Front Office Football Central  

Old 07-06-2005, 10:01 PM   #1
lcjjdnh
College Prospect
 
Join Date: Oct 2000
Location: NJ
Wireless Security

I just set up a wireless network in my house, and I'm not really sure how confident I am with my own ability to protect the network.

As of now I have it set on WPA Pre-Shared Key, TKIP, created a key and set the group renewal key to 600 seconds. I also see that I do have other options using some sort of RADIUS server or WEP. Is what I have now a good option, or should I switch it over to one of the other options?

Old 07-06-2005, 10:07 PM   #2
DaddyTorgo
Hall Of Famer
 
Join Date: Oct 2002
Location: Massachusetts
WPA is better encryption than WEP. Both can be brute-force cracked, but it's a lot easier to crack WEP than WPA. It'll help if the key you create for WPA is some non-dictionary type set of characters (letters and numbers mixed together, no discernible words in it). You can always write it down in the house, since it's WIRELESS security, and no one will be in your house to find it. RADIUS would be the most secure, but for a simple home network just looking to keep out the script kiddies RADIUS authentication would be overkill. Basically if you have it WPA locked-down with a fairly low renewal rate and have a key that isn't easily guessable then you will be fine, especially if you live in the suburbs somewhere where someone would have to be visible/a neighbor to be close enough to get in.
DaddyTorgo is offline   Reply With Quote
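Added example, not part of the original posts: a WPA pre-shared key is derived only from the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations, per IEEE 802.11i), so the strength of the network rests on how guessable the passphrase is. The word list and the 80-bit threshold below are assumptions made for illustration.

```python
import hashlib
import math
import string

# Constructed sample list; a real check would load a full wordlist.
COMMON_WORDS = {"password", "wireless", "football", "linksys", "letmein"}
MIN_BITS = 80  # assumed acceptance threshold, not a figure from the thread


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA-PSK master key (IEEE 802.11i):
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def estimate_bits(passphrase: str) -> float:
    """Upper bound on entropy if every character were picked at random."""
    if not passphrase:
        return 0.0
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in passphrase):
        pool += 33  # printable ASCII punctuation and space
    return len(passphrase) * math.log2(pool)


def audit(passphrase: str) -> dict:
    """Flag keys that contain a common word or are too short to resist guessing."""
    lowered = passphrase.lower()
    hits = sorted(w for w in COMMON_WORDS if w in lowered)
    bits = estimate_bits(passphrase)
    return {
        "bits": round(bits, 1),
        "dictionary_hits": hits,
        "acceptable": not hits and bits >= MIN_BITS,
    }


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
    for key in ("password", "football2005", "k7Qz2mXw9rLp4vTb"):
        print(key, audit(key))
```

The entropy figure is an upper bound: a passphrase built from words or patterns is weaker than its length suggests, which is why the dictionary check overrides it.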
Old 07-07-2005, 07:50 AM   #3
lcjjdnh
College Prospect
 
Join Date: Oct 2000
Location: NJ
Alright, cool, thanks for the help.
Old 07-07-2005, 07:59 AM   #4
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
I'd also turn off sid broadcasting and enable MAC address filtering. You will need to list the MAC address for every device you want to connect to your network. To get a MAC address, type "ipconfig /all" from a command line; it will be labeled Physical Address.
Last edited by jeff061 : 07-07-2005 at 07:59 AM.
Old 07-07-2005, 08:15 AM   #5
Senator
FOFC's Elected Representative
 
Join Date: Oct 2000
Location: The stars at night; are big and bright
0.99998 out of 0.99999 would-be hackers would pass over ANY encrypted signal. Unless you have personally upset them in some way. So, don't do that.
__________________
"i have seen chris simms play 4-5 times in the pros and he's very clearly got it. he won't make a pro bowl this year, but it'll come. if you don't like me saying that, so be it, but its true. we'll just have to wait until then" imettrentgreen

"looking at only ten games, and oddly using a median only, leaves me unmoved generally" - Quiksand

Last edited by Senator : 07-07-2005 at 08:16 AM.
Old 07-07-2005, 08:19 AM   #6
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
Guess it depends how close your neighbors are.

I've got mine set up locked down since I'm in an apartment. Anyone could turn on and let a machine run all day to crack the encryption.
Old 07-07-2005, 08:22 AM   #7
Senator
FOFC's Elected Representative
 
Join Date: Oct 2000
Location: The stars at night; are big and bright
to steal your porn collection?

There are too many unencrypted signals out there to goof with one that is. I have yet to come across someone who had a wireless encrypted that someone took the time to crack. There is no payoff for the effort. And if they did, you just change the encryption.
Old 07-07-2005, 08:27 AM   #8
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
It would take much more than 24 hours to steal MY collection sir.

In any case I'm more concerned with traffic sniffing and access to my systems from behind the firewall.

You are right though, if you are only concerned with people driving around and not people who live within striking distance all you need is encryption. Though I'd still disable SID broadcasting, as far as I am concerned the only reason to leave that enabled is if you want a public access point.
Last edited by jeff061 : 07-07-2005 at 08:29 AM.
Old 07-07-2005, 08:41 AM   #9
Senator
FOFC's Elected Representative
 
Join Date: Oct 2000
Location: The stars at night; are big and bright
More than 24 hours of porn? Maybe you are high risk then!!

You are correct about the apartment issue. You are way more at risk with that many people within striking distance. Good point about SID, turn it off.
Old 07-07-2005, 01:45 PM   #10
dawgfan
Grizzled Veteran
 
Join Date: Oct 2000
Location: Seattle
Related question - how much extra privacy protection do I get from hardware and software firewall solutions? I've ordered a USB hardware firewall device for my laptop, and I've got a software firewall solution as well. Can I feel reasonably secure conducting online banking and transactions from my laptop off a wireless connection with these in place?
Old 07-07-2005, 02:14 PM   #11
Samdari
Roster Filler
 
Join Date: Jan 2002
Location: Cicero
Quote:
Originally Posted by dawgfan
Related question - how much extra privacy protection do I get from hardware and software firewall solutions? I've ordered a USB hardware firewall device for my laptop, and I've got a software firewall solution as well. Can I feel reasonably secure conducting online banking and transactions from my laptop off a wireless connection with these in place?

I think a hardware firewall is much like reasonable wireless encryption - it will keep the vast majority of hackers from getting to information on your hard drive - there are far too many unprotected computers out there to bother with even minimally protected ones.

As for the security of online banking and ordering, I would be far more worried about what happens to the information sent back and forth between the bank, out in "cyberspace" where you can do nothing to protect it. Hell it seems that the most risky thing these days is simply having a bank account, since people interested in acquiring such information now seem to want to steal it in bulk and target banks.

I liken it to living in Oklahoma. Sure, there are lots of tornadoes out there and they cause devastating damage. But, there is a lot of area too, and your individual likelihood of being directly affected by it is very small.
__________________
http://www.nateandellie.net Now featuring twice the babies for the same low price!
Old 07-07-2005, 02:17 PM   #12
dawgfan
Grizzled Veteran
 
Join Date: Oct 2000
Location: Seattle
Thanks. My main concern with online banking and purchasing on a wireless network is with someone "spying" on my connection, but that may be unfounded - my expertise is in graphics, not networking.
Old 07-07-2005, 07:10 PM   #13
Daimyo
College Starter
 
Join Date: Oct 2000
Location: Berkeley
The info should be secure on the wire since they're likely using 128bit SSL to encrypt all communication between your computer and their web server. The bigger issue right now seems to be if that info is secure when it's sitting on their servers (or backup tapes, etc) or when it's sitting (or cached) on your computer. Another issue that pops up every now and then is if a malicious third party can "poison" your ISP's name resolution to trick you into giving your info to a perfect, but fake, copy of the bank's website without any security holes on your end or the bank's end.

Last edited by Daimyo : 07-07-2005 at 07:14 PM.
Old 07-07-2005, 09:32 PM   #14
flere-imsaho
Coordinator
 
Join Date: Sep 2004
Location: Chicagoland
If I'm not broadcasting my SSID and I have MAC filtering on, is that enough? Or is the fact that my traffic's unencrypted a problem?
Old 07-07-2005, 09:39 PM   #15
DaddyTorgo
Hall Of Famer
 
Join Date: Oct 2002
Location: Massachusetts
Quote:
Originally Posted by flere-imsaho
If I'm not broadcasting my SSID and I have MAC filtering on, is that enough? Or is the fact that my traffic's unencrypted a problem?

big discussion on wireless security on FARK the other day. Apparently people were of the conclusion that turning off SSID isn't very helpful, I forget why cuz it's not really my thing, but I guess because sniffers can still find your network?
Old 07-08-2005, 12:55 AM   #16
Daimyo
College Starter
 
Join Date: Oct 2000
Location: Berkeley
Turning off SSID doesn't help much because you can still pull the SSID out of legit traffic. You should still do it if you can, but don't rely on it. MAC is similar. 1) it is trivial for someone to spoof your MAC address and if your traffic is unencrypted it is trivial for them to sniff a valid MAC address to spoof with and 2) even if it kept people off your network it does nothing to keep them from eavesdropping on legit traffic between your laptop and the AP. At a minimum for home use you should turn on 128bit WEP (or preferably WPA if available), turn on MAC filtering (if your network has few enough hosts for this to be practical), disable SSID broadcast, and install a host based firewall on each host (such as the built-in XP firewall - check the exceptions though!). If you do those things you should be reasonably safe from outsiders...

I'd also recommend replacing IE with Firefox, enabling automatic updates, installing good antivirus software, and never clicking a link or attachment in email because if you do the steps above you're much more likely to get compromised from the "inside" rather than from the outside.
Daimyo is offline   Reply With Quote
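Added example, not part of the original posts: the SSID and the client MAC address travel in unencrypted 802.11 management frames, which is why hiding the SSID or filtering MACs adds no confidentiality and only link encryption does. The two frames below are constructed for illustration (locally administered MACs, made-up SSID "homenet").

```python
# Bytes between the 24-byte management header and the tagged elements.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req",
         5: "probe-resp", 8: "beacon"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt(frame: bytes) -> dict:
    """Read source MAC, BSSID and SSID from an 802.11 management frame."""
    if len(frame) < 24:
        raise ValueError("shorter than a management header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        raise ValueError("not a supported management frame")
    ssid, pos = None, 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):              # walk id/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            break                             # truncated element, stop
        if eid == 0:                          # element 0 is the SSID
            ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + elen
    return {"kind": NAMES[subtype], "source": fmt_mac(frame[10:16]),
            "bssid": fmt_mac(frame[16:22]), "ssid": ssid}


# Constructed frames: hypothetical AP and client addresses.
AP = bytes.fromhex("0200000000fe")
CLIENT = bytes.fromhex("020000000001")


def header(fc: int, dst: bytes, src: bytes) -> bytes:
    """Frame control, duration, DA, SA, BSSID, sequence control."""
    return bytes([fc, 0]) + b"\x00\x00" + dst + src + AP + b"\x10\x00"


# Beacon with SSID broadcast disabled: zero-length SSID element.
HIDDEN_BEACON = (header(0x80, b"\xff" * 6, AP) + b"\x00" * 8
                 + b"\x64\x00\x11\x04" + b"\x00\x00")
# Association request from a legitimate client: SSID is sent in the clear.
ASSOC_REQ = (header(0x00, AP, CLIENT) + b"\x31\x04\x0a\x00"
             + b"\x00\x07homenet" + b"\x01\x04\x82\x84\x8b\x96")

if __name__ == "__main__":
    print(parse_mgmt(HIDDEN_BEACON))
    print(parse_mgmt(ASSOC_REQ))
```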
Old 07-08-2005, 09:03 AM   #17
weinstein7
High School JV
 
Join Date: Oct 2004
Location: Rochester, NY
While we're on the subject, I just installed a wireless network card in my laptop and I'm "borrowing" some bandwidth from a neighbor.

How much of a security risk is this for me and is there anything I can do to reduce the risk?

Also, is this considered a severe breach of etiquette? I'm on good terms with most of my neighbors, but I have no idea whose signal this is.
Old 07-08-2005, 09:52 AM   #18
Daimyo
College Starter
 
Join Date: Oct 2000
Location: Berkeley
Everything you send on your "borrowed" bandwidth could potentially be sniffed and seen by the owner of the AP if they were so inclined. Make sure you use SSL (ie HTTPS; SSL is also available for email and other applications) wherever possible and/or VPN if you connect to a work/school network. Also since your machine will be directly accessible to everyone else on that wireless network make sure you use a host based firewall.

I don't know about etiquette, but there was a post here just the other day about a guy in Florida getting arrested for doing this. Apparently, accessing a computer network that you do not have permission to access is a third degree felony.

Last edited by Daimyo : 07-08-2005 at 09:54 AM.
Old 07-08-2005, 10:23 AM   #19
weinstein7
High School JV
 
Join Date: Oct 2004
Location: Rochester, NY
Quote:
Originally Posted by Daimyo
Everything you send on your "borrowed" bandwidth could potentially be sniffed and seen by the owner of the AP if they were so inclined. Make sure you use SSL (ie HTTPS; SSL is also available for email and other applications) wherever possible and/or VPN if you connect to a work/school network. Also since your machine will be directly accessible to everyone else on that wireless network make sure you use a host based firewall.

Could you elaborate a bit more on these points?

Oh, and when I installed the wireless card it suggested that I disable the Windows Wireless thingy and use the NetGear one instead, but it didn't tell me how to do that. What am I missing?

Last edited by weinstein7 : 07-08-2005 at 10:25 AM.
Old 07-08-2005, 10:26 AM   #20
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
SSL is implemented from the server side, nothing much you can do but be aware of it. Addresses that start with https:// are encrypted connections.

Host based firewall is a software based firewall you install on each computer, like Windows XP SP2 built in firewall(though that is far from the best choice).

I hate software firewalls and rely on my router, smart or not.
Old 07-08-2005, 10:52 AM   #21
weinstein7
High School JV
 
Join Date: Oct 2004
Location: Rochester, NY
Ah, gotcha. I installed SP2 last night, although at some point I'm going to try to install the Norton Security package (I forget exactly what it's called).

Thanks for the help guys.
Old 07-08-2005, 11:00 AM   #22
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
I was actually a bit limited in my SSL info. He was talking about using it for other apps, I don't know too much about that. I'd guess the person on the receiving end would need to be set up with SSL for whatever app you are using, which may make it impractical in a lot of cases.

Good if you're paranoid, but a little overkill.
Old 07-08-2005, 05:07 PM   #23
Daimyo
College Starter
 
Join Date: Oct 2000
Location: Berkeley
SSL encrypts traffic at a higher layer than WEP or WPA... you use it anytime you go to an https website. This basically ensures that the traffic is encrypted completely between your computer and the server you're connecting to. You probably use this already if you do online shopping, but you should always confirm that you're using it before entering your credit card or other sensitive info. You can also use SSL for things like email, but you'd need to ask your ISP... it's as simple to set up as checking a box in your email client assuming your ISP supports it.

Host based firewall is just a piece of software installed on your computer that limits traffic that can come into your computer from the outside world. This is important because over the last 3 or 4 years there have been a number of viruses/worms that spread by making an inbound connection to your machine without any intervention on your behalf... a firewall (and religious patching) protects you from those things and they're really the biggest threat going. A NAT/router also gives you good protection, but if you have more than one computer on your network the hostbased firewall protects you if one of your other computers gets infected. NAT/router devices are also susceptible to vulnerabilities and the HBF would help in the event your router/NAT was compromised. Also, if you're running a wireless network and someone is able to attach and get network connectivity your router/NAT won't help you at all as they're already behind it. Similarly if you're "borrowing" someone else's wireless your machine is fully exposed to them without one.

If you installed SP2 it should be turned on by default and it is pretty much all you really need. You can go with 3rd party apps like Symantec or Zone Alarm, but for the average user those things are overkill and really slow down your system (they were good 3-4 years ago before they tried to do too much *sigh*). IMO, it's pretty silly not to enable the XP firewall (or install similar software) and if you use your computer at all on public networks or wireless APs you don't control without a host based firewall you're really just asking for trouble.
Old 07-08-2005, 05:54 PM   #24
Coder
College Prospect
 
Join Date: Nov 2000
Location: Gothenburg, Sweden
I'm running a D-Link 624 + (only available in Europe) with WEP encryption.. but I don't think it's a problem anymore.. see.. from yesterday morning and on I can't get on to the network without a cable.. didn't change a thing, my laptop just can't get on the nw.. the network appears in the list and everything, I just can't get in without a cable..

I wonder if it's the laptop... I kind of dropped it..
__________________
IFL - Vermont Mountaineers

~ I am an idiot, walking a tight rope of fortunate things ~