wireless router/hard-wired security

[lewisv]

I've got a question about a wireless internet connection. I bought a wireless router that I connected to my sister's cable modem. I was under the impression that the only computer at risk was mine, because it was the only one receiving and sending 'wirelessly'. She has a teacher who told her that her computer was at risk too. Is that true? Besides being connected to the same router, no networking between the computers is set up.

[crazijoe]

Yes, this is very true. If someone can see the wireless network and gain access to it, not only will they see your computer but they will see other computers on the network. The key here is all the computers are on a "network" the intruder has acess to all nodes on the network and not just the one that is connected wirelessly. The WiFi is a doorway and you need to make it hard to enter it by using encryption (WPA, WEP, etc.) and access control lists. If someone wants to get in, they will find a way. You just need to make it harder. This is no different than surfing the internet, thus the reasons for Firewalls.

[lewisv]

Thanks for your reply. I think I understand a bit more now. However, if you don't mind I have another question. If I enable encryption on the wireless router, set up an access list, and each computer has a firewall - is that about as secure as you can get? How does that compare (security-wise) to surfing on the internet on a hard-wired connection?

Thank you again.

[waffleweed]

for wireless security, i remember an article saying one is better than the other. either WPA is better than WEP or WEP is better than WPA vice versa. probably johnwill can explain better.

also enable mac filtering so the wireless router will only recognise your computer in trying to access the wireless connection.

[johnwill]

Here are some common WiFi security myths, WPA with long random keys (20 char or more) is the most secure option currently available on SOHO routers.

MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person's name tag and compares it to his list of names and determines whether to open the door or not. Do you see a problem here? All someone needs to do is watch an authorized person go in and forge a name tag with that person’s name. The comparison to a wireless LAN here is that the name tag is the MAC address. The MAC address is just a 12 digit long HEX number that can be viewed in clear text with a sniffer. A sniffer to a hacker is like a hammer to a carpenter except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut-paste a legitimate MAC address in to the wireless Ethernet adapter settings and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement these things. The bottom line is, MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

SSID hiding: There is no such thing as "SSID hiding". You're only hiding SSID beckoning on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are; probe requests, probe responses, association requests , and re-association requests. Essentially, you re talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all you ve achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP. Hidden SSIDs also makes wireless LANs less user friendly. You don't need to take my word for it. Just ask Robert Moskowitz who is the Senior Technical Director of ICSA Labs in his white paper Debunking the myth of SSID hiding.

Disable DHCP: This is much more of waste of time than it is a security break. DHCP allows the automatic assignment of IP addresses and other configurations. Disabling DHCP has zero security value and just wastes time. It would take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address. Anyone who tells you that this is a way to secure your wireless LAN doesn’t know what they’re talking about.

See the full article at: http://blogs.zdnet.com/Ou/index.php?p=43

[crazijoe]

This might scare you a little.
http://www.wardrive.net/wardriving/tools
http://www.wardrive.net/

Anybody can just download the tools needed to infiltrate your network.

[lewisv]

So - if I'm understanding correctly, no matter what I do in the way of security - wireless routers are just a snap to break into. Right? Does the firewall on the computer make a difference? I'm a software-type person, but quite hardware-naive. Is it correct that to gain access through the router they must be close by - like a neighbor or sitting in a vehicle nearby. Part of me has a hard time believing I will be targeted like that. Maybe I'm not paranoid enough.

[crazijoe]

A good firewall can make a difference. You are correct in the assumption that it would have to be a neighbor or someone sitting right outside. It would hard to say if anyone could be targeted like that. All I'm saying is just make it more difficult for someone to get in. Think of it like a robber and doors. A robber will try and break into a door with only 2 locks than attempt to break into a door with 6 locks.
Implement all the security and ecryption features the router has to offer. I wouldn't get overly paranoid about it. I've been using a wireless setup for about 2 years without a mishap that I am aware of. (note I said "I am aware of")

[lewisv]

Thanks. You all have been very informative.

[lewisv]

I have yet one more question. If I were to have a separate cable modem to which I connected my wireless router, would that protect my sister's computer from that sort of intrusion. While I'm not so paranoid - I cannot say the same for my sister. Thanks again for sharing your knowledge.

[crazijoe]

So the senario would be to have 2 cable modems, your sister connected to one and your wireless router connected to the other. Here's the problem. With 2 cable modems, you will need 2 public IPs from your ISP. This may cost you extra. Next problem, with your sisters computer connected directly to the cable modem, she would be open house on the internet. She would have more protection behind the router.

[johnwill]

Quote:

Originally Posted by lewisv

So - if I'm understanding correctly, no matter what I do in the way of security - wireless routers are just a snap to break into. Right? Does the firewall on the computer make a difference? I'm a software-type person, but quite hardware-naive. Is it correct that to gain access through the router they must be close by - like a neighbor or sitting in a vehicle nearby. Part of me has a hard time believing I will be targeted like that. Maybe I'm not paranoid enough.

Actually, the only currently available decent security measure for WiFi is WPA-PSK with a long and random key. That will keep the script kiddies at bay effectively right now, until someone figures a crack.