Buying a Wireless Access Point for my home network... security question

[Blayze]

Im going to buy a access point and hook it up to my already wired network

I was wondering about security for the machines that will be connected wireless. Is there anything I can do to protect myself so that someone else can't access my network and information.

I want to protect myself and I don't want my network showing up in other peoples homes, etc...

 

[WarSong]

You can enable 128-bit WEP and MAC authentication. Some let you disable broadcasting of the SSID also.

 

[rw120555]

There have been some articles lately about people accessing 100s of networks that had zero security, so you're smart to be thinking about this. WEP and Mac address filtering won't protect you from a dedicated attack, but they'll keep out the casual sniffer. WEP may slow your system down, but personally I mainly use wireless for internet access -- if I need high speed access I plug my laptop into a wired connection.

Other tips:

Choose hard to guess key for the WEP. I just use random characters which I can't even remember. If you lose the code you can always reset your wap.

Your wap will likely have a default password a user must type in before s/he can configure it -- change that password.

Remember that it isn't just the machines with wireless connections that are vulnerable, it is all the machines that are part of the same network.

Be careful about your file sharing -- I'm probably too lax in that I have a lot of things with read access, but I'm pretty careful about write privileges. I'm actually more worried about the kids screwing stuff up than I am outside attackers.

If you don't need the WAP all the time (e.g. you mostly use it for occasional laptop use) then turn it off when it isn't needed.

 

[Blayze]

the WAP will mainly be used for laptop access and some access to the other machine (its a system that everyone uses so people will come at different times wanting to do stuff)

It will be for internet access, no games, etc... the only shares will be the printer, and one shared folder that will be read only (for my personal use).

how much does WEP slow down your system?

 

[rw120555]

You can go to practicallynetworked.com for reviews and other info. With my Netgear ME102, WEP supposedly doesn't slow down the connection at all. In practice, I find that, for whatever reason, my laptop usually connects at around 6 mbps and sometimes as little as 1 or 2 mbps, depending on where I am. If I were concerned about it, I could probably figure out how to improve the connection, but in practice it doesn't matter much since even the slowest connections are faster than my dsl. At least, I never notice changes in internet speed.

 

[sml]

WEP, even in a 128-bit implementation relies on a weak segment of the RC4 keyspace and hence is inherently susceptible to passive analysis and penetration; vendors like Cisco get around this with EAP extensions to the protocol, but this is a band-aid solution. Bottom line: don't trust your wireless connection. I recommend using WEP in its 128-bit iteration anyways [it's better than nothing] and coupling it with an IPSEC layer for packet authentication and data encryption assurance.

 

[JackMDS]

Wireless is not very secure. However the big noise is generally came out when the guys at PC Mag. found many cooperation residing in the same small environment (NYC) running Wireless systems at default on no protection, and thus totally exposed.

Take into consideration your environment. The range of 801.11b is not so great. If you have a Laptop, or Wireless PDA you can actually map your range. and evaluate your risk.

If the concern is casual Security, i.e. no body is "after you", and there is no "big secrets" on your Hard Drive.

1. Restrict your wireless communication, by allowing communicating with the MAC numbers of your Wireless Clients.

2. Change the default setting of the Wireless Access point. I.e. give the Wireless Network a unique name (SSID)

3. Change the Default channel from 6 to some thing else.

Next step (if necessary) use WEP.

Take into consideration that WEP reduces the bandwidth of the Wireless connection (some time a lot)

 

[sml]

I can not think of a circumstance where you would want to turn wep OFF. you aren't pushing >> 11mbit through your DSL/Cable line anyways, who cares about a 5-10% performance hit?

 

[JackMDS]

I can not think of a circumstance where you would want to turn wep OFF. you aren't pushing >> 11mbit through your DSL/Cable line anyways, who cares about a 5-10% performance hit?

Well in my case the Wireless is part of a functional Network not just Interent sharing, thus a transfer of 5-8Mb/sec. is most helpful.

A lot of entry level Wireless equipment experience loses of 40% due to enabled WEP.

 

[rw120555]

I think it would be nice if there was an easy way to have wireless ONLY provide internet access. Wireless is just part of my network, and I mostly got it just so I could work with my laptop in convenient locations. I'd love to have some way to easily switch between internet only and full network access -- maybe have a little button on the WAP.

 

[stash]

I dont live in apartment building in the middle of a city, so I guess my situation might be different than others, but I dont see the need to run WEP on my network. I lock down all my computers using permissions etc, so if someone gets on the wlan, they'll only being using my RR bandwith, which I dont care about.

And since I live in a pretty quiet neighborhood, I'm not really worried about people war-drving. I do use mac-authentication, and some other things, but a determined hacker could still get on. WEP (in its current form) isnt going to help much either, it will only slow them (and you ) down.

 

[Agamar]

How are these people getting into these wireless networks???? Our Orinoco AP1000, with the gold card installed, will only reach about 50ft thru the wall. Most of our buildings are 15,000 sf +. One hallway can be as long as 250 + ft. I just can't see somebody actually being able to get close enough to the AP to be useful.

 

[bUnMaNGo]

man all this stuff is scaring me... so far I've changed my ssid, the default channel, and enabled 128-bit wep encryption, but it doesn't feel like it's enough. For the wireless network at school we don't even use WEP encryption and they say that they've disabled telnet and tell us to use SSH, which I already do. Does this mean that I shouldn't check my email using Outlook and use AIM over a wireless connection at school? That is, without some SSH tunneling? Would someone be able to sniff my email/AIM passwords easily? What about on the web- for example, Yahoo mail- Would using their "secure" login feature be wise? I understand that SSH is an end-to-end secure connection but what about Yahoo's "secure" login?

 

[stash]

Your email user and pass can be sniffed over any medium (not just wireless) if you choose the standard login in yahoo (and all other non-ssl or ssh POP mail)

 

[rw120555]

Your email user and pass can be sniffed over any medium (not just wireless) if you choose the standard login in yahoo (and all other non-ssl or ssh POP mail)

Gee STaSH, that should make everybody feel a lot better

I'll see if I can find the link, but basically what these magazine guys did was get a lot better antenna than you've got in your home, drove around and detected all these zillions of networks that were completely unprotected; and when protection was on, they were still using the factory defaults. Also Best Buy was recently embarrassed when somebody bought some wireless gizmo at a store, went out in the parking lot, and proceeded to monitor all their store transactions that were going through an unprotected network.

The good news, though, is that with all these unprotected networks around, why should anybody waste more than 5 minutes on you if you have even nominal security set up? Sure, WEP and all can be cracked, but it takes at least a little while to do.

Here is a recent PC Mag article about wireless security measures.

 

[stash]

Gee STaSH, that should make everybody feel a lot better

I try....

But really, many people have no idea how easy it is to get their sensitive information over a network. Raising awareness is a good thing

 

[rw120555]

If I were trying to market a rival technology, say HomePna, I might try to stress the security aspects. But, I think HPNA is vulnerable too. Somebody could go to your outside phone box in the middle of the night, plug in to your lines, and have access to your whole network. (More likely, they could make calls all across the world -- it has always seemed to me that that could be a major problem, but I've never heard of it happening.)

One of the biggest security things going for most people is that nobody particularly cares about them. They'll be happy to steal your credit card or whatever if you happen to be an easy target, but they won't make a point about going after you in particular. So, do what you can to make yourself a little more of an obstacle so they'll go after the easy ones.

 

[rw120555]

For more sleepless nights...

Wi-Fi's Achilles heel
Wireless attacks: Wave a white flag?
Where wireless is most vulnerable

 

[bex0rs]

http://arstechnica.com/paedia/w/wireless/security-1.html

~bex0rs