For Security, My Wi-Fi Access Point Relies On:
Displaying poll results. 36370 total votes.
Multiple? (Score:4, Insightful)
Re:Multiple? (Score:4, Funny)
Re:Multiple? (Score:5, Funny)
C'mon, everyone knows the feds don't knock anymore.
Re: (Score:2)
Re: (Score:3)
Well, unless they've taken to breaching the door with explosives
If you're gonna knock it down...might as well make it fun!
Re: (Score:3)
Yet U.S. Marshals are being killed once every so often as they serve warrants.
Why?
They knock on the door, and get shot through the thin door of the crappy place some scumbag lives in.
I propose a new federal entitlement program to provide the scumbags of America with sturdy doors.
Re: (Score:2)
I propose a new law against shooting federal marshals executing a warrant by knocking
What about my neighbor's? (Score:3)
Re:Multiple? (Score:5, Insightful)
Eh. Why bother? Anybody who is able to hack your WPA2 password will easily be able to change their MAC address to a valid one. They're already sniffing your network, after all. The upside is a false sense of added security, the downside is a false sense of added security and more work when setting up new wireless devices.
Re: (Score:3, Interesting)
Eh. Why bother? Anybody who is able to hack your WPA2 password will easily be able to change their MAC address to a valid one.
Primarily historical reasons. I used to use WEP only, but after moving from a separate house to an apartment building, I added MAC filtering due to the weaknesses of WEP. After upgrading my router, I switched to WPA2, but kept my filtering out of habit. WPA2 is certainly MUCH more secure than WEP, but nevertheless it is still crackable, and so adding just one more layer of security doesn't hurt.
I'm aware MACs can be spoofed as well, and it's really not so difficult to do so, but I'm pretty much under the
Re: (Score:2)
If there's a WEP network in sight, they're going to go after that anyway. They have no way to determine in advance that you're using MAC filtering, so the decision to go after your network or someone else's really isn't affected by it.
Re: (Score:3, Insightful)
There is no such thing as "secure" or "guaranteed to keep unwanted hackers out" when you are on the internet. The entire point of internet security can be summed up as "make it enough of a pain in the ass for unauthorized people to get in that it's not worth their time, without making it just as hard for authorized people."
When you understand that, then adding MAC filtering to WEP or WPA2 does actually add security, as long as you aren't regularly needing to add new users and devices to your network.
Re: (Score:3, Interesting)
Re: (Score:2)
Well... you're fortunate that the problematic family member didn't know how to spoof their MAC.
Re: (Score:2)
Interesting use of the word "fortunate" but I'm inclined to agree
Re: (Score:3)
Re: (Score:3)
MAC-filtering will weed out the barely competent wifi crackers from script-kiddie level wifi crackers.
The script kiddie will follow the script, but not be able to figure out why the script works so well with this guy, but they're not able to get any authentication packets or why when the wepcrack generates a key, there's still no response when they try it. I have yet to see a "script" that factors in MAC-filtering steps.
But how many WEP-script-kiddies are there in your neighborhood?
The only correct answer
Re: (Score:2)
Simple - security in depth.
Re: (Score:3)
Actually it's more like security in breadth. If they can get past wep, they can spoof your MAC.
Re: (Score:2)
Security is a probability with a very broad range, not a binary 'yes/no' 'secure / not' value. Each additional layer of difficulty, lowers the probability that someone will bother. Simple analogy, having two padlocks on your door. Yes someone who "really wants to get in", will easily be able to cut through those padlocks. But chances are, they'll just break in to your neighbors instead, who have zero or one padlocks.
Re: (Score:3)
Except one is a padlock (WPA2) while the other is a piece of string you only notice after you've already broken the padlock. You're not going to break another padlock, you're just going to cut the piece of string.
Re: (Score:2)
Re: (Score:2)
Yes. Total pain in the ass when dealing with stuff that's plug-and-play in a home-theater system. The encryption is either sufficient or it's time to do yet another turn on Wi-Fi encryption methods.
I also have my router set up to use both a secure non-broadcast SSID, which the router then uses to allow access to both the Internet and my internal network, and a broadcast SSID, which only gets Internet access, but still uses WPA2. So my entertainment gear is dirt-simple to connect, but slightly less secure
Re:Multiple? (Score:4, Insightful)
I'm arbitrarily responding to you instead of one of the other folks who made the same point. When someone goes to the lengths to hack a WPA2 network, MAC spoofing just isn't any kind of issue. Hacking a WPA2 network is moderately complicated, anybody who is able to do it is also able to change their MAC address. Worse, hacking the network is also moderately time-consuming, and if someone actually cracks the password, they're not going to want to throw away that work just because they need to change the MAC address: they've already done 98% of the work, they're not doing that again just to avoid the 20 seconds required to change their MAC. Chances are, they're modifying their MAC address anyway!
The "outrun you" argument really doesn't apply, because given two WPA2 networks, you don't know in advance which of them is going to require MAC spoofing, so that's not going to affect your evaluation which of them is easier to get into. Of course it works just fine when you've got WPA2 and your neighbours all run WEP, may god have mercy on their souls.
Re:Multiple? (Score:5, Interesting)
Mine relies on WPA2 _AND_ MAC Address Filtering... as I would expect many others do as well. I know, I know, don't complain about the options, but this just feels like it should be checkboxes rather than radio buttons.
Also multiple: WPA2 + MAC filter + proximity. I've arranged the wireless field geometry with a single directional antenna such that it covers the relevant parts of the house, but is not detectable outside the house, and is utterly undetectable outside our property (which extends 20-50 meters on all sides of the house).
Re: (Score:2)
I'm curious... how do you do that? That doesn't sound like a bad idea at all if your speed doesn't suffer from it.
Re: (Score:3)
I'm curious... how do you do that? That doesn't sound like a bad idea at all if your speed doesn't suffer from it.
Well, you have to get the directional antenna (flat patch antenna [wikipedia.org]) for the router and discard its planar antennae (usually rod shaped). In my case, the router is in a bottom corner of the house, and the antenna is aimed at the opposite upper corner, or a bit above it, actually. The field does not cover the whole house, but it covers the parts that matter for wireless with good signal strength and high speed.
Directional antennae are imperfect, but the positioning of the antenna can help attenuate sideways
Re:Multiple? (Score:5, Interesting)
I got this capability for free in my old house. It had a stucco exterior, and the stucco was applied by troweling it over a metal mesh that had been affixed to all the exterior walls. All I had to do was run a piece of wire from the mesh (exposed at one corner where a rock thrown by the lawnmower had whacked it) to the ground rod of my electrical service. Actually, I'm not totally sure I even needed to do that (I didn't check before I did it) but I was never able to detect a signal from my router anywhere in my yard. Just don't ask about my cell phone signal coverage...
Re: (Score:2)
Re:Multiple? (Score:4, Funny)
Ha! Ha! Radio buttons! Get it? Because we're talking about WiFi?
I'll just leave quietly...
Re: (Score:2)
Also, I use both methods that you do, in addition to physical location/shielding to keep my WiFi tamed.
OpenVPN (Score:5, Insightful)
I use OpenVPN for authentication & encryption, you insensitive clod!
(because my rather old Access Point doesn't support WPA2)
WPA2 + 802.1x + Certificate (Score:2)
Slightly paranoid.
Re: (Score:3)
You are aware that WPA2 is 802.1X, right (+ extra signaling for setting up encryption keys with EAPOL-Key messages)?
None..... (Score:5, Funny)
I use someone else's WiFi.
Re: (Score:3)
The local infrastructure monopoly wanted a huge check to install ADSL at our place (move in in September 2010). So I "temporarily" connected to one of the neighbors' open routers, and just haven't gotten around to checking out the alternatives yet. I probably never will, this is the most reliable internet service that I've ever had. Whenever my primary neighbor's internet goes out, I connect to another neighbor on a different infrastructure. And it's all free.
DHCP (Score:3, Interesting)
My DHCP gives out 127.0.0.1 as DNS and Gateway. It has proven to be a very effective way of fending off script kiddies. For the bigger kiddies I have a few other little surprises ;)
Re: (Score:2)
Re: (Score:2)
He'd just have to manually set them when setting up the connection (once per device), rather than let them be discovered via DHCP.
If he's using the 10 block, he could select something really easy to remember. (although, I'd avoid 10.1.1.1 or 10.1.1.254 ... or set those up to do something interesting)
Re: (Score:2)
Re: (Score:2)
If they're utter script-kiddies, maybe, but anyone who's wardriving is probably running an app that shows them the configs they're getting, and that'll glare like what's under Donald Trump's rug.
DHCP to annoy intruders, Manual Address for him (Score:2)
Most people's network connections are configured to use DHCP to get an IP address. He configures his manually on his own devices, so he's not using DHCP for himself; the DHCP is just there for annoying intruders. You could confuse them further by setting the DHCP to 127.0.0.2 (that's the laptop next to yours.)
None (Score:2)
All the stuff on my LAN is encrypted - sshfs, email with TLS, jabber server uses encryption.
I'm well aware that it's possible to sniff unencrypted traffic but anything worth protecting has encryption. A sniffer might be able to get my slashdot login but it's not something I'm bothered about. I'm also quite a bit from the road but google streetview still managed to pick up my AP
Re: (Score:2)
You can use WPA2 and set "password is 314159" as the access point name.
...Obscurity (Score:2)
Re: (Score:2)
No SSID broadcast. Plus WPA2
I used to do this, but Windows XP laptops often seemed to have sporadic trouble maintaining a connection when the SSID wasn't broadcast - so I turned SSID broadcast on.
Now that I think of it, though, my wife's switched to a Mac - I guess I could turn it back off if I cared enough to spend the 30 seconds needed... if my friends have trouble with the signal, that's not such a big deal.
Better method (Score:2)
I hide my SSID, so that nobody knows the network exists. No fumbling around with encryption! ;)
Seriously though, I hate it if people hide the SSID. It doesn't achieve any security and just causes hassle in setting up the clients. WPA2 is all you need.
Re: (Score:2)
I've seen 3 cases of problems with hidden SSIDs: one Android phone (although it connected without problem to different network with hidden SSID), one WinMo phone, and a Kobo.
Re: (Score:2)
Good idea in hiding the SSID.
Bad truth is, your clients have to actively probe exactly THAT SSID every few seconds if they're not connected to it. So they're trying to connect to it every time you're away from home, ie. airport, Starbucks, the mall, all places where you least want your device to send out *anything*.
If you've got more than one hidden SSID, the active probing the clients have to do gets increasingly ridiculous.
Dynamic WEP (Score:2)
We use EAP-TTLS for 802.1x authentication.
After authentication is complete, EAP-TTLS creates dynamic WEP keys that are different for each user and for each session. These dynamic WEP keys keep changing -- new keys are requested every 10 minutes. So if a hacker cracks the WEP key in 2 minutes he only has 8 minutes to use the key.
WPA2 + MAC filtering + VPN (Score:2)
Missing Option (Score:2)
I turn mine off (Score:2)
Re: (Score:2)
You know that most decent AP's have radio scheduling to do this automatically?
Re: (Score:3)
You know that not everyone works on an exact schedule, right? Last thing I need to hear is "It's 6pm, I am trying to get some work finished, and the damn wireless went down!!! Fix it fix it fixit!" A user-activated switch tied to the lighting is a pretty elegant solution to the issue of how to know when someone is in the office and needs to use the wi-fi. Just be ready to drag a network cable out if you want to have a movie day in the office...
Re: (Score:2)
I like how your security depends, in part, on your janitor.
WPA2, MAC and Firewall (Score:2)
The Wireless device is hanging off of the firewall and inbound traffic is limited to traversing the connection out to the Internet. Devices on the WiFi don't have access to internal devices.
[John]
Re: (Score:2)
My router does that automatically. Indeed, I can't get it not to work that way. It gets a bit tiresome to tunnel everything by ssh, but I guess that is the only way to be safe...
WPA2, MAC Filtering and DHCP limits (Score:2)
In addition to the first two, I have the router set up to assign DHCP addresses within a certain range and no more. So, with 5 MAC addresses in the DHCP table, there's no need to even leave the possibility of assigning more than 5 IP addresses. Every MAC in the table gets the same IP address every time and no other machine can ever get an IP address even if I turn off MAC filtering. It means if I want to add another system to the network I have to fiddle with the router a bit more, and in my case it's paran
Re: (Score:2)
Only secure one.... (Score:2)
Signal/RF shielding and control.
If you can't receive the signal you can't hack it.
WEP thanks to Windows 7 (Score:2)
Missing option... (Score:2)
The "radio off" switch and CAT5
(when I can keep CAT4-legged from playing with the CAT5)
Re: (Score:2)
(when I can keep CAT4-legged from playing with the CAT5)
Tell me about it, I recently noticed that half of my spare patch cables had been chewed by the new kitten.
Re: (Score:2)
no ssid = no target (Score:2)
Due to the Nintendo DS' horrible compatibility, I'm limited to WEP. Though, I'm not broadcasting the ssid and the network is hidden, so that should be enough.
Various secondary measures (Score:2)
For historical reasons, I still use a non-broadcast SSID and MAC filter, from the old WEP days when I still had a few Palm(tm) devices that couldn't do WPA2. I've since upgraded to WPA2, and kept the other bits -- I'm not totally convinced the non-broadcast and MAC business are useless, I think it makes me a harder target than my neighbors.
But, I also have additional secondary features, which I thought were just obvious -- a nondefault admin password on the AP, and a set-up where the AP's HTML config page i
Locks usually work even though you can break them (Score:2)
Although yesterday we were told it is the socially responsible thing to do to leave your router open so anyone can use your bandwidth for free and allow you to pay for it out of the goodness of your heart, I still block my router, including MAC address filtering. I know that theoretically all you hot shots can break it, but will you bother? Let's just say you're in an apartment house where everyone has Wi-Fi. Some people will encrypt and lock down as much as they possibly can. Others won't have the foggiest
WPA2+PowerSwitch (Score:2)
The latter used when I'm not actually online. It's completely immune to remote attacks.
MAC filtering only. (Score:4, Interesting)
MAC filtering to keep the casual public away (and to stop well meaning neighbours from accidentally latching onto my network). Absolutely do not use encryption though. I've been doing this for years in the hope that if it comes down to it, I have a loophole from any legal issues that land on my doorstep.
even better (Score:2)
For security reasons, I prefer to channel the wireless signal through these great flexible waveguides I found. The ends LOOK like they're phone jacks, but the Geek Squad guys assured me they were in fact advanced security caps.
Missing option: RADIUS (Score:2)
Cheers,
Dave
shielded (Score:2)
While my cables probably emit enough RF for a seriously dedicated snooper to receive my internal network traffic, I have not been able to identify a means to inject packets through the shielding (disrupt, yes), so I rely on the cable shielding to protect myself.
The actual WAP is additionally protected by being isolated from a source of power, my wired network, and static discharge by remaining in its anti-static bag, inside the box it came packaged within, since I cannot otherwise ensure its security.
Obvious missing option (Score:2)
rural isolation (Score:2)
kinda related to proximity, but my nearest neighbor is a mile away and there's no major roads for 3 miles...
None. (Score:2)
On the wired side, everything is secure, so all someone would be able to do if they got on to my wireless network is see the outside world, and print to my ancient laserjet 4 (assuming it is turned on, which it rarely is).
So I guess it is "almost" proximity
needs multi-choice (Score:2)
I use 'hide SSID' (stops casual browsers), can't use Admin over wireless, WPA2 and MAC address filtering, and I check who/what has been connected recently. Just a little bit paranoid, but not ready for a white coat.
Re: (Score:2)
Re: (Score:2)
And the signal modulated onto your powerline ethernet is protected from your neighbors how?
Did you think the modulated EM waves carrying your data are
a) traveling only to those parts of the line that are located inside your property
and/or
b) refusing to radiate off from all that definitively unshielded plain wiring inside your house?
Powerline is a security risk, if you ask me.
Re: (Score:2)
Are you sure about that? I think back in November when we hooked up the kids' new-to-them Wii, before the usb/ethernet adapter arrived from http://www.dealextreme.com/ [dealextreme.com] I thought we had it hooked up to the WPA2 wireless for a few months. Maybe yours needs an update?
Or maybe we used the adapter from the TiVo? I'm too lazy to go and fire it up to check to see if the WPA2 ability is there.
Re: (Score:2)
Nintendo DS and DS Lite don't support WPA. Wii, DSi and newer hardware does. I use WEP + MAC filtering for this reason. I know it's easy to crack but it means someone has to take an affirmative step that is unambiguously illegal if they want to use my network.
Re: (Score:2)
The Wii supports WPA2 just fine, as does the 3DS. The DS, DS Lite and DSi only support WEP.
Re: (Score:2)
Hmmm, that's interesting. My daughter got a DSi shortly after they came out, and when I tried to set up wifi on it I only saw an option for WEP. She still asks why she can't connect to the internet...
Re: (Score:2)
The Wii does WPA2. I assume you're talking about your DS, which will only do WEP? You can get a Nintendo USB adapter [wikipedia.org] for your DS wireless, and use WPA2 on your primary access point. Just make sure you run them on different channels. (You may have to get one used, depending on your country, as there have been lawsuits).
Pain in the arse, but it will work.
--
Toro
"Mario Freak Extraordinaire"
Re: (Score:2)
Create a separate wireless access point for your DS that uses WEP. Only allow a connection from the DS.
Re: (Score:2)
Re: (Score:2)
It's only the DS/DS Lite, as others have mentioned, but the really pathetic part is that even if you plug a WFC-capable DS game into a DSi/3DS, it STILL can't use WPA/WPA2! So it's not just that Nintendo was unable to support WPA2, they also apparently were completely unable to grasp the concept of hardware abstraction (i.e. the WEP part was apparently hardcoded into their SDK and compiled in as a part of every game, as opposed to just making calls to the OS to get an abstracted network socket).
Same thing
Re: (Score:2)
Nothing thwarts feds like 12 feet of primercord wrapped around the hard drives and triggered remotely.
"Yes sir, my friend's computer is in the basement... What was that noise? What's going on? What is that?"
Re: (Score:2)
SLOW!
CAT6 shielded FTW!
Re: (Score:2, Insightful)
This is trivial to get around.
Re: (Score:2)
I hope a WPA2 security key was set in that router's configuration?
Re: (Score:2)
I hope a WPA2 security key was set in that router's configuration?
Yes, it was set to "puppy".
Re: (Score:2)
You ought to be able to set up one of those computers to broadcast an access point.
Re: (Score:2)
Am I the only person with intelligent neighbors? There are five other APs receivable within my house (well, at least five that broadcast SSIDs), and all of them are encrypted and none of them are named "linksys" or "netgear".
Re: (Score:2)
Re: (Score:2)
I feel as lost as you on those threads. I have 3 networks around here (plus mine), and all of them are protected by WPA2. At my parents' house there are nearly a dozen of them, and all of them protected (well except for one, that uses WEP).
Re: (Score:2)
And WPA2 for the Mac? (double entendre intended).
Re: (Score:2)
Re: (Score:2)
That is simple to do. Get a password generation utility you can trust (KeePass, or Apple's password maker), create a 63 character string, save it to a USB flash drive, and paste it in the router config and machine configs.
Then every six-12 months, change it. Of course, someone who gets possession of the router, the USB flash drive, or one of the devices can glean the key from it, but this is pretty much as good as it gets for security unless you want to go with a RADIUS server and WPA2-Enterprise, or like
neato, turnkey! (Score:2)