best practices to secure home's network

My home has a broadband internet connection. 2 computers are connected to a wireless router, and I have multiple laptops using Wi-Fi adapters that talk to the wireless router. I guess it is a typical home networking infrastructure.

I want to know what the best practices are to secure the home's network.

Any good articles for reference?

Please advise. Thanks!!

Reply to
strutsng

Step one: use Linux; not MS.

Reply to
ray

WPA security for your wireless combined with a software firewall for each machine only allowing internal traffic file & printer access. Port forward if you need Remote Desktop enabled. Good antivirus and antispyware software on each PC and keep them well maintained. That's about as good as it gets for a home user.

Microsoft has these suggestions for Protecting your computer from the various things that could happen to you/it:

Protect your PC

Although those tips are fantastic, there are many things you should know above and beyond what is there. Below I have detailed out many steps that can not only help you clean up a problem PC but keep it clean, secure and running at its top performance mark.

I know this text can seem intimidating - it is quite long and a lot to take in for a novice - but I assure you that one trip through this list and you will understand your computer and the options available to you for protecting your data much better - and that the next time you review these steps, the time it takes will be greatly reduced.

Let's take the cleanup of your computer step-by-step. Yes, it will take up some of your time - but consider what you use your computer for and how much you would dislike it if all of your stuff on your computer went away because you did not "feel like" performing some simple maintenance tasks - think of it like taking out your garbage, collecting and sorting your postal mail, paying your bills on time, etc.

I'll mainly work around Windows XP, as that is what the bulk of this document is about; however, here is a place for you poor souls still stuck in Windows 98/ME where you can get information on maintaining your system:

- Windows 98 and 'Maintaining Your Computer'
- Windows ME Computer Health

Pay close attention to the sections (in order):

- Clean up your hard disk
- Check for errors by running ScanDisk
- Defragment your hard disk
- Roll back the clock with System Restore

Also - now is a good time to point you to one of the easiest ways to find information on problems you may be having and solutions others have found:

Search using Google!


Now, let's go through some maintenance first that should only have to be done once (mostly):

Tip (1): Locate all of the software you have installed on your computer. (the installation media - CDs, downloaded files, etc) Collect these CDs and files together in a central and safe place along with their CD keys and such. Make backups of these installation media sets using your favorite copying method (CD/DVD Burner and application, Disk copier, etc.) You'll be glad to know that if you have a CD/DVD burner, you may be able to use a free application to make a duplicate copy of your CDs. One such application is ISORecorder:

ISORecorder page (with general instructions on use)

Yes - it is BETA software - but very useful and well tested.

More full function applications (free) for CD/DVD burning would be:

- DeepBurner Free
- CDBurnerXP Pro

Another option would be to search the web with Pricewatch.com or Dealsites.net and find deals on products like Ahead Nero and/or Roxio.

Tip (2): Empty your Temporary Internet Files and shrink the size it stores to a size between 128MB and 512MB.

- Open ONE copy of Internet Explorer.

- Select TOOLS -> Internet Options.

- Under the General tab in the "Temporary Internet Files" section, do the following:
  - Click on "Delete Cookies" (click OK).
  - Click on "Settings" and change the "Amount of disk space to use:" to something between 128MB and 512MB. (Betting it is MUCH larger right now.)
  - Click OK.
  - Click on "Delete Files" and select to "Delete all offline contents" (the checkbox) and click OK. (If you had a LOT, this could take 2-10 minutes or more.)

- Once it is done, click OK, close Internet Explorer, re-open Internet Explorer.

Tip (3): If things are running a bit sluggish and/or you have an older system (1.5GHz or less and 256MB RAM or less) then you may want to look into tweaking the performance by turning off some of the 'resource hogging' Windows XP "prettifications". The fastest method is:

Control Panel --> System --> Advanced tab --> Performance section, Settings button. Then choose "adjust for best performance" and you now have a Windows 2000/98 look which turned off most of the annoying "prettifications" in one swift action. You can play with the last three checkboxes to get more of an XP look without many of the other annoyances. You could also grab and install/use one (or more) of the Microsoft Powertoys - TweakUI in particular.

Tip (4): Understanding what a good password might be is vital to your personal and system security. You may think you do not need to password your home computer, as you may have it in a locked area (your home) where no one else has access to it. Remember, however, you aren't always "in that locked area" when using your computer online - meaning you likely have usernames and passwords associated with web sites and the likes that you would prefer other people do not discover/use. This is why you should understand and utilize good passwords.

Good passwords are those that meet these general rules (mileage may vary):

Passwords should contain at least six characters, and the character string should contain at least three of these four character types:

- uppercase letters
- lowercase letters
- numerals
- nonalphanumeric characters (e.g., *, %, &, !, :)

Passwords should not contain your name/username. Passwords should be unique to you and easy to remember.

One method many people are using today is to make up a phrase that describes a point in their life and then turning that phrase into their password by using only certain letters out of each word in that phrase. It's much better than using your birthday month/year or your anniversary in a pure sense. For example, let's say my phrase is: 'Moved to new home in 2004' I could come up with this password from that: 'Mv2n3whmN04'

The password tip is in the one time section, but I highly recommend you periodically change your passwords. The suggested time varies, but I will throw out a 'once in every 3 to 6 months for every account you have.'

Tip (5): This tip is also 'questionable' in the one time section; however - if properly setup - this one can be pretty well ignored for most people after the initial 'fiddle-with' time.

Why you should use a computer firewall

You should, in some way, use a firewall. Hardware (like a nice Cable Modem/DSL router) or software is up to you. Many use both of these. The simplest one to use is the hardware one, as most people don't do anything that they will need to configure their NAT device for and those who do certainly will not mind fiddling with the equipment to make things work for them. Next in the line of simplicity would have to be the built-in Windows Firewall of Windows XP. In SP2 it is turned on by default. It is not difficult to turn on in any case, however:

- Enable/Disable the Internet Connection Firewall (Pre-SP2)
- More information on the Internet Connection Firewall (Pre-SP2)
- Post-SP2 Windows Firewall Information/guidance

The trouble with the Windows Firewall is that it only keeps things out. For most people who maintain their system in other ways, this is MORE than sufficient. However, you may feel otherwise. If you want to know when one of your applications is trying to obtain access to the outside world so you can stop it, then you will have to install a third-party application and configure/maintain it. I have compiled a list with links of some of the better known/free firewalls you can choose from:

- BlackICE PC Protection (~$39.95 and up)
- Jetico Personal Firewall (Free)
- Kerio Personal Firewall (KPF) (Free and up)
- Outpost Firewall from Agnitum (Free and up)
- Sygate Personal Firewall (Free and up)
- Symantec's Norton Personal Firewall (~$25 and up)
- ZoneAlarm (Free and up)

You should find the right firewall for your situation in that list and set it up.

Every firewall WILL require some maintenance. Essentially checking for patches or upgrades (this goes for hardware and software solutions) is the extent of this maintenance - you may also have to configure your firewall to allow some traffic depending on your needs.

** Don't stack the software firewalls! Running more than one software firewall will not make you safer - it would possibly negate some protection you gleaned from one or the other firewall you run.

Now that you have some of the more basic things down.. Let's go through some of the steps you should take periodically to maintain a healthy and stable Windows computer. If you have not done some of these things in the past, they may seem tedious - however, they will become routine and some can even be automatically scheduled.

Tip (6): The system restore feature is a new one - first appearing in Windows ME and then sticking around for Windows XP. It is a useful feature if you keep it maintained and use it to your advantage. Remember that the system restore pretty much tells you in the name what it protects which is 'system' files. Your documents, your pictures, your stuff is NOT system files - so you should also look into some backup solution.

Whenever you think about it (after doing a once-over on your machine once a month or so would be optimal) - clear out your System Restore and create a manual restoration point.

'Why?'

Too many times have I seen the system restore files go corrupt or get a virus in them, meaning you could not or did not want to restore from them. By clearing it out periodically you help prevent any corruption from happening and you make sure you have at least one good "snapshot". (*This, of course, will erase any previous restore point you have.*)

- Turn off System Restore.
- Reboot the Computer.
- Review the first bullet to turn on System Restore.
- Make a Manual Restoration Point.

That covers your system files, but doesn't do anything for the files that you are REALLY worried about - yours! For that you need to look into backups. You can either manually copy your important files, folders, documents, spreadsheets, emails, contacts, pictures, drawings and so on to an external location (CD/DVD - any disk of some sort, etc) or you can use the backup tool that comes with Windows XP:

How To Use Backup to Back Up Files and Folders on Your Computer

Yes - you still need some sort of external media to store the results on, but you could schedule the backup to occur when you are not around, then burn the resultant data onto CD or DVD or something when you are (while you do other things!)

A lot of people have wondered about how to completely backup their system so that they would not have to go through the trouble of a reinstall.. I'm going to voice my opinion here and say that it would be worthless to do for MOST people. Unless you plan on periodically updating the image backup of your system (remaking it) - then by the time you use it (something goes wrong) - it will be so outdated as to be more trouble than performing a full install of the operating system and all applications.

Having said my part against it, you can clone/backup your hard drive completely using many methods - by far the simplest are using disk cloning applications:

- Symantec/Norton Ghost
- Acronis True Image

Tip (7): You should sometimes look through the list of applications that are installed on your computer. The list may surprise you. There are more than likely things in there you know you never use - so why have them there? There may even be things you know you did *not* install and certainly do not use (maybe don't WANT to use.)

This web site should help you get started at looking through this list:

How to Uninstall Programs

A word of warning - Do NOT uninstall anything you think you MIGHT need in the future unless you have completed Tip (1) and have the installation media and proper keys for use backed up somewhere safe!

Tip (8): Patches and Updates!

This one cannot be stressed enough. It is SO simple, yet so neglected by many people. It is especially simple for the critical Windows patches! Microsoft put in an AUTOMATED feature for you to utilize so that you do NOT have to worry yourself about the patching of the Operating System:

How to configure and use Automatic Updates in Windows XP

However, not everyone wants to be a slave to automation, and that is fine. Admittedly, I prefer this method on some of my more critical systems.

Windows Update

Go there and scan your machine for updates. Always get the critical ones as you see them. Write down the KB###### or Q###### you see when selecting the updates and if you have trouble over the next few days, go into your control panel (Add/Remove Programs), ensure that the 'Show Updates' checkbox is checked and match up the latest numbers you downloaded recently (since you started noticing an issue) and uninstall them. If there was more than one (usually is), uninstall them one by one with a few hours of use in between, to see if the problem returns. Yes - the process is not perfect (updating) and can cause trouble like I mentioned - but as you can see, the solution isn't that bad - and is MUCH better than the alternatives.

Windows is not the only product you likely have on your PC. The manufacturers of the other products usually have updates. New versions of almost everything come out all the time - some are free, some are pay and some you can only download if you are registered - but it is best to check. Just go to their web pages and look under their support and download sections. For example, for Microsoft Office you should visit:

Microsoft Office Updates

(and select 'Check for Updates' and/or 'Downloads' for more)

You also have hardware on your machine that requires drivers to interface with the operating system. You have a video card that allows you to see on your screen, a sound card that allows you to hear your PC's sound output and so on. Visit those manufacturer web sites for the latest downloadable drivers for your hardware/operating system. Always get the manufacturers' hardware driver over any Microsoft offers. On the Windows Update site I mentioned earlier, I suggest NOT getting their hardware drivers - no matter how tempting.

How do you know what hardware you have in your computer? Break out the invoice or if it is up and working now - take inventory:

- Belarc Advisor
- EVEREST Home Edition

Once you know what you have, what next? Go get the latest driver for your hardware/OS from the manufacturer's web page. For example, let's say you have an NVidia chipset video card or ATI video card, perhaps a Creative Labs sound card or C-Media chipset sound card...

- NVidia Video Card Drivers
- ATI Video Card Drivers
- Creative Labs Sound Device
- C-Media Sound Device

Then install these drivers. Updated drivers are usually more stable and may provide extra benefits/features that you really wished you had before.

As for Service Pack 2 (SP2) for Windows XP, Microsoft has made this particular patch available in a number of ways. First, there is the Windows Update web page above. Then there is a direct download site.

Direct Download of Service Pack 2 (SP2) for Windows XP

If all else fails - grab the full download above and try to use that. In this case - consider yourself an 'IT professional or developer'.

Tip (9): What about the dreaded word in the computer world, VIRUS?

Well, there are many products to choose from that will help you prevent infections from these horrid little applications. Many are FREE to the home user and which you choose is a matter of taste, really. Many people have emotional attachments or performance issues with one or another AntiVirus software. Try some out, read reviews and decide for yourself which you like more:

(Good Comparison Page for AV software)

- AntiVir (Free and up)
- avast! (Free and up)
- AVG Anti-Virus System (Free and up)
- eset NOD32 (~$39.00 and up)
- eTrust EZ Antivirus (~$29.95 and up)
- Kaspersky Anti-Virus (~$49.95 and up)
- McAfee VirusScan (~$11 and up)
- Panda Antivirus Titanium (~$39.95 and up) (Free Online Scanner)
- RAV AntiVirus Online Virus Scan (Free!)
- Symantec (Norton) AntiVirus (~$11 and up)
- Trend Micro (~$49.95 and up) (Free Online Scanner)

Most of them have automatic update capabilities. You will have to look into the features of the one you choose. Whatever one you finally settle with - be SURE to keep it updated (I recommend at least daily) and perform a full scan periodically (yes, most protect you actively, but a full scan once a month at 4AM probably won't bother you.)

Tip (10): The most rampant infestation at the current time concerns SPYWARE/ADWARE. You need to eliminate it from your machine.

There is no one software that cleans and immunizes you against everything. Antivirus software - you only needed one. Firewall, you only needed one. AntiSpyware - you will need several. I have a list and I recommend you use at least the first five.

First - make sure you have NOT installed "Rogue AntiSpyware". There are people out there who created AntiSpyware products that actually install spyware of their own! You need to avoid these:

Rogue/Suspect Anti-Spyware Products & Web Sites

Also, you can always visit this site..
formatting link
more updated information.

Install the first five of these: (Install, Run, Update, Scan with..) (If you already have one or more - uninstall them and download the LATEST version from the page given!)

- Lavasoft AdAware (Free and up)
- Spybot Search and Destroy (Free!)
- Bazooka Adware and Spyware Scanner (Free!)
- SpywareBlaster (Free!)
- IE-SPYAD2 (Free!)
- CWShredder Stand-Alone (Free!)
- Hijack This! (Free!) (Log Analyzer)
- ToolbarCop (Free!)
- Microsoft AntiSpyware BETA (in testing stages - Free!)
- Browser Security Tests (Free Tester)
- Popup Tester (Free Tester)
- The Cleaner (~$49.95 and up)

Sometimes you need to install the application and reboot into SAFE MODE in order to thoroughly clean your computer. Many applications also have (or are) immunization applications. Spybot Search and Destroy and SpywareBlaster are two that currently do the best job at passively protecting your system from malware. None of these programs (in these editions) run in the background unless you TELL them to. The space they take up and how easy they are to use greatly makes up for any inconvenience you may be feeling.

Please notice that Windows XP SP2 does help stop popups as well.

Another option is to use an alternative Web browser. I suggest 'Mozilla Firefox', as it has some great features and is very easy to use:

Mozilla Firefox


So your machine is pretty clean and up to date now. If you use the sections above as a guide, it should stay that way as well! There are still a few more things you can do to keep your machine running in top shape.

Tip (11): You should periodically check your hard drive(s) for errors and defragment them. Only defragment after you have cleaned up your machine of outside parasites and never defragment as a solution to a quirkiness in your system. It may help speed up your system, but it should be clean before you do this. Do these things IN ORDER...

- How to use Disk Cleanup
- How to scan your disks for errors
- How to Defragment your hard drives

I would personally perform the above steps at least once every three months. For most people this should be sufficient, but if the difference you notice afterwards is greater than you think it should be, lessen the time in between its schedule. If the difference you notice is negligible, you can increase the time.

Tip (12): SPAM! JUNK MAIL! This one can get annoying, just like the rest. You get 50 emails in one sitting and 2 of them you wanted. NICE! (Not.) What can you do? Well, although there are services out there to help you, some email servers/services that actually do lower your spam with features built into their servers - I still like the methods that let you be the end-decision maker on what is spam and what is not. I have two products to suggest to you, look at them and see if either of them suit your needs. Again, if they don't, Google is free and available for your perusal.

- SpamBayes (Free!)
- Spamihilator (Free!)

As I said, those are not your only options, but are reliable ones I have seen function for hundreds+ people.

Tip (13): ADVANCED TIP! Only do this once you are comfortable under the hood of your computer!

There are lots of services on your PC that are probably turned on by default you don't use. Why have them on? Check out these web pages to see what all of the services you might find on your computer are and set them according to your personal needs. Be CAREFUL what you set to manual, and take heed and write down as you change things! Also, don't expect a large performance increase or anything - especially on today's 2+ GHz machines, however - I look at each service you set to manual as one less service you have to worry about someone exploiting.

- Black Viper Service Configuration Tips
- Configuring Services
- Task List Programs
- Processes in Windows NT/2000/XP

There are also applications that AREN'T services that start up when you start up the computer/logon. One of the better descriptions on how to handle these I have found here:

Startups

If you follow the advice laid out above (and do some of your own research as well, so you understand what you are doing) - your computer will stay fairly stable and secure and you will have a more trouble-free system.

Reply to
Shenan Stanley

The main thing you can do about the wireless connection is to make sure you are using WPA and NOT WEP for encryption. Then use a strong preshared key for WAP and wireless network cards of at least ten random characters including uppercase, lowercase, numeric, and punctuation. Though WPA is considered fairly secure I would still periodically change the PSK such as maybe every 90 days or so. Make sure that you change the default password for your WAP and I would make sure that remote management of it is disabled. Other stuff like changing your SSID, stopping it from being broadcast, and MAC filtering can also be done but are of little value security-wise. For Windows XP I would also check the wireless properties and disable ad hoc wireless networking and configure your preferred networks to be your network so that you don't inadvertently connect to another wireless network that could be infected.

Beyond wireless use other best practices such as a firewall though your WAP probably has one, use a quality malware detection and removal program that is kept current with the latest definitions and that scans all emails, and keep current with critical security updates at Windows Updates that can be done automatically. Scan your computers with Microsoft Baseline Security Analyzer to check for missing updates and basic vulnerability check. Do not use your administrator account when you do not need it - particularly for web browsing. Make regular backups of important data to off computer media such as CD-ROM or DVD. Use the principle of least privilege when configuring share and NTFS permissions so that users do not have write or delete permissions to a share or folder if they do not need it. Lastly make sure you use strong passwords [eight characters and complex] as weak or no passwords are the main cause of security problems of all sorts and use your logon password for that only and never anything else. If for instance you use it for your email account or web page access it may be trivial for someone else that has access to your computer to recover it. If you want to secure in more depth read the Threats and Countermeasures Guide from Microsoft if it applies to your operating systems at the second link below.

--- Steve

- MBSA
- Microsoft Small Business Security Guidance. Much of this can help in securing a home network.

Reply to
Steven L Umbach

snipped-for-privacy@gmail.com wrote in news:1128999001.987347.159320 @o13g2000cwo.googlegroups.com:

Here you go and so much for the Linux loud mouth. That crap is full of holes too just like the rest of the crap O/S(s) written by fallible Human Beings.

Duane :)

Reply to
Duane Arnold

a) Make sure that you use encryption. 128 bit WEP if nothing better is available, or WPA if it is.

b) Connect between the machines using ssh, not telnet.

c) Set up a firewall to let in the minimal traffic for what you want to do.

Looks like it might be OK, despite the incomprehensibility of the suggestor.

Reply to
Unruh

But this was posted to alt.os.linux.networking. Not sure what an extensive discussion about Windows is about, except that some of the suggestions are good in general.

Reply to
Unruh

Use a Linux firewall between your ISP and router.

Reply to
Justice

What is the weakness of WEP, and the likelihood that someone will actually crack my 128-bit WEP? I ask because several years ago I went to the trouble of setting up airsnort on Linux and attempting to crack my (at the time) 40- or 64-bit encryption. I wasn't able to crack WEP with my ordinary network traffic; I had to set up four simultaneous ping sessions with very large packets, after which it took about 50 minutes. In actual use I don't think my network sees enough traffic to provide enough interesting packets to Airsnort to crack it. And that is with 40-bit. I have not tried it with 128-bit.

Dave

Reply to
dlwilson

Unfortunately it was cross posted to several groups, mostly Windows, one Linux.

Google seems to be down on the OP's machine.

Reply to
David Taylor

How To Crack WEP

Search using Google!

Reply to
Shenan Stanley

By today's standards it is considered fairly weak and a real risk. I have not tried cracking it myself. However with better technologies such as WPA it makes sense to use them. The probability of any one user having their WEP cracked will depend on multiple factors including the value placed on the target. However if you have someone living next door that does not want to pay for internet access and is patient enough they may take the time to try and crack your WEP keys. Dynamic WEP that is used with 802.1X and a RADIUS/IAS server is still fairly secure if you have the WEP keys changed often which is automated.

--- Steve

Reply to
Steven L Umbach

1 - On wireless router enable WPA shared key. Make the key at least 8 characters of alpha, numeric, and symbols. Change every 1 or 2 months.

2 - Enable MAC filtering in router.

3 - disable SSID broadcast.

4 - On each PC, use up to date anti-virus and desktop firewall.

5 - Test your internal/external boundary at

formatting link

6 - On Windows use Firefox/Thunderbird instead of IE/Outlook.

Dan

Reply to
Nospam

Hardly. "1. Change the System ID" won't have any real effect on security.

Reply to
John Navas

Shenan Stanley wrote: [...]

What a great article. I will have to get another notebook and see if I can break my neighbor's WEP (with his knowledge -- he likes that sort of thing).

The article describes using a deauthorization attack as part of a technique to generate more packets. I have never heard of a deauthorization attack before, but it seems to fall under the category of denial-of-service. Is there any defense against it? Yes, I did a Google search on it, and found this article

formatting link
all it really seems to say is that it is easy to see when you are being deauth'd and it would be easy to modify an 802.11x implementation (not the protocol spec) to avoid the attack. So in practical terms, how do I avoid a deauth attack while using my Netgear wireless router and Orinoco wireless card?

Dave


Reply to
dlwilson

Layered Security is essential. The bad guys are very good at breaking thru any individual precautions that you might take, so use multiple protections.

Take extra precautions with WiFi.

Reply to
Chuck

Step two: do you _really_ need wireless?

Reply to
Charlie Gibbs

WPA-PSK encryption is adequate for home networks. Most 11g devices come with WPA-PSK. If you want to get fancy you can add RADIUS or some other authentication technique.

Reply to
johnny

The end of wireless as we know it is at hand. Repent your evil ways and prepare for the coming of yet another deluge of acronyms. Though thou sacrifice upon the altar of fallen standards, thy petition for data safety is in vain, for the priests only deliver complexity, and little safety. Best to await the coming of the messiah, who shall lead the multitudes to a land of perfect cryptography, infinite bandwidth, readable standards, and omniscient tech support. Meanwhile, learn, read, and suffer your way towards enlightenment.

If you're going to use my favorite method of spreading FUD (fear, uncertainty, and doubt), then at least offer the recommended solution to the WPA security problems. I wouldn't want to see another internet rumor start here.

If the user selects a WPA pre-shared key that's longer than 20 characters (63 chars maximum) and is not found in a typical word list dictionary, then WPA-PSK is fairly safe from dictionary attack.

The WPA security problems also only apply to WPA-PSK and do not apply to WPA-RADIUS, WPA-TKIP, and WPA-2.

Reply to
Jeff Liebermann

Unfortunately, WPA-PSK is vulnerable to attack. See

Weakness in Passphrase Choice in WPA Interface
By Glenn Fleishman
By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp

...
The offline PSK dictionary attack
...
Just about any 8-character string a user may select will be in the dictionary. As the standard states, passphrases longer than 20 characters are needed to start deterring attacks. This is considerably longer than most people will be willing to use.

This offline attack should be easier to execute than the WEP attacks.
...
Using Random values for the PSK

The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large number for human entry; 20 character passphrases are considered too long for entry. Given the nature of the attack against the 4-Way Handshake, a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. This is still larger than a large passphrase ...
...
Summary
...
Pre-Shared Keying is provided in the standard to simplify deployments in small, low risk, networks. The risk of using PSKs against internal attacks is almost as bad as WEP. The risk of using passphrase based PSKs against external attacks is greater than using WEP. Thus the only value PSK has is if only truly random keys are used, or for deploy testing of basic WPA or 802.11i functions. PSK should ONLY be used if this is fully understood by the deployers.

See also: Passphrase Flaw Exposed in WPA Wireless Security

Wi-Fi Protected Access. Security in pre-shared key mode

Cracking Wi-Fi Protected Access (WPA)

WPA Cracker

Reply to
John Navas
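
The passphrase guidance in the two posts above (a WPA pre-shared key longer than 20 characters and absent from word lists, or a truly random 256-bit value) can be generated and checked as follows. This is an added example, not part of any post in the thread; it uses the standard WPA passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1 salted with the SSID), and the function names, the SSID "HomeNet" and the small word list are constructed for illustration.

```python
import hashlib
import math
import secrets
import string

# A WPA passphrase is 8..63 printable ASCII characters; a raw PSK is 64 hex digits.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
PRINTABLE = set(ALPHABET + " ")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Standard passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations, 32-byte output. The passphrase is the only secret
    input, which is why a guessable one can be tested offline."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def chars_needed(bits: int, alphabet_size: int) -> int:
    """Number of uniformly random characters needed for `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def random_passphrase(length: int = 32) -> str:
    """Random printable passphrase drawn with a CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_hex_psk() -> str:
    """256-bit random PSK, entered as 64 hex digits instead of a passphrase."""
    return secrets.token_hex(32)


def audit_passphrase(passphrase: str, wordlist: set) -> list:
    """Return the reasons a passphrase falls short of the thread's guidance."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length outside 8..63")
    if any(ch not in PRINTABLE for ch in passphrase):
        problems.append("contains non-printable or non-ASCII characters")
    if len(passphrase) <= 20:
        problems.append("not longer than 20 characters")
    # Strip leading/trailing digits and symbols: "Password2005" -> "password".
    core = passphrase.lower().strip(string.digits + string.punctuation)
    if core in wordlist:
        problems.append("dictionary word with only digits/symbols around it")
    return problems


if __name__ == "__main__":
    sample_words = {"password", "letmein", "linksys"}  # constructed word list
    for candidate in ("Password2005", "Mv2n3whmN04", random_passphrase()):
        print(repr(candidate), audit_passphrase(candidate, sample_words))

    # Random characters needed for the 96-, 128- and 256-bit levels quoted above.
    for bits in (96, 128, 256):
        print(bits, "bits:", chars_needed(bits, len(ALPHABET)), "printable chars,",
              chars_needed(bits, 16), "hex digits")

    # What the access point and every client compute from passphrase + SSID.
    print(derive_psk("Password2005", "HomeNet").hex())  # constructed SSID
    print(random_hex_psk())
```

The same passphrase yields a different PSK on a different SSID, because the SSID is the PBKDF2 salt.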
