Simple advice for securing your home wireless LAN


When I wrote my previous blog, "Hack most wireless LANs in minutes!", which mostly focused on insecure corporate wireless LANs, it seemed to generate more questions than answers, which is typical every time I go into this topic. Many of the comments and questions were about home security, so I answered them as best I could, which prompted even more questions. So to clear this up once and for all, I offer the following advice.

  • Refuse to buy any new devices that are not WPA certified. Believe it or not, some of the new wireless LAN media players being touted at this year's CES (Consumer Electronics Show) only support WEP encryption.
  • Demand that your vendors provide upgrades for older devices, especially if they are only two years old.
  • Many devices that aren't too old can already be upgraded to WPA. You need to check with your vendor to get the updated drivers and/or firmware. Devices include 802.11 Access Points and client adapters.
  • Use WPA-PSK mode with a random key. Don't use words in the dictionary or a variation of them because they can easily be cracked. It's better to simply store the key on a USB dongle or even a floppy disk. Microsoft provides a very simple mechanism for setting up WPA security by making it easy to create a simple setup file on a USB dongle.
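
An added example (not part of the original post) of what "a random key" means in practice: it draws a passphrase from the operating system's random source, flags dictionary words and simple variations of them, and, going a step beyond the text, shows the standard derivation of the 256-bit key from passphrase and SSID. The function names and the sample wordlist are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

# WPA passphrases are 8 to 63 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample wordlist; a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "dragon", "wireless", "linksys", "sunshine"}

# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oieastbasi")
DECOR = string.digits + string.punctuation


def generate_passphrase(length=63):
    """Random WPA-PSK passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length):
    """Entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(len(ALPHABET))


def is_dictionary_variation(passphrase, words=SAMPLE_WORDS):
    """True if the passphrase is a dictionary word plus trivial decoration."""
    lowered = passphrase.lower()
    candidates = {lowered, lowered.rstrip(DECOR), lowered.strip(DECOR)}
    return any(c.translate(LEET) in words for c in candidates)


def derive_psk(passphrase, ssid):
    """Key actually used on the air: PBKDF2-HMAC-SHA1 salted with the
    SSID, 4096 iterations, 32 bytes (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32).hex()


if __name__ == "__main__":
    key = generate_passphrase()
    print(key, f"({entropy_bits(len(key)):.0f} bits)")
    print("P@ssw0rd123 is a dictionary variation:",
          is_dictionary_variation("P@ssw0rd123"))
```

Because the derivation is fixed and public, the passphrase is the only secret involved, which is why a dictionary-based passphrase gives so little protection.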

Now you may have noticed that I didn't include "MAC filtering" or "SSID hiding" as part of my recommendation. This is because those are two of the biggest myths in wireless LAN security, which I'll have to leave for another blog. If you have any more questions or comments, just use our talkback section and I'd be happy to answer them.


Talkback

  • nothing new here

    See http://www.microsoft.com/windowsxp/using/networking/learnmore/bowman_05february10.mspx for the real skinny on wireless security. Looks like you've summarized this quite well.
    gurutech
    • Thanks for the link

      Thanks for the link. This blog is specifically in response to the questions in my previous blog. Although it is very basic information, you'll be surprised how often people get confused about this issue and keep asking the same thing over and over again.
      george_ou
  • Mixed network - PC and Mac

    I appreciate your article on network security and have, in fact, saved the WPA key to a USB dongle as suggested. This was done using a desktop computer running Windows XP Professional. However, the computer I am trying to network with is an iBook (Apple notebook). The procedures for setting up or joining a network on the iBook do not seem to coincide with the PC procedures. Can the two co-exist? If yes, how?
    Art843
    • You'll need to manually set the WPA-PSK

      Assuming that you're running a modern version of Mac OS X that supports WPA-PSK mode, you should be able to take the WPA-PSK key and manually configure it on the Mac. You will not be able to do the automated install process because it's designed for Windows XP SP2.

      I'm not a Mac expert so my advice on this platform is limited. It would be nice if Apple would come up with a simple way to simply import the settings from the USB stick. I do know that it is possible to get WPA-PSK mode to work on a Mac so there is no reason that it shouldn't coexist unless you're running older Mac hardware/Mac OS that doesn't support WPA-PSK mode.
      george_ou
  • Any cheap intrusion detections?

    As I live in a relatively rural area, I'm not sure whether I'm at any real risk of someone breaking my WLAN or not. I currently have static WEP because that's all several of my older WLAN client devices support. All the PCs have individual firewalls enabled.

    Is there a simple / cheap way to ring an alarm when someone breaks into the WLAN?
    A.Sinic
    • Look at the DHCP tables

      All you need to do is look at the DHCP allocation table on your router and look for machines you don't recognize. If you see one that shouldn't be on the network, you've been broken into. If that's the case, it's hard to combat with WEP. If you change the WEP key, it can be broken in minutes again. The point is, just don't use WEP.
      george_ou
      • Alarm app

        Your answer to the preceding question did not answer the question asked. Looking at the DHCP allocation table may work when it is checked, but, is there a method or application (cheap or free) that can alert you to an intrusion when it is initiated?
        garylh@...
        • Not sure about free

          There are some commercial personal applications that have wireless IDS capability, in addition to some very expensive enterprise class solutions. On one anti-virus vendor's website, there is an online application that can scan for intruders.

          However, my best advice is to simply follow the advice in the original blog so that you don't need to worry about intrusions in the first place. This pertains to the home as well as the corporation. A fundamentally sound Wireless LAN is not susceptible to cracking or Evil Twins. That is where priority should be given first because worrying about a wireless IDS without dealing with the basics is like putting the wagon before the horse.
          george_ou
          • TIVO is WEP only...

            so if we can't upgrade our tivo so that it would work with wpa standard... we're perty much screwed unless we pull a line from the router to the tivo device, huh? that sucks...
            kram2004@...
          • Indeed it sucks

            That is one of the biggest problems. The worst offenders are the wireless multimedia devices. New products being released in 2005 are WEP only and it's a horrible shame. It should be treated the same as selling a new 2005 model car without anti-lock brakes, seatbelts, or airbags but it isn't.
            george_ou
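
The DHCP-table check suggested in the thread above can be automated. The following is an added example, not code from the post or from any commenter; it assumes the router exposes its leases in the dnsmasq lease-file layout, and the lease lines, MAC addresses and device names are constructed.

```python
# Constructed sample in dnsmasq lease-file layout:
# <expiry epoch> <MAC> <IP> <hostname> <client-id>
SAMPLE_LEASES = """\
1105920000 00:11:22:33:44:55 192.168.1.10 desktop-xp 01:00:11:22:33:44:55
1105923600 00:AA:BB:CC:DD:EE 192.168.1.11 ibook *
1105927200 02:de:ad:be:ef:01 192.168.1.37 * *
"""

# MAC addresses of devices the household owns (constructed values).
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "desktop",
    "00:aa:bb:cc:dd:ee": "iBook",
}


def normalize_mac(mac):
    """Lower-case, colon-separated form so comparisons are consistent."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text):
    """Yield (mac, ip, hostname) for each well-formed lease line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        try:
            mac = normalize_mac(fields[1])
        except ValueError:
            continue  # second field is not a MAC address
        yield mac, fields[2], fields[3]


def unknown_clients(lease_text, known=KNOWN_DEVICES):
    """Leases whose MAC is not in the inventory of known devices."""
    allowed = {normalize_mac(m) for m in known}
    return [(mac, ip, host) for mac, ip, host in parse_leases(lease_text)
            if mac not in allowed]


if __name__ == "__main__":
    for mac, ip, host in unknown_clients(SAMPLE_LEASES):
        print(f"ALERT: unrecognized client {mac} at {ip} (hostname {host})")
```

A client that never requests a lease does not appear in the table, so an empty result is a tripwire staying quiet, not proof that the network is clean.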
  • Mac OS X 10.2.x

    Apple says that OS 10.2 does not support WPA. Is there a known way to do what Apple says cannot be done, short of spending $129 to upgrade to 10.3?
    zdnut
    • 3rd party client

      You might be able to use the Aegis client. The current version should be WPA compatible.

      See this link about Mac OS 10.2
      http://bc-wifi.brooklyn.cuny.edu/started.php
      george_ou
      • 3rd party client, WPA on Mac OS X 10.2.x

        Thanks for the potential solution, George. As it turns out, the Aegis client will not impact OS 10.2's built-in incompatibility with WPA. It appears that Apple may have used a driver which, by design, won't allow the use of WPA without purchasing 10.3.
        zdnut
        • Even Windows 2000 supports WPA via 3rd party

          There is a free 3rd party utility that supports WPA-PSK for the old Windows 2000. It's strange that they can't do this for Mac OS 10.2 which isn't nearly as old as Windows 2000.
          george_ou
  • Stupid, but not worse than nothing.

    Security by obscurity = bad. Sure.
    We should all use WPA. Sure.

    But in a world of only WEP. All I want to do is protect my home WiFi as much as I can from people driving by with netstumbler, or the curious neighbors down the block.

    Sure in theory turning off SSID broadcast and enabling MAC filtering does nothing. But in practice at least it is something. It makes it at least a little less likely that someone is even going to see the access point. And even if they do are they going to spend 1 minute to probe the SSID then 2 minutes trapping a MAC then 5 or so minutes cracking the WEP key or are they just going to use the fully open "out of the box" point down the road?

    If you have no locks on your doors the house is not safe. Would anyone argue that it makes no difference if you put a sign out the front of that house that says "There are no locks on this house"?

    Final word: Use WPA.
    davidkclark@...
  • Home wireless device

    I am trying to buy a home/small office wireless device for my home/small office, which has 4 PCs. There are so many wireless routers out there (Linksys, Netgear, D-Link, etc.). Which brand and model do you recommend?

    Thanks,
    Barun
    bpghimire
  • Dell atrocity

    George, I recently purchased a Dell E1505 laptop with Ubuntu 7.04. It has been so long since I did any real maintenance on a computer (Win 3.1 before I went to IBM's OS/2 Warp) that I need a detailed instruction set to install WPA security on this computer, which came without WPA capability. I had seen somewhere that Ubuntu 7.04 now supports WPA "out of the box" so I downloaded and installed a new copy. It doesn't.

    I need help.
    Update victim
  • RE: Simple advice for securing your home wireless LAN

    Well, this is an eye opener for me.
    Don't stop, keep it coming.
    Informative.
    trestrailbernard97@...
  • RE: Simple advice for securing your home wireless LAN

    Home security system has now become a necessary gadget for home safe, here is another good example.
    Irene7999