Differences between version 3 and previous revision of WirelessNetworkSecurityNotes.
Newer page: | version 3 | Last edited on Monday, January 17, 2005 10:38:51 am | by JohnMcPherson |
Older page: | version 2 | Last edited on Wednesday, September 15, 2004 9:23:26 pm | by DanielLawson |
@@ -1,11 +1,99 @@
-''(AddToMe: This page needs a lot of work
.)''
+Don
't rely on [WEP] to secure your network. Even with 128-bit or 256-bit keys it is trivial to crack
.
-!Tips for Securing Wireless Networks
+!!! VPN/tunnel
+Use a secure tunnel/[VPN] from wireless clients over the wireless network onto your real network.
-* Don't rely on
[WEP
] to secure
your network
. Even with 128-bit or 256-bit keys it is trivial to crack
.
+Put your WLAN hosts behind a firewall to protect your wired LAN from wireless intruders. Install
[pptpd(8)
] on this firewall box and force wireless hosts
to securely tunnel into
your wired LAN
. See the WirelessNetworkSecurityHowto
.
-* Put your WLAN hosts behind
a firewall
to protect
your wired LAN from
wireless intruders
. Install [pptpd
(8
)]
on this firewall box
and force
wireless hosts to securely tunnel
into your wired LAN
. See
the WirelessNetworkSecurityHowto
.
+
+!!! WPA
+To use the more secure WPA encryption rather than WEP, install the
+__wpasupplicant__ package. This provides
a program that encrypts data sent
to your wireless card
. Unfortunately it can be difficult to set up, partly because it uses a lot of acronyms that you need to understand, and partly because of incompatibilities between wireless equipment.
+
+WPA-PSK means use a __P__re-__S__hared __K__ey - ie both the AccessPoint
+and the client know a shared secret.
+
+The main config file is /etc/wpa_supplicant.conf.
+
+Here is an example config file.
+<verbatim>
+
+# my wireless card (Atheron-based) and AP (Asus 6030) don't get on very
+# well if this is set to 2
+eapol_version=1
+
+# some default settings - see the example
+# /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz (debian) file
+ap_scan=1
+fast_reauth=1
+
+network={
+
ssid="MY SSID"
+
+ # priority that wpasupplicant should try to connect to this
+ # network block
(out of all blocks listed in this config file
)
+ # 9 is highest, 0 is lowest
+ priority=9
+
+ # my AP is set up to require WPA-PSK authentication
+ # defaults to WPA-PSK WPA-EAP
+ key_mgmt=WPA-PSK
+
+ # The password to use for WPA-PSK authentication.
+ # this has to match the password
on the AP, obviously
+ psk="shared secret password"
+
+ # the order to try encryption algorithms in.
+ #pairwise=AES TKIP
+
+ # broadcast/multicast group ciphers for WPA
+ # default is CCMP(AES counter) TKIP WEP104 WEP
+ # but my card/AP combination doesn't seem to work if it tries CCMP
+ # so I'll override
this setting
+ group=TKIP
+}
+</verbatim>
+
+Now after your card is running (but not configured), you can set up your
+connection/configuration to use WPA encryption by running
+<verbatim>
+wpa_supplicant -B -i''ath0'' -D''madwifi''
+</verbatim>
+replacing ''ath0'' with the correct interface (eth0, eth1,
and so on) for
+your machine, and ''madwifi'' with the correct driver for your
wireless
+card. -B means fork and go
into the background. "__wpa_supplicant -h__" lists the following supported drivers:
+* hostap
+* prism54
+* madwifi
+* atmel
+* wext
+* ndiswrapper
+* ipw2100
+
+If you want to try and debug why things aren't working, you can try the following from the command line:
+ wpa_supplicant -dd -t -K -i''interface'' -D''device''
+
+!! Configuring
your distro for WPA
+! Debian Sarge/Sid (and Ubuntu?)
+
+<tt>apt-get install wpasupplicant</tt>
+
+Create /etc/wpa_supplicant
.conf either from the example above, or based
+on /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz.
+
+Here is a snippet from my /etc/network/interfaces file.
+(This __replaces__ the snippet for WEP you can find on the WirelessSetupNotes page.)
+<verbatim>
+iface ath0 inet dhcp
+
pre-up wpa_supplicant -B -iath0 -Dmadwifi
+ down skill wpa_supplicant
+</verbatim>
+Note that it probably isn't necessary to get rid of
the wpa process after removing the interface, but it means that there aren't multiple processes if
+you remove/insert the card several times.
+
+!Other distros
+People who use other distros should put stuff here
.
----
Part of CategoryWireless
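Review bot: The example /etc/wpa_supplicant.conf in the WPA section stores the passphrase in clear text (psk="shared secret password"), but nothing in the added text tells the reader to restrict access to that file; add a sentence saying it should be owned by root and readable only by root (mode 600). The debug command in the same section passes -K, which includes key material in the debug output, so the text should say to drop -K or scrub the output before pasting it into a mailing list or bug report. Two smaller points: "Atheron-based" in the config comment looks like a typo for Atheros, and "down skill wpa_supplicant" in the /etc/network/interfaces snippet stops every wpa_supplicant process rather than only the one started for ath0, which deserves a word for machines with more than one wireless interface.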