30 – Wireless Security

December 5, 2009 – 10:17 pm

Please note… This information no longer exists at the referenced locations.  This is only a copy of what was available in 2003.

Basic Linux Training™

Wireless Security

Bill Eastman

Wi-Fi (also known as 802.11) has several different versions; the most commonly deployed is 802.11b. Using Wi-Fi is like using a radio: people can drive by, and if your network isn’t secured, they will get an IP address and be able to access your whole network.

There are various options for securing your wireless network. This page covers two of the simpler ones. The first is Wired Equivalent Privacy (WEP), which is designed to provide a wireless LAN with a security level equal to that of a wired Ethernet network. There are currently three levels of WEP: 64-bit, 128-bit, and 256-bit. The WEP level you choose must be the same on the computers with wireless cards and on the access point. Not all wireless cards or access points support all levels of WEP.

If you have WEP enabled, a computer won’t receive an IP address automatically when it boots up. On my laptop, which currently is running Red Hat 8.0, I created a file named rc.local, which is executed after all the other init scripts, and it gets an IP address. Note that in the script below, the MAC address, all passphrases, and all hex passwords are fake (you really didn’t think I would use my real information, did you?). The file is below:

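#!/bin/sh
# Run only if the wireless card (identified by its MAC address) is present.
if ifconfig | grep -q "00:11:22:33:44:55"; then
   # Pick the WEP key that matches the ESSID currently in use.
   if iwgetid eth0 | grep -q "homenet"; then
     # Key given as hex digits (fake placeholder value).
     iwconfig eth0 key A111-B222-C333-D444-E555-F555-G666-H7
     dhclient
   elif iwgetid eth0 | grep -q "friendshouse"; then
     # Key given with the s: prefix (fake placeholder value).
     iwconfig eth0 key s:thepassword45
     dhclient
   fi
fi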

I’ll explain each line below:

The first if statement checks whether my wireless card is in. If it is, the script continues; otherwise it ends.

Next it checks the ESSID against the locations where I use WEP. If it finds one, it sets the correct key on the laptop and requests a DHCP lease.

If it doesn’t find any of the ESSIDs where I use WEP, it does nothing, as the laptop already has an IP address. There are two different ways of specifying the WEP key, and I used both of them above. With the first, you enter the hex values of the key. With the second, you use s:passphrase (the phrase that was used to generate the WEP key).
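As an added example (not part of the original 2003 script), the shell function below checks that a string is well formed in either of the two key formats described above before it is handed to iwconfig, and reports which WEP level it corresponds to. The function name wep_key_bits and the third sample key are made up for illustration; the lengths assume the usual WEP key sizes (10, 26 or 58 hex digits, or 5, 13 or 29 ASCII characters after s:).

```sh
#!/bin/sh
# Added example: classify an iwconfig WEP "key" argument.
# Assumed key sizes (secret key + 24-bit IV):
#   64-bit  = 10 hex digits or  5 ASCII characters
#   128-bit = 26 hex digits or 13 ASCII characters
#   256-bit = 58 hex digits or 29 ASCII characters

# wep_key_bits KEY   (hypothetical helper name)
# Prints 64, 128 or 256 and returns 0 if KEY is well formed;
# prints a reason on stderr and returns 1 otherwise.
wep_key_bits() {
    key=$1
    case $key in
        s:*)  # ASCII form: everything after "s:" is the key
            body=${key#s:}
            kind=ascii
            ;;
        *)    # hex form: dashes are only separators
            body=$(printf '%s' "$key" | tr -d '-')
            kind=hex
            case $body in
                ''|*[!0-9A-Fa-f]*)
                    echo "not a hex key: $key" >&2
                    return 1
                    ;;
            esac
            ;;
    esac
    len=${#body}
    case "$kind:$len" in
        hex:10|ascii:5)   echo 64 ;;
        hex:26|ascii:13)  echo 128 ;;
        hex:58|ascii:29)  echo 256 ;;
        *)  echo "wrong length for $kind key: $len" >&2
            return 1 ;;
    esac
}

# Constructed sample input: the two fake keys from the script above
# plus one made-up, well-formed hex key.
for k in 'A111-B222-C333-D444-E555-F555-G666-H7' \
         's:thepassword45' \
         '0123-4567-89AB-CDEF-0123-4567-89'; do
    bits=$(wep_key_bits "$k" 2>/dev/null) || bits=invalid
    printf '%-40s %s\n' "$k" "$bits"
done
```

The fake hex key from the script is reported as invalid because G and H are not hex digits, while s:thepassword45 is 13 characters long and so matches the 128-bit level.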

WEP isn’t perfect, but it is better than no security. In addition to using WEP at home, I’m also filtering on the Media Access Control address (MAC address), a hardware address that uniquely identifies each node of a network. If the MAC address isn’t in the access list of acceptable MAC addresses, then the computer will not get an IP address.

The cable modem router I have has an 802.11b access point that supports 64-bit and 128-bit WEP and also supports MAC filtering. The way MAC filtering is implemented on my cable modem router, it applies to both the wired (RJ-45) and wireless nodes.

In addition to cable modem routers with a built-in access point, there are also standalone access points.

Cable modem routers with a built-in access point and standalone access points are made by a variety of manufacturers, including (in no particular order) Linksys, D-Link, USR, and SMC.

Some of the APs say they will do 22 megabit or 54 megabit. As far as I know, these increased speeds don’t work with Linux. They work in Windows, but require that the wireless cards be made by the same manufacturer as the AP. If they aren’t, then it falls back to standard 802.11b.

Note that an 802.11b wireless card will NOT work with an 802.11a AP, but it will work with an 802.11g AP. 802.11g wireless cards might work with an 802.11b AP. I don’t know if Linux supports 802.11g yet. I do know that as of the last time I checked, 802.11a card support for Linux was still in development.


Copyright © 2003 Bill Eastman. All Rights Reserved.
Reproduction or redistribution without prior written consent is strictly prohibited. Address comments and inquiries to info@basiclinux.net.
