Wireless security

Be aware that you will incur a significant overhead by setting up encryption. IIRC it was about 30% when I last set one up at work.

Personally I don't bother with any security on the wireless component of my network. If anyone is stealing my bandwidth it hasn't been noticeable.

Why do you think you need it?

Reply to

There are many variables which determine whether it's an issue. For most home users, 30% less performance than say a max of 22Mbps leaves me with 15Mbps which is *still* faster than my internet connection.

If you think that stealing bandwidth is the only concern you should have then think again.

Well for starters, I'd like to collect my email from a client. I don't have the desire to use a web based email client doing SSL from home. I quite like being wireless at home and so I think that being able to collect email via say POP3 is ok for me. However, POP3 is clear text authentication as is the resultant traffic. What a great way to begin an identity theft experiment for someone sniffing.

With the wireless portion encrypted, the simple eavesdropping won't succeed and neither will the kiddie p*rn get downloaded over my connection nor will my connection end up being used by a spammer. I don't consider any of these likely knowing where I live but there's no reason why not.

Those are just examples.


Reply to
David Taylor

I've been following this thread with some interest as I took my laptop to work on the train the other day, initially I was looking for an access point in the station but noticed a number of open wireless networks which didn't seem to be commercial setups so I kept on scanning during the journey, I reckon I found 40-50 open & unencrypted networks during the 1 hour journey. I found this quite shocking really particularly as the tools are there to make it fairly easy to enable encryption on wireless kit.

I realise that encryption isn't foolproof but it'll deter the casual hacker.

For the effort involved I would:

  1. enable MAC filtering.
  2. turn off SSID broadcast
  3. choose a different SSID from the default
  4. turn on encryption

It should only take a few minutes to set it all up, & once done you can forget all about it.

Reply to

I'm surprised you found so few. I drove around the city here and in 15 minutes had found 270 of which half were (apparently) unencrypted, some commercial. This was only with netstumbler although I did the same route last week and found 277 with kismet so very little difference.

Yes but again, if it's just the casual hacker that you're looking to deter then:-

Does not deter even a casual hacker who has the intent on spoofing and if it's to avoid people falling onto your network by accident then (4) does this already.

Does not in any way hide the SSID, it's in the frames and kismet, wellenreiter etc. pick it up just fine. Just makes it harder for other people to avoid your channel and you end up with interference. Also breaks some client functionality. The only people you're hiding from here are the XP zero config clients and they're not your worry anyway.

Ok but only so as to not look like a target. Nothing like a ripe company with an SSID which matches the company name.

Which deters the accidental person connecting, provides some security and hopefully deters the lazy hacker who may seek other low hanging fruit. This is the only one of the above that is really in the realms of any security despite what you might read on the web, much of which is several years old in principle and has never been updated.


Reply to
David Taylor
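
An illustration of the point in the post above that a non-broadcast SSID is still carried in other management frames, and that MAC addresses sit in the unencrypted frame header; this is an added example, not part of any poster's message. The frames, MAC addresses and the SSID "homenet" are constructed sample data, and the parser handles only the four management subtypes listed.

```python
# Added illustration; all frames below are constructed, not captured.
FIXED = {0: 4, 4: 0, 5: 12, 8: 12}  # fixed-field bytes before tagged elements
NAMES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}


def ssid_from_frame(frame: bytes):
    """Return (subtype, transmitter MAC, SSID or None if empty/blanked)."""
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED:
        return None  # not a management frame this sketch understands
    src = frame[10:16].hex(":")  # address 2 = transmitter, never encrypted
    pos = 24 + FIXED[subtype]    # 24-byte MAC header, then fixed fields
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2 : pos + 2 + length]
        if eid == 0:  # element ID 0 is the SSID
            blank = length == 0 or not any(data)
            return NAMES[subtype], src, None if blank else data.decode("utf-8", "replace")
        pos += 2 + length
    return NAMES[subtype], src, None


def mgmt(subtype, dst, src, bssid, body):
    """Build a constructed management frame: FC, duration, 3 addresses, seq."""
    return bytes([subtype << 4, 0]) + bytes(2) + dst + src + bssid + bytes(2) + body


def ie(eid, data):
    """Encode one tagged element: ID, length, payload."""
    return bytes([eid, len(data)]) + data


AP = bytes.fromhex("020000000001")      # constructed, locally administered
CLIENT = bytes.fromhex("020000000002")  # constructed
SAMPLE = [
    mgmt(8, b"\xff" * 6, AP, AP, bytes(12) + ie(0, b"") + ie(3, b"\x06")),  # "hidden" beacon
    mgmt(4, b"\xff" * 6, CLIENT, b"\xff" * 6, ie(0, b"homenet")),           # client probe
    mgmt(5, CLIENT, AP, AP, bytes(12) + ie(0, b"homenet")),                 # AP's reply
    mgmt(0, AP, CLIENT, AP, bytes(4) + ie(0, b"homenet")),                  # association
]


def summarize(frames):
    return [ssid_from_frame(f) for f in frames]


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Only the beacon comes back with an empty SSID; every frame a legitimate client exchanges with the access point names the network and shows both MAC addresses, which is why neither setting counts as a security control.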

The majority of ISPs don't provide anything but plain text authentication for POP3 mail servers, some ISPs (e.g. Pipex) require that you log onto their news server (i.e. Giganews) using your main login account details, ..... If I were a Pipex user (which I was once upon a time) then I'd be a bit reluctant to let anyone capture my main login account details since they could then use up my 10GB/month limit from Giganews (i.e. you can log onto Giganews with Pipex login info even if you are not on a Pipex connection - just as you can to most POP3 servers).

So I'd say that there are a couple of very good reasons for doing everything possible to prevent people from sniffing your WLAN traffic.

Reply to
Dave Dowson
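
A way to check what the two posts above describe (POP3 with clear-text authentication, and ISPs that offer nothing else), given here as an added example that is not part of any poster's message. It classifies a server from its greeting and CAPA reply using RFC 1939 (APOP), RFC 2449 (CAPA) and RFC 2595 (STLS); the three transcripts and the function names are constructed for illustration, and implicit-TLS POP3 on a separate port is not covered.

```python
import re

# RFC 1939: an APOP-capable server puts a <timestamp@host> in its greeting.
APOP_STAMP = re.compile(r"<[^<>@\s]+@[^<>\s]+>")


def parse_capa(response: str) -> dict:
    """Parse a multi-line CAPA response (RFC 2449) into {TAG: [args]}."""
    lines = response.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("+OK"):
        return {}  # -ERR: the server predates CAPA and advertises nothing
    caps = {}
    for line in lines[1:]:
        if line == ".":
            break
        if line.strip():
            tag, *args = line.split()
            caps[tag.upper()] = [a.upper() for a in args]
    return caps


def login_exposure(greeting: str, capa_response: str) -> str:
    """Classify what an eavesdropper on the link could read."""
    caps = parse_capa(capa_response)
    challenge = [m for m in caps.get("SASL", []) if m not in ("PLAIN", "LOGIN")]
    if "STLS" in caps:
        return "protected: STLS offered, client must require it before login"
    if APOP_STAMP.search(greeting) or challenge:
        return "partial: password not sent in clear, mail still readable"
    return "exposed: USER/PASS and mail readable on an unencrypted WLAN"


# Constructed transcripts (hypothetical servers, not real ISP output).
LEGACY = ("+OK POP3 server ready", "-ERR unknown command\r\n")
APOP_ONLY = ("+OK ready <1896.697170952@mail.example.net>",
             "+OK\r\nUSER\r\nUIDL\r\n.\r\n")
MODERN = ("+OK ready", "+OK\r\nUSER\r\nSASL CRAM-MD5 PLAIN\r\nSTLS\r\n.\r\n")

if __name__ == "__main__":
    for name, t in (("legacy", LEGACY), ("apop", APOP_ONLY), ("modern", MODERN)):
        print(name, "->", login_exposure(*t))
```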

Which for most home networks would be imperceptible, as they will very rarely use it to anywhere near capacity.

Although it shouldn't be anywhere near that high anyhow.

Because only people who never access anything that needs a password, and never use credit cards on line don't need it.

And even then, they could well find themselves struggling to prove it wasn't them if the person piggybacking on their account starts using the connection for illegal activities.

Or if said person starts breaching your ISP's AQUP, you could well lose your account with no comeback.

There is no reasonable reason NOT to secure your network as much as you can.

Reply to
Alex Heney
[ntl newsgroups dropped because Newsguy doesn't carry them]

Don't assume that just because it's not encrypted, it's also insecure.

The local hospital wireless system is a good example. It shows up as unencrypted. Anyone can connect. However, they're greeted with an SSL encrypted splash web page that demands a user name and password (along with some instructions). Once you login, all traffic is SSL encrypted. It also delivers a magic cookie for temporary authentication making session hijacking difficult. At first glance, this would appear to be insecure, but it's really quite secure.

The same thing with VPN over wireless. The wireless connection is unencrypted. However, all traffic is configured to go to the VPN server. All ports are blocked except those required for the VPN. The only way to get anywhere is to fire up the VPN client. All traffic appears encrypted by the VPN tunnel.

There is an issue with client-to-client security on such systems, but most access points have a "client isolation" feature that prevents unencrypted bridging between connected clients.

While I'm ranting on security, I have a really bad attitude about security by group rather than by individual. Having a common WEP or WPA key for a system is ridiculous. The chances of social engineering or simple theft causing the key to leak out is far too risky to even consider WEP or WPA a useable security mechanism. Would you trust your co-worker with *YOUR* system passwords? Encryption should be individualized so that a leak or security breach by one person does not compromise the rest of the users or the rest of the system.

Reply to
Jeff Liebermann


Personally, I don't run MAC filtering, WEP, WPA, or anything else... However, the only services you'll get on my wireless LAN are a DNS server and a VPN server. Depending on which firewall I'm using, the only query the DNS server will answer is the VPN server's IP, it doesn't even resolve on its own, it's just there so that I can use the same VPN icon on my desktop when I'm on my wireless network or when I'm traveling.

Anyone with the ability to break my VPN's encryption will have better things to do than monitor my wireless traffic :)

Reply to

Maybe I'm just demonstrating my ignorance, but doesn't VPN require a VPN server on the other end? If I was an authorized user on your WLAN, how would I browse the Internet?

Reply to
Derek Broughton

So how did you know that these WLANs were really 'open', unless you connected and tried to transfer traffic ?

Alternatively do what I do :-

  1. disable MAC filtering
  2. turn on SSID broadcast
  3. choose a SSID which clearly identifies it as your network [1]
  4. turn off encryption [1]
  5. only permit VPN traffic between the WLAN and any other network (and only allow VPN authentication through certificates, not PSKs).

It only takes a few minutes to set up. Maybe if you were passing you'd find it "quite shocking" since you might mistakenly think it was insecure, but believe me, the VPN I use is far more secure than WEP or WPA-PSK.

[1] Well to be honest if my WLAN gateway does detect uninvited 'guests' on the WLAN, then WPA is automatically enabled with one of several different PSKs and the SSID is automatically changed so that legitimate clients know which PSK to use. The effect on legitimate clients is a brief pause in communication, but since the VPN stays up, no TCP/UDP connections are affected. The effect on uninvited guests (there are two script kiddies in the vicinity who regularly find new 'toys' to play with) is that, hopefully, they get a bit annoyed; and to try and make sure that they do, I often set the WLAN up to use WEP by default, and then let the automated system switch the encryption to WPA as soon as they've cracked the WEP key (which is never re-used, of course) and connected to the AP ;-)

Reply to
Dave Dowson

You just connect to my VPN server ;-)

Reply to
Dave Dowson

LOL that is *not* at all secure! If I was beside your house and you had MAC filtering on, I could watch about 10 packets, get the MAC address of the person using the network, then just change my NIC to match it.

The *ONLY* secure way (NOT WEP!!) is to use WPA with AES (NOT TKIP!!!) - also using WPA with AES means less bandwidth is used in communication, so you're not sacrificing speed to such an extent.

Always amuses me how random comments get made about this subject.

Reply to

The fact is, it'll likely only be a script-kiddie hacking your network. WPA-PSK or WPA2 personal are fine, and won't realistically be hacked. Fact.

Just because you're a fanny running a VPN does not mean other people should choose this path, you should disable SSID, enable mac filtering, change default SSID name, enable WPA with AES, or WPA2 with AES+TKIP.


Reply to

You commented on how random comments get thrown in, yet then suggest disabling SSID broadcast which has no useful security value and only makes it more difficult to a) troubleshoot connections, b) detect if someone else is on the same channel (if you've all disabled SSID broadcast).

In your previous post, you commented that MAC filtering has no security value, yet bring it up again here?


BTW, there are other ways to secure WLANs without using WPA(2) you know and more secure than those too.


Reply to
David Taylor
