How secure is secure? Wireless...

SunnyD

Belgian Waffler
Jan 2, 2001
32,674
146
106
www.neftastic.com
Well, I'm slowly moving towards adding a few wireless devices to my home. In doing so, I'm well aware of my network security issues as a whole. Hell, those don't change whether you do or don't have wires.

Of course at home, we're not talking about a robust corporate solution though. I'm using a Microsoft MN-700 Wireless-G router that I picked up on clearance for $10 which seems up for the task, both ways.

My question, however, is how secure can you get with the current incarnation of wireless?

So far I:
  • Don't broadcast the SSID
  • Use WPA with a fairly long passphrase
  • Will be running MAC address filtering

I'm fairly confident that in my ghetto neighborhood that I won't be getting wardriven, but hey. Is this enough? Is there more I should look at? Suggestions?
 

Jon855

Golden Member
Mar 24, 2005
1,214
0
0
It's very unsecure; I wouldn't suggest wireless when you could be using wired. But if wireless is a must, then I would advise that you use WPA + WEP and 256-bit encryption, along with software file encryption, also with public keys and MAC address enabled. This is how I run my home Wi-Fi.
 

InlineFive

Diamond Member
Sep 20, 2003
9,599
2
0
WPA + WEP is impossible. WPA is just the authentication protocol, the encryption protocol is the one that follows after the "+" sign. WPA is currently paired with TKIP (stronger form of WEP) or AES (whole different algorithm, much stronger).
 

Aves

Lifer
Feb 7, 2001
12,232
30
101
Originally posted by: SleepWalkerX
Why don't you just set up MAC filtering?

Spoofing a MAC is trivial. That's not to say that you shouldn't do it but you shouldn't rely on it.


I did/use the following:

Use a long unique SSID
Disable SSID broadcast
WPA+AES
AP isolation
Only allow 802.11g devices on the network
MAC filtering
IP filtering
No DHCP

I still wouldn't use it for anything I thought I needed to protect.
 

Need4Speed

Diamond Member
Dec 27, 1999
5,383
0
0
my wireless security:

1. Disable SSID broadcast, set SSID to random caps and lowercase
2. Enable WPA security on WAP, using RADIUS authentication against FreeRADIUS
3. strong WPA secret
4. wireless network is on a separate subnet from my wired network and physically separate using ASL
5. no DHCP in wireless zone
6. MAC address filtering on Wireless
7. PPTP VPN to the wired network should I ever need access to filesharing

here is some more detailed info on the key machines on the network:
http://forums.anandtech.com/messageview...atid=36&threadid=1551697&enterthread=y
 

Jon855

Originally posted by: PorBleemo
WPA + WEP is impossible. WPA is just the authentication protocol, the encryption protocol is the one that follows after the "+" sign. WPA is currently paired with TKIP (stronger form of WEP) or AES (whole different algorithm, much stronger).

That's correct; however, with my set-up it's possible. I use two Wi-Fi routers, and they communicate with each other, so in effect you got to break through both of them to get what you need, but then you will also have to face the files themselves, which usually are encrypted with 256-bit Blowfish (the important files are, anyway). It's possible. However, if I were stating that by using one router, it would be impossible.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Can you explain how that works?

The way I'm seeing it right now:
AP1 - WPA (TKIP)
AP2 - WEP

I only have to connect to AP2 and break WEP to get into your network.....

I'm not seeing where the "you got to break through both of them" comes into play....
 

Jon855

Oh, what I'm saying is that I have one router that's connected to my other PC, and that other PC is connected to my other router, and that's what I'm connecting to from. Get it now? Sorry if I have to make things complicated. Router #1 ---> PC #1 ---> Router #2 ---> Me
 

SunnyD

Well, seeing as the whole issue for me is the inability to wire (I live in an apartment), it makes it near impossible to do custom solutions like what we're seeing posted here. Not only that, I am only talking about 2 or 3 computers on my network at any given time - currently this box, my laptop and my Vonage box are occupying the network. Eventually when I have a house, we'll be wiring for a physical network throughout. But I will still have an AP for "roaming" devices.
 

InlineFive

I would strongly advise against using wireless for your Vonage adapter. From what I see that might be asking for trouble, with lots of latency.
 

lapierrem

Member
Dec 13, 2004
61
0
0
Depends how bad you are trying to hide your illegal porn.
I swear, some people are seriously paranoid. If you don't want your stuff to get seen, don't use wireless, period. If someone wants into your network, they will be in eventually regardless of what you set. And if you're using heavy encryption on something and doing wireless networking, you are pretty much asking someone to go out of their way to find out what it is you are trying to hide. If your files are that important to national security, or not getting arrested, then you shouldn't be using wireless, regardless of how convenient it is.
 
Sep 23, 2004
25
0
0
Originally posted by: Jon855
It's very unsecure; I wouldn't suggest wireless when you could be using wired.

It's only unsecure if you don't take the necessary steps to lock it down and make it secure. Wireless is the wave of the future. Entire cities are renovating their structure so that anyone, at any time, can access the internet wirelessly. There are plenty of websites/tutorials available on the internet which show you step by step how you can make a wireless network more secure and keep the hackers at bay.

 

SunnyD

Originally posted by: PorBleemo
I would strongly advise against using wireless for your Vonage adapter. From what I see that might be asking for trouble, with lots of latency.

My Vonage adapter is wired, not wireless. I use a mixed network; it's just that I am soon going to have some equipment in the living room, whereas my network connection, router, modem and hardware are in a bedroom on the other side of the apartment.

I need some way to bridge the gap, hence, wireless.
 

Boscoh

Originally posted by: Cooch
Originally posted by: Jon855
It's very unsecure; I wouldn't suggest wireless when you could be using wired.

It's only unsecure if you don't take the necessary steps to lock it down and make it secure. Wireless is the wave of the future. Entire cities are renovating their structure so that anyone, at any time, can access the internet wirelessly. There are plenty of websites/tutorials available on the internet which show you step by step how you can make a wireless network more secure and keep the hackers at bay.

As long as wireless uses RF, and until someone invents unsniffable point-to-point wireless communications that the general public can use then wireless will always be insecure. You can do whatever you want to lock it down, but I can load up a program and capture every single one of your packets without messing around with encryption keys or connecting to your router. Then, I have all the time in the world to crack your algorithm and get at the data inside the encrypted packets.

You'll never make it secure, and that's not really the point. The point is to do as much as you can to make it as difficult as possible for the person to even see your RF transmissions, then make it as difficult as possible for them to break the encryption on it, then make it as difficult as possible for them to authenticate and get into your network...and then once all that is said and done, the encryption keys change and the hacker has to do it all over again (key rotation). It's about making it so inconvenient that they won't want to mess with it, or spend years upon years trying.

But if you had something I wanted really bad, I'd just sit there with my sniffer and collect your packets then throw them into my brute force cluster and let it crunch the keys on those packets for a few years (assuming you're using AES) and see what happens...although with AES, it should take a lot longer than a few years. But if you had something that someone wanted that bad, they'd probably just hire the mafia to come get it from you ;).
 

SaigonK

Diamond Member
Aug 13, 2001
7,482
3
0
www.robertrivas.com
Originally posted by: Boscoh
Originally posted by: Cooch
Originally posted by: Jon855
It's very unsecure; I wouldn't suggest wireless when you could be using wired.

It's only unsecure if you don't take the necessary steps to lock it down and make it secure. Wireless is the wave of the future. Entire cities are renovating their structure so that anyone, at any time, can access the internet wirelessly. There are plenty of websites/tutorials available on the internet which show you step by step how you can make a wireless network more secure and keep the hackers at bay.

As long as wireless uses RF, and until someone invents unsniffable point-to-point wireless communications that the general public can use then wireless will always be insecure. You can do whatever you want to lock it down, but I can load up a program and capture every single one of your packets without messing around with encryption keys or connecting to your router. Then, I have all the time in the world to crack your algorithm and get at the data inside the encrypted packets.

You'll never make it secure, and that's not really the point. The point is to do as much as you can to make it as difficult as possible for the person to even see your RF transmissions, then make it as difficult as possible for them to break the encryption on it, then make it as difficult as possible for them to authenticate and get into your network...and then once all that is said and done, the encryption keys change and the hacker has to do it all over again (key rotation). It's about making it so inconvenient that they won't want to mess with it, or spend years upon years trying.

But if you had something I wanted really bad, I'd just sit there with my sniffer and collect your packets then throw them into my brute force cluster and let it crunch the keys on those packets for a few years (assuming you're using AES) and see what happens...although with AES, it should take a lot longer than a few years. But if you had something that someone wanted that bad, they'd probably just hire the mafia to come get it from you ;).



Tell you what... I will fire up my wireless LAN, and you see if you can capture any packets and decode them while I run my VPN connection....
 

Rainsford

Lifer
Apr 25, 2001
17,515
0
0
Here's my wireless setup. Keep in mind that computer security is my field of study (and work in a few short months!), and I'm not too worried :p

SSID disabled
DHCP server only hands out IPs to registered MAC addresses (separate system from the AP)
AP is set with WPA AES with a 30 (I think?) character random password

There are no known problems with WPA as long as you use a good password, and AES is very good as far as encryption goes. If the NSA wanted in, they could probably get in. Beyond them, I doubt it.
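
An added illustration, not part of any post in this thread, of why the "good password" and "long unique SSID" advice matters for WPA in pre-shared-key mode: the 256-bit master key is PBKDF2-HMAC-SHA1 of the passphrase with the SSID as salt (4096 iterations), so the passphrase's search space is the real limit on offline guessing. The guess rate and the sample SSIDs and passphrases below are constructed assumptions.

```python
import hashlib
import math

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )

def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for a uniformly random passphrase."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Same passphrase, different SSID: the derived key differs, so work done
    # against one network name does not carry over to a unique one.
    for ssid in ("default", "kJ3xQz-home-7731"):  # constructed sample SSIDs
        print(ssid, wpa_pmk("correct horse battery", ssid).hex()[:16])

    rate = 1e6  # assumed offline guesses per second, for illustration only
    for label, length, alphabet in (
        ("8 lowercase letters", 8, 26),
        ("30 random alphanumerics", 30, 62),
    ):
        bits = keyspace_bits(length, alphabet)
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years")
```
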