07-06-2005, 10:01 PM | #1 | ||
College Prospect
Join Date: Oct 2000
Location: NJ
|
Wireless Security
I just set up a wireless network in my house, and I'm not really sure how confident I am with my own ability to protect the network.
As of now I have it set on WPA Pre-Shared Key, TKIP, created a key and set the group renewal key to 600 seconds. I also see that I do have other options using some sort of RADIUS server or WEP. Is what I have now a good option, or should I switch it over to one of the other options? |
||
07-06-2005, 10:07 PM | #2 |
Hall Of Famer
Join Date: Oct 2002
Location: Massachusetts
|
WPA is better encryption than WEP. Both can be brute-force cracked, but it's a lot easier to crack WEP than WPA. It'll help if the key you create for WPA is some non-dictionary type set of characters (letters and numbers mixed together, no discernible words in it). You can always write it down in the house, since it's WIRELESS security, and no one will be in your house to find it. RADIUS would be the most secure, but for a simple home network just looking to keep out the script kiddies RADIUS authentication would be overkill. Basically if you have it WPA locked-down with a fairly low renewal rate and have a key that isn't easily guessable then you will be fine, especially if you live in the suburbs somewhere where someone would have to be visible/a neighbor to be close enough to get in.
|
07-07-2005, 07:50 AM | #3 |
College Prospect
Join Date: Oct 2000
Location: NJ
|
Alright, cool, thanks for the help.
|
07-07-2005, 07:59 AM | #4 |
Grizzled Veteran
Join Date: Nov 2003
Location: MA
|
I'd also turn off SSID broadcasting and enable MAC address filtering. You will need to list the MAC address for every device you want to connect to your network. To get a MAC address, type "ipconfig /all" from a command line; it will be labeled Physical Address.
Last edited by jeff061 : 07-07-2005 at 07:59 AM. |
07-07-2005, 08:15 AM | #5 |
FOFC's Elected Representative
Join Date: Oct 2000
Location: The stars at night; are big and bright
|
0.99998 out of 0.99999 would-be hackers would pass over ANY encrypted signal. Unless you have personally upset them in some way. So, don't do that.
__________________
"i have seen chris simms play 4-5 times in the pros and he's very clearly got it. he won't make a pro bowl this year, but it'll come. if you don't like me saying that, so be it, but its true. we'll just have to wait until then" imettrentgreen "looking at only ten games, and oddly using a median only, leaves me unmoved generally" - Quiksand Last edited by Senator : 07-07-2005 at 08:16 AM. |
07-07-2005, 08:19 AM | #6 |
Grizzled Veteran
Join Date: Nov 2003
Location: MA
|
Guess it depends how close your neighbors are.
I've got mine set up locked down since I'm in an apartment. Anyone could turn on and let a machine run all day to crack the encryption. |
07-07-2005, 08:22 AM | #7 |
FOFC's Elected Representative
Join Date: Oct 2000
Location: The stars at night; are big and bright
|
To steal your porn collection?
There are too many unencrypted signals out there to goof with one that is. I have yet to come across someone who had a wireless encrypted that someone took the time to crack. There is no payoff for the effort. And if they did, you just change the encryption.
|
07-07-2005, 08:27 AM | #8 |
Grizzled Veteran
Join Date: Nov 2003
Location: MA
|
It would take much more than 24 hours to steal MY collection sir.
In any case I'm more concerned with traffic sniffing and access to my systems from behind the firewall. You are right though, if you are only concerned with people driving around and not people who live within striking distance all you need is encryption. Though I'd still disable SSID broadcasting, as far as I am concerned the only reason to leave that enabled is if you want a public access point. Last edited by jeff061 : 07-07-2005 at 08:29 AM. |
07-07-2005, 08:41 AM | #9 |
FOFC's Elected Representative
Join Date: Oct 2000
Location: The stars at night; are big and bright
|
More than 24 hours of porn? Maybe you are high risk then!!
You are correct about the apartment issue. You are way more at risk with that many people within striking distance. Good point about SSID, turn it off.
|
07-07-2005, 01:45 PM | #10 |
Grizzled Veteran
Join Date: Oct 2000
Location: Seattle
|
Related question - how much extra privacy protection do I get from hardware and software firewall solutions? I've ordered a USB hardware firewall device for my laptop, and I've got a software firewall solution as well. Can I feel reasonably secure conducting online banking and transactions from my laptop off a wireless connection with these in place?
|
07-07-2005, 02:14 PM | #11 | |
Roster Filler
Join Date: Jan 2002
Location: Cicero
|
Quote:
I think a hardware firewall is much like reasonable wireless encryption - it will keep the vast majority of hackers from getting to information on your hard drive - there are far too many unprotected computers out there to bother with even minimally protected ones. As for the security of online banking and ordering, I would be far more worried about what happens to the information sent back and forth between the bank, out in "cyberspace" where you can do nothing to protect it. Hell it seems that the most risky thing these days is simply having a bank account, since people interested in acquiring such information now seem to want to steal it in bulk and target banks. I liken it to living in Oklahoma. Sure, there are lots of tornadoes out there and they cause devastating damage. But, there is a lot of area too, and your individual likelihood of being directly affected by it is very small.
__________________
http://www.nateandellie.net Now featuring twice the babies for the same low price! |
|
07-07-2005, 02:17 PM | #12 |
Grizzled Veteran
Join Date: Oct 2000
Location: Seattle
|
Thanks. My main concern with online banking and purchasing on a wireless network is with someone "spying" on my connection, but that may be unfounded - my expertise is in graphics, not networking.
|
07-07-2005, 07:10 PM | #13 |
College Starter
Join Date: Oct 2000
Location: Berkeley
|
The info should be secure on the wire since they're likely using 128-bit SSL to encrypt all communication between your computer and their web server. The bigger issue right now seems to be if that info is secure when it's sitting on their servers (or backup tapes, etc) or when it's sitting (or cached) on your computer. Another issue that pops up every now and then is if a malicious third party can "poison" your ISP's name resolution to trick you into giving your info to a perfect, but fake, copy of the bank's website without any security holes on your end or the bank's end.
Last edited by Daimyo : 07-07-2005 at 07:14 PM. |
07-07-2005, 09:32 PM | #14 |
Coordinator
Join Date: Sep 2004
Location: Chicagoland
|
If I'm not broadcasting my SSID and I have MAC filtering on, is that enough? Or is the fact that my traffic's unencrypted a problem?
|
07-07-2005, 09:39 PM | #15 | |
Hall Of Famer
Join Date: Oct 2002
Location: Massachusetts
|
Quote:
Big discussion on wireless security on FARK the other day. Apparently people were of the conclusion that turning off SSID isn't very helpful, I forget why cuz it's not really my thing, but I guess because sniffers can still find your network? |
|
07-08-2005, 12:55 AM | #16 |
College Starter
Join Date: Oct 2000
Location: Berkeley
|
Turning off SSID doesn't help much because you can still pull the SSID out of legit traffic. You should still do it if you can, but don't rely on it. MAC is similar. 1) it is trivial for someone to spoof your MAC address and if your traffic is unencrypted it is trivial for them to sniff a valid MAC address to spoof with and 2) even if it kept people off your network it does nothing to keep them from eavesdropping on legit traffic between your laptop and the AP. At a minimum for home use you should turn on 128bit WEP (or preferably WPA if available), turn on MAC filtering (if your network has few enough hosts for this to be practical), disable SSID broadcast, and install a host based firewall on each host (such as the built-in XP firewall - check the exceptions though!). If you do those things you should be reasonably safe from outsiders...
I'd also recommend replacing IE with Firefox, enabling automatic updates, installing good antivirus software, and never clicking a link or attachment in email because if you do the steps above you're much more likely to get compromised from the "inside" rather than from the outside. |
07-08-2005, 09:03 AM | #17 |
High School JV
Join Date: Oct 2004
Location: Rochester, NY
|
While we're on the subject, I just installed a wireless network card in my laptop and I'm "borrowing" some bandwidth from a neighbor.
How much of a security risk is this for me and is there anything I can do to reduce the risk? Also, is this considered a severe breach of etiquette? I'm on good terms with most of my neighbors, but I have no idea whose signal this is. |
07-08-2005, 09:52 AM | #18 |
College Starter
Join Date: Oct 2000
Location: Berkeley
|
Everything you send on your "borrowed" bandwidth could potentially be sniffed and seen by the owner of the AP if they were so inclined. Make sure you use SSL (i.e. HTTPS; SSL is also available for email and other applications) wherever possible and/or VPN if you connect to a work/school network. Also since your machine will be directly accessible to everyone else on that wireless network make sure you use a host based firewall.
I don't know about etiquette, but there was a post here just the other day about a guy in Florida getting arrested for doing this. Apparently, accessing a computer network that you do not have permission to access is a third degree felony. Last edited by Daimyo : 07-08-2005 at 09:54 AM. |
07-08-2005, 10:23 AM | #19 | |
High School JV
Join Date: Oct 2004
Location: Rochester, NY
|
Quote:
Could you elaborate a bit more on these points? Oh, and when I installed the wireless card it suggested that I disable the Windows Wireless thingy and use the NetGear one instead, but it didn't tell me how to do that. What am I missing? Last edited by weinstein7 : 07-08-2005 at 10:25 AM. |
|
07-08-2005, 10:26 AM | #20 |
Grizzled Veteran
Join Date: Nov 2003
Location: MA
|
SSL is implemented from the server side, nothing much you can do but be aware of it. Addresses that start with https:// are encrypted connections.
Host based firewall is a software based firewall you install on each computer, like Windows XP SP2 built-in firewall (though that is far from the best choice). I hate software firewalls and rely on my router, smart or not, |
07-08-2005, 10:52 AM | #21 |
High School JV
Join Date: Oct 2004
Location: Rochester, NY
|
Ah, gotcha. I installed SP2 last night, although at some point I'm going to try to install the Norton Security package (I forget exactly what it's called).
Thanks for the help guys. |
07-08-2005, 11:00 AM | #22 |
Grizzled Veteran
Join Date: Nov 2003
Location: MA
|
I was actually a bit limited in my SSL info. He was talking about using it for other apps, I don't know too much about that. I'd guess the person on the receiving end would need to be set up with SSL for whatever app you are using, which may make it impractical in a lot of cases.
Good if you're paranoid, but a little overkill. |
07-08-2005, 05:07 PM | #23 |
College Starter
Join Date: Oct 2000
Location: Berkeley
|
SSL encrypts traffic at a higher layer than WEP or WPA... you use it anytime you go to an https website. This basically ensures that the traffic is encrypted completely between your computer and the server you're connecting to. You probably use this already if you do online shopping, but you should always confirm that you're using it before entering your credit card or other sensitive info. You can also use SSL for things like email, but you'd need to ask your ISP... it's as simple to set up as checking a box in your email client assuming your ISP supports it.
Host based firewall is just a piece of software installed on your computer that limits traffic that can come into your computer from the outside world. This is important because over the last 3 or 4 years there have been a number of viruses/worms that spread by making an inbound connection to your machine without any intervention on your behalf... a firewall (and religious patching) protects you from those things and they're really the biggest threat going. A NAT/router also gives you good protection, but if you have more than one computer on your network the host based firewall protects you if one of your other computers gets infected. NAT/router devices are also susceptible to vulnerabilities and the HBF would help in the event your router/NAT was compromised. Also, if you're running a wireless network and someone is able to attach and get network connectivity your router/NAT won't help you at all as they're already behind it. Similarly if you're "borrowing" someone else's wireless your machine is fully exposed to them without one. If you installed SP2 it should be turned on by default and it is pretty much all you really need. You can go with 3rd party apps like Symantec or Zone Alarm, but for the average user those things are overkill and really slow down your system (they were good 3-4 years ago before they tried to do too much *sigh*). IMO, it's pretty silly not to enable the XP firewall (or install similar software) and if you use your computer at all on public networks or wireless APs you don't control without a host based firewall you're really just asking for trouble. |
07-08-2005, 05:54 PM | #24 |
College Prospect
Join Date: Nov 2000
Location: Gothenburg, Sweden
|
I'm running a D-Link 624 + (only available in Europe) with WEP encryption.. but I don't think it's a problem anymore.. see.. from yesterday morning and on I can't get on to the network without a cable.. didn't change a thing, my laptop just can't get on the nw.. the network appears in the list and everything, I just can't get in without a cable..
I wonder if it's the laptop... I kind of dropped it..
__________________
IFL - Vermont Mountaineers ~ I am an idiot, walking a tight rope of fortunate things ~ |