 
 From:  "Magne Andreassen" <magne dot andreassen at bluezone dot no>
 To:  "'John Voigt'" <1geek at jvoigt dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] FW: MAC filtering on wireless interfaces
 Date:  Sat, 6 Dec 2003 20:22:04 +0100
John Voigt wrote:
> 
> > Since MAC address spoofing is a rather common technique
> > to pass by WLAN "Security" I would not recommend using it.
> 
> Just because MAC spoofing is rather simple to do and can be 
> easily demonstrated hardly makes it common - I've been 
> running WLANs for several years and have never had anyone 
> hack someone else's MAC.  You need to differentiate between 
> those who just want to use this as a tool and those who play 
> with networks for fun or personal improvement (learning.)
> >
> > Use an IPSEC over WLAN tunnel instead. I myself allow traffic shaped
> > HTTP / HTTPS for geeks who still have fun standing in front of my door
> > and want to get online.
> >
> > Apart from that, the whole internal infrastructure uses IPSEC to reach
> > the internal machines.
> 
> Many of the users of monowall are not capable of managing an 
> IPSEC based setup as evidenced by the number of questions 
> posted here about how to make it work.  Don't discount a 
> simple improvement that gives some security just because 
> there is a better (though more complicated) one.
> 
> WLANs are inherently insecure but a balance between the 
> effort required to secure and the value of the data at risk 
> must be made.  Just because WEP is fairly easily broken is 
> not a reason to turn it off.  MAC filtering has its place 
> among other useful security tools.  IPSEC is more secure.  
> Seriously valuable data should not be accessible from WLANs at all.
>

First of all, most persons using m0n0wall and reading this list
should have no problem coping with PPTP or IPSEC on m0n0wall. There
are posts in this list explaining this quite well, and most readers
are willing to help out anyone with problems. OK, MAC filtering is a
no-brainer, but the security advantages you get with IPSEC/PPTP are
worth the while in many cases. And I can't see what is wrong in
recommending this instead of MAC filtering.

I understand that in most cases one won't bother to deal with the
security issues for a WLAN at home, but my opinion is that this is
wrong.
An "unsecured" WLAN can be exploited, and can result in many others
than just the owner being affected.
Just think of all those unprotected *DSL connected computers out
there that are an easy target for viruses and spammers. Maybe not a big
issue for the owner, a reinstall of windoze is quick and dirty,
but for the friends who lost valuable data because your computer
sent a virus, or got a whole lot of spam in their inbox, it is a big
deal.

WLANs are indeed the weakest point in many LANs around the world,
and sloppy setups seem to be a trend.
WEP was supposed to solve this, but what a bummer! First of all
it is simple to crack, second, it is often not used at all.
I agree that WEP and MAC filtering are better than nothing at all,
but why would we recommend the users of m0n0wall to use a less
secure approach, just because we won't bother to explain how to
set up the more secure solution?

By all means, use (at least) WEP or MAC filtering (or both?), but
one should be aware how easily these "security" features are exploited!
My point is, the less secured the WLAN, the higher the possibility you
are going to be exploited sometime or another.

I'm not saying that IPSEC/PPTP is the answer to a 100% secure WLAN, of
course not, but it is way more secure than WEP and MAC filtering.

IPSEC/PPTP might be a bit cumbersome to set up for the novice, but if
that documentation project comes along ;) , I think most of the target
user group for m0n0wall should be able to do this.
If not, most users on this list are more than happy to help out (I
think?)...

"It's a good thing to be a little paranoid..."


Magne