RE: Wireless Security for Home Users
From: Snow, Corey (csnow@deltadentalwa.com)
Date: 09/04/02
- Previous message: Stefan Osterlitz: "Re: MS Exchange web interface."
- Maybe in reply to: Tony Brisco: "Wireless Security for Home Users"
- Next in thread: Michael Osten: "RE: Wireless Security for Home Users"
- Next in thread: Chris Santerre: "RE: Wireless Security for Home Users"
- Reply: Michael Osten: "RE: Wireless Security for Home Users"
From: "Snow, Corey" <csnow@deltadentalwa.com>
To: "'Tony Brisco'" <tony_brisco@yahoo.com>
Date: Wed, 4 Sep 2002 09:54:17 -0700

Well, I'm not entirely certain what you mean by securing it over cable
modem, but the things to do with WLAN connections:

Use WEP. It's not perfect, but it's a heckuva lot better than nothing.
Use 128-bit WEP if your equipment supports it. If it doesn't, look into
firmware updates from your vendor. Just using WEP will cause about 95% of
the casual wardrivers to pass you by; there's always an unencrypted network
to snoop just up the street.

Use any vendor-specific security improvements available to you. For example,
I believe if you use a 3Com WAP and 3Com client cards, there are some
higher-security options than straight WEP available to you. If, like me, you
have a different vendor for your client WLAN card than your WAP, you're
probably stuck with straight WEP. (Do some research as well. Check out the
various wireless LAN sites, and google around a bit.)

Change your WEP keys on a regular basis. Even if it means typing them in
manually. Since this is a home network, you probably don't need to do it for
a bunch of machines.

DO NOT, and I repeat: DO NOT put your WAP on your network directly! This is
security suicide, and I don't care how many layers of encryption you put on
it. If it's directly on your network, you're done for. Put it on a DMZ of
some type, and assume that everything coming from that DMZ is suspect. I
have a 3-tier system on my home network, like so:

Internet---DSLRouter---Firewall---DMZ---Firewall---Internal
                                   |
                                   |
                                  WAP

On my firewall(s), I have some very specific rules about what traffic is
allowed in from the segment the WAP point lives on- that is, very, very
little. And even that is only enough to establish a more secure connection,
which is subject to only very slightly higher privilege levels. I also
recommend the use of tools like SSH to add an additional layer of security
to your WLAN sessions.

You may not have or need a large system like the one above, but you should
definitely keep a WAP off your internal network. Use an old box (even a 486
DX2/66 will do), throw FreeBSD and a couple of old NICs in it, and you've
got a nice, cheap firewall.

Remember, nothing prevents someone from associating with a WAP or simply
listening to the traffic it broadcasts passively. I have built, just for
grins, a directional antenna that lets me use a laptop to pick up and sniff
WAP signals from over 1/2 mile away. If I had used more precision tools, I
could probably do it from 2 miles. I did this because it amused me. There
are people who will do it to attack you. Wireless is cool, but it's a major
security risk if you don't do it right- and the reason wardriving is so
popular is because almost no one does.

Corey M. Snow- csnow@deltadentalwa.com
I don't speak for my employer.

> -----Original Message-----
> From: Tony Brisco [mailto:tony_brisco@yahoo.com]
> Sent: Tuesday, September 03, 2002 9:34 AM
> To: security-basics@securityfocus.com
> Subject: Wireless Security for Home Users
>
>
>
> Hello everyone,
>
> What would be the must do things to secure my home
> wireless connection over cable modem ?
>
> Thanks,
> Tony Brisco.
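
The inner-firewall policy described in the message above (almost nothing allowed in from the WAP segment, only enough to start an SSH session), written as a pf.conf for the FreeBSD box. This is an added example, not part of the original post or the author's own configuration. The choice of pf, the interface names, the subnets, the single SSH host and the rule letting internal hosts out are all assumptions.

```pf
# Added example: pf.conf for the firewall between the DMZ and Internal.
# Every name and address here is a constructed assumption.
dmz_if   = "fxp0"              # NIC on the DMZ segment the WAP lives on
int_if   = "fxp1"              # NIC on the internal network
dmz_net  = "192.168.50.0/24"   # constructed DMZ/WLAN subnet
int_net  = "10.0.0.0/24"       # constructed internal subnet
ssh_host = "10.0.0.10"         # the one internal host that accepts SSH

set block-policy drop          # drop silently, send no RST/ICMP to the WLAN side
set skip on lo0

# Default deny in both directions; log what is dropped so that probes
# from the wireless segment show up on the pflog0 interface.
block log all

# Treat the DMZ as suspect: drop anything arriving on the DMZ NIC whose
# source address is not inside the DMZ subnet.
block in log quick on $dmz_if inet from ! $dmz_net to any

# The only flow allowed out of the WAP segment: a new TCP connection to
# port 22 on one internal host. Forwarded traffic needs a pass rule on
# the way in and another on the way out.
pass in  quick on $dmz_if inet proto tcp from $dmz_net to $ssh_host \
    port 22 flags S/SA keep state
pass out quick on $int_if inet proto tcp from $dmz_net to $ssh_host \
    port 22 flags S/SA keep state

# Assumption: internal hosts may open connections outward. Replies come
# back through the state table, so no inbound rule is opened for them.
pass in  on $int_if inet from $int_net to any keep state
pass out on $dmz_if inet from $int_net to any keep state
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which catches syntax errors before the policy goes live.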