
For Security, My Wi-Fi Access Point Relies On:

Displaying poll results.
No encryption
  1859 votes / 5%
WEP
  2992 votes / 8%
WPA
  2423 votes / 6%
WPA2
  23447 votes / 64%
MAC address filtering
  2843 votes / 7%
Signal blocking / proximity
  304 votes / 0%
BRB, Feds are knocking
  2490 votes / 6%
36370 total votes.
  • Don't complain about lack of options. You've got to pick a few when you do multiple choice. Those are the breaks.
  • Feel free to suggest poll ideas if you're feeling creative. I'd strongly suggest reading the past polls first.
  • This whole thing is wildly inaccurate. Rounding errors, ballot stuffers, dynamic IPs, firewalls. If you're using these numbers to do anything important, you're insane.
This discussion has been archived. No new comments can be posted.

  • Multiple? (Score:4, Insightful)

    by YttriumOxide (837412) <yttriumox&gmail,com> on Friday April 29, 2011 @07:21AM (#35973350) Homepage Journal
    Mine relies on WPA2 _AND_ MAC Address Filtering... as I would expect many others do as well. I know, I know, don't complain about the options, but this just feels like it should be checkboxes rather than radio buttons.
    • by adamofgreyskull (640712) on Friday April 29, 2011 @07:29AM (#35973408)
      Yeah, this. Also, the Feds are knocking...BRB.
    • Re:Multiple? (Score:5, Insightful)

      by moonbender (547943) <moonbender@NOsPaM.gmail.com> on Friday April 29, 2011 @07:36AM (#35973454)

      Eh. Why bother? Anybody who is able to hack your WPA2 password will easily be able to change their MAC address to a valid one. They're already sniffing your network, after all. The upside is a false sense of added security, the downside is a false sense of added security and more work when setting up new wireless devices.

      • Re: (Score:3, Interesting)

        by YttriumOxide (837412)

        Eh. Why bother? Anybody who is able to hack your WPA2 password will easily be able to change their MAC address to a valid one.

        Primarily historical reasons. I used to use WEP only, but after moving from a separate house to an apartment building, I added MAC filtering due to the weaknesses of WEP. After upgrading my router, I switched to WPA2, but kept my filtering out of habit. WPA2 is certainly MUCH more secure than WEP, but nevertheless it is still crackable, and so adding just one more layer of security doesn't hurt.

        I'm aware MACs can be spoofed as well, and it's really not so difficult to do so, but I'm pretty much under the

        • If there's a WEP network in sight, they're going to go after that anyway. They have no way to determine in advance that you're using MAC filtering, so the decision to go after your network or someone else's really isn't affected by it.

      • by gr8dude (832945)

        Simple - security in depth.

        • by geekoid (135745)

          Actually it's more like security in breadth. If they can get past WEP, they can spoof your MAC.

      • by BeanThere (28381)

        Security is a probability with a very broad range, not a binary 'yes/no' 'secure / not' value. Each additional layer of difficulty lowers the probability that someone will bother. Simple analogy, having two padlocks on your door. Yes someone who "really wants to get in", will easily be able to cut through those padlocks. But chances are, they'll just break in to your neighbors instead, who have zero or one padlocks.

        • Except one is a padlock (WPA2) while the other is a piece of string you only notice after you've already broken the padlock. You're not going to break another padlock, you're just going to cut the piece of string.

      • by bb5ch39t (786551)
        I generally agree with you. But, unless I am specifically targeted, I only need to be more difficult than average to discourage most thieves. Like one person said: "I don't need to outrun the cheetah! I only need to outrun YOU!"
      • by blair1q (305137)

        Yes. Total pain in the ass when dealing with stuff that's plug-and-play in a home-theater system. The encryption is either sufficient or it's time to do yet another turn on Wi-Fi encryption methods.

        I also have my router set up to use both a secure non-broadcast SSID, which the router then uses to allow access to both the Internet and my internal network, and a broadcast SSID, which only gets Internet access, but still uses WPA2. So my entertainment gear is dirt-simple to connect, but slightly less secure

    • Re:Multiple? (Score:5, Interesting)

      by AliasMarlowe (1042386) on Friday April 29, 2011 @09:07AM (#35974262) Journal

      Mine relies on WPA2 _AND_ MAC Address Filtering... as I would expect many others do as well. I know, I know, don't complain about the options, but this just feels like it should be checkboxes rather than radio buttons.

      Also multiple: WPA2 + MAC filter + proximity. I've arranged the wireless field geometry with a single directional antenna such that it covers the relevant parts of the house, but is not detectable outside the house, and is utterly undetectable outside our property (which extends 20-50 meters on all sides of the house).

      • I'm curious... how do you do that? That doesn't sound like a bad idea at all if your speed doesn't suffer from it.

        • I'm curious... how do you do that? That doesn't sound like a bad idea at all if your speed doesn't suffer from it.

          Well, you have to get the directional antenna (flat patch antenna [wikipedia.org]) for the router and discard its planar antennae (usually rod shaped). In my case, the router is in a bottom corner of the house, and the antenna is aimed at the opposite upper corner, or a bit above it, actually. The field does not cover the whole house, but it covers the parts that matter for wireless with good signal strength and high speed.

          Directional antennae are imperfect, but the positioning of the antenna can help attenuate sideways

        • Re:Multiple? (Score:5, Interesting)

          by Doctor Memory (6336) on Friday April 29, 2011 @12:33PM (#35976880)

          I got this capability for free in my old house. It had a stucco exterior, and the stucco was applied by troweling it over a metal mesh that had been affixed to all the exterior walls. All I had to do was run a piece of wire from the mesh (exposed at one corner where a rock thrown by the lawnmower had whacked it) to the ground rod of my electrical service. Actually, I'm not totally sure I even needed to do that (I didn't check before I did it) but I was never able to detect a signal from my router anywhere in my yard. Just don't ask about my cell phone signal coverage...

    • This is a slashdot poll, you insensitive clod!
    • by SheeEttin (899897) <sheeettin@g[ ]l.com ['mai' in gap]> on Friday April 29, 2011 @10:54AM (#35975556) Homepage

      radio buttons

      Ha! Ha! Radio buttons! Get it? Because we're talking about WiFi?

      I'll just leave quietly...

    • by kent_eh (543303)
      Agreed. (on the radio button VS check box issue)
      Also, I use both methods that you do, in addition to physical location/shielding to keep my WiFi tamed.
  • OpenVPN (Score:5, Insightful)

    by Anonymous Coward on Friday April 29, 2011 @07:22AM (#35973356)

    I use OpenVPN for authentication & encryption, you insensitive clod!
    (because my rather old Access Point doesn't support WPA2)

  • Slightly paranoid.

    • by Zarhan (415465)

      You are aware that WPA2 is 802.1X, right (+ extra signaling for setting up encryption keys with EAPOL-Key messages)?

  • None..... (Score:5, Funny)

    by realsilly (186931) on Friday April 29, 2011 @07:51AM (#35973538)

    I use someone else's WiFi.

    • The local infrastructure monopoly wanted a huge check to install ADSL at our place (moved in in September 2010). So I "temporarily" connected to one of the neighbors' open routers, and just haven't gotten around to checking out the alternatives yet. I probably never will, this is the most reliable internet service that I've ever had. Whenever my primary neighbor's internet goes out, I connect to another neighbor on a different infrastructure. And it's all free.

  • DHCP (Score:3, Interesting)

    by sven_eee (196651) on Friday April 29, 2011 @08:07AM (#35973676)

    My DHCP gives out 127.0.0.1 as DNS and Gateway. It has proven to be a very effective way of fending off script kiddies. For the bigger kiddies I have a few other little surprises ;)

    • Do you simply have a select group of websites you visit with a local DNS cache or something? I'm not exactly a network guru, so I'm curious about what you're doing.
      • by oneiros27 (46144)

        He'd just have to manually set them when setting up the connection (once per device), rather than let them be discovered via DHCP.

        If he's using the 10 block, he could select something really easy to remember. (although, I'd avoid 10.1.1.1 or 10.1.1.254 ... or set those up to do something interesting)

        • Ah, that makes sense. Thanks for the info; networks are not my strong point, but I'd love to learn more.
    • by blair1q (305137)

      If they're utter script-kiddies, maybe, but anyone who's wardriving is probably running an app that shows them the configs they're getting, and that'll glare like what's under Donald Trump's rug.

  • I have had so much use over the years from other people's Wifi I'd hate to deny someone else that.

    All the stuff on my LAN is encrypted - sshfs, email with TLS, jabber server uses encryption.

    I'm well aware that it's possible to sniff unencrypted traffic but anything worth protecting has encryption. A sniffer might be able to get my slashdot login but it's not something I'm bothered about. I'm also quite a bit from the road but google streetview still managed to pick up my AP
    • by doti (966971)

      You can use WPA2 and set "password is 314159" as the access point name.

  • No SSID broadcast. Plus WPA2
    • No SSID broadcast. Plus WPA2

      I used to do this, but Windows XP laptops often seemed to have sporadic trouble maintaining a connection when the SSID wasn't broadcast - so I turned SSID broadcast on.

      Now that I think of it, though, my wife's switched to a Mac - I guess I could turn it back off if I cared enough to spend the 30 seconds needed... if my friends have trouble with the signal, that's not such a big deal.

  • I hide my SSID, so that nobody knows the network exists. No fumbling around with encryption! ;)

    Seriously though, I hate it if people hide the SSID. It doesn't achieve any security and just causes hassle in setting up the clients. WPA2 is all you need.

  • We use EAP-TTLS for 802.1x authentication.
    After authentication is complete, EAP-TTLS creates dynamic WEP keys that are different for each user and for each session. These dynamic WEP keys keep changing -- new keys are requested every 10 minutes. So if a hacker cracks the WEP key in 2 minutes he only has 8 minutes to use the key.

  • I have no wi-fi you insensitive clod.
  • During the day, WPA2 is protecting our wifi network at the office. But when the last guy leaves, he turns off the router using a remote that also turns off the lights. The first guy to come in the next morning, turns both the lights and the wifi back on again. There's no better security than being offline.
    • by Lumpy (12016)

      You know that most decent APs have radio scheduling to do this automatically?

      • by jeffmeden (135043)

        You know that not everyone works on an exact schedule, right? Last thing I need to hear is "It's 6pm, I am trying to get some work finished, and the damn wireless went down!!! Fix it fix it fixit!" A user-activated switch tied to the lighting is a pretty elegant solution to the issue of how to know when someone is in the office and needs to use the wi-fi. Just be ready to drag a network cable out if you want to have a movie day in the office...

    • by repetty (260322)

      I like how your security depends, in part, on your janitor.

  • The Wireless device is hanging off of the firewall and inbound traffic is limited to traversing the connection out to the Internet. Devices on the WiFi don't have access to internal devices.

    [John]

    • My router does that automatically. Indeed, I can't get it not to work that way. It gets a bit tiresome to tunnel everything by ssh, but I guess that is the only way to be safe...

  • In addition to the first two, I have the router set up to assign DHCP addresses within a certain range and no more. So, with 5 MAC addresses in the DHCP table, there's no need to even leave the possibility of assigning more than 5 IP addresses. Every MAC in the table gets the same IP address every time and no other machine can ever get an IP address even if I turn off MAC filtering. It means if I want to add another system to the network I have to fiddle with the router a bit more, and in my case it's paran

  • Signal/RF shielding and control.

    If you can't receive the signal you can't hack it.

  • I have unfortunately been using WEP because the signal quality vs data encryption with WPA2 causes constant connection loss when on Windows 7. If I wanted a stable connection, I literally have to open up Windows XP Mode and use that instead. If I'm in native W7, my samba sharing drops like flies every time I try to transmit more than a couple megs, and my streaming connections cut out frequently as well. For whatever reason, WEP seems to be more fault tolerant than WPA2, at least as far as W7 is concerne
  • The "radio off" switch and CAT5

    (when I can keep CAT4-legged from playing with the CAT5)

    • by H0p313ss (811249)

      (when I can keep CAT4-legged from playing with the CAT5)

      Tell me about it, I recently noticed that half of my spare patch cables had been chewed by the new kitten.

      • by bb5ch39t (786551)
        Bitter Apple on the cable? Usually works with puppies. I don't know about cats. They're so perverse that they'd probably enjoy it.
  • Due to the Nintendo DS' horrible compatibility, I'm limited to WEP. Though, I'm not broadcasting the SSID and the network is hidden, so that should be enough.

  • For historical reasons, I still use a non-broadcast SSID and MAC filter, from the old WEP days when I still had a few Palm(tm) devices that couldn't do WPA2. I've since upgraded to WPA2, and kept the other bits -- I'm not totally convinced the non-broadcast and MAC business are useless, I think it makes me a harder target than my neighbors.

    But, I also have additional secondary features, which I thought were just obvious -- a nondefault admin password on the AP, and a set-up where the AP's HTML config page i

  • Although yesterday we were told it is the socially responsible thing to do to leave your router open so anyone can use your bandwidth for free and allow you to pay for it out of the goodness of your heart, I still block my router, including MAC address filtering. I know that theoretically all you hot shots can break it, but will you bother? Let's just say you're in an apartment house where everyone has Wi-Fi. Some people will encrypt and lock down as much as they possibly can. Others won't have the foggiest

  • The latter used when I'm not actually online. It's completely immune to remote attacks.

  • MAC filtering only. (Score:4, Interesting)

    by MtlDty (711230) on Friday April 29, 2011 @01:45PM (#35977858)

    MAC filtering to keep the casual public away (and to stop well meaning neighbours from accidentally latching onto my network). Absolutely do not use encryption though. I've been doing this for years in the hope that if it comes down to it, I have a loophole from any legal issues that land on my doorstep.

  • For security reasons, I prefer to channel the wireless signal through these great flexible waveguides I found. The ends LOOK like they're phone jacks, but the Geek Squad guys assured me they were in fact advanced security caps.

  • I have a relatively old laptop and an equally old AP. Neither supports WPA2. A little research seemed to indicate setting up a RADIUS server and using SSL certificates was a viable option. What I did and how I did it can be found here [davenjudy.org] and here [davenjudy.org].

    Cheers,
    Dave
  • While my cables probably emit enough RF for a seriously dedicated snooper to receive my internal network traffic, I have not been able to identify a means to inject packets through the shielding (disrupt, yes), so I rely on the cable shielding to protect myself.

    The actual WAP is additionally protected by being isolated from a source of power, my wired network, and static discharge by remaining in its anti-static bag, inside the box it came packaged within, since I cannot otherwise ensure its security.

  • Kinda related to proximity, but my nearest neighbor is a mile away and there's no major roads for 3 miles...

  • My closest neighbor is too far away to get on my WiFi (and they have their own anyways). Where I live you'd have to pull into my driveway to get on my WiFi, since you'd otherwise get clobbered by speeding traffic if you tried to use it from the road.

    On the wired side, everything is secure, so all someone would be able to do if they got on to my wireless network is see the outside world, and print to my ancient laserjet 4 (assuming it is turned on, which it rarely is).

    So I guess it is "almost" proximity
  • I use 'hide SSID' (stops casual browsers), can't use Admin over wireless, WPA2 and MAC address filtering, and I check who/what has been connected recently. Just a little bit paranoid, but not ready for a white coat.
