Is my network secure enough now?!?

Both items 3 & 4 are of minimal to no value as far as security measures are concerned. The best measure is using WPA, which you have done, with a very long and random key. Personally I use WPA-PSK (TKIP) with a >25 character totally random ASCII key...


Reply to
Sooner Al [MVP]

Actually, it is *precisely* true.

Okay, so you are saying that it keeps the harmless people out, and only those who are most likely to do you real harm can get in. Not good.

Generally that is a good thing too.

And if it is, he's using WPA to keep them out. Because SSID, MAC filtering and WEP certainly won't.

That isn't a case of being a good neighbor, it's a case of being a smart neighbor. If they don't see your network, they can't plan to avoid it. So, they look, and see everyone except you, and plonk down right on the same channel you chose. They just happen to have a big antenna and good receivers, so you don't bother them at all, but they cause just enough interference to reduce your bit rate from 54 to 4 Mbps, but only intermittently.

Not good!

What for?

Sure. Protection that causes *you* far more inconvenience than it does someone intent on hacking into your network!

Not good...

Reply to
Floyd L. Davidson

What Al told the O.P. isn't really true. Disabling SSID and enabling MAC filtering will thwart all but the most devious and dedicated hackers who are out cruising the neighborhood packet sniffing and looking to break in-- a very small number of people indeed. The average Joe won't even see his network-- much less get in.

It's like the lock on your front door or your car door. It can be defeated-- but only by those who really want to do that and have the technical know-how and tools. The O.P. has good enough security for most situations most of the time.

And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much tougher to defeat--- even by a techno-nerd....

Doc

Reply to
J.H. Holliday

Well, first let's be clear on what I said and that was..."The best measure is using WPA, which you have done..."

Now I agree that WPA using AES is better, but WPA, whatever flavor you use is better than WEP. It simply depends on what your hardware supports. Mine supports WPA (TKIP), but not AES...

Secondly, security through obscurity is simply no security... Not to mention some clients simply can not connect to a wireless network if the SSID is not broadcast. That is a fact...

Later...

Reply to
Sooner Al [MVP]

I've set up a wireless network at home for the first time, having hopefully read up enough on security to make this a 'safe' proposition. What I'd like to know is, having taken these steps, can I consider my wireless network to be fully secure to all intents and purposes (given that I'm just an ordinary person living in a low-population density suburb (rather than, say, a corporate user at high risk of attack))?

I have a Linksys WRT54G router connected to always-on broadband, and have taken the following steps:

  1. Changed the router admin login details from the default
  2. Changed the default SSID
  3. Disabled SSID broadcast
  4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to connect wirelessly)
  5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds, whatever that means!)
  6. Enabled Windows XP firewall on all PCs (plus the router's hardware firewall).

Does this sound reasonable? Should I really worry about accessing online banking wirelessly for example, any more than when accessing it from a wired PC?

Reply to
Lobster

So far I haven't been successful with 5 & 6. I take it the MAC address is the numbers/letters on the card that slots into the Notebook adjacent to the serial number? Group renewal, I was wondering what that was too?

Thanks

Reply to
Keith (Southend)

I would just add that you use a long nonsense passphrase as your encryption key. An example is:

p8Y38LdIzIG3_AUqzQTwLfMyL2TSWAqgKlh9izvmI9DrE2EMGTb7F3Y2sNxS4MG

Reply to
Doug Jamal

I agree that disabling the SSID is a good thing. When people with Wi-Fi click on "view wireless networks"... they will not see you. Their curiosity will not be piqued to the point where they start thinking... "I wonder who that is... I wonder if my computer hacker friend Fred can get into this network?" The argument against hiding the SSID is that you are not being a good neighbor and those folks won't know to avoid your channel. So... you can take the attitude that you will police the neighborhood and avoid other Wi-Fi channels that are in use. Of course you may not be the only one with that attitude and channel conflicts can occur. So what to do. I hide my SSID. I also use MAC filtering. Why not... it's easy and one more layer of protection.

Reply to
DanR

Lobster wrote in news:3z0re.7460$ snipped-for-privacy@newsfe5-win.ntli.net:

When you access a security-sensitive site e.g. online banking or shopping checkout, you will** be using a secure HTTPS connection irrespective of how you connect. That means data is encrypted end-to-end between your PC and the bank or store.

If you have set up your wireless LAN to provide WPA encryption, the data is encrypted a second time whilst in transit on your wireless LAN, using a key that is typically changed every 60 minutes. So the answer to your question is "No".

** If not, consider changing - NOW!

Reply to
McSpreader

I agree. Still, and I know it's paranoia, when I make purchases online or do my online banking, I use a wired connection.

Reply to
Doug Jamal

Thanks to all for the replies; I'm quite reassured now! And I can see that I can beef up my security another notch by using a better WPA key, and by switching from TKIP to AES, which my router also supports.

Reply to
Lobster

Might as well throw in my worthless opinions and suggestions.

Dump the Linksys firmware and switch to an alternative:

It's not any more secure, but it has many more features and goodies.

Alternative firmware can have multiple ways to access the WRT54G. Besides the web interface, there's SSH2, telnet, SNMP, and PPTP. All of these have passwords. SNMP has two (read and write). Do NOT assume that they are all identical or that changing one will change the others. Check all of them.

There's your chance to be creative.

Waste of time and causes problems with some wireless clients. It also pisses me off because I have to dig out my Linux Kismet application to find other users on what I would expect to be an unpolluted channel. If you're spewing RF, it's considered "polite" to tell the world that you're around.

I can spoof any MAC address in about 2 seconds.

You don't even need a utility, as a registry tweak and a reboot will do the trick. Run: nbtstat -A your_IP_address to disclose your current MAC address.

So far, nobody has been able to decrypt WPA-PSK with either RC4 or AES encryption (with non-trivial pass phrases). I guess that means nobody is going to hack your system. However, give me 30 seconds on your laptop and I'll steal your WPA pass phrase, which some vendors still stupidly plant in the registry in plain text. That's what's wrong with WPA-PSK (pre-shared key). So, you're safe as long as nobody has physical access to your WRT54G or client computah.

Group renewal means that every 3600 seconds (1 hr), the encryption key is re-negotiated with all clients. Methinks that's a bit long for roaming clients and hot spots, but probably just fine for home use.

Enabling the firewall and configuring it are two different animals. Having a personal firewall is a good idea. However, it interferes with many services. So, the Windoze Firewall has "Exceptions" which are essentially holes in the firewall. Pay special attention to the "Windoze File and Print" exception and which interfaces are allowed to access shares. Having a firewall that looks like Swiss Cheeze is not a good idea.

It's good enough. However, you're worrying about the wrong things. The real threats are keyboard loggers, spyware, and trojan horse programs. These will send your keystrokes, credit card numbers, and useful info to the forces of evil on the internet. There's nothing that a Windoze firewall, wireless encryption, or security band-aids will do to prevent these from arriving on your machine. Put some time and effort into identifying, removing, and blocking your computah from spyware infections, and your banking will be safe. Also, pay special attention to how you access your online bank's URL. There are plenty of URL redirectors and web and DNS hijackers around that redirect your bank's web page to the forces of evil's phishing site.

Reply to
Jeff Liebermann

What difference does it make *where* you are, if you have WPA enabled what value is there to causing yourself problems with SSID and MAC addressing?

Not a great deal, but you *do* have to put the address of each and every interface you want to use into the table. Every new one has to be added.

It's a waste of time that gets *nothing* of value if WPA is enabled.

Reply to
Floyd L. Davidson

Taking a moment's reflection, Lobster mused:
| 3. Disabled SSID broadcast

Unnecessary due to #5 below, SSID is still attached, unencrypted, to every packet. So, those who could attempt to crack your encryption already have your SSID. Might as well broadcast it to stay within spec (fewer connectivity issues), and keep neighbours from setting their wireless up on the same channel you are using ... thus causing interference.

| 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to connect wirelessly)

Unnecessary due to #5 as well. MAC address is attached to every frame, unencrypted. So, anyone who can capture your packets can easily determine what MACs are allowed.

| 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds, whatever that means!)

Use AES if your client software allows it. If you are using the XP zero config connector, AES does not work with it. But, in that case, TKIP is fine. Group renewal is the interval that the WPA keys are regenerated automatically between server and client. This is how they patched the vulnerability of WEP.

| Does this sound reasonable? Should I really worry about accessing online banking wirelessly for example, any more than when accessing it from a wired PC?

Other than my comments above, yes. It's reasonable. I wouldn't worry about accessing online banking. With WPA enabled, you are encrypted. Also, the banking website should have SSL encryption. So, you are doubly encrypted.

Reply to
mhicaoidh

Taking a moment's reflection, J.H. Holliday mused:
| What Al told the O.P. isn't really true. Disabling SSID and enabling MAC filtering will thwart all but the most devious and dedicated hackers who are out cruising the neighborhood packet sniffing and looking to break in-- a very small number of people indeed. The average Joe won't even see his network-- much less get in.

I'm afraid it is true. Because WPA enabled will thwart *everyone*. So, SSID hiding and MAC filtering become useless and redundant ... and can cause issues.

Reply to
mhicaoidh

The program linked above is a free program that generates a maximum length random key for WPA. I wrote this a few weeks ago to give maximum feasible security. Over 1000 downloads now.

John Steele

Reply to
John Steele
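Several posts above (Doug Jamal's 63-character example key, Jeff Liebermann's remark that WPA-PSK holds up only with a non-trivial pass phrase, and John Steele's key generator) turn on the same point: WPA-PSK maps the pass phrase plus the SSID to the actual 256-bit key with PBKDF2-HMAC-SHA1 (4096 iterations, per IEEE 802.11i), so a short or dictionary pass phrase is the weak link. The added example below is not code from any poster or from the linked generator; it builds a maximum-length random pass phrase the way John's tool would, checks the 802.11i length and character rules, estimates its entropy, and derives the PSK exactly as a client does. The SSID `example-home-ssid` is a constructed placeholder.

```python
import hashlib
import math
import secrets
import string

# WPA-PSK rules from IEEE 802.11i: pass phrase of 8..63 printable ASCII characters,
# mapped to a 256-bit PSK with PBKDF2-HMAC-SHA1, the SSID as salt, 4096 iterations.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols, no space
MIN_LEN, MAX_LEN = 8, 63
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32


def valid_wpa_passphrase(passphrase: str) -> bool:
    """True if the pass phrase satisfies the 802.11i length and character rules."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)


def generate_passphrase(length: int = MAX_LEN) -> str:
    """Build a pass phrase from a CSPRNG (the kind of key Doug and John recommend)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("WPA pass phrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random pass phrase of this length."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map (pass phrase, SSID) to the 256-bit PSK exactly as a WPA-PSK client does."""
    if not valid_wpa_passphrase(passphrase):
        raise ValueError("pass phrase violates WPA rules")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_BYTES)


if __name__ == "__main__":
    # Constructed example: a fresh max-length key for a placeholder SSID, and the PSK it yields.
    key = generate_passphrase()
    print(f"pass phrase: {key}")
    print(f"entropy:     {entropy_bits(len(key)):.0f} bits")
    print(f"PSK:         {derive_psk(key, 'example-home-ssid').hex()}")
```

Because the SSID is the PBKDF2 salt, the same pass phrase yields a different PSK on every network, and 4096 iterations of SHA-1 are cheap enough that only the pass phrase's own entropy protects the key.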

(of basic security measures)

Actually, I think what he was saying was that it will keep casual hackers out. That's necessary though not sufficient.

Actually it may be sufficient too - depends on who you are, where you are and what you do with your network. If you're the NCSA I'd suggest stronger security. If you're a log cabin in deepest Saskatchewan, I'd suggest you are getting paranoid.

What inconvenience?

Reply to
Mark McIntyre

That is not necessarily true. I am currently using WPA-PSK (AES cipher). The equipment I am utilizing is the Netgear WG511T card in conjunction with the D-Link DWL2100AP (rev C) using the latest firmware release for both devices.

Reply to
Doug Jamal

Mark it is dishonest to edit someone's statement to make it say something different than it actually said in context.

"What difference does it make *where* you are, if you have WPA enabled what value is there to causing yourself problems with SSID and MAC addressing?"

That *if* is not insignificant, and obviously is the point of my comment. With WPA enabled, it makes *no* difference where you are as far as SSID or MAC filtering as far as security goes.

You didn't address my statement with your comments.

However, I would suggest that if you have a base and three astronauts on the moon, security is *far* more important than you seem to think. Wifi security for me is not life and death, but for a walk on the moon, it could be.

I don't agree that having wireless at the FBI building in DC is insane either. My bet is they do. And they probably have intentionally put in a non-trivial security flaw too! And then bait it with something juicy... :-)

Nah. Regardless, would just make it more of a PITA, having to add it here *and* there.

So use WPA, as suggested, and stop spinning wheels with silliness about hiding the SSID and editing MAC tables in multiple places.

Reply to
Floyd L. Davidson

If you're a wireless base station on the Moon, servicing three astronauts in RVs, I submit that any security is overkill.

If you're the FBI building in DC, I submit that even *having* wireless is insanely insecure.

FWIW anyone running a reasonably set up network of any size where it would actually *be* a pain, already has to do this in their DHCP server in order to control leases.

Personally I consider this a good security measure. Before J Random Newguy can attach his PDA or whatever to your network, he needs to apply for you to enable his MAC.

Security is not only technology, it's procedures and processes too.

Reply to
Mark McIntyre
