Wi-Fi: Essential Checklist

  • Use WPA security. If you don't do this, assume you will get hacked. WEP is essentially worthless. Replace wireless equipment that doesn't support WPA. Seriously. (See Wi-Fi Security)

  • Use a strong WPA passphrase. A good way to do that is with diceware words. (See What Makes for a Strong Password or Passphrase?) Write your passphrase on a label and stick it on the bottom of your wireless router so you won't forget it. (If someone gets to your wireless router, you are compromised regardless.)

  • Make your wireless SSID unique. This helps avoid network collisions. A good way to do this is to use your address, phone number, and/or name for your SSID (making it easy for you to be contacted if something is wrong with your wireless network).

  • Don't bother with SSID hiding or MAC address filtering. They don't do any real good (improve security) but they can cause you grief. (See Wi-Fi Security Myths)

  • Turn off Universal Plug and Play (UPnP) in your wireless router. Because most consumer-grade wireless routers lack UPnP authentication, they are vulnerable to attack. (See Problems with UPnP, Lack of Authentication)

  • Set a strong password on the administration interface of your wireless router. Again, diceware is a good way to do that.

  • Turn off remote administration. If your wireless router supports remote administration, turn it off (unless you really know what you're doing).

  • On unsecured Wi-Fi use VPN (Virtual Private Networking). Otherwise your wireless traffic can be snooped and compromised. (See Secure Internet access in a public hotspot)

Reply to
John Navas
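As an added illustration of the first two checklist items (this is example code written for this page, not code from the thread or from any poster): it sizes a diceware passphrase in bits of entropy, checks the 8-63 printable-ASCII limits that WPA-Personal imposes on a passphrase, and derives the 256-bit PSK exactly as WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations). The short word list is a constructed stand-in for the real 7776-word diceware list so that the script runs offline.

```python
import hashlib
import math
import secrets

# The real diceware list has 6^5 = 7776 entries, one per five-dice roll.
DICEWARE_LIST_SIZE = 7776

# Constructed stand-in so the example runs offline; use the real list in practice.
SAMPLE_WORDS = ["acorn", "bramble", "copper", "dune", "ember", "fjord",
                "gravel", "hollow", "ivory", "juniper", "kettle", "lumen"]


def diceware_entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy (in bits) of n_words chosen uniformly at random from list_size.
    Six words from the 7776-word list give about 77.5 bits."""
    return n_words * math.log2(list_size)


def generate_passphrase(n_words=6, words=SAMPLE_WORDS):
    """Build a space-separated passphrase using a CSPRNG, the way diceware
    uses physical dice: each word is an independent uniform choice."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_problems(passphrase):
    """Return the reasons a string is not an acceptable WPA-Personal passphrase.
    802.11 requires 8..63 characters, each printable ASCII (0x20..0x7E)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII characters allowed")
    return problems


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit pairwise master key used by WPA/WPA2-Personal:
    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    Because the SSID is the salt, the same passphrase yields a different PSK
    on every network name, so a unique SSID also defeats precomputed PSK tables."""
    if len(ssid.encode()) > 32:
        raise ValueError("SSID is at most 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               4096, 32).hex()


def assess(passphrase, ssid, n_words=None):
    """Summarise a passphrase/SSID pair: format problems, entropy estimate
    (if the diceware word count is known) and the derived PSK."""
    report = {"problems": passphrase_problems(passphrase)}
    if n_words is not None:
        report["entropy_bits"] = round(diceware_entropy_bits(n_words), 1)
    if not report["problems"]:
        report["psk"] = wpa_psk(passphrase, ssid)
    return report


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase)
    print(assess(phrase, "MyUniqueSSID-constructed", n_words=6))
```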

Interesting counter point to securing your wireless

John

John Navas wrote:

Reply to
John Mason Jr

Bruce Schneier is a well regarded author of criticism on security issues. He's made a career of writing articles, columns, and two books on the topic. Scan the list of titles and tell me if you see a pattern:

I'll be blunt (because I'm in a hurry to leave for a free lunch). Whom would you prefer to believe? The person that has to make the stuff work and keep the paying customers safe and happy? Or the professional author and critic that takes pot shots at the industry's attempts to get it right? Pick one.

Do you subscribe to this manner of FUD (fear, uncertainty, doubt): "This is not to say that the new wireless security protocol, WPA, isn't very good. It is. But there are going to be security flaws in it; there always are." Swell. Leave your access point wide open because your neighbors might need it and because your chances of experiencing a problem are minimal. Never mind with encryption because it *MIGHT* be cracked in the future. While you're at it, leave your car doors unlocked for the same reasons. Door locks are easily picked, so why bother to use them.

Incidentally, the real danger is not DMCA or spammers. It's someone giving themselves a tour of your computer, grabbing whatever seems interesting, because an overwhelming number of machines are running open shares and zero local security (i.e. passwords). Since the wireless LAN is behind the router, the firewall offers zero protection.

More later....

Reply to
Jeff Liebermann

Well since he is CTO of BT Counterpane I would say he and his company are in the business of making security work.

I thought the most important part of the article was

"If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much.

Yes, computer security is hard. But if your computers leave your house, you have to solve it anyway. And any solution will apply to your desktop machines as well. "

John

Reply to
John Mason Jr

I recently acquired a 2wire 2701HG-B to get around issues with my crappy (free) Creative Briteport DSL modem. I still use my linksys WRT330N for wifi and my lan, but technically I could turn on the wifi on the 2701HG-B. I make the linksys be the DMZ of the 2wire box. But I believe that means my LAN and wifi on the linksys is behind its own firewall, so enabling open wifi on the 2wire would be safe.

I have some Gemtek P-560s I considered installing on the router ports of the 2wire to give me another level of protection.

Is there some website that hosts manuals on discontinued wifi gear, much like the boat anchor website does for test gear? I have the CD rom that comes with the P-560. It seems Gemtek doesn't maintain documentation on discontinued products.

Reply to
miso

I might add that my local "shares" are nicely and tightly protected too (it's a Mac, we don't really talk that way). My next step is to separate the wireless (guests and the neighbour), put it on a separate route (if that's how you say it) from the wire (me and the oul' Woman and the tv).

Reply to
Warren Oates

In a vacuum, I would tend to pick the professional over the repairman, but I hope one wouldn't have to pick in a vacuum.

I don't think that qualifies as FUD. Not even close.

I'm not sure how you arrived at your conclusion, but I suspect it had a lot to do with your mind being on the free lunch. :)

Pointing out that something isn't perfect is a far cry from advising people not to use it.

Reply to
Char Jackson

Well, I screwed up several times here.

I try to never judge the source, only the content. However, I shoved my foot in my mouth and managed to criticize the source instead of the content. I'll try not to repeat my mistake.

About 2 years ago, I declared (in this newsgroup) that I would never get involved in another security discussion. Well, I blew it and did. Too late. The problem is that in such discussions, there is no right answer. There's no "do this and you'll be secure". There's only best effort, due diligence, perpetual vigilance, and reading endless pages of boring log files. What works well today is tomorrow's security hole.

John Navas posted what I consider to be a good minimal list of security measures. None of the items listed are perfect, none will be eternally secure, and none offer a guarantee. When someone offers a better list of basic security measures, I might consider recommending an update to the security essentials. Note that John's Wiki is open to public comments and additions. If you don't like it, change it, or preferably add to it.

Instead of pounding on the solution, perhaps it would be helpful to explain the problem. (Incidentally, this is my pet peeve). Wireless routers are shipped insecure by default. Take any router out of the box, plug it in, do NOTHING, and unless you have AT&T DSL which requires a PPPoE login and password, you're online and on the air. This is great for the customer "out of the box experience" and a total disaster for security. Despite the deluge of articles on wireless security, most customers still don't have a clue. Obviously, something is not working. I have often suggested that manufacturers adopt the method used by 2wire, which requires setting up a login password and creates a unique SSID and WEP/WPA password, or you don't get to use the router.

If the customer absolutely has to run a wide open system, as in a coffee shop, then by all means, let them. However, the default setup should be locked up tight, with passwords and encryption at every turn.

So, rather than solve the problem, we have this brilliant head of a security company, offer that the solution is to ignore the problem completely, and just run a wide open system on the basis of the odds being in favor of nothing bad happening. He's right, in that one can get away with doing almost anything, but only for a short while. Eventually bad karma and stupidity catch up.

(Incidentally: In college, I had a class in traffic engineering. One of the fun exercises was to calculate and later model the probability of a head-on collision by driving the wrong way up various road types and traffic densities. Under certain conditions, one can go for a surprisingly long time before meeting the inevitable).

As for the repairman versus the professional (insert title), my preferences tend to vary. Next time you have a problem with your automobile, try asking an automotive engineer for a usable solution. I've actually done this. I think you'll find that the repairman knows more about how to fix the car than the designer. If you're concerned about my status as a repairman, be advised that I have 3 small medical offices as customers that require HIPAA security compliance. In my admittedly limited experience, there's nothing wrong with the technology. It's how it's used that tends to cause problems. Fixing that is where the repairman is required.

I usually ignore one line pontification and judgments, but since I asked for an opinion, I won't complain. However, you're wrong. What Bruce Schneier has done here is classical FUD. In his first sentence, he compliments WPA and re-affirms that it is good. As a side point, note that he uses two negatives in that statement. The statement is positive, but the sentence construction makes it not so definite. He then goes on to announce that there are going to be problems (without stating what problems) with WPA, for no better reason than there are always problems. Well, if it's not FUD, it's certainly defeatist.

Now, permit me to explain WHY he's doing that. I do the same thing when I have a difficult customer. Instead of promoting my points and recommendations, I proceed to tear down literally everything available. It doesn't matter what hardware or software is on the table, I can find something that *MIGHT* be wrong with it. Note that I don't need to actually find something wrong, just potentially wrong. When I'm done, there's nothing left to choose from. By default, I get to do what I proposed in the first place. Bruce Schneier couldn't find anything specifically wrong with WPA, so the best he could do was imply that there *MIGHT* be something wrong. That's FUD methinks.

Ummm... I didn't write a conclusion. The quoted paragraph is a cynical and sarcastic recommendation. That's my normal mode of operation and does not require the diversion of a free lunch, which incidentally was marginal at best. I did get to play with several Asus eee PC 700 and 900 notebooks. I want one (even if I couldn't type on the keyboard).

The part about leaving the car door open is called an analogy. Leave the WPA security disabled because it might be cracked. Leave the car unlocked because the door locks might be picked. All analogies break down under sufficient scrutiny, but methinks these are sufficiently close to survive.

Did you read the article? Bruce Schneier never actually came out and recommended that one should not use wireless security. Yet the entire article is all about how wonderful and easy things are without that horribly difficult wireless security, and how successful he and others have been running a wide open system. There are even recommendations of replacement firmware to make it easier. It's kinda like that with many forms of display advertising. One never ever suggests that the listener or viewer should actually buy something. One just shows a wonderful picture of how happy they will be if they happen to have the product. (Full Disclosure: I have an ancient advertising and marketing background).

Reply to
Jeff Liebermann

Have you ever worked with a security company? I have. There are an amazingly wide range of business functions that can be performed by a security company. It can be code audits, access control, permissions, authorization, authentication, identity management, external security, physical security, patch management, site monitoring, access devices, HIPAA, FASP, log rolling, etc. I probably forgot a few items.

Looks like they do all those and then some. Yep, they're definitely qualified.

Impressive list of principals, but missing Bruce Schneier:

So, why does he recommend *LESS* wireless security? Did I miss something here?

Baloney. I could have an adequately secured computah (personal firewall) and still have problems. For example, sending un-encrypted email and passwords (POP3, SMTP, FTP) that are sniffable via wireless or an ethernet tap. The computer is secure, but the transport mechanism is not.

Well, yeah. A laptop is nothing more than a small desktop with a built in UPS (battery). Desktops, laptops, and PDA's should be treated in the same way when dealing with security. Few are.

Reply to
Jeff Liebermann

In part of the article he states he doesn't believe that it is much of a risk that his wireless will be abused

I would consider fixing those type of problems part of making sure that your computer is safe on a public network.

I agree

Reply to
John Mason Jr

Based on the above, I think that you have misunderstood the article in question. Schneier makes the point that what he's trying to protect (as are most people) is his computer(s), and the data on it(them). His effort, therefore, is better spent applying security mechanisms on the computer itself, rather than trying to "protect" access to his network (which, incidentally, he seems perfectly willing to just share).

As an analogy, consider the locks on the doors and windows of a house: if you move into a gated-community, you're likely going to still want locks on your doors and windows. Schneier's point (applied to this analogy), isn't that you shouldn't move into a gated community, but rather that you should protect your house and its contents by applying security measures (locks on doors and windows) directly to the house. You can take it as a given that at some time, someone who doesn't belong in the gated community will find a way in.

Especially with a mobile computer, given that you are more likely to use such a computer on a network that is outside of your control (and that has other users you likely don't know and shouldn't trust), there needs to be strong effort placed on protecting the computer itself, and its data. That protection comes from end-to-end encryption (https, imaps, ssh, TLS/SSL, etc.), not from WEP/WPA/WPA2/802.11i, etc.

Again, I think you've misunderstood his point: When WEP was introduced, it was touted as providing security that was equivalent to wired networking. That turned out (after some time) not to be true. Schneier's point isn't that there "might" be something wrong with WPA (or WPA2), it's that regardless of whether there is a known weakness with it now, as technology improves, the computing power that can be put towards brute-force attacks (and ultimately more calculated attacks) increases, and therefore the degree of security offered by technology that's "good enough" today decreases.

If you think it's all FUD, consider the following (as one example):

formatting link
Schneier's preference is for "easy" access to the network. He claims to like it that way. However, his point is that trying to protect the data on the computer by attempting to secure access to the network is the wrong way to go about it (and in some cases might be seen as duplicated effort). See Bill Cheswick's paper on the design of Internet gateways (which a wireless access point can ultimately be) for another (compatible) explanation (that predates wireless networking; although the details of the technology have changed, the points are still valid, and on a broad scale we have not yet appeared to have learned them):

formatting link

That isn't at all Schneier's point. Leave WPA disabled, because he prefers to share the network access. And by the way, even if WPA is considered a suitable way to secure access to your network at the moment, don't count on it to secure the data on your computer. Referring back to my earlier analogy, that would be like counting on the locked gate at the end of the street to protect your home from being entered by unwelcome strangers.

He's not worrying about securing his wireless network because he's comfortable with how well the computers he has on that network are secured. The effort he invested in securing his computers is returned to him in his ability to not worry about the odd stranger using his wireless network (as someone might take a walk down the street of a gated community).

Now, having said all of that, I keep my own wireless network secured, but all the computers I have that either use it, or are accessible from it, also are secured as well as they can be. I don't count on the wireless security to protect my computers, but I do expect that it will keep most uninvited strangers from using my network.

Reply to
Sylvain Robitaille

Most (all?) modern laptops also provide a means to set a password to control access to the boot-sequence configuration, or in some cases to boot the computer at all. Your demonstration would fail on my laptop (notwithstanding that it wouldn't even find Windows on it), and if you understood the point of the author's (Schneier's) article, you would understand that you would have the same problem with *his* laptop.

The network access point (wireless or otherwise) provides access to the network, not "security". That's the point I read in the article being discussed.

Reply to
Sylvain Robitaille

Trouble is, leaving your network open is like letting someone else run a FREIGHT TRAIN through your suburban back yard.

All this hand waving about security fails to take bandwidth consumption into account. Beyond securing your own resources (and privacy of your network traffic) is making sure the bandwidth you pay for is the bandwidth you get. Not gobbled up by some nitwit downloading tremendous amounts, or a spam botnet inundating everyone else with junk e-mail.

Reply to
Bill Kearney

On Fri, 28 Nov 2008 16:18:57 -0500, John Mason Jr wrote in :

It's simply not possible to "configure my computer to be secure regardless of the network it's on" -- any computer on a network is insecure, period.

Arguing that it's OK to leave the network open because the computer is secure is a bit like arguing that there's no need to drive safely when wearing a seatbelt.

Reply to
John Navas

As I've mentioned several times, the computer can be almost totally protected, but without encrypting the wireless traffic, a simple sniffer can capture unencrypted traffic, passwords, email, etc.

Fine. I park my truck nearby, and setup my telescope, video camera, long range microphone, electronic sniffer, etc. Maybe electronically reconstruct the image on your CRT. Lots of ways to be intrusive, even in a properly locked and secured house. Ready for TEMPEST grade wallpaper and siding?

We can play this game forever. No amount of security is ever sufficient. Given sufficient time, resources, and technology, any level of security can eventually be compromised. That's why I detest such security discussions. There's no right answers, no correct solutions, and no guaranteed results.

However, that's all playing games with logic. What I find offensive about Schneier's article is that he trashes the most basic and easiest form of security, which in this case is WPA. To get decent security, the one part of the puzzle that must work is WPA. Everything else can be no more than an additional obstacle, usually of minor importance.

I beg to differ. He first announces that WPA is quite good. Then declares that all such good encryption methods are eventually cracked. On that basis, he somehow justifies running an open system.

Incidentally, I find the double negative in his statement rather interesting. In psychology, that's a sure sign that he's uncertain about his logic.

Clever. There's a wide selection of password recovery tools available for assorted applications. There are also brute force WPA crackers that work with fairly short WPA pass phrases.

However, why bother? I can just grab the registry keys and extract a usable WPA hash code (not the actual key) with aircrack-ng, Cain and Able, or others:

Yep. Same with Microsoft. Convenience and ease of use over security and reliability. I'm not sure which is better. It makes no sense to deliver a secure and reliable operating system that nobody can use. Various Linux distributions were like that for a long time until they wised up. I suspect a compromise is best. Wide open security is not my idea of a good compromise between convenience and security.

Sure. *I* also like it that way. Too bad it's not a good way to run a wireless network. I have more problems with my coffee shop open networks, than I ever have with those secured by a proper WPA key. Too many things that can go wrong.

Yep. One of my former (not current) HIPAA customers uses an encrypted database. In theory, one should not be able to view or extract useful data without authorization and authentication. I demonstrated that I could steal the entire drive, transplant it into a different machine, and have access to all the data. They were not thrilled, especially since some of their RAID array was missing. I'll spare you my opinion of their security and software provider. I've had similar fiascos with USB keys, remote access software, and of course, wireless. Also, of the few real data security breaches I've had to deal with in perhaps 25 years of playing repairman, the serious ones were from insider hacking, theft of backup media, and outright theft of the entire system. My current worries are about key loggers, trojans, and defective software upgrades.

I read that 20 years ago. As you note, it's still valid. I'm undecided as to whether it's better to protect the data or control access. Since some of the problems I've had were from inside employee hacking, I'm drifting toward protecting the data, and doing a minimal effort on controlling access, permissions, etc. Dunno. I'm not a security expert, just a repairman.

I again beg to differ. If that was his point, he shouldn't have bothered to mention that WPA and all such security protocols would eventually be cracked. He could have said something like "WPA works and should be used. However, I prefer....etc". Instead, he implies that WPA *MIGHT* be cracked, and uses that as justification for running an open network. I honestly don't care why or how he runs his open network. It's bad advice for the general public, most of whom fail to appreciate the risks and implications.

Ummm... it secures the data transport, not the computer. Now, if you wanted to encrypt the entire drive, that might be useful to discourage those that run open shares (public directories) on their laptops because it's convenient.

I don't see the connection, as WPA only protects the vehicle that gets you in and out of your gated community.

Good. I'm sure he also uses a VPN and SSH to talk to his work computers. Great idea, but somehow missing in his article advocating running an unencrypted network.

I would be worried if he's not worried. Most real security experts that I know are constantly worried about this or that threat. Every time there's a new exploit announced, there's a flurry of nervous activity. I had one such expert bail out in the middle of lunch when someone detailed a new exploit that he hadn't heard about. I pay security experts to be worried.

Again, wireless security (WPA) will not protect your computer. It will protect your network from sniffing.

Incidentally, many of the laptops that people are buying have a built in fingerprint reader. I think I've delivered about 3 of these in the last few months. In all 3 cases, I set it up for using the fingerprint reader, including showing the owner how to use it, and training it for several of their fingers. 2 months later, none of them are using the reader, and are instead using the backdoor password, which in one case, was prominently displayed on a post-it note. So much for improved access security.

Reply to
Jeff Liebermann

On Fri, 28 Nov 2008 19:24:04 -0800, Jeff Liebermann wrote in :

Perhaps he's just being provocative.

Amen. You have to run VPN to secure traffic on an open wireless network, and it's much more cost and hassle to set up VPN than to configure WPA.

Reply to
John Navas

Methinks you might find it useful to read the article before attempting to criticize my interpretation of the article:

Enough ranting about security. I'm out of time.

Reply to
Jeff Liebermann

On Fri, 28 Nov 2008 22:47:45 -0500, John Mason Jr wrote in :

There's ample evidence that open wireless will be abused, with potentially negative consequences. All it takes is for the kid next door to use your wireless to file share illicit materials (imagine that); the RIAA and MPAA trace it back to your account; your computers get seized and you get sued.

It's a whole lot easier to run WPA than VPN.

Reply to
John Navas

On Sat, 29 Nov 2008 07:54:45 +0000 (UTC), Sylvain Robitaille wrote in :

That would not be a valid point -- WPA does provide real and valuable security. It's called Defense in Depth:

If Bruce wasn't being provocative, he should be embarrassed and ashamed.

Reply to
John Navas

On Fri, 28 Nov 2008 18:06:07 -0500, Warren Oates wrote in :

If you want to run open wireless as a public service, then you should ideally use a wireless router that can strictly segregate the open wireless from your private wireless and wired networks (e.g., NETGEAR WG302), but unfortunately that's only available in relatively expensive wireless routers (AFAIK).

An alternative is to run two wireless routers, one for yourself secured with WPA, and one for the public unsecured, each with DHCP handing out different blocks of private addresses, and isolate them from each other with VLANs that allow each of them to connect to the Internet but not to each other; e.g.,

            Internet
                |
        +-------+--------+
        |Private Wireless|
        | Router with    |
        | VLAN isolation |
        | (e.g., DD-WRT) |
        +------------+---+
                     |
                     +-----+
                           |
                      +----+----+
                      |Public   |
                      |Wireless |
                      |Router   |
                      +---------+

Reply to
John Navas
