For wireless range limiting, adjusting signal strength is ONE option. In corporate environments I wouldn't reduce it too far, otherwise you will have connectivity issues, especially with weaker internal client cards (every card is different). Bitrate limiting is a good option to reduce the connectivity range of your APs while still maintaining a strong enough signal to support your clients. A combination of the two will be useful for him. Here's another point. You can always get past low-powered APs using an amplifier and a good Yagi, but you can't punch through a wall easily at 54Mbps :-P It depends on what you plan to do: are you worried about neighbors looking at your traffic or connecting to your network?
I've been using Atheros chipsets for auditing and research purposes for 4 years now, I love them. I was just stating that a lot of script kiddies still use Prism chipsets since a lot of how-to's out there haven't been updated. And yes, I still put the Hermes chipset in the same pool as the Prism series.
And of course I'm going to recommend a good IDS/IPS. Even the best infrastructure can't detect some of the newer exploits out there. How is your LWAP infrastructure going to protect you against a Phishing attack or Accidental Association to a neighboring AP? And since you're trolling, WEP cloaking is doing very well for us to augment our entire range of IPS functionality.
-N
-----Original Message-----
From: RB [mailto:aoz.syn (at) gmail (dot) com]
Sent: Thursday, April 17, 2008 12:53 AM
To: Nico Darrow
Cc: Charles Hardin; wifisec (at) securityfocus (dot) com; security-basics
Subject: Re: Wireless range limiting
On 4/16/08, Nico Darrow <ndarrow (at) airdefense (dot) net> wrote:
Speak of the devil.
> Here's my recommendation. If you want to limit the range of an AP, then just disable its lower bitrates.
Interesting suggestion - reducing your effective range by increasing
sensitivity to signal strength and interference doesn't necessarily
operate on the principle of least astonishment, but for some it might
be effective. For the non radio-heads out there, this approach won't
reduce your visibility to clients, just their ability to associate
with your AP from a distance.
> slower B clients with longer transmit windows), but you also get out of reach of most script kiddies with their 802.11b prism2 chipset ;-P
You're at least one major revision behind (two if you consider Orinoco
really was the last 11b darling, after Prism), the great majority of
kiddie cards have been replaced with 11a/g Atheros chipsets.
> Remember nothing beats a good Wireless IDS/IPS :-P
Says the guy that works for a wireless IDS/IPS company. How's that
WEP 'cloaking' doing for you guys, you ever run that and your IPS bit
through the ISM non-interference clause?
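
The trade-off discussed in this thread (disabling lower bitrates versus reducing transmit power) can be put into numbers with a simple link budget. The following is an added example, not part of the original messages; the sensitivity table, the 17 dBm and 9 dBm power levels, the path-loss exponent of 3.0 and all function names are constructed assumptions, and only the AP-to-client direction with 0 dBi antennas is modelled.

```python
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed, illustrative receive sensitivities (dBm) per 802.11b/g rate (Mbps).
# Real values differ from card to card; take them from the client's datasheet.
RX_SENSITIVITY_DBM = {1: -94, 2: -91, 5.5: -89, 11: -86, 6: -90, 12: -86, 24: -80, 54: -72}

def path_loss_db(distance_m, freq_hz=2.437e9, exponent=3.0):
    """Log-distance model: free-space loss at 1 m plus 10*n*log10(d)."""
    loss_at_1m = 20 * math.log10(4 * math.pi * freq_hz / C)
    return loss_at_1m + 10 * exponent * math.log10(distance_m)

def rssi_dbm(tx_dbm, distance_m, exponent=3.0):
    """Signal level a client sees at distance_m from the AP."""
    return tx_dbm - path_loss_db(distance_m, exponent=exponent)

def cell_edge_m(tx_dbm, min_rate_mbps, exponent=3.0):
    """Distance where the signal drops to the sensitivity of the lowest enabled rate."""
    budget_db = tx_dbm - RX_SENSITIVITY_DBM[min_rate_mbps] - path_loss_db(1.0, exponent=exponent)
    return 10 ** (budget_db / (10 * exponent))

def compare(client_distance_m=20.0):
    """Compare both range-limiting approaches for a client inside the building."""
    options = {
        "baseline (17 dBm, all rates)": (17, 1),
        "rate limit (17 dBm, 12 Mbps minimum)": (17, 12),
        "power cut (9 dBm, all rates)": (9, 1),
    }
    rows = {}
    for name, (tx_dbm, min_rate) in options.items():
        rssi = rssi_dbm(tx_dbm, client_distance_m)
        rows[name] = {
            "edge_m": cell_edge_m(tx_dbm, min_rate),
            "rssi_dbm": rssi,
            # Headroom an in-building client has left for the 54 Mbps rate.
            "margin_54_db": rssi - RX_SENSITIVITY_DBM[54],
        }
    return rows

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:38s} edge {row['edge_m']:6.1f} m   "
              f"RSSI at 20 m {row['rssi_dbm']:6.1f} dBm   "
              f"54 Mbps margin {row['margin_54_db']:5.1f} dB")
```

Under these assumptions both approaches give the same cell edge, but the power cut costs the in-building client 8 dB of signal while the rate limit leaves it unchanged.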