[ale] wpa_supplicant on hidden SSIDs

Alex Carver agcarver+ale at acarver.net
Fri Sep 27 15:47:28 EDT 2013


On 9/27/2013 10:27, Brian MacLeod wrote:
> On 9/27/13 11:02 AM, Alex Carver wrote:
> 
>> Not a long time, I know.  But long enough that I'll notice you.  I
>> know the pitfalls but I'm making the decision that my traffic
>> habits would make it difficult for anyone but an extremely
>> determined person to get past the lower level security.  Someone
>> would have to spend a considerable amount of time every day war
>> driving my place to catch me on wireless.  Enough time that I will
>> certainly notice the effort (or at the very least having captured
>> you on camera multiple times).
> 
> 
> I don't know the camera situation, and how often those get reviewed.
> If you have that kind of time, then you are welcome to do so, and
> welcome to spend time doing things on your wireless that equally do
> nothing for security.

The cameras are automatic but that's an entirely different topic.  But
saying things like a MAC filter does nothing for security is the
equivalent of saying a lock on a door does nothing for the house
security.  Are there ways in (the window or another door perhaps)[1]?
Sure, there are and someone determined enough to do it can get in.  The
lock is an impediment to casual snoopers or some that are not quite as
determined or have limited time/resources.  The idea is to throw up as
many obstacles as possible and filter people out by skill.  Start with
the simple obstacles and move upwards from there.  The easy people get
defeated with the lower level security (MAC filter, hidden SSID).  The
obstinate people get hit with solving the encryption keys and whatever
other security may lie beyond that.



> My suggestion would be to not bother, do WPA2, _AND_ set up a VPN
> server between your wireless and wired networks.  Use of the wireless
> requires a connection to the VPN box via revocable self-signed
> certificates.  That box then does the routing of verified clients, and
> anything unverified gets exactly squat.
>
> That would do real verifiable security, allow you to learn something
> very useful (because we're quickly finding that we need skilled VPN
> operators now), rather than trying to find network devices that will
> allow you to leave your SSID hidden and still be easily connectable.

I never said I didn't have strong encryption on the AP (I do), all I
said was I wanted a hidden SSID.  One has nothing to do with the other.

As for VPN, I can't do VPN on all clients.  Not every client of the
wireless network is a full computer.  Only two out of six are full
computer clients -- the laptops.  That's not to say the wireless clients
have full access to the rest of the network either.  There's plenty of
other filtering going on that limits what each wireless device can
access in general and all the services inside have security on them
(e.g. key authentication for SSH access to internal hosts).

So sure, I've got the alarm system in the house, I've got the guards
with guns, I've got everything chained to the walls or floors.  But I'm
still going to put a lock on the door and a sign that says "Go away".
For most people, the lock and the sign will be enough to move on
somewhere else.


[1] An alternate analogy would be gates and gate arms at parking lots.
For most people the gate arm and signage would be sufficient to keep
them from sneaking in.  A slightly more determined person might try to
lift the gate arm but have little time before someone notices.  A truly
determined person is just going to crash the gate and go in so the next
level defenses are there to handle those people.


