Wireless on Linux, Part 2
For us valiant Linux sysadmins, wireless networking is complicated by the difficulty of finding supported hardware. (Insert ritual rant about <cussing deleted> hardware vendors that are delighted to glom our money, but scorn to offer support.) Wireless Ethernet may no longer be new-fangled, but that doesn't mean it's all smooth sailing for Linux admins.
In part 1 of this two-article series, we discussed the relatively straightforward stuff — wireless products that work on Linux, wireless speeds, and definitions of the different protocols. Today we'll dive into the slightly more complex issues of chipsets, utilities, wireless access points, and security.
The most certain method of determining if a particular NIC will work on Linux is to check which chipset the NIC uses. A word of caution here — chipsets can change even though the model numbers stay the same. For example, several readers kindly pointed out that the Linksys WPC11/WMP11, which used to be a reference wireless NIC for Linux, now uses a Broadcom chipset, which is completely unsupported in Linux. The moral: take nothing for granted.
When shopping for a NIC, first ask the vendor which chipset the NIC uses. The Lucent/Agere Orinoco and Harris/Intersil Prism chips work great and are well-supported. (Yes, the company names keep changing — like we have nothing better to do than try to keep track.)
Linux has a wonderful set of built-in utilities to dig out the chipset information. These tools are particularly useful for confirming if you were told the truth before purchasing the NIC. With the NIC installed, run lspci. No need to have the drivers installed or to have it configured — just have the NIC plugged in.
lspci -v reports everything that is connected to the PCI bus, including mini-PCIs on notebooks. Be sure to get the newest version of lspci, v2.1.11 (use lspci --version to check which version you're using), as it is much improved. lspci is part of pciutils (see Resources for download links).
For genuine PCMCIA or Cardbus cards, use cardctl ident; for USB cards, run dmesg.
Linux Wireless Utilities
The various NICs come with the usual assortment of configuration utilities. Some of them even work on Linux. Most don't.
Thankfully, Linux has its own set of wireless utilities courtesy of Jean Tourrilhes, author of the Linux Wireless Howto. Packaged as wireless-tools, the latest edition is wireless-tools.26, which contains:
- iwconfig – for manipulating the basic wireless parameters, similar to ifconfig for wired cards
- iwlist – (formerly part of iwspy) for listing addresses, frequencies, bit-rates, etc.
- iwspy – for obtaining per node link quality
- iwpriv – for manipulating the Wireless Extensions specific to a driver
Reasons to Go Slow
If dependability is your goal, stick with straight 802.11b. I don't recommend purchasing multimode NICs yet. Many vendors now ship 802.11b/a/g cards, which sound like a perfectly delightful way to cover all the bases, and to be ready for when there is reliable Linux support for the a and g protocols. Given the sad history of Linux support (insert ritual snort of derision), though, I would wait for a sure thing.
Also, a new standard to replace the now-elderly PCI bus is emerging: ExpressCard. At the moment, it promises to be built on platform-independent standards, be very fast, and cost less to implement. Look for actual products to appear in 2004.
Yes, it's a ways off, so don't hold your breath, but given the reluctance of manufacturers to support Linux on existing wireless products, especially on the higher-speed devices, it may get here first anyway. If it lives up to its promise, writing drivers for different operating systems will be trivial, or possibly even unnecessary.
For Those Who Must Have Speeeed
Far be it from me to stand in the way of those who must live on the bleeding edge. For the fearless speed-demons there are a couple of 802.11a/b/g-on-Linux projects for Atheros and PRISM GT chipsets (see Resources). Atheros dares to support Linux well and publicly — bless them.
Wireless Access Points
With the exception of higher cost, there's no downside to using multi-mode access points. WAPs come with their own embedded operating systems, so OS compatibility is not as much of an issue. But there are still some irritating deficiencies. For example, many access points come with nice management and monitoring utilities that only run on Windows, and units with upgradeable firmware often require Windows to perform the upgrade. Still, although they have their limitations, these APs are usable on Linux.
Look for WAPs that can be configured via a browser interface; these will work anywhere. These APs typically include network settings, user management, WEP (Wired Equivalent Privacy), and support for roaming. Other common options are routing, bridging, DHCP server capabilities, and the ability to function as an Internet gateway.
The downside to units with browser interfaces, especially the lower-cost ones, is you're stuck with them — if you want to ssh in directly and perform cool command-line tricks, too bad; you can't.
Some other things to look for in a WAP:
- Removable antenna. Some units come with nice detachable antennas, for easy upgrading should you desire. Better antennas cost around $70.
- Options for placement on walls or shelves. Many APs have LEDs in odd places, rendering them less than useful. I want my blinky lights easily visible; otherwise, what's the point of having them?
Now we get to the fun part. WEP is pretty much universal. While WEP is universally considered to be weak and easily crackable, it is better than nothing. Never ever go nekkid with wireless; you must use some kind of encryption.
It is truly amazing how you can often struggle to get a decent signal inside your office, while at the same time the dern thing will escape outside for miles with the strength and clarity of a good TV broadcast, just waiting for some weirdo with a Pringles can to intercept it. Even if they don't want your data, I doubt you want them downloading megabytes of porn or, worse, launching attacks from your network.
Note that you cannot mix different WEP strengths in your WAPs and NICs — you must use 40-bit with 40-bit, and 128-bit with 128-bit. By the way, 128-bit is really 104-bit, and there's no reason to get all excited over key length, anyway. The weak point is in a 24-bit random number known as an Initialization Vector (IV). This goes out first, to initialize the connection. As any cracker will attest, there's no need to butt heads with a 40- or 104-bit key when you have a nice frail 24-bit target to play with.
Here are some essential steps to take:
- Make sure your firmware is the most recent release available
- Turn off remote administration
- Turn off Service Set Identifier (SSID) broadcasting
- Change the default admin password (duh!)
- Change the default SSID
- Select SSIDs with the same care as a password – don't use anything obvious or descriptive, like your domain name, birthday, dog's name, favorite color...make it hard to guess
- Generate a new encryption key – don't use the default if one is supplied! The default keys are few in number and known to the world
- Generate new keys periodically or when changes occur, such as employees leaving. This truly is less than no fun at all – it means entering the new key into every single wireless device on your network. No, Virginia, there is no key management in WEP. On the other hand, it does present you with the opportunity to look diligent. Doubtless a real Linux guru could figure out a way to script it.
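One way to script the key-generation steps above, as an added example that is not from the original article: it draws the key from /dev/urandom, uses the real secret lengths of 40 and 104 bits noted earlier, and prints the iwconfig command in dash-grouped hex form. The interface name eth0 and the function names are assumptions.

```sh
#!/bin/sh
# Added example: generate and sanity-check a WEP key for rotation.
# Assumptions (not from the article): interface eth0, randomness from /dev/urandom.

# gen_wep_key BITS -> prints a random key as dash-grouped hex (iwconfig format).
# BITS is the real secret length: 40 ("64-bit" WEP) or 104 ("128-bit" WEP);
# the remaining 24 bits of the advertised size are the IV, not key material.
gen_wep_key() {
    case "$1" in
        40)  nbytes=5 ;;
        104) nbytes=13 ;;
        *)   echo "gen_wep_key: BITS must be 40 or 104" >&2; return 1 ;;
    esac
    hex=$(head -c "$nbytes" /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s\n' "$hex" | sed 's/..../&-/g; s/-$//'
}

# valid_wep_key KEY -> exit 0 if KEY is 10 or 26 hex digits (dashes ignored)
# and is not one byte repeated, which is trivially guessable.
valid_wep_key() {
    raw=$(printf '%s' "$1" | tr -d '-' | tr 'A-F' 'a-f')
    case "$raw" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#raw}" -eq 10 ] || [ "${#raw}" -eq 26 ] || return 1
    first=$(printf '%s' "$raw" | cut -c1-2)
    rest=$(printf '%s' "$raw" | sed "s/$first//g")
    [ -n "$rest" ]
}

# rotation_cmd IFACE BITS -> prints the iwconfig command that installs a fresh key.
rotation_cmd() {
    key=$(gen_wep_key "$2") || return 1
    valid_wep_key "$key" || return 1
    printf 'iwconfig %s key %s\n' "$1" "$key"
}

# Print (do not run) the command; the same key must go on every client and the AP.
rotation_cmd eth0 104
```

Generate the key once per rotation and reuse the printed command on each client, since every station and the access point must share the same key.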
The "Wireless Security Blackpaper" is a must-read for wireless LAN admins, even though it barely addresses Linux. It covers the whys and howtos in detail. My favorite part is where it explains, in plain English, what the different numbers really mean when talking about encryption strength. (As always, see Resources for links.)
Really Not That Scary
This all sounds complicated, but it's really not so bad. If you have a good, supported NIC and a newer Linux distribution with a 2.4 kernel, your card should be recognized and the drivers automatically installed. Ethernet configs are old hat; use iwconfig or KWiFiManager. See Resources for two good configuration howtos: "Netgear MA101USB & RedHat 8.0 HOWTO" and "My Linux Wireless Tutorial using Linksys WPC11."
Resources
OK, this is a huge wad o' links. Not to worry, given the variety of wireless products, and the paucity of vendor documentation, these links should help you find anything you need:
Wireless Security Blackpaper
WLAN Adapter Chipset Directory
pciutils home page
ExpressCard home page
Linux PCMCIA Information Page
PRISM GT drivers
Atheros 802.11b/g and 802.11a/b/g drivers
Netgear MA101USB & RedHat 8.0 HOWTO (should be helpful for other systems too)
My Linux Wireless Tutorial using Linksys WPC11
The Linux Wireless LAN Howto
KWiFiManager - the wireless LAN client manager for KDE3