Wireless Security

Brandon

This is something that I've always found to be a big topic, as such I'm wondering what everyone else's thoughts are.

I've had a few friends that kept the mentality "They can get in anyway, might as well leave it wide open". That's never sat well with me, I do know that nothing is unbreakable in terms of wifi security, but it does stop the majority of net-stealing torrenters.

What do you guys do for SOHO wireless security? I'm in the health insurance area of work, so I'm of the overly paranoid, until recently, wireless didn't touch our network.

Our current setup has our internet coming into a Cisco ASA firewall, which splits it into three LANs. One of which is a DMZ set aside only for wireless. This gives direct access out to the internet, as well as to the ASA's SSL VPN setup. Using the VPN is the only way to reach the inside network from the DMZ.

This has the downside of majorly cutting down throughput because you're taking a double hit on data encryption.

The up side, that hit is still faster than connection using a secondary internet connection via DSL/Cable.

I use this same method in my home, only with an ASA5505.

My question, what do you guys feel safe with?
 
One cool feature of high-end APs is the ability to have multiple SSIDs going into multiple VLANs. I like to set up an open-access SSID that gives internet access (still ACL'd, but hey), and then another that isn't broadcast, with a much higher encryption...WPA/WPA2 with either PSK or RADIUS. This provides the protected route, especially with WPA2... And it saves having to ensure clients have VPN. But depending on the implementation, it may take a better wireless client than the built-in Windows one.

Tam
 
Thoughts are.....for business...put in what you feel is good. For healthcare and businesses with other important information....top notch wireless security is good. What I've used for my healthcare clients...is Sonicwall's WiFiSec. Their SonicPoint G access point hangs off of their main TZ box..and is managed by it. Wireless clients attach to the SSID..which..amusingly..I have it wide open..not secured, because they use PDAs which only support B..not G. The SonicPoint puts wireless clients into a different subnet...and it has zero access to any network resources yet..including internet. Think of it as a padded room.

Next...the PDAs and laptops must launch Sonicwalls Global VPN client..which is an IPSec VPN client...they authenticate...and then are given access to the network resources I have made for them in the rules.

For home? I know people get all sorts of paranoid...I guess look at what/who is surrounding you, and base it on that. At my old house...one neighbor of mine was the director of IT at a college, he had his own secured internet...and was 60+ years old, not a prankster in my book. 3x other neighbors were all widowed ladies above their 70s. I could have run open and been carefree....but I just did WPA.

Where I am now..I still do WPA, I don't think there's anyone nearby that I'd have to worry about.

For home networks...my advice for people...at the very least..make your SSID unique. So many wireless networks out there keep the default SSID...such as Linksys or Netgear. I've seen situations where there was more than 1x SSID in the same neighborhood of the same name. The lady said her husband couldn't print to her shared printer. His office was on the back of the house...he actually attached to his neighbor's "Linksys" network by honest mistake...so naturally since he wasn't connected to his "Linksys" network..he couldn't print across his network to his wife's shared printer. Case in point that "honest" people can latch onto neighbors' wireless networks also...by accident.

For home..also just put "some" measure of security in. As long as there is some measure of security in place...IMO 99.9% of the "freeloaders on your network" will stay out. WEP is basic, MAC filtering works somewhat, WPA is easiest to implement..and more secure...so why not go with the easiest that gives you a higher level of security.

Look at your neighbors...I'd wager if there are teenage boys nearby...sure..they may be into computers and perhaps have stumbled across some article on "How to crack WEP"..and may try to grind into your network just for kicks. In those cases..you may want at least WPA or WPA2. If worried a lot..change it frequently.

Another good rule to practice...never leave the admin password of your routers web admin the default one..make it a good one. Some kids actually do go around (I've seen this happen...and seen the results of this)...log into routers on open networks...knowing common default passwords...and go in and change settings on you.
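The checklist in the post above (unique SSID, something stronger than WEP or MAC filtering, a non-default admin password), written up as an added example audit script. This is not code from the thread or from any router vendor; the settings keys, the default-SSID and default-password lists, and the 12-character passphrase threshold are all constructed for illustration.

```python
"""Checklist audit of a home/SOHO access point's settings.

Added example for this thread (not code from the forum or any vendor).
It encodes the advice from the post above as checks over a settings
dict; the dict keys, the default-SSID list and the default-password
list are constructed for illustration.
"""

# Factory SSIDs (constructed list; the post names "Linksys" and "Netgear").
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "wireless"}

# Admin passwords commonly left at factory values (constructed list).
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}

# Weakest to strongest, in the order the post ranks them.
ENCRYPTION_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}

# Constructed threshold: WPA/WPA2-PSK accepts 8..63 characters, but a short
# passphrase is the weak point of PSK, so ask for more than the minimum.
MIN_PASSPHRASE_LEN = 12


def audit_ap(settings, min_encryption="wpa2"):
    """Return a list of (severity, message) findings; empty means clean.

    settings keys (constructed): ssid, encryption, passphrase,
    admin_password, mac_filtering.
    """
    findings = []

    ssid = settings.get("ssid", "")
    if ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append(("medium",
            f"SSID '{ssid}' is a factory default; a neighbour with the same "
            "SSID invites mis-association (the shared-printer story)"))

    enc = settings.get("encryption", "open").lower()
    if enc not in ENCRYPTION_RANK:
        findings.append(("high", f"unrecognised encryption mode '{enc}'"))
    elif ENCRYPTION_RANK[enc] < ENCRYPTION_RANK[min_encryption]:
        severity = "high" if enc in ("open", "wep") else "medium"
        findings.append((severity,
            f"encryption is '{enc}'; at least {min_encryption} is advised"))

    # MAC filtering "works somewhat": the client address is transmitted in
    # the clear and is chosen by the client, so as the only control it is
    # not really a control. Flag it when nothing else protects the network.
    if enc == "open" and settings.get("mac_filtering", False):
        findings.append(("high",
            "MAC filtering is the only access control on an open network"))

    passphrase = settings.get("passphrase", "")
    if enc in ("wpa", "wpa2") and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(("medium",
            f"passphrase has {len(passphrase)} characters; "
            f"use at least {MIN_PASSPHRASE_LEN}"))

    if settings.get("admin_password", "").lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append(("high",
            "router admin password is a factory default; change it"))

    return findings


def worst_severity(findings):
    """Collapse a findings list to a single grade: 'high', 'medium' or 'ok'."""
    levels = {sev for sev, _ in findings}
    if "high" in levels:
        return "high"
    if "medium" in levels:
        return "medium"
    return "ok"


if __name__ == "__main__":
    # Constructed sample configurations: one as shipped, one hardened.
    as_shipped = {"ssid": "linksys", "encryption": "open",
                  "admin_password": "admin", "mac_filtering": True}
    hardened = {"ssid": "brandon-home-a7", "encryption": "wpa2",
                "passphrase": "correct horse battery staple 42",
                "admin_password": "long-unique-admin-secret",
                "mac_filtering": False}
    for label, cfg in (("as shipped", as_shipped), ("hardened", hardened)):
        result = audit_ap(cfg)
        print(f"{label}: {worst_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

The ranking deliberately treats MAC filtering as a finding only when it is the sole control on an open network, which matches the post's "works somewhat": it is harmless on top of WPA2 but is not a substitute for it.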
 
I'll be honest, if I'm somewhere for a while, I'll often "borrow" wide open wireless routers (not downloading everything in sight, but bored web surfing).

It always kills me how many people keep default passwords on routers/access points.

That's usually where I stop, but oftentimes I wonder what else is unlocked/unpassworded. Even simple passwords on file shares make for protection. You can always tell the newcomers to the field.. after the Nimda.a virus, I won't go NEAR an open file share... *shudder*..
 
It always kills me how many people keep default passwords on routers/access points.

Yup....even if other network consultants set them up.

For home users....it can be expected...people aren't trained to assume the worst. But....

...not long ago...I was setting up a wireless network at a physical therapy office. There was a neighboring wireless network in the same plaza...at a well known "gym/workout club" chain. It was open...and shockingly...open peer to peer Windows shares...one labeled "Peachtree" (so we know there's accounting data there). Router..default password. And a PcAnywhere host....wide open. :eek: :rolleyes:
 
In my opinion,

The 'they're going to get in anyway' mentality is a lazy mentality. If you're 'just going to leave it wide open' then I sure hope the person who says that is not an IT person of any kind. That's like a Doctor saying 'well you're going to die eventually, so why bother with any treatment'. Lazy lazy lazy.

For me personally, over and above a properly secured network, the far bigger threat in my opinion is the human and social factor. You can have AES256+ encryption, IPSEC, 3DES, and all the security algorithms humming like a tune on your network, but it's all for nothing when your employees share their passwords. Let's face it, modern security and encryption algorithms are strong enough that when properly implemented they are virtually impossible to crack by any reasonable means. A strong 20+ character RNG'd AES256 hash would take hundreds of trillions of years to brute force crack even if you had the world's top 100 supercomputers at your disposal. For me, that's not what I would be losing sleep about.
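To carry the brute-force estimate in the post above through with concrete numbers, here is an added example; it is not from the thread. The keyspace sizes are exact, while the guess rate of one trillion per second is a constructed figure that only fixes the scale of the answer. It also goes a step beyond the post by answering the reverse question: how many random characters from a given alphabet are needed to match a 128-bit key.

```python
"""Carry a brute-force estimate through for concrete passphrase sizes.

Added example (not from the thread). Keyspace sizes are exact; the
guess rate is a constructed figure that only fixes the scale of the
answer. For WPA/WPA2-PSK every guess also costs a 4096-iteration
PBKDF2-HMAC-SHA1 derivation, so realistic rates against a PSK
passphrase are far below a raw key-test rate.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Alphabet sizes a passphrase may be drawn from (printable = 95 ASCII chars).
CHARSETS = {"digits": 10, "lowercase": 26, "alnum": 62, "printable": 95}


def keyspace(charset_size, length):
    """Number of distinct passphrases of the given length over the charset."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Equivalent key strength in bits of a uniformly random passphrase."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size, length, guesses_per_second):
    """Years to try every passphrase at a fixed guess rate (worst case)."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def symbols_needed(target_bits, charset_size):
    """Shortest random passphrase over the charset that reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def comparison_table(lengths=(8, 12, 20), guesses_per_second=1e12):
    """Map (charset name, length) -> years, for a quick side-by-side view."""
    return {(name, n): years_to_exhaust(size, n, guesses_per_second)
            for name, size in CHARSETS.items() for n in lengths}


if __name__ == "__main__":
    rate = 1e12  # constructed: one trillion guesses per second
    for (name, n), years in sorted(comparison_table(guesses_per_second=rate).items()):
        print(f"{name:>9} x{n:2d}: {entropy_bits(CHARSETS[name], n):6.1f} bits, "
              f"{years:10.3e} years")
    print("AES-256 key itself:", f"{2 ** 256 / rate / SECONDS_PER_YEAR:.3e} years")
    for name, size in CHARSETS.items():
        print(f"128-bit strength from {name}: {symbols_needed(128, size)} symbols")
```

The useful output is the last loop: a random passphrase needs 20 printable-ASCII characters, or 28 lowercase letters, to reach 128 bits, which is the number behind the "20+ character" figure. Note that the arithmetic assumes the passphrase is uniformly random; a dictionary phrase of the same length lives in a far smaller space, and that, not the cipher, is where PSK networks are weak.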
 
If you lock the front door of your home when you go out, knowing that someone could break a window. . . .

If you lock your car in a parking lot, knowing that someone could jimmy the lock or break a window. . . .

. . . then why wouldn't you secure your network just because some hypothetical super haxxor might make you his pet project?

The logic is no different.
 
If you lock your car in a parking lot, knowing that someone could jimmy the lock or break a window. . . .
A friend of mine actually never locks his car for this exact reason. He figures most thieves are only interested in stuff that's in the car, and not the car itself (where we live, this is about right). He reckons this method has at least saved him a smashed window or two. :D

(I don't really agree with him, but hey...:p)
 