My *nix world

Wireless security settings

If you have a home wireless access point and are not sure which wireless security settings to choose, read below.

Today's wireless access points offer more than one security mode. You can choose between NONE, WEP, WPA (v1), WPA (v2) and WPA Enterprise with RADIUS authentication.

Do not choose NONE, except when you want to provide network connection to all your neighbors.

WEP is a deprecated standard, don't use it! As a security mechanism it protects traffic with a key and a weak encryption algorithm (that's why it's deprecated, anyway).

WPA (v1), or just WPA1, is hard to crack if you use, for example, 14 random letters or a pass-phrase of 5 randomly chosen words. It comes with the TKIP and AES encryption protocols. Choose AES if possible.

WPA (v2), or just WPA2 (aka WPA Personal), is a better version of WPA1 that implements the AES-CCMP algorithm as a mandatory feature. I recommend choosing CCMP and not TKIP.

For WPA Enterprise (aka WPA with RADIUS authorization) you will need a RADIUS server. You have to be authenticated in order to be accepted by your AP as a trusted connection. For a home user this is too much. Stick to WPA2 and a long random pass-phrase.

Most APs offer the option to not broadcast your SSID as a supplementary security feature. It hides your AP only from novices. Someone who knows what they are doing does not need your AP's SSID to crack your AP. So if you stick to WPA + a long pass-phrase you can forget about this "hidden SSID", as it causes more setup problems than it adds security.

OK, so you have decided to set your AP with WPA2 with CCMP and a long random pass-phrase and no hidden SSID. Goooood!

As a Linux user I use WPA Supplicant to connect to my AP. WPA Supplicant is free software that implements these security standards for Linux, FreeBSD, NetBSD and Windows.

The WPA Supplicant configuration file can be found at:

/etc/wpa_supplicant/wpa_supplicant.conf

There you can also find a configuration template file named wpa_supplicant.conf.template. This template covers just about every option that wpa_supplicant offers.

#####################################################
# IMPORTANT: hidden SSID doesn't improve security
# So far the best security is WPA2+AES (AES aka CCMP)

# All options are described at:
#     /etc/wpa_supplicant/wpa_supplicant.conf.template
####################################################

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel

network={
               ssid="fooBar" # whatever SSID you might have

               bssid=00:22:bb:4c:e3:5f # if your AP has a MAC use it
               priority=10 # the higher the better

               key_mgmt=WPA-PSK
               pairwise=CCMP # CCMP stronger than TKIP
               group=CCMP # CCMP stronger than TKIP
               proto=WPA2 # WPA2 is just an alias for RSN
               psk="j57Y0KrT42IMIZ" # very long random pass-phrase

               # wpa_ptk_rekey=600 # for paranoids
               # scan_ssid=1 # only if you have hidden SSID
}

# ap_scan=2 # use only when hidden SSID

A setup like this is hard to crack, even for experts. It's simple but effective.
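To check an existing wpa_supplicant.conf against the recommendations above, here is a small auditor added for illustration (it is not part of the original post or of wpa_supplicant). The second network block in the sample is constructed, and the values assumed for omitted options should be verified against your version's wpa_supplicant.conf.template.

```python
import re
# Constructed sample: the page's block, then a deliberately weak one.
SAMPLE = '''
network={
    ssid="fooBar"
    key_mgmt=WPA-PSK
    pairwise=CCMP # CCMP stronger than TKIP
    group=CCMP
    proto=WPA2
    psk="j57Y0KrT42IMIZ"
}
network={
    ssid="legacy #1"
    psk="short1234"
    scan_ssid=1
}
'''
# Assumed values for omitted options; verify against your template file.
DEFAULTS = {"key_mgmt": "WPA-PSK IEEE8021X", "proto": "WPA RSN",
            "pairwise": "CCMP TKIP", "group": "CCMP TKIP"}

def strip_comment(line):
    """Drop a trailing # comment, but keep a # inside a quoted value."""
    return re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or "", line).strip()

def parse_networks(text):
    clean = "\n".join(strip_comment(l) for l in text.splitlines())
    nets = []
    for body in re.findall(r"^network=\{$(.*?)^\}$", clean, re.S | re.M):
        pairs = (l.split("=", 1) for l in body.splitlines() if "=" in l)
        nets.append({**DEFAULTS, **{k.strip(): v.strip() for k, v in pairs}})
    return nets

def audit(net):
    # Findings where a block departs from WPA2 + CCMP + long pass-phrase.
    if "NONE" in net["key_mgmt"].split():
        return ["no WPA: open or WEP network"]
    out = [f"{o} allows TKIP" for o in ("pairwise", "group")
           if "TKIP" in net[o].split()]
    if "WPA" in net["proto"].split():
        out.append("proto allows WPA1")
    psk = net.get("psk", "")
    if psk.startswith('"') and len(psk[1:-1]) < 14:
        out.append("pass-phrase shorter than 14 characters")
    if net.get("scan_ssid") == "1":
        out.append("hidden SSID: setup cost, no security gain")
    return out

if __name__ == "__main__":
    print([(n["ssid"], audit(n)) for n in parse_networks(SAMPLE)])
```

Stripping comments before checking matters here: without it, the word TKIP in the page's own `pairwise=CCMP # CCMP stronger than TKIP` comment would be reported as an enabled cipher.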


Eugen Mihailescu

Founder/programmer/one-man-show at Cubique Software
Always looking to learn more about *nix world, about the fundamental concepts of math, physics, electronics. I am also passionate about programming, database and systems administration. 16+ yrs experience in software development, designing enterprise systems, IT support and troubleshooting.