(OT) What do you consider secure for home/small office wireless?

-Complex admin password to router?
-WEP,WPA, or WPA2?
-Changing default broadcast channel?
-Disable SSID broadcast?
-Disable ping respond?
-Complex SSID name?
-Utilize MAC and/or IP filtering?

I'd like to hear some ideas from the experienced in the group as to what
steps are sufficiently secure for non-critical/non-targeted homes and small
business given how quickly methods change out of necessity.

It is, of course, understood that if someone sufficiently bright with enough
time on their hands wants to intrude, they will.

What's good enough for you in this scenario?

"S.Lewis" <> wrote in message
news:OLDUg.40499$. ..
> -Complex admin password to router?
> -WEP,WPA, or WPA2?
> -Changing default broadcast channel?
> -Disable SSID broadcast?
> -Disable ping respond?
> -Complex SSID name?
> -Utilize MAC and/or IP filtering?
>
> I'd like to hear some ideas from the experienced in the group as to what
> steps are sufficiently secure for non-critical/non-targeted homes and
> small business given how quickly methods change out of necessity.
>
> It is, of course, understood that if someone sufficiently bright with
> enough time on their hands wants to intrude, they will.
>
> What's good enough for you in this scenario?

For my simple home network consisting of two desktops and a laptop, I find
WPA-Personal and TKIP data encryption with a simple SSID name in place of
the default to be quite sufficient. Of course, I run a firewall, Zone Alarm
Pro, to protect my network. I have never had an intrusion. Zone Alarm Pro
has reported numerous attempts to sniff out my network but none have been
able to find it, hidden as it is behind the Zone Alarm Pro firewall.

"Kevin" <> wrote in message
news:452310bf$0$25777$...
>
> "S.Lewis" <> wrote in message
> news:OLDUg.40499$. ..
>> -Complex admin password to router?
>> -WEP,WPA, or WPA2?
>> -Changing default broadcast channel?
>> -Disable SSID broadcast?
>> -Disable ping respond?
>> -Complex SSID name?
>> -Utilize MAC and/or IP filtering?
>>
>> I'd like to hear some ideas from the experienced in the group as to what
>> steps are sufficiently secure for non-critical/non-targeted homes and
>> small business given how quickly methods change out of necessity.
>>
>> It is, of course, understood that if someone sufficiently bright with
>> enough time on their hands wants to intrude, they will.
>>
>> What's good enough for you in this scenario?
>
> For my simple home network consisting of two desktops and a laptop, I find
> WPA-Personal and TKIP data encryption with a simple SSID name in place of
> the default to be quite sufficient. Of course, I run a firewall, Zone
> Alarm Pro, to protect my network. I have never had an intrusion. Zone
> Alarm Pro has reported numerous attempts to sniff out my network but none
> have been able to find it, hidden as it is behind the Zone Alarm Pro
> firewall.
>

I also forgot to list changing the router's default broadcast channel.

Stew

In article <OLDUg.40499$>, stew1960
@mail.com (known to some as S.Lewis) scribed...

> -Complex admin password to router?

Yes. Use a mix of letters and numbers, upper and lower case, and
special characters.

> -WEP,WPA, or WPA2?

WPA or WPA2 only. WEP has been cracked six ways from Sunday. You
also need a nice, long passphrase, at least 26 characters (longer if you
can).

> -Changing default broadcast channel?

Won't do a thing. Any WiFi device worth it's salt scans all
available channels.

> -Disable SSID broadcast?

Again, won't do a thing. A WiFi sniffer will still see the SSID
when an authorized workstation connects.

> -Disable ping respond?

If you have the WAP behind a good firewall (as you should), this
shouldn't matter as the firewall should be able to stop a ping flood
attack.

> -Complex SSID name?

Unnecessary.

> -Utilize MAC and/or IP filtering?

One of the best security measures available, if you don't mind
keeping up the access list. This, in combination with WPA or WPA2 that's
been properly set up, will make anyone other than the most determined
attackers look elsewhere for easier targets.

Happy securing.

--
Dr. Anton T. Squeegee, Director, Dutch Surrealist Plumbing Institute
(Known to some as Bruce Lane, KC7GR)
http://www.bluefeathertech.com -- kyrrin a/t bluefeathertech d-o=t calm
"Salvadore Dali's computer has surreal ports..."

S.Lewis wrote:
> -Complex admin password to router?
> -WEP,WPA, or WPA2?
> -Changing default broadcast channel?
> -Disable SSID broadcast?
> -Disable ping respond?
> -Complex SSID name?
> -Utilize MAC and/or IP filtering?
>
> I'd like to hear some ideas from the experienced in the group as to what
> steps are sufficiently secure for non-critical/non-targeted homes and small
> business given how quickly methods change out of necessity.
>
> It is, of course, understood that if someone sufficiently bright with enough
> time on their hands wants to intrude, they will.
>
> What's good enough for you in this scenario?

If you want Secure, Wired would be a better choice. Not to mention more
reliable (less interference).

- Change admin password (complex is good)
- WPA2
- Disable SSID broadcast
- MAC filtering

To get hacked, you'll almost have to be the target of a very
sophisticated and determined enemy or the government (maybe the same
thing?? :-> )

Regards,
Hank Arnold

S.Lewis wrote:
> -Complex admin password to router?
> -WEP,WPA, or WPA2?
> -Changing default broadcast channel?
> -Disable SSID broadcast?
> -Disable ping respond?
> -Complex SSID name?
> -Utilize MAC and/or IP filtering?
>
> I'd like to hear some ideas from the experienced in the group as to what
> steps are sufficiently secure for non-critical/non-targeted homes and small
> business given how quickly methods change out of necessity.
>
> It is, of course, understood that if someone sufficiently bright with enough
> time on their hands wants to intrude, they will.
>
> What's good enough for you in this scenario?
>
>
>
>
>
>
>

"Hank Arnold" <> wrote in message
news:YzKUg.929$...
>- Change admin password (complex is good)
> - WPA2
> - Disable SSID broadcast
> - MAC filtering
>
> To get hacked, you'll almost have to be the target of a very sophisticated
> and determined enemy or the government (maybe the same thing?? :-> )


I'm no computer expert (I don't claim to be one) but everything I've
read on the net about wireless security says MAC filtering is a waste of
time. Anybody who has the programs to sniff out your SSID and break into
your WEP security will have no problem getting around MAC filtering. Same
for disabling SSID. If your serious about security why put MAC Filtering
and Disabling SSID in with WPA2? Isn't the real question this - are you
using unsafe WEP or safe WPA/WPA2?

Von Fourche wrote:
> "Hank Arnold" <> wrote in message
> news:YzKUg.929$...
>> - Change admin password (complex is good)
>> - WPA2
>> - Disable SSID broadcast
>> - MAC filtering
>>
>> To get hacked, you'll almost have to be the target of a very sophisticated
>> and determined enemy or the government (maybe the same thing?? :-> )
>
>
> I'm no computer expert (I don't claim to be one) but everything I've
> read on the net about wireless security says MAC filtering is a waste of
> time. Anybody who has the programs to sniff out your SSID and break into
> your WEP security will have no problem getting around MAC filtering. Same
> for disabling SSID. If your serious about security why put MAC Filtering
> and Disabling SSID in with WPA2? Isn't the real question this - are you
> using unsafe WEP or safe WPA/WPA2?
>
>
>
>
You're correct; pretty much the only significant threat to WPA[2] is
man-in-the-middle attacks (eg. someone with a stronger signal spoofs
your AP and you don't notice since they're forwarding your packets).

S.Lewis wrote:
> -Complex admin password to router?
Definitely do this, won't really stop remote IP attacks but for local
wireless security it's a must.

> -WEP,WPA, or WPA2?
I only use WEP if there's a bunch of open networks (ie. easier targets)
around me and the people connecting may change frequently
WPA[2] is much better if the machines using it are typically not going
to change orif there's no other targets. For home I'd use a pre-shared
key; for business I probably wouldn't do wireless but if I had to I'd
definitely be authenticating using 802.1X protocols (eg. RADIUS server,
EAP-TLS, etc.).

> -Changing default broadcast channel?
In terms of security useless, beneficial because of less interference.

> -Disable SSID broadcast?
Useless, and sometimes causes issues with certain WiFi cards. You might
want to reduce the signal to only cover the necessary area of your
home/business -- this is a more effect approach but still very weak
security.

> -Disable ping respond?
Doesn't really help against local wireless attacks, but makes you less
obvious of a target from remote IP's. Having common ports open defeats
the point though.

> -Complex SSID name?
Useless, might cause issue with some cards.

> -Utilize MAC and/or IP filtering?
MAC filtering is a waste, I'm not sure what you mean by "IP filtering"
but if you mean basic firewall rules then it's definitely important for
remote security (ie. block all ports and only open those absolutely
necessary).
>
> I'd like to hear some ideas from the experienced in the group as to what
> steps are sufficiently secure for non-critical/non-targeted homes and small
> business given how quickly methods change out of necessity.
>
> It is, of course, understood that if someone sufficiently bright with enough
> time on their hands wants to intrude, they will.
>
> What's good enough for you in this scenario?
>
In all cases change the router password to something at least 8
characters with at least 3 of the following (lower case letter, capital
letter, number, non-alphanumeric character); I'd also change the default
channel to the one with the least interference. As for use cases:
Home with lots of stupid neighbors using open access points -- WEP
Home with no neighbors -- WPA with PSK
Business -- WPA with data link (layer 2) security or no WiFi

The more important things to consider is what ports are open on the
router, and if remote login is enabled on any of the machines, are all
the passwords strong (use the same standard mentioned above). Ideally
if you're going to open any ports, try and use obscure ones whenever
possible and make sure the daemon answering them is known to be secure
(eg. OpenSSH).

"S.Lewis" <> wrote in message
news:OLDUg.40499$. ..
> -Complex admin password to router?
> -WEP,WPA, or WPA2?
> -Changing default broadcast channel?
> -Disable SSID broadcast?
> -Disable ping respond?
> -Complex SSID name?
> -Utilize MAC and/or IP filtering?
>
> I'd like to hear some ideas from the experienced in the group as to what
> steps are sufficiently secure for non-critical/non-targeted homes and
> small business given how quickly methods change out of necessity.
>
> It is, of course, understood that if someone sufficiently bright with
> enough time on their hands wants to intrude, they will.
>
> What's good enough for you in this scenario?
>

Turn it off when you aren't using it. That provides less opportunity for
someone to locate it, hack it and misuse it.