Paranoid about security. I have a few quick, easy questions.

[deereynolds]

This post may be annoying to some.. Apologies in advance.

I've never really been a WiFi type guy, I've always preferred my wired 1gigabit LAN. I have a Buffalo router that I'm using now with dd-wrt. I have the WiFi on a different subnet so that my wired cant talk to my wireless. I only use the WiFi for my Android phones (I "think" the different subnet would prevent any intruders getting to my wired LAN if they got into my WiFi) .

Anyways, I live in a very busy area, WiFi signals are everywhere. I just recently bought the Asus RT-N66U and would like to go wireless with my whole network, no more subnets. I bought the Nvidia Shield and need access to my Steam games and needed a 5ghz router. Right now, I have the factory firmware and just turn the router off when I'm not using the Shield. I'm paranoid of someone getting into my network via my WiFi signal.

I'm looking to dump my Buffalo router and just use the Asus N66U exclusively. Also, I'll be flashing the latest Merlin FW.

My question is.. Should I be paranoid about any intrusions? I'll be using wpa2 with 64 character key. But I'll have the WiFi on 24/7, all of my PCs will be on the same network and that worries me a little.

Am I crazy? What are the chances of anyone cracking it and getting in? And besides for using WPA2 and the latest Merlin build is there anything else I should do to secure the wireless?

Thanks for reading and thank you for any feedback.

 

[Razor512]

With current WPA2, no one has found any major security issues, thus the only attack is still really just brute forcing the password.

If 1 router provides enough coverage for the whole home, then switch what ever router is the best, and run it 24/7 if needed.

Just be sure to use a unique SSID since it is used to salt the password, thus a unique one will be less likely to have rainbow table created for it.

 

[stevech]

Run WPA2

Unless you live in a tech school dorm, you OK because both proximity and motive are needed. Unlikely.

 

[azazel1024]

With current WPA2, no one has found any major security issues, thus the only attack is still really just brute forcing the password.

If 1 router provides enough coverage for the whole home, then switch what ever router is the best, and run it 24/7 if needed.

Just be sure to use a unique SSID since it is used to salt the password, thus a unique one will be less likely to have rainbow table created for it.

Not really true. There are short cuts by grabbing the association packets when a device first connects to the Wifi network. If this doesn't occur very often, the amount of time needed to crack goes up exponentially.

Granted, you'll need to be pretty dedicated to do it and last I checked, the "short cut" simply means that you can brute force a password in a matter of a handful of weeks for a WPA2 complex password if you capture enough association packets and have a nice setup (like, say, dual or triple BIG GPU setup for cracking).

For all practical applications, WPA2 with something greater than a 10 digit randomish password is more or less unbreakable with extreme dedication.

Of course that was only an article I was reading a few months ago. Not entirely sure the exact state of things. This is not casual "war driving" or WEP cracking.

 

[sfx2000]

Run WPA2

Unless you live in a tech school dorm, you OK because both proximity and motive are needed. Unlikely.

Run WPA2 with AES, not mixed TKIP/AES - and it's prudent to support a decent password, as this is a vector under strong attack...

Case in Point - pass phrases are good...

N0wI5th3Tim3f0rA77Go0dM3nt0C0me2th3A1dofOn35CounTrY

You can test your passwords here -- https://www.grc.com/haystack.htm

sfx

 

[heyyahblah]

Also, I wanted to add since no one seemed to mention this, and it might help you ...

If your router the Asus RT-N66U supports Disable broadcast SSID then turn it off, mine does .

It will be even harder for someone to 'hack' you on your wireless network if they don't even know if your broadcasting wifi and SSID has to be case-specific as well otherwise it won't connect to the network.

So disable your SSID broadcasting. That's what I did on mine because I didn't want anyone seeing(hearing) whatever you would like to call it, my signal.

 

[sfx2000]

Of course that was only an article I was reading a few months ago. Not entirely sure the exact state of things. This is not casual "war driving" or WEP cracking.

WPA2 with TKIP (mixed mode/legacy mode) is breakable for the group SSID, so one should use AES exclusively...

If set - AES can secure both the group PW along with individual client keys...

PSK's are the soft-spot with short pass-phrases... and cloud compute resources are cheap these days.

If one is truly paranoid - WPA2-Enterprise with certs and a trusted radius server is the way to go.

 

[sfx2000]

Also, I wanted to add since no one seemed to mention this, and it might help you ...

If your router the Asus RT-N66U supports Disable broadcast SSID then turn it off, mine does .

It will be even harder for someone to 'hack' you on your wireless network if they don't even know if your broadcasting wifi and SSID has to be case-specific as well otherwise it won't connect to the network.

So disable your SSID broadcasting. That's what I did on mine because I didn't want anyone seeing(hearing) whatever you would like to call it, my signal.

Actually - don't do that - disabling SSID-Broadcast does nothing - a couple of minutes with Kismet and AirCrack fuxes that up - sending a de-associate command will disclose the SSID in any event...

Windows clients, along with others, disclose the previous SSID's they've been associated with, so there's no value here from a Protection perspective.

sfx

 

[stevech]

Yes. Disabling SSID broadcast (in the beacon packets) makes it hard for your clients to work - you have to manually tell the clients what the SSID is if they don't have it.

The SSID is sent in other packets so as said, one with motive and proximity can get the SSID. With WPA2/AES, the SSID value is of no real use.

 

[CaptainSTX]

Leave your SSID on. Turning it off does not improve security and only creates additional hassles for authorized users of your network.

Do if you don't need WiFi during the day or night turn the WiFi radios off using the built in timer function. The GUI interface on ASUS or Merlin only allows one off on cycle per twenty four hour period, but if necessary you can write a simple script for additional cycles. DD-WRT allows for twenty four on/off timers.

Disable WPS.

Be sure you use a very strong administrative password (I use 15 letters incl capitals, numbers and special characters.) in addition to a strong WiFi paraphrase.

Finally if you are really paranoid lock your router in a room where nobody can touch it and do a reset and thereby gain administrative access.

 

[RMerlin]

Case in Point - pass phrases are good...

N0wI5th3Tim3f0rA77Go0dM3nt0C0me2th3A1dofOn35CounTrY

I dare you to enter that on a 100$ HP OfficeJet using a phone-like dialpad

Or even on any Android device.

Sadist.

 

[System Error Message]

There are a lot of misconceptions in this thread. Hidden or visible SSID doesnt matter, when i run wifi analyser on my phone i see hidden wifi and their info except their SSID name. Hiding your SSID actually exposes your wifi even more and makes them vulnerable. This is because your devices would be actively transmitting all the time even when not in range. In the phone app hidden SSIDs appear like normal except that they dont have names.

WPA2 is better than WEP which is better than WPA. AES is better than TKIP but requires hardware that supports it and there have been issues with some apple devices connecting to WPA2 AES but it is not widespread. Short or long passwords dont make much of a difference except if someone wishes to spend months to find it which it would help to have a longer password. Regardless whether your password is 8 or 64 characters long the resultant hash will be the same length. unless someone properly hacks WPA2 and AES based on their math and algorithm, longer passwords with symbols and such only protect against brute force. Because of this sort of encryption it is possible for multiple passwords to produce the same hash.

To better secure your network it is better to use WPA2 enterprise with AES. It does require setting up a radius server and stuff but it is much more secure because any device that wishes to access your network whether wired or not must login. An alternative to this is hotspot. I hope merlin firemware for asus routers can run radius server and use WPA2 enterprise so that only 1 device is required instead of needing to set up seperate devices.

If you have a guest network it is much better to secure them using subnets and VLANs rather than port isolation and prevent direct routing. My ISP uses port isolation ( I have to deal with double NAT) but i find that so many packets from other users arent isolated and i have to configure L2 firewall with L3 just to deal with this.

If you want to make things even more secure you can have every device with a 255.255.255.255 subnet and rely on L3 routing if they were to communicate. This requires a router with a good CPU to control the traffic and security.

There are also many L2 based configurations required just to make your network secure against hacks like the pineapple hak. Most wifi networks are vulnerable against such hacks once the hacker gains access to the network.

 

[enr00ted]

I dare you to enter that on a 100$ HP OfficeJet using a phone-like dialpad

Or even on any Android device.

Sadist.

Lol. I remember trying this setup once. A nightmare !

 

[AdvHomeServer]

To better secure your network it is better to use WPA2 enterprise with AES. It does require setting up a radius server and stuff but it is much more secure because any device that wishes to access your network whether wired or not must login.

I played around a bit with DD-WRT radius server. There's less there than meets the eye. The certificate is generic and essentially meaningless. I'm not even sure what it does; possibly generic encryption. The user id / password combo is only basic; no certificate authentication. If user id / password is what you want, it's ok I guess. If there's a way to get good user based encryption combined with id / password with DD-WRT or any equivalent setup that uses the router as the server, then I'd like to know how.

Also, on the PC, as I recall, you can override a lot of settings the radius server on the router asks for since the router does not enforce policy.

Turn off uPNP on your router. Now. Turn off all remote access settings you don't use.

For password security, Google how safe is my password and run a few of the testers that come up.

Study your router settings and look up the ones you don't understand. Asking for help on forums has limits and they aren't very wide.

Malware on your PC poses a greater threat than outside access getting in. The malware will open the door no matter how your router is set up. I use Sandboxie to browse and for email and my container is on a ram disk. Also Norton Internet Security, zemana paid version, and scan often with free Malwarebytes. Ccleaner daily keeps things tidy. Everything gets flushed except DishAnywhere and Slingbox cookies.

 

[deereynolds]

Wow.. Thanks for all of the great replies guys. I'm just gonna set it at wpa2 with AES and be done with it. I'll just leave the SSID names visible, I feel if its hidden people would think I have something to hide.

I'll put all of my wifi devices on the guest network with no access to intranet. All expect for my Nvidia Shield, which is the reason I got this router. It runs awesome by the way. Its a beautiful thing to be able to Stream all of my Steam games around the house.

 

[RogerSC]

Wow.. Thanks for all of the great replies guys. I'm just gonna set it at wpa2 with AES and be done with it. I'll just leave the SSID names visible, I feel if its hidden people would think I have something to hide.

I'll put all of my wifi devices on the guest network with no access to intranet. All expect for my Nvidia Shield, which is the reason I got this router. It runs awesome by the way. Its a beautiful thing to be able to Stream all of my Steam games around the house.

Well, I doubt that anyone would care if you "hide" (don't broadcast) your SSID, neighboring networks without SSID's show up in all my client wireless network lists.

You can feel secure using WPA2/AES with a strong (not guessable by googling or knowing you) password. As has been said, the main effect of hiding your SSID is that your clients may have problems, and you'll have to do more work.

Glad that you ended up in a good place after all these posts *smile*.

 

[poisonbroke]

The number one thing to do to protect your router is to turn WPS off!!
Every new Xfinity router has WPS on by default.
I can crack your password in under 10 seconds with my little Aspire laptop running Linux and using a Reaver with Pixy attack.
There is no brute force required! Hiding your SSID wont help, changing the routers password wont help, WPA2/AES or TKIP doesn't matter....
It doesnt matter how long your password is.... I'll have it in 10 seconds!
TURN OFF WPS!!!!!!!

 

[sfx2000]

The number one thing to do to protect your router is to turn WPS off!!
Every new Xfinity router has WPS on by default.
I can crack your password in under 10 seconds with my little Aspire laptop running Linux and using a Reaver with Pixy attack.
There is no brute force required! Hiding your SSID wont help, changing the routers password wont help, WPA2/AES or TKIP doesn't matter....
It doesnt matter how long your password is.... I'll have it in 10 seconds!
TURN OFF WPS!!!!!!!

Many routers/vendors have sorted out the Reaver Attack on WPS, but generally... don't count on it.

Don't run WPS - turn if off in your Router/AP, and check with Vendors to ensure you have current Firmware...

 

[sfx2000]

My question is.. Should I be paranoid about any intrusions? I'll be using wpa2 with 64 character key. But I'll have the WiFi on 24/7, all of my PCs will be on the same network and that worries me a little.

Am I crazy? What are the chances of anyone cracking it and getting in? And besides for using WPA2 and the latest Merlin build is there anything else I should do to secure the wireless

WPA2, strong keys, you'll be fine... on the wireless side...

on the router, be very careful what services/ports you have open there.

If your router has WPS/Single Session keying, etc... turn it off

And if you don't need uPNP, disable it - one can always port forward specific services...

And everyone knows by now... A Router is not a NAS, so if you're worried about Network/Data security, don't share a USB/eSATA drive on your router...

 

[sfx2000]

Yes. Disabling SSID broadcast (in the beacon packets) makes it hard for your clients to work - you have to manually tell the clients what the SSID is if they don't have it.

The SSID is sent in other packets so as said, one with motive and proximity can get the SSID. With WPA2/AES, the SSID value is of no real use.

And for what it is worth - the clients will disclose the SSID's they're searching for - hidden or not, and with smartphones/tablets/laptops, it's every SSID they've ever attached to, along with the MAC address of the AP...

So, someone sitting in a coffee shop, with the right tools, they'll know where you've been, based on what your WiFi client is asking for - hidden or not...

sfx