WirelessNetworkSecurityNotes
Don't rely on [WEP] to secure your network. Even with 128-bit or 256-bit keys it is trivial to crack. If you want to ignore this because you are testing or don't care, you can pass the [WEP] key to the driver as follows:

<verbatim>
iwconfig eth2 enc yourhexkey
</verbatim>

!!! VPN/tunnel

Use a secure tunnel/[VPN] from wireless clients over the wireless network onto your real network. Put your WLAN hosts behind a firewall to protect your wired LAN from wireless intruders. Install [pptpd(8)] on this firewall box and force wireless hosts to securely tunnel into your wired LAN. See the WirelessNetworkSecurityHowto.

!!! WPA

To use the more secure [WPA] encryption rather than WEP, install the [wpasupplicant|http://hostap.epitest.fi/wpa_supplicant/] package. This provides the program that handles WPA authentication and key negotiation with the access point on behalf of your wireless card. Unfortunately it can be difficult to set up, partly because it uses a lot of acronyms that you need to understand, and partly because of incompatibilities between wireless equipment. There is a good, very helpful mailing list accessible from the wpasupplicant link above.

WPA-PSK means use a __P__re-__S__hared __K__ey, i.e. both the AccessPoint and the client know a shared secret. The main config file is /etc/wpa_supplicant.conf. Here is an example config file.

<verbatim>
# my wireless card (Atheros-based) and AP (Asus 6030) don't get on very
# well if this is set to 2
eapol_version=1

# some default settings - see the example
# /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz (debian) file
ap_scan=1
fast_reauth=1

network={
        ssid="MY SSID"

        # priority that wpasupplicant should try to connect to this
        # network block (out of all blocks listed in this config file)
        # 9 is highest, 0 is lowest
        priority=9

        # my AP is set up to require WPA-PSK authentication
        # defaults to WPA-PSK WPA-EAP
        key_mgmt=WPA-PSK

        # The password to use for WPA-PSK authentication.
        # this has to match the password on the AP, obviously
        psk="shared secret password"

        # the order to try encryption algorithms in
        # (CCMP is the AES-based cipher)
        #pairwise=CCMP TKIP

        # broadcast/multicast group ciphers for WPA
        # default is CCMP(AES counter) TKIP WEP104 WEP40
        # but my card/AP combination doesn't seem to work if it tries CCMP
        # so I'll override this setting
        group=TKIP
}
</verbatim>

Now after your card is running (but not configured), you can set up your connection/configuration to use WPA encryption by running

<pre>
wpa_supplicant -B -i''ath0'' -D''madwifi''
</pre>

replacing ''ath0'' with the correct interface (eth0, eth1, and so on) for your machine, and ''madwifi'' with the correct driver for your wireless card. -B means fork and go into the background.

"__wpa_supplicant -h__" lists the following supported drivers:
* hostap
* prism54
* madwifi
* atmel
* wext
* ndiswrapper
* ipw

If you want to try and debug why things aren't working, you can try the following from the command line:

<pre>
wpa_supplicant -dd -t -K -i''interface'' -D''driver''
</pre>

-dd increases the debug verbosity, -t adds timestamps, and -K includes key material (passwords, etc.) in the debug output, so trim that output before posting it to a mailing list.

!! Configuring your distro for WPA

! Debian Sarge/Sid (and Ubuntu?)

<tt>apt-get install wpasupplicant</tt>

Create /etc/wpa_supplicant.conf either from the example above, or based on /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz.

Here is a snippet from my /etc/network/interfaces file. (This __replaces__ the snippet for WEP you can find on the WirelessSetupNotes page.)

<verbatim>
iface ath0 inet dhcp
        pre-up wpa_supplicant -B -iath0 -Dmadwifi
        down skill wpa_supplicant
</verbatim>

Note that it probably isn't necessary to get rid of the wpa_supplicant process after removing the interface, but it means that there aren't multiple processes if you remove/insert the card several times.

!Ubuntu 6.06 (Dapper)

Instead of doing "<tt>pre-up wpa_supplicant ...</tt>", Ubuntu starts wpa_supplicant on boot. Edit the <tt>/etc/default/wpasupplicant</tt> file:

<verbatim>
ENABLED=1
OPTIONS="-w -Dipw -ieth1 -c /etc/wpa_supplicant.conf"
</verbatim>

changing the options for -D and -i as appropriate. In 6.06, my old config of using "-Dipw" for my Centrino-based laptop no longer worked - I had to use "-Dwext" instead for the generic wireless driver.

You could also try installing the __network-manager__ package, but this is a bit flaky for now.

!Other distros

People who use other distros should put stuff here.

----
Part of CategoryWireless