SageTV Community  

  #21  
Old 02-01-2011, 06:26 AM
gibsonpa gibsonpa is offline
Sage Advanced User
 
Join Date: Jan 2008
Location: STL, Mo
Posts: 202
I have been using LastPass for password management, and it can generate secure passwords. Also, there is a tech show/podcast at TWiT.tv called Security Now that is good. I added it to my online feed in Sage.
Reply With Quote
  #22  
Old 02-01-2011, 08:20 AM
reggie14 reggie14 is offline
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
Quote:
Originally Posted by GKusnick View Post
And even worse at remembering them. You want something you can remember without having to write it down.
The problem is, people are pretty bad at remembering any sort of password. A lot of people only remember them if they're words, which is a definite no-no here (though, not so bad in other situations, despite conventional wisdom).

There's really not much danger in writing down your WPA passphrase. Just keep it somewhere safe. If you get lots of visitors that you wouldn't trust on your network that might mean hidden in a drawer. If you let everyone on your network anyway, there's probably not much harm to just putting it on a notepad stuck to your router.

You're mostly concerned about unknown attackers from outside. If someone gets into your house they can just directly hook up to your network and do any nasty deeds (unless you only use managed switches and 802.1x authentication).
Reply With Quote
  #23  
Old 02-01-2011, 08:50 AM
matt91 matt91 is offline
Sage Icon
 
Join Date: Feb 2005
Location: Washington, DC
Posts: 1,185
Quote:
Originally Posted by eric3a View Post
I am assuming you live in higher density area where you don't know/trust your neighbors and potential visitors.
I live in a city, and even though I'm in a single family house, there are 15 or so WiFi signals available if I sit on my 2nd or 3rd story near a window. With that many, without a lot of triangulation, it's hard to know which house is using which SSID.

However, I'm surprised at the number that make it easy for someone to know which house to sit outside of to get the best signal. That is, the SSID contains part of the address, or the last name or something else easily identifiable.

So, for those who live where there is a lot of WiFi activity, I think that using an SSID that doesn't clearly identify which house is yours is probably an easy "fix" to slow down the drive-by hacker who is just looking for open or WEP signals to play with.
__________________
Server: Ubuntu 16.04 running Sage for Linux v9
Reply With Quote
  #24  
Old 02-01-2011, 12:36 PM
Nelbert Nelbert is offline
Sage Advanced User
 
Join Date: Oct 2010
Posts: 163
Is everyone really trying to remember wireless passwords or writing them down? It's so long between needing to use it I couldn't even tell you what mine is, but I've not needed it when we've got new laptops.

If you get a wireless point with WPS, or whatever the marketing department has labelled it as, you don't need to remember your wireless password anyway. (Doesn't help with consoles or set-top boxes though.)

It was designed to avoid end users having to remember passwords, which means they use simple ones, or write them down because they can't remember them.

Our work router has a PIN you enter in the client during WPS setup. WPS setup is initiated on the router usually either by pushing a button on the physical router during setup, or manually by clicking a link in the web interface.
Reply With Quote
  #25  
Old 02-02-2011, 05:34 PM
eric3a eric3a is offline
Sage Advanced User
 
Join Date: Jul 2009
Location: Houston by the Sea
Posts: 226
Quote:
Is everyone really trying to remember wireless passwords or writing them down?
Nah.
I can remember "12345" without having to write it down. Plus it's the same as my credit card PINs, my garage access code, my bike lock, my suitcases and the access to Druidia's atmosphere.

In reality: Guilty. Yeah, if you know where to look I've got some password mnemonics written down. Some of the ones I have to have for work have such crazy rules I don't know any other choice. At least it's not "post-it"s on the monitor, and I don't write the actual passwords down, but a mnemotechnic phrase or indicator so I can remember them. Hopefully the mnemonic is only easy for me?

I would guess that unless you're a special target of interest in which case I'd go all out, all you need to do is not become a target of opportunity. Not make it too easy for the guy who wants to try it on, so they go and log in at someone else's place where they left the admin/admin default access.

To me it's a standard security problem, and the fact that it's a network rather than a bank or a car doesn't change the overall concepts.
Any car can be stolen nowadays, especially modern all computerized ones, so realistically there is little you can do if someone really wants yours, but the aim isn't to prevent that theft, but to push the thief towards an easier target.
Now if someone tried getting in my system repeatedly or I became aware of it, I'd quickly take out my spare/backup router and an old tattered computer I've got laying around and only connect that machine to it. I'd have fun with what I'd put on that machine.

Eric
Reply With Quote
  #26  
Old 02-02-2011, 09:48 PM
RocKKer RocKKer is offline
Sage Advanced User
 
Join Date: Dec 2005
Posts: 196
Quote:
Originally Posted by Nelbert View Post
Is everyone really trying to remember wireless passwords or writing them down?
You could store them in Password Safe, then you only have to remember one, the others can be copied with a click or 2.
__________________
SageTV Server v9.2.2, Ubuntu Server 18.04.4 x64, Java 1.8.0_252, Xeon E5-2690, 32GB, 6X6TB WD Red - Software Raid 6, 2X HDHR3 (OTA), 3X HD-200
Reply With Quote
  #27  
Old 02-04-2011, 12:15 AM
Slipshod Slipshod is offline
Sage Aficionado
 
Join Date: Feb 2008
Location: San Francisco Bay Area
Posts: 474
Quote:
Originally Posted by blade View Post
Another thing to remember is that if someone can't get a signal they can't even begin to hack your network. Some routers and WAPs allow you to adjust the signal strength. Placing the router in a central location and reducing the signal strength as much as possible while still maintaining a good signal where you'll be using it is a good way to reduce the risk of being hacked.

If your router doesn't allow you to adjust the signal strength consider intentionally putting it somewhere to reduce the signal. For example my WAP is in my basement. I can still get good signal anywhere in my house and on my deck, but it does reduce the chance that a neighbor or someone sitting in a car down the street is going to be able to attempt a connection.
Turning down the power isn't an effective security strategy. If the attacker is serious enough to target your network even though you have WPA2-PSK enabled with a strong password, a dip in signal strength isn't going to stop them. All it takes is a cheap directional antenna, and they can sit across the street and pick up everything in your house.

You're better off keeping your power based on your coverage and capacity needs, which probably means maximum unless you are in a very small apartment.

And I'm going to second what everyone else has said already. Use WPA2-PSK, use a long string with mixed characters and a mnemonic that allows you to remember it (it doesn't need to be random, it just needs to not be easily dictionary attacked), and if you're really concerned about friends on your network you should set up a separate NAT router as a guest network (or get one that allows you to separate them).

Use Windows Vista or 7 so your PC doesn't advertise all the SSIDs you connect to to everyone in earshot. People can try to spoof those SSIDs and your PC will try to connect to them automatically.

Don't hide your SSID. This doesn't help, and you have to disable the more secure behavior in Vista/7 (mentioned previously) in order to connect.

Do be careful with the wireless networks you connect to. Hotels and hotspots are breeding grounds for worms/viruses. Make sure you always have a personal firewall on before connecting to a new network.

And if you see an SSID named "Free Public WiFi", don't use it.
__________________
SageTV V7 (WHS), Diamond UI
Server: WHS with Xeon X3350, 4GB ECC, ASUS P5BV-C/4L, recording into a 6.6TB Drive pool
Tuners: 4 (2x HDHR)
Clients: 2x HD300, 1x HD200 Extenders, 1x Placeshifter
2x Roku XD
Reply With Quote
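An added example, not part of any poster's message, of checking a candidate passphrase against the advice in post #27 (long, and not easily dictionary attacked). WPA/WPA2-PSK derives its 256-bit key from the passphrase and the SSID with PBKDF2-HMAC-SHA1; the function names, the tiny wordlist, the 16-character minimum and the 0.6 coverage heuristic are assumptions made for this sketch.

```python
import hashlib

# Constructed mini wordlist for the demo; a real check would load a large one.
WORDLIST = {"password", "welcome", "dragon", "letmein",
            "sunshine", "wireless", "internet"}
# Undo common character substitutions before the dictionary comparison.
LEET = str.maketrans("013457@$!", "oleastasi")
MIN_RECOMMENDED_LEN = 16  # assumed policy value, not a figure from the thread

MESSAGES = {
    "bad-format": "WPA passphrases must be 8-63 printable ASCII characters",
    "digits-only": "only digits (PIN, phone number, date)",
    "contains-ssid": "contains the network name",
    "dictionary-word": "is mostly a dictionary word, possibly decorated",
    "short": f"shorter than {MIN_RECOMMENDED_LEN} characters",
}


def wpa_pmk(passphrase, ssid):
    """Derive the WPA/WPA2-PSK pairwise master key.

    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.
    The passphrase is the only secret input, which is why its quality matters.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def audit_passphrase(passphrase, ssid, wordlist=WORDLIST, coverage=0.6):
    """Return a list of finding codes; an empty list means no check fired."""
    codes = []
    printable = all(32 <= ord(c) <= 126 for c in passphrase)
    if not (8 <= len(passphrase) <= 63 and printable):
        codes.append("bad-format")
    if passphrase.isdigit():
        codes.append("digits-only")
    lowered = passphrase.lower()
    if ssid and ssid.lower() in lowered:
        codes.append("contains-ssid")
    # "P@ssw0rd!" folds to "passwordi": still a dictionary word underneath.
    folded = lowered.translate(LEET)
    if any(w in folded and len(w) >= coverage * len(passphrase)
           for w in wordlist):
        codes.append("dictionary-word")
    if len(passphrase) < MIN_RECOMMENDED_LEN:
        codes.append("short")
    return codes


if __name__ == "__main__":
    ssid = "HomeNet"  # constructed SSID
    samples = ["12345", "P@ssw0rd!", "homenet2011",
               "My cat Zed ate 3 blue socks in 2009!"]  # constructed samples
    for candidate in samples:
        findings = audit_passphrase(candidate, ssid)
        print(repr(candidate))
        for code in findings:
            print("   -", MESSAGES[code])
        if not findings:
            print("   no findings; PMK =", wpa_pmk(candidate, ssid).hex())
```

An empty result only means none of these simple checks fired; it is not a measurement of strength.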
  #28  
Old 02-04-2011, 07:59 AM
blade blade is offline
SageTVaholic
 
Join Date: Jan 2005
Posts: 2,500
Quote:
Originally Posted by Slipshod View Post
Turning down the power isn't an effective security strategy. If the attacker is serious enough to target your network even though you have WPA2-PSK enabled with a strong password, a dip in signal strength isn't going to stop them. All it takes is a cheap directional antenna, and they can sit across the street and pick up everything in your house.
I have to disagree. It can be an effective part of a security plan and is used by some government agencies that I've audited in the past. A dip in signal strength means a reduction in range even if someone is using a directional antenna. They may still be able to sit across the street and attempt to hack your network, but they're not going to be able to park halfway down the block and do it. I don't know about you, but if I see a stranger sitting in a parked car across the street from my home it's going to raise suspicion not only from me, but my neighbors as well. Now if they're able to drive down the street a bit and park away from the homes they're going to draw much less attention.

I agree the neighbor living across the street or right next door might still get a good enough signal to attempt to hack me with a directional antenna; however, reducing the signal could very well prevent the guy 2 or 3 houses down from sitting in his home attempting a hack.

Reducing the signal strength isn't likely going to make it so that no one can get a signal from outside the home. The point is to reduce the radius at which outsiders can get a signal. This forces the hacker to be physically closer to your network meaning fewer surrounding homes can get a signal or the guy in the parked car must be closer to the home making it more likely someone is going to become suspicious.

I would expect my wireless home network to more likely be attacked by a bored neighbor kid than a serious hacker trying to commit a crime. So if reducing the power prevents the kid from sitting in his bedroom with a directional antenna pointed out his windows from getting a signal then I consider it a viable part of a security plan.

Quote:
You're better off keeping your power based on your coverage and capacity needs, which probably means maximum unless you are in a very small apartment.
Nowhere did I mention reducing the coverage area below what is needed. The percentage of your router's power you need depends on the router. My sister's home is around 2400 sq feet and with her old router I had the power set at about 50% and she had coverage over the entire house and her back porch. It was wireless G and stayed between 48-54 Mbps if I remember correctly. Her new router doesn't allow adjustment without 3rd party firmware so it's at the factory setting and the coverage is about the same as the old one was at 50%.
Reply With Quote
  #29  
Old 02-04-2011, 01:02 PM
reggie14 reggie14 is offline
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
Reducing/controlling the usable range of wireless networks is generally accepted as an industry best practice for wireless security. While I think it has limited usefulness as a security measure, it probably does have a place in government and enterprise environments. A government agency or corporation might have some control over its immediate physical surroundings. For instance, I work on a closed campus that has a few hundred meters of buffer space before you get anywhere the general public can go. We have buildings with thick walls, to the point where I barely get a cell phone signal from my office. We actually can pretty effectively lock down our wireless signals so it would be impractical for anyone to access our wireless networks from outside our area of physical control.

A home user in an urban or even suburban environment has no chance of doing that. Assuming you'd like to get a strong signal from everywhere in your house with your laptop, smart phone and tablet, someone with a decent WiFi card with a high-gain antenna can probably pick up a strong enough signal to do some WiFi cracking from a couple houses away, maybe more. Sure, that limits potential attackers to people that live close to you or people driving by. In all likelihood, your neighbors are probably your only plausible threat. But it's going to be awfully hard to set up your AP so they can't see it. And if you're really that concerned about drive-by WiFi cracking, I have a hard time understanding why your concerns would be alleviated by the need to be within a few hundred feet or so.

Ultimately, messing around with power levels to control wireless propagation in a home environment just seems like way too much of a headache for the increased security you get. If you absolutely positively have to use WEP, then maybe it's worth the effort. But you really should be safe enough if you just use WPA/WPA2 with a decent passphrase.
Reply With Quote
  #30  
Old 02-04-2011, 03:58 PM
brainbone brainbone is offline
Sage Expert
 
Join Date: Oct 2006
Posts: 624
Quote:
Originally Posted by reggie14 View Post
If you absolutely positively have to use WEP, then maybe it's worth the effort.
If you absolutely positively must use WEP, you may as well leave your wireless network open.

Making sure you're not pushing out too much power in a home network is also helpful in not adding too much to 2.4GHz/5GHz noise pollution (being a nice neighbor), but, unless you're in a rural area, many times you need to crank up the TX power just to rise above the noise.

Strong passwords and WPA/WPA2 is where to concentrate your focus.
Reply With Quote
  #31  
Old 02-05-2011, 01:00 AM
Slipshod Slipshod is offline
Sage Aficionado
 
Join Date: Feb 2008
Location: San Francisco Bay Area
Posts: 474
Quote:
It can be an effective part of a security plan and is used by some government agencies that I've audited in the past. A dip in signal strength means a reduction in range even if someone is using a directional antenna. They may still be able to sit across the street and attempt to hack your network, but they're not going to be able to park halfway down the block and do it. I don't know about you, but if I see a stranger sitting in a parked car across the street from my home it's going to raise suspicion not only from me, but my neighbors as well. Now if they're able to drive down the street a bit and park away from the homes they're going to draw much less attention.
Using WEP and not broadcasting your SSID used to be considered effective security measures. Just because it's widely believed to be effective doesn't mean it is. My point is more that you are limited in the amount you can turn it down and still have a working network, and that limit makes it trivial to overcome with a directional antenna and an amp. Even a crappy homemade Pringles "cantenna" is about 12dB of gain. If you cut your AP's power output to 1/4 of max (~20dB-6dB=14dB), I'm still effectively quadruple max power with the cantenna (14dB+12dB=26dB). Add an amp and I'm up a couple more multiples.

Turning down the power is a classic example of "security through obscurity". It's a flawed security policy in general, and basically useless for security in a home environment. If you need your network to be more secure than WPA2-PSK (which enterprises do), you should be using 802.1x authentication (aka WPA2 Enterprise) with AES encryption. And if you're really paranoid, certificates or RSA tokens for credentials.


Quote:
Originally Posted by brainbone View Post
Making sure you're not pushing out too much power in a home network is also helpful in not adding too much to 2.4GHz/5GHz noise pollution (being a nice neighbor), but, unless you're in a rural area, many times you need to crank up the TX power just to rise above the noise.
That's not really how things work... If one AP sees anything else transmitting on its channel (AP or otherwise), it will defer transmission until the channel is free. Your ability to transmit isn't influenced by your TX power. The best way to be a good neighbor is to use 5GHz (or the least-used channel out of 1, 6, or 11 on 2.4GHz), and then to reduce the amount of time you spend actually transmitting. If you turn your power down, you'll be more likely to have the AP transmit at a lower data rate than max (especially w/ 11n APs - they drop rates quickly). The lower data rates take more "air time" away from everyone else. If you keep your network optimized for speed you'll improve your neighbor's performance because you'll be spending less time transmitting on the air to transfer an identical amount of data. 10 megabytes at 10 megabits is twice as much airtime as 10 megabytes at 20 megabits.
__________________
SageTV V7 (WHS), Diamond UI
Server: WHS with Xeon X3350, 4GB ECC, ASUS P5BV-C/4L, recording into a 6.6TB Drive pool
Tuners: 4 (2x HDHR)
Clients: 2x HD300, 1x HD200 Extenders, 1x Placeshifter
2x Roku XD
Reply With Quote
  #32  
Old 02-05-2011, 07:48 AM
blade blade is offline
SageTVaholic
 
Join Date: Jan 2005
Posts: 2,500
Quote:
Originally Posted by Slipshod View Post
Using WEP and not broadcasting your SSID used to be considered effective security measures. Just because it's widely believed to be effective doesn't mean it is.
I'm sure one day people will be saying the same thing about WPA2. Does that mean we shouldn't be using it now because someday in the future it will be deemed ineffective? Back when WEP was the best encryption available to the average Joe and people were less knowledgeable on how to find networks that didn't broadcast their SSID it made sense to take those measures.

Quote:
My point is more that you are limited in the amount you can turn it down and still have a working network, and that limit makes it trivial to overcome with a directional antenna and an amp. Even a crappy homemade Pringles "cantenna" is about 12dB of gain. If you cut your AP's power output to 1/4 of max (~20dB-6dB=14dB), I'm still effectively quadruple max power with the cantenna (14dB+12dB=26dB). Add an amp and I'm up a couple more multiples.
Surely we can agree that the same antenna and same amp will have a shorter range when (as in your example) the router is outputting 1/4 of its full power. I'm sure we can also agree that with any setup there is always a distance that no antenna and amp is going to be able to overcome. The lower the signal strength the shorter this distance will be.

Let's say everyone in my neighborhood has directional antennas with amps pointed at my home. My router is at full power and there are 16 neighboring homes that can get a good enough signal to attempt a connection to my network. Some of these are going to be on the fringe. Now I reduce my power to 1/4 of max (as per your example). Those that are on the fringe are no longer able to attempt a connection. I have effectively reduced the number of potential hackers at no cost to myself by simply reducing the output power of my router. You may find it useless, but I find it to be common sense. It's not going to lock down the network where no one outside of your home can attempt a connection; however, it will limit the number of neighboring homes where a connection could be attempted. I guess I fail to see the argument against the practice. It takes a matter of minutes, doesn't cost anything and has no negative effects (assuming you don't turn it down too low). Not everyone is going to be able to turn down the power, but for those that can there really aren't any reasons not to. The only semi-legitimate reason you've given for not turning it down is that you believe it's "useless".

As I've said before in a previous post I would expect my network to most likely be attacked by a bored kid down the street not someone that was targeting me specifically. If I put my network out of range by reducing the power I'm sure there are plenty of other networks they can play around with instead.

Last edited by blade; 02-05-2011 at 07:51 AM.
Reply With Quote
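The decibel arithmetic from posts #31 and #32, worked through as an added example that is not part of either poster's message: it converts the 1/4 power cut and the 12 dB antenna gain into a change in reachable distance using a log-distance path-loss model. The 2437 MHz channel, the -85 dBm receiver sensitivity, the 15 dB wall loss and the function names are assumptions; the example also goes beyond free space by letting the path-loss exponent vary.

```python
import math

FREQ_MHZ = 2437.0        # 2.4 GHz channel 6 (assumed)
SENSITIVITY_DBM = -85.0  # assumed receiver sensitivity, not from the thread
AP_MAX_DBM = 20.0        # the "~20dB" maximum AP output used in post #31
CANTENNA_DBI = 12.0      # cantenna gain quoted in post #31


def power_fraction_to_db(fraction):
    """Express a power ratio in dB (1/4 power is about -6.02 dB)."""
    return 10 * math.log10(fraction)


def range_factor(delta_db, path_loss_exponent=2.0):
    """How much the maximum distance scales when the link budget changes.

    Exponent 2 is free space; larger values model cluttered environments.
    """
    return 10 ** (delta_db / (10 * path_loss_exponent))


def max_range_m(tx_dbm, rx_gain_dbi, wall_loss_db=0.0, path_loss_exponent=2.0):
    """Distance at which the received power falls to the sensitivity floor.

    Model: loss(d) = FSPL(1 m) + 10 * n * log10(d) + wall_loss_db.
    """
    fspl_1m = 20 * math.log10(FREQ_MHZ) - 27.55
    budget = tx_dbm + rx_gain_dbi - wall_loss_db - SENSITIVITY_DBM
    return 10 ** ((budget - fspl_1m) / (10 * path_loss_exponent))


def compare_scenarios(wall_loss_db=15.0, path_loss_exponent=2.0):
    """Ranges for the three situations argued about in the thread."""
    quarter_dbm = AP_MAX_DBM + power_fraction_to_db(0.25)
    cases = {
        "full_0dbi": (AP_MAX_DBM, 0.0),
        "quarter_0dbi": (quarter_dbm, 0.0),
        "quarter_cantenna": (quarter_dbm, CANTENNA_DBI),
    }
    return {
        name: max_range_m(tx, gain, wall_loss_db, path_loss_exponent)
        for name, (tx, gain) in cases.items()
    }


if __name__ == "__main__":
    for n in (2.0, 3.0):
        print(f"path-loss exponent {n}:")
        ranges = compare_scenarios(path_loss_exponent=n)
        base = ranges["full_0dbi"]
        for name, metres in ranges.items():
            print(f"  {name:17s} {metres:8.1f} m  ({metres / base:.2f}x baseline)")
```

Only the ratios are meaningful here; the absolute distances follow directly from the assumed sensitivity and wall loss.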
  #33  
Old 02-05-2011, 10:52 AM
brainbone brainbone is offline
Sage Expert
 
Join Date: Oct 2006
Posts: 624
Quote:
Originally Posted by Slipshod View Post
That's not really how things work... If one AP sees anything else transmitting on its channel (AP or otherwise), it will defer transmission until the channel is free.
And the lower power your AP and clients, the closer other APs and clients can be, operating on the same frequencies, without interfering. So, yes, it is how it works.

Quote:
Originally Posted by Slipshod View Post
Your ability to transmit isn't influenced by your TX power.
Yes, it is. The higher your TX power, the further you can transmit -- of course other things come into play (a noisy/distorted high power signal isn't usually better than a clean lower power one, etc.), but, in general, if you have higher TX power, your signal will have a better chance of reaching the client -- and possibly reaching other clients that you did not intend.

Also, remember that in most environments the AP is usually transmitting more data to the client than the client is to the AP. Because of this, the AP is more likely to keep the channel busy, and an AP with higher TX power will keep that channel busy in a larger radius.

Now, for increasing TX power to overcome "noise", yes, that may not always work -- depending on your definition of "noise". From my point of view, if the "noise" is clear enough to be interpreted as a signal, it is no longer noise.

Quote:
Originally Posted by blade View Post
I'm sure one day people will be saying the same thing about WPA2. Does that mean we shouldn't be using it now because someday in the future it will be deemed ineffective?
WEP and hiding your SSID are ineffective today, and should not be used.

As soon as WPA/WPA2 are deemed an ineffective security measure, we should stop using them.

Last edited by brainbone; 02-05-2011 at 10:55 AM.
Reply With Quote
  #34  
Old 02-05-2011, 11:10 AM
eric3a eric3a is offline
Sage Advanced User
 
Join Date: Jul 2009
Location: Houston by the Sea
Posts: 226
Quote:
As I've said before in a previous post I would expect my network to most likely be attacked by a bored kid down the street not someone that was targeting me specifically. If I put my network out of range by reducing the power I'm sure there are plenty of other networks they can play around with instead.
Most agreed and matches my earlier posts. I do believe there is an aspect of physical security to your wireless security and it makes sense to take it into consideration. After all, if you own / control where your WiFi signal can be picked up and you had excellent physical security you wouldn't even need anything else.

I don't own a 60,000 acre ranch but do regularly set up poorly secured WiFi on my boat miles away from anywhere for example. Up for a short time and off quickly to preserve batteries. I'd never set up the same thing in an inner city tower block.

Reducing who can physically access your signal, or how close they have to be is a security improvement.

Eric
Reply With Quote
  #35  
Old 02-05-2011, 06:40 PM
blade blade is offline
SageTVaholic
 
Join Date: Jan 2005
Posts: 2,500
Quote:
Originally Posted by brainbone View Post
WEP and hiding your SSID are ineffective today, and should not be used.
I agree completely and have already said so in my previous posts. I was just pointing out that just because it's not good practice now doesn't mean it wasn't at one time.

I do disagree with statements saying if you're using WEP then you might as well not use anything. I completely agree people should upgrade to WPA2 and that cracking WEP is very easy; however, WEP is better than nothing if upgrading just flat out isn't an option (though you'd have to be pretty strapped for cash for that to be the case).

The average wireless user has no idea how to crack WEP. Most of them can barely set up their own wireless security much less crack a network. Any of them could easily connect to an unsecured network though. You're much more likely to have a neighbor get on an unsecured wireless network than you are to have them crack one using WEP simply because there are more clueless users looking for an open network to check their email than there are knowledgeable ones.

Last edited by blade; 02-05-2011 at 06:43 PM.
Reply With Quote
  #36  
Old 02-05-2011, 09:58 PM
brainbone brainbone is offline
Sage Expert
 
Join Date: Oct 2006
Posts: 624
Quote:
Originally Posted by blade View Post
I do disagree with statements saying if you're using WEP then you might as well not use anything.
Unfortunately, unless a hard line "WEP is no better than an open door" stance is taken, WEP will take longer to die. With less and less networks being open today, more kids turn to hacking WEP. As I'm sure you know, gaining access to a WEP network is often not much more difficult than burning and booting a live CD.

However, I do get your point. If I had to establish a link in a hurry, and circumstances only allowed the choice between WEP or open, yes, I would choose WEP -- but only as a temporary stop-gap until proper equipment arrived.
Reply With Quote
  #37  
Old 02-05-2011, 10:31 PM
BobPhoenix BobPhoenix is offline
SageTVaholic
 
Join Date: Oct 2004
Posts: 3,152
Quote:
Originally Posted by brainbone View Post
Unfortunately, unless a hard line "WEP is no better than an open door" stance is taken, WEP will take longer to die. With less and less networks being open today, more kids turn to hacking WEP. As I'm sure you know, gaining access to a WEP network is often not much more difficult than burning and booting a live CD.

However, I do get your point. If I had to establish a link in a hurry, and circumstances only allowed the choice between WEP or open, yes, I would choose WEP -- but only as a temporary stop-gap until proper equipment arrived.
Just checked my laptop for connections from my living room: 2 networks completely unsecured, 4 using WEP, 1 WPA-PSK and 2 WPA2-PSK (one of those is mine). Only one WEP is fair; the rest are poor signal strength (except mine of course). Lots are 50 x 100ft. People will NOT retire WEP until they get burned or the equipment dies!
Reply With Quote
  #38  
Old 02-05-2011, 11:44 PM
reggie14 reggie14 is offline
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
Somewhat interesting, I can see about 40 APs from my apartment (using a somewhat high-gain antenna). All of them are encrypted. Only one uses WEP; the rest use some flavor of WPA/WPA2.

And yes, interference is a killer in the 2.4GHz band. Luckily I'm the only one with 5GHz gear.

Last edited by reggie14; 02-05-2011 at 11:48 PM.
Reply With Quote
All times are GMT -6.