|
While I'm lunching...
Aye, change the SSID. Pre-built hashes are easily available to make dictionary WPA cracking a breeze.
MAC filtering is almost useless, but it adds a small layer. The downside is tracking the equipment vs. MAC if your equipment changes much. Most WAPs don't provide a name field for the address so you have to track it separately.
Disabling SSID broadcast is another barely useful security measure. Tools that watch for the packets expose them automatically. Disabling broadcast can also cause problems with crappy client code. If you're having troubles associating new equipment with a WAP try enabling the broadcast temporarily.
Use WPA with AES if your stuff supports it, TKIP otherwise. Don't trust anything important over WEP. Certainly don't shackle a net with it because of a few dinosaurs. Replace the ancient equipment, update your drivers, and move forward.
DHCP doesn't help security. While it can show unauthorized users in the lease table, for consumer equipment, enabling DHCP doesn't mean someone can't assign a static and stay out of the table. It does make casual connections very simple. Neighbors do this to each other all the time without even knowing. (until they can't print - hey, why isn't my printer showing up?)
If you need to track users without DHCP or with the useless tools provided by most WAPs, use external tools that work by tracking associations. It's much more reliable, and shows who's trying to get in as well as who's already inside.
Off again...
__________________
There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195
|