Wi-Fi

How secure is your Wi-Fi?

Much has been written about Wi-Fi security in the wake of an AirDefense study in New York City, which found over 1,300 wireless access points, of which 39% were totally unsecured and 29% were secured using WEP, an encryption protocol that is nearly trivial to break. In addition, and even more seriously, of the nearly 1,700 devices (laptops, PDAs, and cell phones) they monitored Monday at the National Retail Federation Convention and Expo, over 80% could be compromised by rogue hotspots.

Study: NYC Retailers Not Protecting Wireless Networks (Information Week)

AirDefense Discovers Wireless Security Less Than ‘Bullet Proof’ at 97th Annual National Retail Federation Convention & Expo (Business Wire)

There were also a couple of articles that almost seemed like they came from a He-Said, She-Said column. For example, a Wired blogger expounded on the virtues of open wireless (in the home, not in the business) with a less-than-complimentary response from a CIO.com writer. These differing approaches, from "Steal This Wi-Fi" to "Not in my Backyard," are stark and highlight the incredible gray area that still exists when it comes to computer security.

Steal This Wi-Fi (Wired)

In-Home Wi-Fi: To Secure or Not to Secure? (CIO.com)

At my work, we have a wireless infrastructure that has separate networks for faculty/staff and students. Students can connect once our Cisco Clean Access server determines that patches and virus definitions are current, and we allow access to only the resources that are available on the Internet. Both networks are secured by WPA and both require that the user authenticate with their own username and password. At home, I don't encrypt my wireless traffic, but I have a router inside my DSL modem (also my WAP) to protect my PC, my wife's Mac, and my Xbox. I do hide my SSID, so you have to ask me to use the network, but anything I do that needs to be secured goes through a VPN tunnel anyhow.

How do you secure your wireless infrastructure?

56 comments
cathar.gnostic

I have no problem people using my WiFi, throttled but fast enough to check their e-mail etc. The rest of the system is locked down but I think an open door policy is helpful for all. I watch attempts on my system all the time, it's amusing and it helps me learn more about them.

shardeth-15902278

I do firewall to specific MAC's / IP's, but that is it. I have an extended range antenna on my roof as well. But I live in a neighborhood where the only options for internet are absurdly expensive (like $60/mo for 256K expensive), SO I am co-op'ing to several neighbors in order to keep the cost bearable. Unfortunately, I may have to cease and desist my good samaritanism though, due to recent legislation. I can't afford the resources to CMA sufficiently, without jacking up the price too much, not for the small number of people I am sharing with.

Jaqui

I set it to only allow those machines I explicitly add the mac address to the table to connect. then I left it completely un-encrypted. and broadcast a ssid. ]:) available wireless networks show mine as being open, yet no-one can get online with it. ]:) [ I have had people complain they can't get online through my access point ]

mjd420nova

Besides not broadcasting the SSID and having changed the name, I use WEP and MAC filtering to keep others out. I've also had to mount some grounded foils and screens around the antennas to prevent a neighbor's "N" type WIFI from interfering with my "G" type and this also eliminates any signal from leaving the home in those two directions. It's a pretty busy router, with a wired home server and two other desktops wired besides a desktop and two laptops on the wireless. I also add from time to time a wired Sony PS2 and a wireless Sony PS3. The hardware firewall is also enabled to stop any incoming from the web.

Michael Kassner

If I understand correctly, your DSL modem is also an AP? Since the connections are open what are your feelings about others using your Internet access? Possibly for nefarious reasons.

Andy Moon

At home, I take a fairly laissez-faire approach as I have a router inside my wireless access point to protect my hardwired computers, which are also the ones that have data I would prefer remains private. Neither router has the default password and I do change and refrain from broadcasting the SSID. I don't encrypt because an SSID is so much easier to remember and apply for guests and I really don't care if someone knows that I am playing internet poker. How do you secure your wireless?

JCitizen

when you're as paranoid as I. I commend you for your open door policy. If you have a good software firewall on your wireless units it should be harmless to you. I have mine locked down with WPA2 and nobody knocks on my door, according to the IDS logs. I use Comodo Pro on my laptop for the odd occasion when my router brain farts and the secure connection is lost; also for LAN security. I'm not allergic to connecting to people's dial-up when teching customers with that unit so it needs a good on board firewall anyway. The only thing I haven't had time to figure out is how to get my Kiwi Syslog to accept log recording wirelessly. I have to go to my server to check the logs and this causes delays in analyzing security concerns.

catseverywhere

I have it on tap to try this: http://community.smoothwall.org/forum/viewtopic.php?t=21698 What a hoot! I'll set all my legit IPs static, and any that get an IP via DHCP will be redirected to kittenwars no matter what they do! I have a good candidate location in mind, a client in a residential area that has had someone in the area trying to access their wireless network. (some days relentlessly) There's a lot of young-uns hanging out in the area, demonstrably not your civic-minded kind of folk. (graffiti, skateboarding on private property under the "no skateboarding" signs...) No doubt the wanna-be cracker(s) is/are among this group. This is gonna be fun. cat [EDIT]: all IPs NOT among the legitimate hosts on the LAN will be redirected, i.e it won't matter if the kiddies set themselves a static IP. If it ain't one of the 11 (currently) legitimate IPs they'll be able to vote for the fuzzy kittens but nothing else.

robo_dev

Plus any passive scanner such as Kismet can grab ALL your traffic, since it does not need to authenticate. I'm not trying to be alarmist, but any script kiddie with Kismet could grab all your mac addresses, spoof one, and then they're on your network. Note that if you do a google search on 'mac address spoof utility' you get 26,000 hits.

robo_dev

And if joe-pervert is surfing for young-uns on your network, it's gonna be YOUR IP address in the server logs and in the search warrant. Does that sound OK to you? And even worse if it were somebody doing something really bad, you could wake up with a shiny black SWAT team boot on your neck with a tiny red laser dot on the old forehead. No thanks!

JCitizen

the last riot the subject caused!

prscott1

Can allow a hacker to get your MAC addys... go to: http://amac.paqtool.com/ With this tool, you can scan all wireless private subnets in range... it will pick up the MAC addy of ALL PCs connected - even the ones directly connected to the router with ethernet. As long as the router is broadcasting or sending out frames or packets, this tool can use that RF signal to get ALL of your MAC addresses. SO, if you're using a wireless router, but don't have any wireless clients, and therefore don't need the RF WAP - TURN OFF THE WIRELESS FUNCTIONALITY OF THE ROUTER.

Borg

I use WPA-PSK with a very short re-key period. But the best security I have is my Hacker Trap......it takes the form of the numpty in my area who has no security whatsoever, hasn't even changed the default router name from NETGEAR !! This guy keeps everyone amused for hours...thus keeping them away from me.

SometimesITSupport

1. Open Wifi
2. Change the default PW of the router: better than #1
3. Do not broadcast SSID: better than #2, hackable
4. Mac Address Filtering: better than #3, hackable
5. Combo #2 and #3: better than #4, hackable
6. WEP: better than #5, hackable
7. Combo #5 and #6: better than #6, hackable
8. WPA: better security at this time
9. WPA2: best security at this time

shady108

no matter what you do, or how you secure something, if someone wants to get in they will :) i guess encryption will protect u from the numptys looking for free internet tho :)

shady108

you can choose WEP , WPA, WPA2 whatever, i can guarantee you within 10 minutes someone can get in there :) ive seen it done, all you need is 2 pieces of software and an apple mac :)

ryanlin2002

I use WPA-PSK2 with random 63 char. key. SSID is on broadcast with no mac filtering.
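
Added example, not part of any commenter's post: generating a random key of the kind described above and deriving the 256-bit key that WPA/WPA2-PSK computes from the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations). The function names and the SSIDs `ExampleNet-1` and `ExampleNet-2` are illustrative assumptions.

```python
import hashlib
import math
import secrets
import string

# 94 printable, non-space ASCII characters; all are valid in a WPA passphrase.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
PMK_BITS = 256  # size of the key derived from the passphrase


def generate_passphrase(length=63):
    """Return a uniformly random passphrase (WPA-PSK allows 8 to 63 characters)."""
    if not 8 <= length <= 63:
        raise ValueError("passphrase length must be 8..63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def max_strength_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on guessing strength, capped at the 256-bit derived key.

    Only a randomly generated passphrase reaches this bound; a phrase built
    from words and substitutions is weaker than its length suggests.
    """
    return min(PMK_BITS, length * math.log2(alphabet_size))


def derive_pmk(passphrase, ssid):
    """PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase length must be 8..63")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


if __name__ == "__main__":
    key = generate_passphrase()
    print(len(key), "chars, at most", round(max_strength_bits(len(key))), "bits")
    print("23 random chars: at most", round(max_strength_bits(23)), "bits")
    # Same passphrase, different SSID: the derived key changes with the salt.
    print(derive_pmk(key, "ExampleNet-1").hex())
    print(derive_pmk(key, "ExampleNet-2").hex())
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network.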

robo_dev

I would think that polar bears would be more of a risk than wifi intrusion.

JCitizen

I was expecting to see baby kittens duking it out, hissing and spitting! That would have been hilariously comical place to suddenly be confronted with if you were an unsuspecting wifi lurker.

robo_dev

This is fun because it looks like you've got like 1,000 ssids, and your real one hides in plain sight (to the untrained eye).

Jaqui

I don't have any devices connecting to the wireless router that are NOT wired and bypassing the mac address table. :D

Jaqui

you can always implement it yourself now that it is in your mind. ]:) though the really evil part I never posted, I turned off DHCP so my wireless is using static ips, and it's not the default ip set it would normally use. ]:) ]:) and naturally it's evil, look at the source. ;)

catseverywhere

I was about to dig for that article and post it myself. Hiding SSID and mac filtering might keep the honest out of your network, but if someone is looking for it, they'll find it in a few seconds. Like George said, a good WPA-PSK password is the best you can do at the moment. Mine is a phrase, with numeric substitutions and punctuation, 23 characters long. By all definitions this is "impossible" to crack. But for good measure, I have limited the number of "guest" IP address available from my DHCP server to two. It's much easier to keep an eye on the two for the unlikely event an uninvited guest gets one of 'em. BTW my wifi router does not run the DHCP, I have set it up as a mere switch, the requests are passed along to a smoothwall firewall, which is far more secure and configurable than your off the shelf router. On that point, putting a smoothwall in front of the internet, and having that, rather than your wifi router, handing out IPs is far more security than hiding SSID or mac filtering. ...the latter of which you can do with the smoothie anyway. And all my machines, though obtaining IP through DHCP, get the same IP every time by matching the mac with an IP I have programmed the smoothie to give the device. Bonus here is a consistent hosts file for ease of LAN connectivity, yet still having DHCP for the frequent guests... cat
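
Added example (not part of the post above, and not Smoothwall code): a small audit that checks observed clients against a MAC-to-IP reservation table and a two-address guest pool like the setup described above. The table, pool, addresses, hostnames and finding names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed data: two reserved hosts (MAC -> fixed IP) and a two-address guest pool.
RESERVATIONS = {
    "00:00:5e:00:53:01": "192.168.10.11",
    "00:00:5e:00:53:02": "192.168.10.12",
}
GUEST_POOL = {"192.168.10.200", "192.168.10.201"}

# Constructed observations (time, MAC, IP, hostname), e.g. from DHCP/ARP logs.
OBSERVATIONS = [
    ("09:00", "00:00:5E:00:53:01", "192.168.10.11", "desktop"),
    ("09:05", "00-00-5e-00-53-02", "192.168.10.12", "laptop"),
    ("09:10", "00:00:5e:00:53:0a", "192.168.10.200", "guest-phone"),
    ("09:20", "00:00:5e:00:53:02", "192.168.10.12", "other-host"),
    ("09:30", "00:00:5e:00:53:01", "192.168.10.50", "desktop"),
    ("09:40", "02:11:22:33:44:55", "192.168.10.77", ""),
]


def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit is set, i.e. the address was assigned in software."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def audit(observations, reservations, guest_pool):
    """Return (time, mac, finding) tuples for observations that break the table."""
    findings = []
    hostnames = defaultdict(set)  # hostnames already seen per reserved MAC
    for when, raw_mac, ip, hostname in observations:
        mac = normalize_mac(raw_mac)
        if is_locally_administered(mac):
            findings.append((when, mac, "LOCALLY_ADMINISTERED"))
        if mac in reservations:
            if ip != reservations[mac]:
                findings.append((when, mac, "RESERVED_MAC_WRONG_IP"))
            if hostnames[mac] and hostname not in hostnames[mac]:
                findings.append((when, mac, "RESERVED_MAC_NEW_HOSTNAME"))
            hostnames[mac].add(hostname)
        elif ip not in guest_pool:
            findings.append((when, mac, "UNKNOWN_MAC_OUTSIDE_GUEST_POOL"))
    return findings


if __name__ == "__main__":
    for finding in audit(OBSERVATIONS, RESERVATIONS, GUEST_POOL):
        print(*finding)
```

A cloned reserved MAC that also presents the matching IP and hostname passes every check here, so an audit like this supplements WPA/WPA2 rather than replacing it.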

Forum Surfer

Make no mistake about it...I know that no home wireless access point is truly safe. I wouldn't go so far as calling the security measures listed in that article as being "dumb" at all. We are talking about devices here that cost less than $50, not a whole lot of security options, so it is best to implement them all. Disabling DHCP, mac filtering and turning off your beacon are all great ideas that should be used with WPA. Even still, it is possible to breach the security...which is why mega expensive enterprise and military grade solutions exist. If they get an at that point they're within visual distance since I live in a small neighborhood. I'll knock on their door and confront them at that point or snatch them out of their car on the curb, lol.

robo_dev

And in about ten seconds you can see the AP/router mac address and any attached clients. Any IP information is there as well, if encryption is disabled. If you lookup the OUI information from the mac address, you can tell the manufacturer, which can help to sort out what's what. By looking at unencrypted traffic, you can make a good guess as to what the device is.

Forum Surfer

I've cracked many...you don't need a mac either. I've done it with a locked down corporate laptop just to prove a point. Like others said, I feel the safest bet is to use encryption and disable your broadcast ID.

shady108

oh theres also software about which shows you wireless networks which arent broadcasting their SSIDS so the only real secure way is to apply the mac filter on your wireless router, then only computers that you want to access your wireless network can............

catseverywhere

Well, at least the Russian bears have hope of surviving unmolested. Once the "North American Union" goes through those Canadian bears will lose their sovereignty and be subject to deportation. Now maybe we could get Michael Vick to organize some bear-penguin action down there on the bottom of the earth... cat

Jaqui

he has no real concern for the environment. :p besides, most polar bears are either Canadian or Russian. :D

JCitizen

up and spit them out! That would be animal cruelty! ;)

catseverywhere

Hey, Linus Torvalds got bitten by a pissed off penguin once, in so. Australia: "APC: You've been to Australia, and rumour has it that you were bitten by a penguin. Is that true? How did you find Australia, how many times have you been there, any favourite town or city? Was there any kind of activity like bush-walking and things like that which you really took to in Australia? LT: I've been to Australia several times, these days mostly for Linux.Conf.Au. But my first trip - and the one when I was bitten by a ferocious fairy penguin: you really should keep those things locked up! - was in 93 or so, talking about Linux for the Australian Unix Users Group." article: http://apcmag.com/node/7012 As for polar bears, maybe Al Gore is gonna ship a few of 'em your way, disappearing habitat and all... take care of the penguin problem. ;)

JCitizen

:^0 Maybe an occasional Abominable Snowman or two! :)

catseverywhere

Good one, I wonder if I could substitute a youtube vid for "kittenwars?" When I get the deal set up I'll try changing the URL and see what happens. Saw there's a bunch of vids with "kitten" and "fight" in the title. You're right, it is more entertaining than the lame popularity contest... cat

catseverywhere

Hey, if you find something like that please let me know! For now that was the best I could come up with...

The Scummy One

is that none of his systems connects to it wirelessly, therefore there is no traffic, just frames from the router saying "I'm here, I'm open"

The Scummy One

From my meager knowledge, it would appear that an open wifi router with no traffic or way in is pretty secure. Before someone can spoof a MAC address, they will need to know an accepted MAC address to spoof. same with IP's. Unless someone connects to his local LAN and grabs this info, they will not have it for the wireless connection. But also consider that they would need to know which LAN to connect to AND know that MAC filtering was enabled AND that he has the MAC addresses of the local systems on-site as configured (or some of them). So, the only real threat is if someone takes over the router completely. Since you obviously know more than the rest of us, what is this big threat?

prscott1

You said "without wireless traffic"... there IS wireless traffic - that's the problem: he is purposely leaving his WAP's RF signal ON for no reason because his PCs are all connected via ethernet.

prscott1

We can all let Jaqui explain how someone accessed his system because he left his RF on for no good reason.. that is after he reinstalls his system. :-)

The Scummy One

without wireless traffic, and MAC filtering, and IP filtering, how is one going to connect? Since you are obviously a know-it-all, please explain in more detail than what you have posted.

apotheon

Jaqui said: "they cannot get it, WHEN THERE IS NO WIRELESS TRAFFIC." All the techniques you mentioned in your previous post are predicated upon the notion that there is wireless traffic from which you can harvest MAC addresses and IP addresses. What am I missing?

catseverywhere

Can you point to any resources that explain your points more thoroughly? Please, and thank you. cat

robo_dev

nevermind. You're right. Your network is perfectly safe. I was going to mention the fact that I do security penetration testing for a living, and that I worked for three years designing and deploying WLANs in warehouses throughout North America and Europe, and that I have been a presenter at Networld+Interop and several other similar events on the topic of WLAN security, and that I have x number of years of network protocol analysis, web application security, crypto training, and blah blah blah... .....but I am clearly wrong in this area and know nothing about this technology. So I will now state for the record. 1) It is impossible to connect to an unencrypted WLAN if mac address filters are present. 2) There is no way to determine the IP address range of a network or assign a static address to a WLAN device.

Jaqui

they cannot get it, WHEN THERE IS NO WIRELESS TRAFFIC. and, you have to supply both a valid mac address AND a valid ip to even hope to connect. my router logs show them trying, no one succeeding.

Jaqui

there is no wireless traffic on the router. and, since the dipsticks that make them don't make routers WITHOUT wireless any more, if I have to have wireless capable, I'll make sure it pi$$es everyone else off.

robo_dev

There's a nifty little utility called WLAN-Jack that will force any device to dis-associate. The attacker then re-associates once your device is forced off the network. Even worse is monkey-jack, which gives a man-in-the-middle connection once the first device is forced off the network. The utility kracker-jack is designed specifically to defeat mac-address filtering and gives the attacker a man-in-the-middle session. And since the IP address info is part of the data stream, setting a static address is no big deal. The other issue, don't forget, is that you are sending all your network traffic over the air, unencrypted. Therefore it's very possible to capture ALL your data, unencrypted, without ever touching your network. Using mac-address security is like hiding your house key under the left side of the mat instead of the center of the mat.

MGP2

So, are you saying that you have no wireless clients and you're just running a wireless router to splatter wireless signals into the neighborhood and bother other people?

cap james t kirk

actually I have read that MAC filtering is pretty easy to crack as well. everything I read says WPA is the best you can do.