Internet Sharing can disrupt network?
Atheist
Mac Elite
Join Date: Sep 2006
Location: Back in the Good Ole US of A
Jun 25, 2010, 08:50 AM
 
My cube at work has crappy WiFi connectivity so I was going to share the ethernet connection on my laptop via Airport so my iPhone can connect to the internet. Upon checking the Internet Sharing checkbox I was presented with this:



Can anyone enlighten me about this potential network disruption?
( Last edited by Atheist; Jun 25, 2010 at 09:05 AM. )
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Jun 25, 2010, 11:41 AM
 
It's a long shot but in theory I suppose it could happen. However, I've done this on a number of networks and never had issues. Chances are high it will work just fine.

The larger concern is your work's IT policies -- retransmitting their hardline ethernet over wifi could expose their network in ways that they are not aware of (because they didn't have a role in reviewing or setting up your Internet Sharing). In some places this is a fireable offense, so please tread carefully.
     
Atheist  (op)
Mac Elite
Join Date: Sep 2006
Location: Back in the Good Ole US of A
Jun 25, 2010, 12:08 PM
 
Thanks for the info. I'll give it a shot.
     
Tuoder
Mac Elite
Join Date: Mar 2006
Location: Here
Jun 27, 2010, 01:19 AM
 
Password-protect it and don't broadcast the SSID. At my work, you aren't allowed to do this, but people do it anyway.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Jun 27, 2010, 10:49 AM
 
Originally Posted by Tuoder
Password-protect it and don't broadcast the SSID. At my work, you aren't allowed to do this, but people do it anyway.
That does almost nothing for security. No traffic is encrypted and client machines are totally exposed.

Even if one encrypts the Airport sharing, the only option is WEP, which is worthless against a semi-knowledgeable attacker (WEP can be broken in 60 seconds or so).

If I walked into an office and saw open wifi points into their work LAN, I'd think twice about doing business there if it involved any personal or proprietary data I cared about.
     
Tuoder
Mac Elite
Join Date: Mar 2006
Location: Here
Jun 27, 2010, 07:07 PM
 
Originally Posted by Cold Warrior
That does almost nothing for security. No traffic is encrypted and client machines are totally exposed.

Even if one encrypts the Airport sharing, the only option is WEP, which is worthless against a semi-knowledgeable attacker (WEP can be broken in 60 seconds or so).

If I walked into an office and saw open wifi points into their work LAN, I'd think twice about doing business there if it involved any personal or proprietary data I cared about.
When I said to password-protect it, I meant to encrypt it. Is there a way to password-protect it without encrypting it?

Not broadcasting the SSID and encrypting is not fool-proof, but no security is. WEP is easy to crack, but it is an extremely small subset of people who would even attempt it.

Or, to state it differently, find me someone who could find a hidden network and break through WEP, who wouldn't be able to do the same by brute-forcing WPA2 Personal with an additional couple of weeks.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Jun 27, 2010, 08:15 PM
 
Originally Posted by Tuoder
When I said to password-protect it, I meant to encrypt it. Is there a way to password-protect it without encrypting it?
Not with the OS X sharing prefs, but I've seen it on dedicated routers.
Not broadcasting the SSID and encrypting is not fool-proof, but no security is. WEP is easy to crack, but it is an extremely small subset of people who would even attempt it.
That's like saying I'll leave the keys in my Ferrari with the top down in Times Square. Crime isn't that bad, just a small subset of people. One is all it takes, then the business computers are all cracked, databases stolen, VOIP systems compromised, and a local newspaper article running a story about it.

Or, to state it differently, find me someone who could find a hidden network and break through WEP, who wouldn't be able to do the same by brute-forcing WPA2 Personal with an additional couple of weeks.
I can't, because it's not possible. Max out your WPA2 passphrase and throw in some random numbers and characters, and WPA2 cannot be broken. Not by brute force. Dictionary attack is the only attack for WPA2, but a solid passphrase protects against that.

WEP however is completely broken in the algorithm, and a huge password does no good because it is inherently weak.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jun 27, 2010, 09:54 PM
 
The primary effect of not broadcasting your SSID is that some clients -- even those you may want to -- cannot see your network to join it. On the other hand, the SSID is out there anyway, as part of some of the header information in data packets, so the bad guys, those attempting to capture your traffic so they can infiltrate your network, can see it.

As Cold Warrior says, WEP is as broken as it gets; it was based on a flawed implementation of what would otherwise be a very strong encryption algorithm, and that flaw made it simply useless. Further, there is a fixed maximum length of WEP keys -- 13 bytes. You cannot get any more out of WEP. Apple's implementation of ASCII-to-Key was to take the raw byte values of the first 13 characters entered as a "password" and simply ignore the rest. WEP was supposed to use the RC4 streaming cypher to protect the traffic, but an error in how that cypher was used with an initialization vector made even that very robust cypher useless. Unfortunately this was standardized and incorporated in the 802.11b standard before anyone had the opportunity to do a thorough enough investigation to identify this flaw.

WPA and WPA2, on the other hand, use a solid implementation of an AES-based encryption process that has been mathematically proven to be secure. As Cold Warrior points out, the only attack that has any hope of success is a dictionary attack -- against the key generation algorithm -- and it is only ever successful with VERY short passphrases/keys that include dictionary words. A completely random passphrase that is very long (I use the maximum 63 characters), and that contains all allowable characters, is exceptionally robust.

Glenn -----OTR/L, MOT, Tx
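The contrast drawn in the post above, as an added example that is not part of any post in this thread: a WEP key built from only the first 13 characters of a password, next to the WPA2 passphrase-to-key mapping and the entropy of a random 63-character passphrase. The PBKDF2 parameters (HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output) are the IEEE 802.11i passphrase mapping; the function names and sample passwords are made up here, and the WEP function models only the first-13-characters behaviour the post describes.

```python
import hashlib
import math
import secrets
import string

# 95 printable ASCII characters, the set a WPA2 passphrase may draw from.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
WEP_KEY_BYTES = 13  # 104-bit key, the fixed maximum cited in the post


def wep_ascii_to_key(password: str) -> bytes:
    """ASCII-to-key as the post describes it: raw bytes of the first 13 characters."""
    raw = password.encode("ascii")
    if len(raw) < WEP_KEY_BYTES:
        raise ValueError("this sketch only models the 13-character case")
    return raw[:WEP_KEY_BYTES]  # everything after character 13 is discarded


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 with the SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def random_passphrase(length: int = 63) -> str:
    """Uniformly random passphrase drawn from the OS CSPRNG."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def entropy_bits(length: int, alphabet: int = len(PRINTABLE)) -> float:
    """Guessing entropy, in bits, of a uniformly random string."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed sample passwords: they differ only after character 13.
    a = "correct-horse-battery-staple"
    b = "correct-horse-and-a-much-longer-tail"
    print("same WEP key: ", wep_ascii_to_key(a) == wep_ascii_to_key(b))
    print("same WPA2 PSK:", wpa2_psk(a, "office") == wpa2_psk(b, "office"))
    print("13 typed chars: %.1f bits" % entropy_bits(13))
    print("63 random chars: %.1f bits (PSK is 256)" % entropy_bits(63))
    print("suggested passphrase:", random_passphrase())
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, and a 63-character random passphrase carries more entropy than the 256-bit key it is reduced to.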
     
Tuoder
Mac Elite
Join Date: Mar 2006
Location: Here
Jun 28, 2010, 11:50 AM
 
Originally Posted by Cold Warrior
Not with the OS X sharing prefs, but I've seen it on dedicated routers.
That's like saying I'll leave the keys in my Ferrari with the top down in Times Square. Crime isn't that bad, just a small subset of people. One is all it takes, then the business computers are all cracked, databases stolen, VOIP systems compromised, and a local newspaper article running a story about it.

I can't, because it's not possible. Max out your WPA2 passphrase and throw in some random numbers and characters, and WPA2 cannot be broken. Not by brute force. Dictionary attack is the only attack for WPA2, but a solid passphrase protects against that.

WEP however is completely broken in the algorithm, and a huge password does no good because it is inherently weak.
That's not an apt metaphor at all. It would be more like saying "Lock your doors, but a moat is probably overkill."

WEP isn't very good at all. I could get in with 15 minutes of time. Any password-protected system can be bruteforced given enough time. The vast majority of unauthorized users of a network are just people looking for a hotspot. People are mostly just trying to find the easiest way to do that.

No pro is crusading to get you specifically, they're going after the easiest target. When being chased by an alligator, you don't have to run the quickest, you only have to run faster than your fattest friend.

Originally Posted by ghporter
The primary effect of not broadcasting your SSID is that some clients -- even those you may want to -- cannot see your network to join it. On the other hand, the SSID is out there anyway, as part of some of the header information in data packets, so the bad guys, those attempting to capture your traffic so they can infiltrate your network, can see it.

As Cold Warrior says, WEP is as broken as it gets; it was based on a flawed implementation of what would otherwise be a very strong encryption algorithm, and that flaw made it simply useless. Further, there is a fixed maximum length of WEP keys -- 13 bytes. You cannot get any more out of WEP. Apple's implementation of ASCII-to-Key was to take the raw byte values of the first 13 characters entered as a "password" and simply ignore the rest. WEP was supposed to use the RC4 streaming cypher to protect the traffic, but an error in how that cypher was used with an initialization vector made even that very robust cypher useless. Unfortunately this was standardized and incorporated in the 802.11b standard before anyone had the opportunity to do a thorough enough investigation to identify this flaw.

WPA and WPA2, on the other hand, use a solid implementation of an AES-based encryption process that has been mathematically proven to be secure. As Cold Warrior points out, the only attack that has any hope of success is a dictionary attack -- against the key generation algorithm -- and it is only ever successful with VERY short passphrases/keys that include dictionary words. A completely random passphrase that is very long (I use the maximum 63 characters), and that contains all allowable characters, is exceptionally robust.
I've mostly responded to this above. The purpose of not broadcasting SSIDs in this case is just to keep from being noticed, and to keep any random idiot from hopping on or generating the motivation to figure out how to get on.
     
msuper69
Professional Poster
Join Date: Jan 2000
Location: Columbus, OH
Jun 28, 2010, 01:03 PM
 
Wow! You're using a Cube at work.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jun 28, 2010, 08:47 PM
 
Originally Posted by Tuoder
I've mostly responded to this above. The purpose of not broadcasting SSIDs in this case is just to keep from being noticed, and to keep any random idiot from hopping on or generating the motivation to figure out how to get on.
If you're running WPA or WPA2, no random idiot will have any success in trying to hop on, no matter how motivated he is. To me the benefit (allowing others who have your permission to see your network) outweighs the rather remote possibility that others with evil intentions could somehow break WPA to get on your network.

It's your network, but in a practical sense not broadcasting the SSID is without value.

Glenn -----OTR/L, MOT, Tx
     
   