How secure are wireless home networks?


JMJ_coder
08-10-2008, 04:10 PM
Hello,

Comparatively speaking, how secure is a wireless home network - say, in a residential area? Would more security measures need to be provided than with a wired network?

BSDfan666
08-10-2008, 05:12 PM
This kinda sounds like homework. ;)

Anyway, as you seem to have been living under a rock... most residential, and even commercial networks are vulnerable to attacks, most people buy a wireless router/access point, plug it in.. and assume that's all they had to do.

Many networks are unencrypted and have no sort of authentication system... but users aren't entirely at fault, the available encryption techniques are mostly insecure..

WEP (Wired Equivalent Privacy) was cracked.. years ago, I believe it takes only seconds to find someone's key these days.

WPA/WPA2, is a little better.. but I know very little about it...

I'm not an expert, I'm sure there are more qualified people here... up until recently I had no wireless equipment, I've set up a few APs for fun.. with OpenBSD+authpf.

All unauthenticated traffic was.. served a bogus error page. :)

BSDfan666
08-10-2008, 05:19 PM
Would more security measures need to be provided than with a wired network?
Yes, obviously... it's far easier to gain unauthorized access to a wireless network, you would notice someone walking into your home and tapping into your Ethernet cables while munching on a twinkie and downloading illegal stuff. :D

drhowarddrfine
08-10-2008, 06:04 PM
Bruce Schneier, security expert, leaves his wide open saying he's not concerned. I don't know how many people would want to sit in their car outside my house stealing bandwidth, or that my neighbors know how to do that, but we're such bandwidth hogs ourselves that I just allow the MAC addresses for the 4 computers we own that use it.

scottro
08-10-2008, 06:16 PM
@bsdfan666--what if he's not munching a twinkie, how would I notice him?

My building has a couple of people with unsecured wireless networks--I remember once my wife sent a print job several times before we realized she'd lost connection to our LAN. I *really* hope that the unsecured network doesn't have a printer at 192.168.1.49 or whatever our printer IP is.

18Googol2
08-10-2008, 06:40 PM
My building has a couple of people with unsecured wireless networks--I remember once my wife sent a print job several times before we realized she'd lost connection to our LAN. I *really* hope that the unsecured network doesn't have a printer at 192.168.1.49 or whatever our printer IP is.

Though they are network printers, you do need to install the printer driver, unless they are the same brand and model (very unlikely), so don't worry :p

I personally use RADIUS at home and haven't detected any break-in attempt so far, which means nobody gives a damn about my wireless :(

ocicat
08-10-2008, 07:06 PM
Would more security measures need to be provided than with a wired network?
Besides the fact that cracking is relatively easy, there is nothing stopping anyone from sitting out in a parking lot with a stronger access point from serving bogus Web pages just to harvest account names & passwords.

So think twice about doing online banking while at the local coffee shop.

TerryP
08-10-2008, 07:29 PM
There are 3 or 4 wireless networks in my area, depending on signal strength of the most distant.... Only two use encryption and one of them is mine.


In regards to a "residential area" as you put it, I think it depends on the area. For example, where I am, let's just say bra size is larger than brain size for both sexes, computer geeks are more rare than finding rhodium in your backyard, people's understanding of cracking follows Clarke's third law (http://en.wikipedia.org/wiki/Clarke's_three_laws), which they've never heard of... And anyone smart enough to use tools to make it simple, are more than far enough displaced from here that I don't need to line my bedroom walls with RADAR absorbent material to feel safe.



In your area the inverse could be true, only you would know.



Compared to a wireless network, it's the same problem but in a very different way. If someone gets into your home, they can always unplug one of your computers and get on your network, even easier if you're using DHCP. With a wireless network, they don't have to get physical access to your network in order to join it. "Wireless Equivalent Privacy" is just what it says it is, equivalent privacy to what you get over Ethernet/Token Ring systems (at least I assume so, since I've never used Token Ring). It's just enough security that you have to 'want to' break in in order to do so. WPA/WPA2 and other methods provide tougher encryption but anything can be cracked given enough time and effort.


I'm not sure how many consumer wireless routers and APs allow you to place wireless clients in separate virtual networks (http://en.wikipdia.org/wiki/Virtual_network) or not. But if your system can do so without interfering with your needs, you might look into it. Most consumer APs should allow you to restrict connections based on MAC (for what it's worth) /or segregate wireless clients off from the wired network, I would hope.



The problem with wireless is just that, it's wireless technology. Take what measures you can if you use it, and think carefully what you let pass. From my laptop to my AP, the wireless connection is encrypted and things 'of importance' that have to go across the wifi link are usually conducted via SSH, HTTPS, or likewise some encrypted protocol.



In the hopes of avoiding the "Hey wait, this isn't my network..." kind of situations. I configured my systems to only connect to my WLAN automatically and in the case of my laptop, I usually disable that automation when traveling, then encrypt the information in case of theft.

scottro
08-10-2008, 08:47 PM
@i8google2, yes, I know they'd have to have the same model printer, but sometimes, accuracy should be sacrificed for humor. As she was printing a Japanese document, it would have been even better.

JMJ_coder
08-11-2008, 10:23 PM
Hello,

Thanks guys. That's what I thought, but I started to doubt myself. The only use I would have for a wireless connection right now would be to be able to get a laptop and sit out on the deck while using it.

But, for now I guess I'll save the money on the laptop and just stick to a good ol' RJ45 connection for the time being. Maybe in another year or two, I might reconsider.

Again, thanks for the input.

ai-danno
08-12-2008, 06:27 AM
ah, I'm always late to the party!

If you are running a wireless laptop to your LAN, establishing a VPN connection will get over the worries you may have with wireless hacks.

About checking your bank account at a coffee shop... if your online banking doesn't run over SSL, I wouldn't use it anywhere in the first place ;) , but if it does, you shouldn't have a real issue.

18Googol2
08-12-2008, 06:55 AM
About checking your bank account at a coffee shop... if your online banking doesn't run over SSL, I wouldn't use it anywhere in the first place ;) , but if it does, you shouldn't have a real issue.

I'm a bit surprised about this statement, given what you have posted in this forum, you appear to be an experienced sys admin (no offence). Don't even think about SSL >= security, access can be gained over SSL.

fridder
08-13-2008, 03:05 AM
WEP=BAD NEWS, it is almost worse than leaving your network open because it gives a false sense of security. WPA/WPA2 is pretty dang good if you choose a good key. If you happen to get one of the 802.11n routers, be sure to enable security because the range on those things is much larger. Perhaps I'm just paranoid, but I do live in an apartment and it is WAY too easy to hop onto someone's network. OH, and here is a nasty little story about businesses and wireless networks (from 2002 but still creepy (http://www.msnbc.msn.com/id/3078572/))

ai-danno
08-13-2008, 04:27 PM
I'm a bit surprised about this statement, given what you have posted in this forum, you appear to be an experienced sys admin (no offence). Don't even think about SSL >= security, access can be gained over SSL.


No offense taken, in fact I appreciate the comment. But when you mention your wariness about SSL security, are you referring to a "man-in-the-middle" or attack? I think that those are do-able for sure, but I assume a low risk on them. Of course, low-risk is not no-risk, and I have not personally shopped online or done any online banking from a wireless hotspot. Also, the risk for a "man-in-the-middle" is also present on wired network paths, not just wireless, but again, the risk is low, and depends on the target website's implementation of SSL.

More to the point, I think that unless the site you are going to with sensitive information has properly implemented SSL (is completely SSL'd throughout the site and not just on authentication) then you shouldn't be visiting that site with sensitive information in the first place.

But if you are referring to something else... let me know. But my assumptions about SSL are that since it's encrypted traffic, and barring any insecure implementations of SSL, it's a secure way to communicate (aside from outlandish uber-hacker gangs and rogue governments... but if that's a realistic fear I wouldn't get online in the first place ;) )

Here's a fun article about cracking SSL itself. (http://www.markwieczorek.com/technology/HowlongdoesittaketocrackS.html) I believe this refers to USA-export encryption, not domestic (which is stronger.) Here's another (http://www.ripnroll.com/ssl_security.htm). This one (http://www.cs.bham.ac.uk/~mdr/teaching/modules03/security/students/SS8a/SSLTLS.html) is a more technical paper that describes the toughness of SSL.

lvlamb
08-13-2008, 07:26 PM
I have to back up fridder.
I already posted that there are enough default installed WiFi in a city neighbourhood to always get an Internet connection.
Stealing bandwidth? Well, if you leave your wallet for anyone to grab it, don't be surprised your cash will be gone.
Proper MAC address plus key authentication is just like keeping your wallet in your pocket.
Unfortunately, some ISPs will regularly "update" the modem settings as they want to remain "user friendly". Whatever you specify on ISPs' modems should be checked on a regular basis.
"User friendly" meaning you are a Vista Home user, with the Windows firewall set and ISP provided Norton anti-virus installed, WiFi set as an access point for everybody including yourself as you are too stoopid to run WiFi-radar and get connected. Only objective, reduce phone support traffic.

18Googol2
08-14-2008, 09:37 AM
No offense taken, in fact I appreciate the comment. But when you mention your wariness about SSL security, are you referring to a "man-in-the-middle" or attack? I think that those are do-able for sure, but I assume a low risk on them. Of course, low-risk is not no-risk, and I have not personally shopped online or done any online banking from a wireless hotspot. Also, the risk for a "man-in-the-middle" is also present on wired network paths, not just wireless, but again, the risk is low, and depends on the target website's implementation of SSL.

More to the point, I think that unless the site you are going to with sensitive information has properly implemented SSL (is completely SSL'd throughout the site and not just on authentication) then you shouldn't be visiting that site with sensitive information in the first place.

But if you are referring to something else... let me know. But my assumptions about SSL are that since it's encrypted traffic, and barring any insecure implementations of SSL, it's a secure way to communicate (aside from outlandish uber-hacker gangs and rogue governments... but if that's a realistic fear I wouldn't get online in the first place ;) )



Yes, the attack over SSL is MiM (man in the middle). SSL itself is practically impossible to crack, but it doesn't mean you are safe when surfing with https sites at all. The MiM doesn't attempt to crack SSL, instead, with bogus private & public keys, it pretends to be the trusted party (the https site) you are supposed to deal with. So, consequently, you blindly give your private info to the bad guy.

I wouldn't say it's a low risk. Believe it or not, it would take a script kiddie only ~5mins in total (including the time to download software) to finish every step needed to retrieve the password over SSL. Also, it requires zero technical knowledge. All you have to do is point and click as per instruction. If the program is widespread one day, it would be a disaster.

ai-danno
08-14-2008, 05:47 PM
Yes, the attack over SSL is MiM (man in the middle). SSL itself is practically impossible to crack, but it doesn't mean you are safe when surfing with https sites at all. The MiM doesn't attempt to crack SSL, instead, with bogus private & public keys, it pretends to be the trusted party (the https site) you are supposed to deal with. So, consequently, you blindly give your private info to the bad guy.

I wouldn't say it's a low risk. Believe it or not, it would take a script kiddie only ~5mins in total (including the time to download software) to finish every step needed to retrieve the password over SSL. Also, it requires zero technical knowledge. All you have to do is point and click as per instruction. If the program is widespread one day, it would be a disaster.

With all due respect, I think you over-estimate the ease with which a MITM attack is conducted. Again, I don't argue that it's possible, or that it happens, just the probability that it's conducted on a regular basis, even at your local Starbucks. A hotel actually would be a better place to conduct such attacks, but even then, it's not that simple. The real weakness in all of this is the user's ability to surf intelligently (and as a result, securely.) But this is another discussion entirely.

JMJ_coder
11-18-2008, 01:07 AM
Hello,

I finally got a wireless gateway for use with my laptop. Here is the security I currently have:


1) ssid name is unusual - 7-8 characters - mix of caps, lowercase, numbers, control characters
2) ssid broadcast turned off
3) using WPA-PSK (wpa_supplicant on NetBSD didn't seem to like WPA2-PSK - gateway doesn't support Enterprise)
4) passcode is 24 characters - mix of caps, lowercase, and numbers (didn't like it when I put control characters in there, so I left them out)
5) gateway has built-in firewall (for whatever good their default setup is)
6) using MAC filtering where my laptop's MAC is the only one allowed on the wireless


I'm planning to set up my own firewall (probably PF, once I have time to learn how to configure it) in the future, but for now, is that decent security? Anything else I can do?

Oko
11-18-2008, 01:09 AM
Hello,

I finally got a wireless gateway for use with my laptop. Here is the security I currently have:


1) ssid name is unusual - 7-8 characters - mix of caps, lowercase, numbers, control characters
2) ssid broadcast turned off
3) using WPA-PSK (wpa_supplicant on NetBSD didn't seem to like WPA2-PSK - gateway doesn't support Enterprise)
4) passcode is 24 characters - mix of caps, lowercase, and numbers (didn't like it when I put control characters in there, so I left them out)
5) gateway has built-in firewall (for whatever good their default setup is)
6) using MAC filtering where my laptop's MAC is the only one allowed on the wireless


I'm planning to set up my own firewall (probably PF, once I have time to learn how to configure it) in the future, but for now, is that decent security? Anything else I can do?

Are you trying to tell us how insecure your home network is :p
or are you trying to ask us what you really need to do to make it really secure?

JMJ_coder
11-18-2008, 01:13 AM
Are you trying to tell us how insecure your home network is :p
or are you trying to ask us what you really need to do to make it really secure?

That is the security I have implemented so far. I'm asking how secure (or insecure - I hope not :eek:) that is and what else I can do to make it really secure?

Oko
11-18-2008, 01:20 AM
That is the security I have implemented so far. I'm asking how secure (or insecure - I hope not :eek:) that is and what else I can do to make it really secure?

man VPN and IPsec

JMJ_coder
11-18-2008, 01:33 AM
man VPN and IPSEC

O.K. - I found IPSEC and will read up on it. I couldn't find VPN - I saw OpenVPN (openvpn.net) in pkgsrc; is that what you are referring to?

Also, will this work with the gateway (AT&T 2701HG-B) that also needs to communicate via wired to the tower that is currently running Slackware and the laptop when I feel like plugging it in? The gateway is the access point, not the laptop - and the gateway doesn't have too many options (it's a consumer DSL) - I just wonder if the gateway can handle this.

Oko
11-18-2008, 01:40 AM
O.K. - I found IPSEC and will read up on it. I couldn't find VPN - I saw OpenVPN (openvpn.net) in pkgsrc; is that what you are referring to?

Also, will this work with the gateway (AT&T 2701HG-B) that also needs to communicate via wired to the tower that is currently running Slackware and the laptop when I feel like plugging it in? The gateway is the access point, not the laptop - and the gateway doesn't have too many options (it's a consumer DSL) - I just wonder if the gateway can handle this.

OpenVPN is one of many different implementations of Virtual Private Network (VPN). It is very popular among Linux users. You do not want that one. It is a very poor implementation which violates many RFCs. You want IPsec.

Cheers,
OKO

J65nko
11-18-2008, 02:08 AM
Or have a look at authpf http://netbsd.gw.com/cgi-bin/man-cgi?authpf++NetBSD-4.0 ;)

s2scott
11-18-2008, 03:19 AM
OpenVPN ... you do not want that one. It is a very poor implementation which violates many RFCs. Cheers, OKO

Pardon?

Alphalutra1
11-19-2008, 12:04 AM
... I'm asking how secure (or insecure - I hope not :eek:) that is and what else I can do to make it really secure?

Since you have secured the network with WPA2, then disabling the SSID broadcast and MAC address filters are merely annoyances for you if you ever want to add more computers. "Disabling" the SSID broadcast does not disable all the signals it sends out so people still can see your network (many wireless cracking programs find it automagically). MAC addresses are always sent "in the clear" which means there is no encryption, so anyone who can even get one packet off your wireless communications between yourself and the router will know your MAC address and be able to clone it.

That being said, WPA2 at least right now, is only able to be cracked through brute force, so if you have a very strong key, I would say you are good to go. Of course, if you like experimenting, setting up OpenBSD with authpf and ipsec is always a fun weekend project for an alternative method of securing your router....

Cheers,

Alphalutra1
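
Added example (not part of any post in this thread): WPA-PSK and WPA2-PSK turn the passphrase into the 256-bit pre-shared key with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations. The sketch below checks the passphrase rules (8 to 63 printable ASCII characters, which is why control characters are refused), derives the key, and gives an upper bound on the brute-force search space. Function names and the sample passphrase are constructed for illustration; the "password"/"IEEE" pair is the published 802.11i test vector.

```python
import hashlib
import math
import string

# Printable ASCII (codes 32..126): the only characters a WPA passphrase may contain.
PRINTABLE = {chr(c) for c in range(32, 127)}

# Character classes used for the search-space estimate (26 + 26 + 10 + 33 = 95).
CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
]


def validate_passphrase(passphrase: str) -> None:
    """Raise ValueError if the passphrase breaks the WPA-PSK rules."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    bad = sorted({c for c in passphrase if c not in PRINTABLE})
    if bad:
        raise ValueError(f"non-printable characters are not allowed: {bad!r}")


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit PSK as hex: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32)."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def entropy_upper_bound_bits(passphrase: str) -> float:
    """Upper bound in bits, valid only if every character was chosen at random
    from the classes that appear. Human-chosen words are far weaker."""
    validate_passphrase(passphrase)
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(pool)


if __name__ == "__main__":
    # Constructed 24-character sample: caps, lowercase and digits.
    sample = "k3Qz8Lm2Xp7Rt5Vb9Nc4Hd6W"
    print("PSK on SSID 'homenet':", derive_psk(sample, "homenet"))
    print("PSK on SSID 'linksys':", derive_psk(sample, "linksys"))
    print("upper bound: %.1f bits" % entropy_upper_bound_bits(sample))
    print("8 lowercase letters: %.1f bits" % entropy_upper_bound_bits("abcdefgh"))
    try:
        derive_psk("abc\x01defgh", "homenet")
    except ValueError as err:
        print("rejected:", err)
```

Because the SSID is the salt, the same passphrase gives a different key on every network name, so a table of keys computed in advance for a common default SSID does not apply to an unusual one.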

Oliver_H
11-19-2008, 12:33 AM
Point 2 and 6 are nonsense, myths of the net. WPA2 is good but if possible use VPN.

s2scott
11-19-2008, 01:51 AM
...Of course, if you like experimenting, setting up OpenBSD with ...

I guard my WiFi using ssh with the "-w" option and disable WEP/WPA altogether (yields better throughput and superior security). See my old post @ http://www.daemonforums.org/showthread.php?t=141

While IPSec is the gold standard, it's tricky and the ssh is/was a lot easier (for our context).

/S

Alphalutra1
11-19-2008, 05:50 PM
I guard my WiFi using ssh with the "-w" option and disable WEP/WPA altogether (yields better throughput and superior security). See my old post @ http://www.daemonforums.org/showthread.php?t=141

While IPSec is the gold standard, it's tricky and the ssh is/was a lot easier (for our context).

/S
wow, that's awesome! I think I'm up for trying that in the next coming weekends with thanksgiving and all. Thanks for the tip!

Cheers,

Alphalutra1

JMJ_coder
11-20-2008, 05:21 PM
I guard my WiFi using ssh with the "-w" option and disable WEP/WPA altogether (yields better throughput and superior security). See my old post @ http://www.daemonforums.org/showthread.php?t=141

While IPSec is the gold standard, it's tricky and the ssh is/was a lot easier (for our context).

/S

Even if you ssh into the gateway, what's to prevent others from getting in? I might be missing something (and probably more than just one thing ;)), but that seems to secure your connection between your computer and the gateway and not the gateway from outside intruders.

BSDfan666
11-20-2008, 05:29 PM
Even if you ssh into the gateway, what's to prevent others from getting in? I might be missing something (and probably more than just one thing ;)), but that seems to secure your connection between your computer and the gateway and not the gateway from outside intruders.
A carefully written pf ruleset would prevent wireless users from accessing the rest of your network.. and even your gateway.

If all you allow is SSH connectivity.. clients would be required to authenticate.. so unless they stole your key & passphrase, you should be safe.

Also, in that sort of setup... typically you wouldn't want to use password-only authentication.. as it would be brute forcible. ;)

ai-danno
11-21-2008, 01:42 AM
Point 2 and 6 are nonsense, myths of the net. WPA2 is good but if possible use VPN.

This is not true- it's just that when employed as the main line of security (without the other steps) you are not actually secure. Think of these two points when used with the others as 'shoring up your defenses'.


- SSID Broadcast: If the SSID is always being broadcast then a war-driver will see the network within a short period of time even when there are no clients using it. When the SSID broadcast is turned off, someone has to be using it at the time for a war driver to see the network.

- MAC filtering: if a client is not using the network, and the intruder spoofs the MAC address, then this line of defense is not relevant. But imagine you are using your MAC address when an intruder attempts to spoof yours for their own connection to the gateway- that leads to very funky, broken connections, and can tip off a user that something is amiss. Think of it as a tripwire.

So, to summarize, these steps taken on their own are not a wise path. But looking for the single "Holy Grail" of security isn't, either. Once your single 'ultimate solution' has a chink in its armor, you are almost as insecure as using the above methods on their own. Using as many techniques at your disposal, on the other hand, will make things more difficult for an intruder, and can sometimes tip you off that there is even an intruder lurking in the first place.

s2scott
11-21-2008, 04:06 AM
Even if you ssh into the gateway, what's to prevent others from getting in? I might be missing something (and probably more than just one thing ;))

If you look at the pf.conf fragment in the old post, it allows ssh traffic only on the wifi interface.

It's encrypted and authenticated traffic only.

/S

s2scott
11-21-2008, 04:15 AM
If all you allow is SSH connectivity.. clients would be required to authenticate.. so unless they stole your key & passphrase, you should be safe.

Bingo.:)

Also, in that sort of setup... typically you wouldn't want to use password-only authentication.. as it would be brute forcible. ;)

Key & passphrase only.

Double bingo!:):)


/S

richardpl
11-21-2008, 04:08 PM
- SSID Broadcast: If the SSID is always being broadcast then a war-driver will see the network within a short period of time even when there are no clients using it. When the SSID broadcast is turned off, someone has to be using it at the time for a war driver to see the network.
Also think of it like security through obscurity, that is all that hiding the SSID is useful for. It also can increase latency, but it is not important in the OP's case.

Compared with wired, wireless networks are not very safe/useful under DoS attacks. And nothing can help you in this situation, except if you invest some money in your home decoration :D

Oko
11-21-2008, 05:49 PM
Also think of it like security through obscurity, that is all that hiding the SSID is useful for.


Purger:),

At least M$ got that one right;) To stay on the same note, I am shopping for SGI O2 to do my online banking. SGI O2+OpenBSD, I call that real security through obscurity.

Bok,
OKO