my computer is switched off? My modem/router is on 24/7.

[wieman01]

wieman01, thanks for this nice how-to! I followed your instructions and it works like a charm.

In a previous post you linked to an article that explains that hiding your SSID is not secure at all, and you stated that it makes your system even less secure. Maybe that is true, but why do you, as an expert, then configure your system (in the how-to) such that it does hide your SSID?

I use my wireless network for my laptop at home, and apart from using WPA2, I have configured it such that it hides my SSID, and that it uses MAC address filtering. I understand that those last two measures don't add (much) security to my system when I use it.

However, most of the day my laptop is switched off, and I would think that, since there is no wireless traffic then, it is more secure to hide your SSID and use MAC filtering. Or would it still be possible for an attacker to figure out both my SSID and my MAC address while my computer is switched off? My modem/router is on 24/7.

Hello,

You are quite right in that my previous advice on turning on SSID broadcast must sound quite ambiguous given the objective of my tutorial, however, I must admit that I have learned in the course of the months and that I was not aware of it by the time I compiled the tutorial.

What comes on top is the fact that a lot of people ask for it, therefore my attempt at explaining how you can achieve it, although I should know better.

The security risk imposed by disabling SSID broadcast are somewhat limited, in particular if you don't do much roaming (see article). To answer your question, yes, MAC filtering and disabling broadcast might make it appear more secure and it makes people feel better, then so be it.

But looking at it from another angle, a system is as secure as the weakest link that holds it together. In terms of wireless security, that would be your security protocol (e.g. WPA2) and your key (PSK). If an attacker can get around these, MAC filtering and a hidden SSID won't help you, either. But if she/he can't, she/he won't even notice you have enabled MAC filtering, and most certainly won't be able to take advantage of the fact that you are broadcast your SSID.

Do you understand what I am trying to get at? Good discussion.

[Average Joe]

Thank you for that explanation. I am using the WPA2 protocol and a strong PSK key, so I feel pretty safe.

Apart from the fact that it just feels more safe to do, I also hide my SSID and use MAC filtering for two reasons:

1) If someone would break in my wireless network, he would have to use my MAC address. I know this is very easy for him to get by just sniffing my network traffic. But it would mean that I would probably lose my connection, since I expect that the MAC address can only work for one computer at a time. Therefore, I would most likely notice that my system would be compromised, and take immediate action.

2) If my SSID is hidden, I would think that in case my computer is off, there are no probe requests from my computer to my non-broadcasting network, and a potential hacker would not be able to retrieve my SSID. Therefore, during the time that I don't use my computer (i.e. it is switched off) I am more safe to attacks on the wireless network.

I understand that the attacker would still need to get around the security protocol, but assuming (for the sake of argument) that he can, I think using MAC address filtering and a hidden SSID has some additional value, that is not only existing in the head of the user.

[wieman01]

Thank you for that explanation. I am using the WPA2 protocol and a strong PSK key, so I feel pretty safe.

Apart from the fact that it just feels more safe to do, I also hide my SSID and use MAC filtering for two reasons:

1) If someone would break in my wireless network, he would have to use my MAC address. I know this is very easy for him to get by just sniffing my network traffic. But it would mean that I would probably lose my connection, since I expect that the MAC address can only work for one computer at a time. Therefore, I would most likely notice that my system would be compromised, and take immediate action.

2) If my SSID is hidden, I would think that in case my computer is off, there are no probe requests from my computer to my non-broadcasting network, and a potential hacker would not be able to retrieve my SSID. Therefore, during the time that I don't use my computer (i.e. it is switched off) I am more safe to attacks on the wireless network.

I understand that the attacker would still need to get around the security protocol, but assuming (for the sake of argument) that he can, I think using MAC address filtering and a hidden SSID has some additional value, that is not only existing in the head of the user.

Hello,

Both valid reasons. This is in fact my own line of thinking as well. Again, it is little extra security and with a strong PSK I doubt an attacker would even have the slightest chance of breaking it and thus compromising your network, but one never knows.

[Average Joe]

I am actually wondering why I cannot use the Network manager (nm-applet) to configure my wireless network.

This applet is now showing up as an icon in my notification area, basically doing nothing. However, since I am using a laptop, I would be convenient for me to use it for easy switching between wireless networks. However, whenever I make some changes with the Network Manager (i.e. switch to roaming) I lose my connection, and what is worse, I lose my settings as well, making me have to recreate the /etc/network/interfaces file from scratch again. This happens even after having saved (and reloaded) the working configuration in nm-applet.

This leaves me with two questions:

1) Is it not possible to use the Network-manager after having followed the how-to in the first post?

2) Is there another way to switch easily between wireless networks?