Quote:
Originally posted by g0tr00t
Question: How do I lock down my AP to keep wardrivers out?
Answer:
|
Stick the AP outside your network. Use a crossover cable to connect it to a Linux server that is completely locked down on that NIC (netstat -n -a should show nothing listening) except whatever tunneling you want to use (IPSEC, SSH, etc). A second NIC is connected to your secure network for authenticated/encrypted users to access. That way, even if someone wants to associate to your AP, they're not going to do jack. If they sniff your wireless traffic (with or without WEP), they just see encryption that isn't broken. If you have WEP + IPSEC or SSH, they'll just be pissed when they get enough WEP packets to see that it's all Protocol 50 (IPSEC) or tcp/22 (SSH).
The only secure way to use WEP alone is with EAP and that brings much more trouble and cost. With EAP, you're just changing your WEP key fast enough so that never enough packets are seen to statistically break WEP. Also, you've got different WEP keys per host, making it all the harder to crack.
Cisco sells some nice gear for EAP (they call it LEAP or Cisco EAP) but if you want to buy Cisco just get a VPN3000 Concentrator off eBay for $2K and stick all your APs on a VLAN outside of it. Not to mention you can use this to terminate your regular internet VPN traffic.