DaemonForums  

Go Back   DaemonForums > Miscellaneous > General software and network

General software and network General OS-independent software and network questions, X11, MTA, routing, etc.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 10th August 2008
JMJ_coder JMJ_coder is offline
VPN Cryptographer
 
Join Date: May 2008
Posts: 464
Thanked 8 Times in 8 Posts
Default How secure are wireless home networks?

Hello,

Comparatively speaking, how secure is a wireless home network - say, in a residential area? Would more security measures need to be provided than with a wired network?
__________________
And the WORD was made flesh, and dwelt among us. (John 1:14)
Reply With Quote
  #2   (View Single Post)  
Old 10th August 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

This kinda sounds like homework.

Anyway, as you seem to have been living under a rock... most residential, and even commercial networks are vulnerable to attacks, most people buy a wireless router/access point, plug it in.. and assume that's all they had to do.

Many networks are unencrypted and have no sort of authentication system... but users aren't entirely at fault, the available encryption techniques are mostly insecure..

WEP, (Wired Equivalent Privacy) was cracked.. years ago, I believe it takes only seconds to find someones key these days.

WPA/WPA2, is a little better.. but I know very little about it...

I'm not an expert, I'm sure there are more qualified people here... up until recently I had no wireless equipment, I've setup a few AP's for fun.. with OpenBSD+authpf.

All unauthenticated traffic was.. served a bogus error page.
Reply With Quote
  #3   (View Single Post)  
Old 10th August 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

Quote:
Originally Posted by JMJ_coder View Post
Would more security measures need to be provided than with a wired network?
Yes, obviously... it's far easier to gain unauthorized access to a wireless network, you would notice someone walking into home and tapping into your Ethernet cables while munching on a twinkie and downloading illegal stuff.
Reply With Quote
  #4   (View Single Post)  
Old 10th August 2008
drhowarddrfine drhowarddrfine is offline
VPN Cryptographer
 
Join Date: May 2008
Posts: 358
Thanked 9 Times in 8 Posts
Default

Bruce Schneier, security expert, leaves his wide open saying he's not concerned. I don't know how many people would want to sit in their car outside my house stealing bandwidth, or that my neighbors know how to do that, but we're such bandwidth hogs ourselves that I just allow the MAC addresses for the 4 computers we own that use it.
Reply With Quote
  #5   (View Single Post)  
Old 10th August 2008
scottro's Avatar
scottro scottro is offline
Real Name: Scott Robbins
Spam Deminer
 
Join Date: Apr 2008
Location: NYC
Posts: 322
Thanked 31 Times in 25 Posts
Default

@bsdfan666--what if he's not munching a twinkie, how would I notice him?

My building has a couple of people with unsecured wireless networks--I remember once my wife sent a print job several times before we realized she'd lost connection to our LAN. I *really* hope that the unsecured network doesn't have a printer at 192.168.1.49 or whatever our printer IP is.
Reply With Quote
  #6   (View Single Post)  
Old 10th August 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts
Default

Quote:
Originally Posted by scottro View Post
My building has a couple of people with unsecured wireless networks--I remember once my wife sent a print job several times before we realized she'd lost connection to our LAN. I *really* hope that the unsecured network doesn't have a printer at 192.168.1.49 or whatever our printer IP is.
Though they are network printers, you do need to install the printer driver, unless they are the same brand and model (very unlikely), so dont worry

I personally use RADIUS at home and havent detected any break-in attempt so far, which means nobody gives a damn about my wireless
Reply With Quote
  #7   (View Single Post)  
Old 10th August 2008
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Thanked 112 Times in 104 Posts
Default

There are 3 or 4 wireless networks in my area, depending on signal strength of the most distant.... Only two use encryption and one of them is mine.


In regards to a "residential area" as you put it, I think it depends on the area. For example, where I am, let's just say bra size is larger then brain size for both sexes, computer geeks are more rare then finding rhodium in your backyard, peoples understanding of cracking follows Clarke's third law, which the've never heard of... And anyone smart enough to use tools to make it simple, are more then far enough displaced from here that I don't need to line my bedroom walls with RADAR absorbent material to feel safe.



In your area the inverse could be true, on you would know.



Compared to a wireless network, it's the same problem but in a very different way. If someone gets into your home, they can always unplug one of your computers and get on your network, even easier if your using DHCP. With a wireless network, they don't have to get physical access to your network in order to join it. "Wireless Equivalent Privacy" is just what it says it is, equivalent privacy to what you get over Ethernet/Token Ring systems (at least I assume so, since I've never used Token Ring). It's just enough security that the you have to 'want to' break in in order to do so. WPA/WPA2 and other methods provide tougher encryption but anything can be cracked given enough time and effort.


I'm not sure how many consumer wireless routers and AP allow you to place wireless clients in a separate virtual networks or not. But if your system can do so without interfering with your needs, you might look into it. Most consumer APs should allow you to restrict connections based on MAC (for what it's worth) /or segregate wireless clients off from the wired network, I would hope.



The problem with wireless is just that, it's wireless technology. Take what measures you can if you use it, and think carefully what you let pass. From my laptop to my AP, the wireless connection is encrypted and things 'of importance' that have to go across the wifi link are usually conducted via SSH, HTTPS, or likewise some encrypted protocol.



In the hopes of avoiding the "Hey wait, this isn't my network..." kind of situations. I configured my systems to only connect to my WLAN automatically and in the case of my laptop, I usually disable that automation when traveling, then encrypt the information in case of theft.
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote
  #8   (View Single Post)  
Old 10th August 2008
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,906
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by JMJ_coder View Post
Would more security measures need to be provided than with a wired network?
Besides the fact that cracking is relatively easy, there is nothing stopping anyone from sitting out in a parking lot with a stronger access point from serving bogus Web pages just to harvest account names & passwords.

So think twice about doing online banking while at the local coffee shop.
Reply With Quote
  #9   (View Single Post)  
Old 10th August 2008
scottro's Avatar
scottro scottro is offline
Real Name: Scott Robbins
Spam Deminer
 
Join Date: Apr 2008
Location: NYC
Posts: 322
Thanked 31 Times in 25 Posts
Default

@i8google2, yes, I know they'd have to have the same model printer, but sometimes, accuracy should be sacrificed for humor. As she was printing a Japanese document, it would have been even better.
Reply With Quote
Old 11th August 2008
JMJ_coder JMJ_coder is offline
VPN Cryptographer
 
Join Date: May 2008
Posts: 464
Thanked 8 Times in 8 Posts
Default

Hello,

Thanks guys. That's what I thought, but I started to doubt myself. The only use I would have for a wireless connection right now would be to be able to get a laptop and sit out on the deck while using it.

But, for now I guess I'll save the money on the laptop and just stick to a good 'ol RJ45 connection for the time being. Maybe in another year or two, I might reconsider.

Again, thanks for the input.
__________________
And the WORD was made flesh, and dwelt among us. (John 1:14)
Reply With Quote
Old 12th August 2008
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts
Default

ah, I'm always late to the party!

If you are running a wireless laptop to your LAN, establishing a VPN connection will get over the worries you may have with wireless hacks.

About checking your bank account at a coffee shop... if your online banking doesn't run over SSL, I wouldn't use it anywhere in the first place , but if does, you shouldn't have a real issue.
__________________
Network Firefighter
Reply With Quote
Old 12th August 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts
Default

Quote:
Originally Posted by ai-danno View Post
About checking your bank account at a coffee shop... if your online banking doesn't run over SSL, I wouldn't use it anywhere in the first place , but if does, you shouldn't have a real issue.
Im a bit suprised about this statement, given what you have posted in this forum, you appears to be an experienced sys admin(no offence). Dont even think about SSL >= security, access can be gained over SSL.
__________________
The power of plain text? It can control an entire OS

Last edited by 18Googol2; 12th August 2008 at 05:57 AM.
Reply With Quote
Old 13th August 2008
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts
Default

Quote:
Originally Posted by 18Googol2 View Post
Im a bit suprised about this statement, given what you have posted in this forum, you appears to be an experienced sys admin(no offence). Dont even think about SSL >= security, access can be gained over SSL.

No offense taken, in fact I appreciate the comment. But when you mention your wariness about SSL security, are you referring to a "man-in- the-middle" or attack? I think that those are do-able for sure, but I assume a low risk on them. Of course, low-risk is not no-risk, and I have not personally shopped online or done any online banking from a wireless hotspot. Also, the risk for a "man-in-the-middle" is also present on wired network paths, not just wireless, but again, the risk is low, and depends on the target website's implementation of SSL.

More to the point, I think that unless the site you are going to with sensitive information has properly implemented SSL (is completely SSL'd throughout the site and not just on authentication) then you shouldn't be visiting that site with sensitive information in the first place.

But if you are referring to something else... let me know. But my assumptions about SSL are that since it's encrypted traffic, and barring any insecure implementations of SSL, it's a secure way to communicate (aside from outlandish uber-hacker gangs and rogue governments... but if that's a realistic fear I wouldn't get online in the first place )

Here's a fun article about cracking SSL itself. I believe this refers to USA-export encryption, not domestic (which is stronger.) Here's another. This one is a more technical paper that describes the toughness of SSL.
__________________
Network Firefighter
Reply With Quote
Old 13th August 2008
lvlamb's Avatar
lvlamb lvlamb is offline
Real Name: Louis V. Lambrecht
Spam Deminer
 
Join Date: May 2008
Location: .be
Posts: 221
Thanked 25 Times in 24 Posts
Default

I have to backup fridder.
I already posted that there are enough default installed WiFi in a city neighbourhood to always get an Internet connection.
Stealing bandwidth? Well, if you leave your wallet for anyone to grab it, don't be surprised your cash will be gone.
Proper MAC address plus key authentification is just like keeping your wallet in your pocket.
Unfortunately, some ISPs will regularly "update" the modem settings as they want to remain "user friendly". Whatever you specify on ISPs modems should be checked on a regular basis.
"User friendly" meaning you are a Vista Home user, with the Windows firewall set and ISP provided Norton anti-virus installed, WiFi set as an access point for everybody including yourself as you are too stoopid to run WiFi-radar and get connected. Only objective, reduce phone support traffic.
__________________
da more I know I know I know nuttin'
Reply With Quote
Old 14th August 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts
Default

Quote:
Originally Posted by ai-danno View Post
No offense taken, in fact I appreciate the comment. But when you mention your wariness about SSL security, are you referring to a "man-in- the-middle" or attack? I think that those are do-able for sure, but I assume a low risk on them. Of course, low-risk is not no-risk, and I have not personally shopped online or done any online banking from a wireless hotspot. Also, the risk for a "man-in-the-middle" is also present on wired network paths, not just wireless, but again, the risk is low, and depends on the target website's implementation of SSL.

More to the point, I think that unless the site you are going to with sensitive information has properly implemented SSL (is completely SSL'd throughout the site and not just on authentication) then you shouldn't be visiting that site with sensitive information in the first place.

But if you are referring to something else... let me know. But my assumptions about SSL are that since it's encrypted traffic, and barring any insecure implementations of SSL, it's a secure way to communicate (aside from outlandish uber-hacker gangs and rogue governments... but if that's a realistic fear I wouldn't get online in the first place )
Yes, the attack over SSL is MiM (man in the middle). SSL itself is practically impossible to crack, but it doesnt mean you are safe when surfing with https sites at all. The MiM doesnt attempt to crack SSL, in stead, with bogus private & public keys, it pretends to be the trusted party (the https site) you are supposed to deal with. So, consequencely, you blindly give your private info to the bad guy.

I wouldnt say its a low risk. Believe it or not, it would take a script kiddie only ~5mins in total (including the time to download software) to finish every step needed to retrieve the password over SSL. Also, it requires zero technical knowledge. All you have to do is point and click as per instruction. If the program is widespread one day, it would be a disaster.
__________________
The power of plain text? It can control an entire OS

Last edited by 18Googol2; 14th August 2008 at 08:39 AM.
Reply With Quote
Old 14th August 2008
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts
Default

Quote:
Originally Posted by 18Googol2 View Post
Yes, the attack over SSL is MiM (man in the middle). SSL itself is practically impossible to crack, but it doesnt mean you are safe when surfing with https sites at all. The MiM doesnt attempt to crack SSL, in stead, with bogus private & public keys, it pretends to be the trusted party (the https site) you are supposed to deal with. So, consequencely, you blindly give your private info to the bad guy.

I wouldnt say its a low risk. Believe it or not, it would take a script kiddie only ~5mins in total (including the time to download software) to finish every step needed to retrieve the password over SSL. Also, it requires zero technical knowledge. All you have to do is point and click as per instruction. If the program is widespread one day, it would be a disaster.
With all due respect, I think you over-estimate the ease with which a MITM attack is conducted. Again, I don't argue that it's possible, or that it happens, just the probability that it's conducted on a regular basis, even at your local Starbucks. A hotel actually would be a better place to conduct such attacks, but even then, it's not that simple. The real weakness in all of this is the user's ability to surf intelligently (and as a result, securely.) But this is a another discussion entirely.
__________________
Network Firefighter
Reply With Quote
Old 18th April 2011
nilsgecko's Avatar
nilsgecko nilsgecko is offline
Port Guard
 
Join Date: Apr 2011
Location: Chicago, USA
Posts: 45
Thanked 0 Times in 0 Posts
Default Re: SSL

Quote:
Originally Posted by ai-danno View Post
No offense taken, in fact I appreciate the comment. But when you mention your wariness about SSL security, are you referring to a "man-in- the-middle" or attack? I think that those are do-able for sure, but I assume a low risk on them. Of course, low-risk is not no-risk, and I have not personally shopped online or done any online banking from a wireless hotspot. Also, the risk for a "man-in-the-middle" is also present on wired network paths, not just wireless, but again, the risk is low, and depends on the target website's implementation of SSL.

More to the point, I think that unless the site you are going to with sensitive information has properly implemented SSL (is completely SSL'd throughout the site and not just on authentication) then you shouldn't be visiting that site with sensitive information in the first place.

But if you are referring to something else... let me know. But my assumptions about SSL are that since it's encrypted traffic, and barring any insecure implementations of SSL, it's a secure way to communicate (aside from outlandish uber-hacker gangs and rogue governments... but if that's a realistic fear I wouldn't get online in the first place )

Here's a fun article about cracking SSL itself. I believe this refers to USA-export encryption, not domestic (which is stronger.) Here's another. This one is a more technical paper that describes the toughness of SSL.

I don't see where SSL would be considered insecure if properly implemented.
The biggest issue I would think is that it only authenticates from the Server
side, and doesn't authenticate the client. In other words, someone who can
gain access to your credentials (say online banking passwords etc) can
'authenticate' from anywhere since the session establishment is only one-way.

Also, as evidenced by the recent Comodo partner-hack, it can take some time before
a Certificate Authority finds out that a certificate has been issued by the
wrong hands....

SSL only works for TCP too, not UDP which as I understand it, things like VOIP
use.
Reply With Quote
Old 13th August 2008
fridder fridder is offline
Port Guard
 
Join Date: May 2008
Posts: 12
Thanked 0 Times in 0 Posts
Default

WEP=BAD NEWS, it is almost worse than leaving your network open because it gives a false sense of security. WPA/WPA2 is pretty dang good if you choose a good key. If you happen to get one of the 802.11n routers, be sure to enable security because the range on those things is much larger. perhaps I'm just paranoid, but I do live in an apartment and it is WAY to easy to hop onto someone's network. OH, and here is a nasty little story about businesses and wireless networks (from 2002 but stillcreepy)
Reply With Quote
Old 18th November 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,198
Thanked 182 Times in 149 Posts
Default

Or have a look at authpf http://netbsd.gw.com/cgi-bin/man-cgi?authpf++NetBSD-4.0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 19th November 2008
Oliver_H's Avatar
Oliver_H Oliver_H is offline
Real Name: Oliver Herold
UNIX lover
 
Join Date: May 2008
Location: Germany
Posts: 429
Thanked 26 Times in 22 Posts
Default

Point 2 and 6 are nonsense, myths of the net. WPA2 is good but if possible use VPN.
__________________
use UNIX or die :-)
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
how to secure my ftp? milo974 OpenBSD Security 3 4th August 2009 03:47 PM
Securing wifi networks with ipsec/ssh and openbsd Oko OpenBSD Security 4 16th April 2009 07:32 AM
Is this secure? Ungenious OpenBSD Security 4 30th November 2008 02:27 AM
I would like to secure a system kungfujesus OpenBSD Security 4 28th September 2008 04:30 PM
DMZ for two networks users... maurobottone OpenBSD Security 6 2nd June 2008 02:57 PM


All times are GMT. The time now is 01:40 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick