Wireless security settings


Please note that this blog has been moved.

Now it has its own domain: mynixworld.info 🙂


If you have a home wireless access point and you are not sure which security settings to choose, then read below.

Today's wireless access points offer more than one security mode. You can choose between NONE, WEP, WPA (v1), WPA (v2) and WPA Enterprise with RADIUS authentication.

Do not choose NONE, except when you want to provide network connection to all your neighbors.

WEP is a deprecated standard; don’t use it! Its key-based protection relies on a weak encryption algorithm (that’s why it was deprecated, anyway).

WPA (v1), or just WPA1, is hard to crack if you use, for example, 14 random letters or a pass-phrase of 5 randomly chosen words. It comes with the TKIP and AES encryption protocols. Choose AES if possible.

WPA (v2), or just WPA2 (aka WPA Personal), is a better version of WPA1 that implements the AES-CCMP algorithm as a mandatory feature. I recommend choosing CCMP and not TKIP.

For WPA Enterprise (aka WPA with RADIUS authorization) you will need a RADIUS server. You have to be authenticated in order to be accepted by your AP as a trusted connection. For a home user this is too much. Stick to WPA2 and a long random pass-phrase.

Most APs offer the option not to broadcast your SSID as a supplementary security feature. It will hide your AP only from novices. Someone who knows what they are doing does not need your AP's SSID to crack your AP. So, if you stick to WPA + a long pass-phrase, you can forget about this “hidden SSID”, as it causes more setup problems than it provides security.

OK, so you have decided to set your AP with WPA2 with CCMP and a long random pass-phrase and no hidden SSID. Goooood!

As a Linux user I use WPA Supplicant to connect to my AP. WPA Supplicant is free software that implements these security standards for Linux, FreeBSD, NetBSD and Windows.

The WPA Supplicant configuration file can be found at:

/etc/wpa_supplicant/wpa_supplicant.conf

You can also find there a configuration template file named wpa_supplicant.conf.template. This template describes every possible option that wpa_supplicant offers.

#####################################################
# IMPORTANT: hidden SSID doesn't improve security
# So far the best security is WPA2+AES (AES aka CCMP)

# All options are described at:
#   /etc/wpa_supplicant/wpa_supplicant.conf.template
####################################################

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel

network={
        ssid="fooBar" # whatever SSID you might have

        bssid=00:22:bb:4c:e3:5f # if your AP has a MAC use it
        priority=10 # the higher the better

        key_mgmt=WPA-PSK
        pairwise=CCMP # CCMP stronger than TKIP
        group=CCMP # CCMP stronger than TKIP
        proto=WPA2 # WPA2 is just an alias for RSN
        psk="j57Y0KrT42IMIZ" # very long random pass-phrase

        # wpa_ptk_rekey=600 # for paranoids
        # scan_ssid=1 # only if you have hidden SSID
}

# ap_scan=2 # use only when hidden SSID

A setup like this is hard to crack, even for experts. It’s simple but effective.
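
An added example, not part of the original post: a small Python check that reads the network blocks of a wpa_supplicant.conf and reports where they depart from the WPA2 + CCMP + long pass-phrase setup recommended above. The function names, the 14-character threshold (taken from the "14 random letters" above) and the second sample block are assumptions made for illustration.

```python
import re

MIN_PASSPHRASE = 14  # assumption: the article's "14 random letters" rule of thumb
PINNED = {"proto": ("RSN", "WPA2"), "pairwise": ("CCMP",), "group": ("CCMP",)}
SAMPLE = '''
network={
        ssid="fooBar" # the article's own settings
        pairwise=CCMP
        group=CCMP
        proto=WPA2
        psk="j57Y0KrT42IMIZ"
}
network={
        ssid="legacy#net" # constructed weak entry; a hash inside quotes is data
        proto=WPA RSN
        pairwise=CCMP TKIP
        psk="hunter22"
        scan_ssid=1
}
'''

def parse_networks(text):
    """Return one {option: value} dict per network={...} block, comments dropped."""
    networks, current = [], None
    for raw in text.splitlines():
        line = re.match(r'(?:[^"#]|"[^"]*")*', raw).group(0).strip()
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return networks

def audit(net):
    """List the ways a block departs from WPA2 + CCMP + long pass-phrase."""
    findings = []
    if "NONE" in net.get("key_mgmt", "").split():
        findings.append("key_mgmt=NONE (open or WEP network)")
    for opt, allowed in PINNED.items():  # an unset option counts as not pinned
        if net.get(opt, "").split() not in [[a] for a in allowed]:
            findings.append("%s not pinned to %s" % (opt, "/".join(allowed)))
    psk = net.get("psk", "")
    if psk.startswith('"') and len(psk.strip('"')) < MIN_PASSPHRASE:
        findings.append("passphrase shorter than %d characters" % MIN_PASSPHRASE)
    if net.get("scan_ssid") == "1":
        findings.append("scan_ssid=1 (hidden SSID adds no security)")
    return findings
```

Run `audit()` over each dict returned by `parse_networks()`; an empty list means the block matches the setup described in this article.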

 

About Eugen Mihailescu

Always looking to learn more about *nix world, about the fundamental concepts of arithmetic, algebra and geometry. I am also passionate about programming, database and systems administration.