Wi-Fi. Everyone’s got it nowadays. Your Comcast or Verizon broadband connection at home probably comes with a wireless router. But do you really know how to set it up?? Better yet – do you really know how yours is set up currently? Or does it “just work”?
I want to briefly share my thoughts on the subject and give you some advice on making a secure – or perhaps intentionally insecure – wireless network at home.
Let me explain some fundamentals. The first thing that you need to keep in mind is that all wireless traffic is visible to everybody. Your XBOX live session. Your online banking from your laptop. Your IM sessions. It’s all out there, just waiting to be listened in on, on a very well-defined and well-understood protocol, 802.11.
Before you panic, you need to remember the second important thing – nearly all wireless traffic can be well-protected. Walter has been doing a nice series on encryption, and even if you don’t follow all the details, the major takeaway can be that data can be wrapped up pretty tightly if you set it up correctly.
For most people, I am going to advocate running a closed network – encrypting your traffic and only allowing authorized users to use your home access point (AP). This is the subject of some debate among the security community, most notably from Bruce Schneier (who advocates for keeping your wireless network open), but I’ll say that for the “average user” it’s better to close it off.
Your network can be secured through a combination of obscurity, exclusions, and encryption. Obscurity is not openly advertising the name of the AP. Exclusions are preventing unauthorized network cards from joining your network. Encryption is wrapping the traffic in a difficult-to-break code that can only be understood by your wireless devices and your wireless router. The first two methods are relatively trivial to subvert – any ‘serious’ attacker could get themselves onto your network if they were the only two barriers to entry. But the third is the most important, and here your choice is pretty clear – definitely encrypt!
But which encryption and authentication method to choose? Home APs commonly come with a couple varieties of encryption options – WEP, WPA-PSK, and WPA2-PSK. WEP has had known vulnerabilities since almost its inception, and is now easily broken in less than 10 minutes of work. So don’t use it. Use WPA or WPA2, although WPA2 is relatively new and supported by less devices than WPA.
PortForward.com has an excellent guide to the details of setting up security on many wireless routers. I would personally recommend against masking the SSID (the “name” of the wireless network) and implementing MAC address filtering, just because they’re easily compromised anyways, and make the network a hassle to administer. The slight tradeoff in security is worth it for the increased usability. As long as you’re using WPA or WPA2 with a relatively long pre-shared key – at least 15 characters – you’re better off than many networks.
Finally, if you choose to run an “open network” – a network that freely allows any client to associate with it, with no encryption – there are a few ways to still be safe. First, keep in mind, that while the wireless traffic may be easily ‘sniffed’, if the data itself has already been encrypted via SSL (look for the ‘lock’ icon displayed in your browser) or a VPN tunnel, it’s a moot point – it’ll be garbage to an attacker. So even though I menacingly mentioned that your bank traffic is visible earlier in this post – it’s only visible as encrypted gobbledygook, so no reason to panic just yet.
Summary – use WPA or WPA2. Don’t bother with MAC filtering or SSID masking. Don’t use WEP unless you really have to. And you probably don’t want to run a wide-open network, but if you do so, don’t panic too much – most ‘important’ traffic is probably encrypted anyways.
In another post I’ll go into some ideas for running a secure, yet open home wireless network. But until then, keep my simple recommendations in mind and you’ll be just fine!
Tags: wireless
What do you think of Bruce Schneier’s home wireless network staying wide open? http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
I disagree with Schneier’s opinion there, but he doesn’t really give us much detail about how his network is configured.
I don’t see anything terribly wrong with running an open network if you have your own traffic VLAN’ed off or on a separate network entirely. Then you’re doing, as Bruce says, a “public service”.
But if you’re keeping your own devices on an unencrypted, wide open network, you’re not really protecting your own assets. That defeats the purpose of running a home network, in my opinion.
The other interesting argument for running it open is the idea of this leaving you open to repudiation – you could download illegal content and then claim that it was someone else using your open network. I know that someone has tried that defense in court but I am not sure of the legal outcome to it. Seems like an inefficient way to cover your legal ass.
Security isn’t always aimed at evildoers and predators…sometimes it just keeps peace in the family. Let me explain.
While MAC address filtering is easily defeated by smart wireless users, but it does protect your network from the uninitiated.
For example, other family members have the encryption key to your network and can give it to their buddies to use when they come over to game or whatever. However, they still can’t get on the network due to inability to add their buddies’ MAC address to the wireless router.
So it’s not totally useless.