Wireless Security
Hello
I am wondering what the best practices are for wireless OpenBSD access points (an OpenBSD server on the network with just a wireless card installed).
How can I make it a 'hidden' network (not broadcasting the SSID)?
How can I filter on MAC addresses?
Most reliable PCI card? (I saw the list on the FAQ.)
Any other tips (or useful examples) would be greatly appreciated.
Non-broadcast SSID is not a security feature and will not protect a network. There are no best practices that attempt security via obscurity.
It is my understanding that filtering by MAC address on OpenBSD can only be performed on bridge(4) interfaces. Since bridge interfaces are passed through pf(4) filters twice -- once on input, and once on output -- you may block unwanted MAC address traffic either in, or out, or both directions. Filtration must be done by tagging the Ethernet frames. See the Tagging section of the PF User's Guide here: http://www.openbsd.org/faq/pf/tagging.html
WEP encryption is considered broken by the industry and should not be used for secure communication. WPA/WPA2, if supported by your network device, is the preferred best practice for secure 802.11 communications. Alternatives to WPA to consider may include ipsec(4) and authpf(8), or combinations.
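The bridge-rule tagging approach described in the reply above, sketched as an added configuration example that is not part of the original posts. The interface names (em0, ral0), the MAC addresses and the tag name KNOWN_STA are constructed placeholders.

```conf
# --- /etc/hostname.bridge0 (each line is handed to ifconfig(8) for bridge0) ---
# Assumed names: em0 = wired LAN, ral0 = wireless card in Host AP mode.
add em0
add ral0
# Bridge rules are evaluated in the order added; the first match wins.
# Known stations (constructed MACs) pass and receive a tag pf(4) can match.
rule pass in on ral0 src 00:de:ad:be:ef:01 tag KNOWN_STA
rule pass in on ral0 src 00:de:ad:be:ef:02 tag KNOWN_STA
# Every other frame arriving from the wireless side is dropped at layer 2.
rule block in on ral0
up

# --- /etc/pf.conf (fragment) ---
wifi_if = "ral0"
# Default deny on the wireless member interface ...
block in on $wifi_if
# ... then admit only packets whose frames the bridge tagged above.
pass in on $wifi_if tagged KNOWN_STA
# A source MAC is asserted by the client, so this limits traffic to listed
# devices but does not authenticate them; WPA2 or IPsec still carries that job.
```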
Wow thanks for the response! I have been reading a lot about the items you have listed above.
I know it's not a security feature, but is it possible to not broadcast the SSID with OpenBSD? I would like to have this feature if possible.
From ifconfig(8). Please read both paragraphs.
Code:
nwflag flag
        Set specified flag.  The flag name can be either `hidenwid' or
        `nobridge'.  The `hidenwid' flag will hide the network ID (ESSID)
        in beacon frames when operating in Host AP mode.  It will also
        prevent responses to probe requests with an unspecified network
        ID.  The `nobridge' flag will disable the direct bridging of
        frames between associated nodes when operating in Host AP mode.
        Setting this flag will block and filter direct inter-station
        communications.

        Note that the `hidenwid' and `nobridge' options do not provide
        any security.  The hidden network ID will be sent in clear text
        by associating stations and can be easily discovered with tools
        like tcpdump(8) and hostapd(8).
As an example, EverydayDiesel, I manage two WiFi networks at my home. One network uses WPA2 with pre-shared keys, the other is an "open" WiFi subnet where the 802.11 frames are sent in plaintext. However, it is not "open" to other subnets or to the Internet - security is managed by IPSec and PF:
Quote:
I haven't found a decent wifi usb or pci adapter locally, so I'm running my wireless on a dlink $30 "router" plugged in to a standard NIC. I want to upgrade this ASAP.
Quote:
I REALLY like this methodology and will revisit some of these items later. For now I have to get my current up to speed |