Wireless on Linux, Part 2 - Page 3
September 23, 2003
Now we get to the fun part. WEP is pretty much universal. While WEP is universally considered to be weak and easily crackable, it is better than nothing. Never ever go nekkid with wireless; you must use some kind of encryption.
It is truly amazing how you can often struggle to get a decent signal inside your office, while at the same time the dern thing will escape outside for miles with the strength and clarity of a good TV broadcast, just waiting for some weirdo with a Pringles can to intercept it. Even if they don't want your data, I doubt you want them downloading megabytes of porn or worse, launching attacks from your network.
Note that you cannot mix different WEP strengths in your WAPs and NICs — you must use 40-bit with 40-bit, and 128-bit with 128-bit. By the way, 128-bit is really 104-bit, and there's no reason to get all excited over key length, anyway. The weak point is in a 24-bit random number known as an Initialization Vector (IV). This goes out first, to initialize the connection. As any cracker will attest, there's no need to butt heads with a 40- or 104-bit key when you have a nice frail 24-bit target to play with.
Here are some essential steps to take:
- Make sure your firmware is the most recent release available
- Turn off remote administration
- Turn off Service Set Identifier (SSID) broadcasting
- Change the default admin password (duh!)
- Change the default SSID
- Select SSIDs with the same care as a password – don't use anything obvious or descriptive, like your domain name, birthday, dog's name, or favorite color. Make it hard to guess
- Generate a new encryption key – don't use the default if one is supplied! The default keys are few in number and known to the world
- Generate new keys periodically or when changes occur, such as employees leaving. This truly is less than no fun at all – it means entering the new key into every single wireless device on your network. No Virginia, there is no key management in WEP. On the other hand, it does present you with the opportunity to look diligent. Doubtless a real Linux guru could figure out a way to script it.
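The last two steps above, scripted as an added example (this is not code from the original article): it generates a fresh random key of the right length for 40-bit or 128-bit WEP and prints the `iwconfig` command that installs it. The interface name `eth1` and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate a random WEP key and print the iwconfig command
# that installs it. The interface name (eth1) is an assumption.

# wep_hex_len BITS: hex digits in the secret part of the key. "128-bit" WEP
# carries a 104-bit secret (26 hex digits); "40-bit" WEP is 10 hex digits.
wep_hex_len() {
    case "$1" in
        40)      echo 10 ;;
        104|128) echo 26 ;;
        *) echo "unsupported WEP strength: $1" >&2; return 1 ;;
    esac
}

# gen_wep_key BITS: random hex key read from /dev/urandom.
gen_wep_key() {
    n=$(wep_hex_len "$1") || return 1
    od -An -N "$((n / 2))" -tx1 /dev/urandom | tr -d ' \n'
}

# is_valid_wep_key HEX: true only for 10 or 26 hex digits.
is_valid_wep_key() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 10 ] || [ "${#1}" -eq 26 ]
}

# format_wep_key HEX: group as XXXX-XXXX-..., a form iwconfig accepts.
format_wep_key() {
    printf '%s\n' "$1" | sed 's/..../&-/g; s/-$//'
}

# iwconfig_cmd IFACE HEX: command line that sets the key on one interface.
iwconfig_cmd() {
    is_valid_wep_key "$2" || { echo "invalid WEP key" >&2; return 1; }
    printf 'iwconfig %s key %s\n' "$1" "$(format_wep_key "$2")"
}

# Dry run: print the command rather than executing it. Matching 40-bit with
# 40-bit and 128-bit with 128-bit is still up to you.
key=$(gen_wep_key 128)
iwconfig_cmd eth1 "$key"
```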
The "Wireless Security Blackpaper" is a must-read for wireless LAN admins, even though it barely addresses Linux. It covers the whys and howtos in detail. My favorite part is where it explains, in plain English, what the different numbers really mean when talking about encryption strength. (As always, see Resources for links.)
Really Not That Scary
This all sounds complicated, but it's really not so bad. If you have a good, supported NIC and a newer Linux distribution with a 2.4 kernel, your card should be recognized and the drivers automatically installed. Ethernet configs are old hat; use iwconfig or KWiFiManager. See Resources for two good configuration howtos: "Netgear MA101USB & RedHat 8.0 HOWTO" and "My Linux Wireless Tutorial using Linksys WPC11."
Resources
OK, this is a huge wad o' links. Not to worry: given the variety of wireless products and the paucity of vendor documentation, these links should help you find anything you need:
- Wireless Security Blackpaper
- WLAN Adapter Chipset Directory
- pciutils home page
- ExpressCard home page
- Linux PCMCIA Information Page
- PRISM GT drivers
- Atheros 802.11b/g and 802.11a/b/g drivers
- Netgear MA101USB & RedHat 8.0 HOWTO (should be helpful for other systems too)
- My Linux Wireless Tutorial using Linksys WPC11
- The Linux Wireless LAN Howto
- KWiFiManager - the wireless LAN client manager for KDE3