DaemonForums  

Go Back   DaemonForums > Miscellaneous > General software and network

General software and network General OS-independent software and network questions, X11, MTA, routing, etc.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 10th August 2008
JMJ_coder JMJ_coder is offline
VPN Cryptographer
 
Join Date: May 2008
Posts: 464
Thanked 8 Times in 8 Posts
Default How secure are wireless home networks?

Hello,

Comparatively speaking, how secure is a wireless home network - say, in a residential area? Would more security measures need to be provided than with a wired network?
__________________
And the WORD was made flesh, and dwelt among us. (John 1:14)
Reply With Quote
  #2   (View Single Post)  
Old 10th August 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

This kinda sounds like homework.

Anyway, as you seem to have been living under a rock... most residential, and even commercial networks are vulnerable to attacks, most people buy a wireless router/access point, plug it in.. and assume that's all they had to do.

Many networks are unencrypted and have no sort of authentication system... but users aren't entirely at fault, the available encryption techniques are mostly insecure..

WEP, (Wired Equivalent Privacy) was cracked.. years ago, I believe it takes only seconds to find someones key these days.

WPA/WPA2, is a little better.. but I know very little about it...

I'm not an expert, I'm sure there are more qualified people here... up until recently I had no wireless equipment, I've setup a few AP's for fun.. with OpenBSD+authpf.

All unauthenticated traffic was.. served a bogus error page.
Reply With Quote
  #3   (View Single Post)  
Old 10th August 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

Quote:
Originally Posted by JMJ_coder View Post
Would more security measures need to be provided than with a wired network?
Yes, obviously... it's far easier to gain unauthorized access to a wireless network, you would notice someone walking into home and tapping into your Ethernet cables while munching on a twinkie and downloading illegal stuff.
Reply With Quote
  #4   (View Single Post)  
Old 10th August 2008
drhowarddrfine drhowarddrfine is offline
VPN Cryptographer
 
Join Date: May 2008
Posts: 358
Thanked 9 Times in 8 Posts
Default

Bruce Schneier, security expert, leaves his wide open saying he's not concerned. I don't know how many people would want to sit in their car outside my house stealing bandwidth, or that my neighbors know how to do that, but we're such bandwidth hogs ourselves that I just allow the MAC addresses for the 4 computers we own that use it.
Reply With Quote
  #5   (View Single Post)  
Old 10th August 2008
scottro's Avatar
scottro scottro is offline
Real Name: Scott Robbins
Spam Deminer
 
Join Date: Apr 2008
Location: NYC
Posts: 307
Thanked 31 Times in 25 Posts
Default

@bsdfan666--what if he's not munching a twinkie, how would I notice him?

My building has a couple of people with unsecured wireless networks--I remember once my wife sent a print job several times before we realized she'd lost connection to our LAN. I *really* hope that the unsecured network doesn't have a printer at 192.168.1.49 or whatever our printer IP is.
Reply With Quote
  #6   (View Single Post)  
Old 10th August 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts
Default

Quote:
Originally Posted by scottro View Post
My building has a couple of people with unsecured wireless networks--I remember once my wife sent a print job several times before we realized she'd lost connection to our LAN. I *really* hope that the unsecured network doesn't have a printer at 192.168.1.49 or whatever our printer IP is.
Though they are network printers, you do need to install the printer driver, unless they are the same brand and model (very unlikely), so dont worry

I personally use RADIUS at home and havent detected any break-in attempt so far, which means nobody gives a damn about my wireless
Reply With Quote
  #7   (View Single Post)  
Old 10th August 2008
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,888
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by JMJ_coder View Post
Would more security measures need to be provided than with a wired network?
Besides the fact that cracking is relatively easy, there is nothing stopping anyone from sitting out in a parking lot with a stronger access point from serving bogus Web pages just to harvest account names & passwords.

So think twice about doing online banking while at the local coffee shop.
Reply With Quote
  #8   (View Single Post)  
Old 10th August 2008
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Thanked 112 Times in 104 Posts
Default

There are 3 or 4 wireless networks in my area, depending on signal strength of the most distant.... Only two use encryption and one of them is mine.


In regards to a "residential area" as you put it, I think it depends on the area. For example, where I am, let's just say bra size is larger then brain size for both sexes, computer geeks are more rare then finding rhodium in your backyard, peoples understanding of cracking follows Clarke's third law, which the've never heard of... And anyone smart enough to use tools to make it simple, are more then far enough displaced from here that I don't need to line my bedroom walls with RADAR absorbent material to feel safe.



In your area the inverse could be true, on you would know.



Compared to a wireless network, it's the same problem but in a very different way. If someone gets into your home, they can always unplug one of your computers and get on your network, even easier if your using DHCP. With a wireless network, they don't have to get physical access to your network in order to join it. "Wireless Equivalent Privacy" is just what it says it is, equivalent privacy to what you get over Ethernet/Token Ring systems (at least I assume so, since I've never used Token Ring). It's just enough security that the you have to 'want to' break in in order to do so. WPA/WPA2 and other methods provide tougher encryption but anything can be cracked given enough time and effort.


I'm not sure how many consumer wireless routers and AP allow you to place wireless clients in a separate virtual networks or not. But if your system can do so without interfering with your needs, you might look into it. Most consumer APs should allow you to restrict connections based on MAC (for what it's worth) /or segregate wireless clients off from the wired network, I would hope.



The problem with wireless is just that, it's wireless technology. Take what measures you can if you use it, and think carefully what you let pass. From my laptop to my AP, the wireless connection is encrypted and things 'of importance' that have to go across the wifi link are usually conducted via SSH, HTTPS, or likewise some encrypted protocol.



In the hopes of avoiding the "Hey wait, this isn't my network..." kind of situations. I configured my systems to only connect to my WLAN automatically and in the case of my laptop, I usually disable that automation when traveling, then encrypt the information in case of theft.
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote
  #9   (View Single Post)  
Old 10th August 2008
scottro's Avatar
scottro scottro is offline
Real Name: Scott Robbins
Spam Deminer
 
Join Date: Apr 2008
Location: NYC
Posts: 307
Thanked 31 Times in 25 Posts
Default

@i8google2, yes, I know they'd have to have the same model printer, but sometimes, accuracy should be sacrificed for humor. As she was printing a Japanese document, it would have been even better.
Reply With Quote
Old 11th August 2008
JMJ_coder JMJ_coder is offline
VPN Cryptographer
 
Join Date: May 2008
Posts: 464
Thanked 8 Times in 8 Posts
Default

Hello,

Thanks guys. That's what I thought, but I started to doubt myself. The only use I would have for a wireless connection right now would be to be able to get a laptop and sit out on the deck while using it.

But, for now I guess I'll save the money on the laptop and just stick to a good 'ol RJ45 connection for the time being. Maybe in another year or two, I might reconsider.

Again, thanks for the input.
__________________
And the WORD was made flesh, and dwelt among us. (John 1:14)
Reply With Quote
Old 12th August 2008
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts
Default

ah, I'm always late to the party!

If you are running a wireless laptop to your LAN, establishing a VPN connection will get over the worries you may have with wireless hacks.

About checking your bank account at a coffee shop... if your online banking doesn't run over SSL, I wouldn't use it anywhere in the first place , but if does, you shouldn't have a real issue.
__________________
Network Firefighter
Reply With Quote
Old 12th August 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts
Default

Quote:
Originally Posted by ai-danno View Post
About checking your bank account at a coffee shop... if your online banking doesn't run over SSL, I wouldn't use it anywhere in the first place , but if does, you shouldn't have a real issue.
Im a bit suprised about this statement, given what you have posted in this forum, you appears to be an experienced sys admin(no offence). Dont even think about SSL >= security, access can be gained over SSL.
__________________
The power of plain text? It can control an entire OS

Last edited by 18Googol2; 12th August 2008 at 05:57 AM.
Reply With Quote
Old 13th August 2008
fridder fridder is offline
Port Guard
 
Join Date: May 2008
Posts: 12
Thanked 0 Times in 0 Posts
Default

WEP=BAD NEWS, it is almost worse than leaving your network open because it gives a false sense of security. WPA/WPA2 is pretty dang good if you choose a good key. If you happen to get one of the 802.11n routers, be sure to enable security because the range on those things is much larger. perhaps I'm just paranoid, but I do live in an apartment and it is WAY to easy to hop onto someone's network. OH, and here is a nasty little story about businesses and wireless networks (from 2002 but stillcreepy)
Reply With Quote
Old 13th August 2008
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts
Default

Quote:
Originally Posted by 18Googol2 View Post
Im a bit suprised about this statement, given what you have posted in this forum, you appears to be an experienced sys admin(no offence). Dont even think about SSL >= security, access can be gained over SSL.

No offense taken, in fact I appreciate the comment. But when you mention your wariness about SSL security, are you referring to a "man-in- the-middle" or attack? I think that those are do-able for sure, but I assume a low risk on them. Of course, low-risk is not no-risk, and I have not personally shopped online or done any online banking from a wireless hotspot. Also, the risk for a "man-in-the-middle" is also present on wired network paths, not just wireless, but again, the risk is low, and depends on the target website's implementation of SSL.

More to the point, I think that unless the site you are going to with sensitive information has properly implemented SSL (is completely SSL'd throughout the site and not just on authentication) then you shouldn't be visiting that site with sensitive information in the first place.

But if you are referring to something else... let me know. But my assumptions about SSL are that since it's encrypted traffic, and barring any insecure implementations of SSL, it's a secure way to communicate (aside from outlandish uber-hacker gangs and rogue governments... but if that's a realistic fear I wouldn't get online in the first place )

Here's a fun article about cracking SSL itself. I believe this refers to USA-export encryption, not domestic (which is stronger.) Here's another. This one is a more technical paper that describes the toughness of SSL.
__________________
Network Firefighter
Reply With Quote
Old 13th August 2008
lvlamb's Avatar
lvlamb lvlamb is offline
Real Name: Louis V. Lambrecht
Spam Deminer
 
Join Date: May 2008
Location: .be
Posts: 221
Thanked 25 Times in 24 Posts
Default

I have to backup fridder.
I already posted that there are enough default installed WiFi in a city neighbourhood to always get an Internet connection.
Stealing bandwidth? Well, if you leave your wallet for anyone to grab it, don't be surprised your cash will be gone.
Proper MAC address plus key authentification is just like keeping your wallet in your pocket.
Unfortunately, some ISPs will regularly "update" the modem settings as they want to remain "user friendly". Whatever you specify on ISPs modems should be checked on a regular basis.
"User friendly" meaning you are a Vista Home user, with the Windows firewall set and ISP provided Norton anti-virus installed, WiFi set as an access point for everybody including yourself as you are too stoopid to run WiFi-radar and get connected. Only objective, reduce phone support traffic.
__________________
da more I know I know I know nuttin'
Reply With Quote
Old 14th August 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts
Default

Quote:
Originally Posted by ai-danno View Post
No offense taken, in fact I appreciate the comment. But when you mention your wariness about SSL security, are you referring to a "man-in- the-middle" or attack? I think that those are do-able for sure, but I assume a low risk on them. Of course, low-risk is not no-risk, and I have not personally shopped online or done any online banking from a wireless hotspot. Also, the risk for a "man-in-the-middle" is also present on wired network paths, not just wireless, but again, the risk is low, and depends on the target website's implementation of SSL.

More to the point, I think that unless the site you are going to with sensitive information has properly implemented SSL (is completely SSL'd throughout the site and not just on authentication) then you shouldn't be visiting that site with sensitive information in the first place.

But if you are referring to something else... let me know. But my assumptions about SSL are that since it's encrypted traffic, and barring any insecure implementations of SSL, it's a secure way to communicate (aside from outlandish uber-hacker gangs and rogue governments... but if that's a realistic fear I wouldn't get online in the first place )
Yes, the attack over SSL is MiM (man in the middle). SSL itself is practically impossible to crack, but it doesnt mean you are safe when surfing with https sites at all. The MiM doesnt attempt to crack SSL, in stead, with bogus private & public keys, it pretends to be the trusted party (the https site) you are supposed to deal with. So, consequencely, you blindly give your private info to the bad guy.

I wouldnt say its a low risk. Believe it or not, it would take a script kiddie only ~5mins in total (including the time to download software) to finish every step needed to retrieve the password over SSL. Also, it requires zero technical knowledge. All you have to do is point and click as per instruction. If the program is widespread one day, it would be a disaster.
__________________
The power of plain text? It can control an entire OS

Last edited by 18Googol2; 14th August 2008 at 08:39 AM.
Reply With Quote
Old 14th August 2008
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts
Default

Quote:
Originally Posted by 18Googol2 View Post
Yes, the attack over SSL is MiM (man in the middle). SSL itself is practically impossible to crack, but it doesnt mean you are safe when surfing with https sites at all. The MiM doesnt attempt to crack SSL, in stead, with bogus private & public keys, it pretends to be the trusted party (the https site) you are supposed to deal with. So, consequencely, you blindly give your private info to the bad guy.

I wouldnt say its a low risk. Believe it or not, it would take a script kiddie only ~5mins in total (including the time to download software) to finish every step needed to retrieve the password over SSL. Also, it requires zero technical knowledge. All you have to do is point and click as per instruction. If the program is widespread one day, it would be a disaster.
With all due respect, I think you over-estimate the ease with which a MITM attack is conducted. Again, I don't argue that it's possible, or that it happens, just the probability that it's conducted on a regular basis, even at your local Starbucks. A hotel actually would be a better place to conduct such attacks, but even then, it's not that simple. The real weakness in all of this is the user's ability to surf intelligently (and as a result, securely.) But this is a another discussion entirely.
__________________
Network Firefighter
Reply With Quote
Old 18th November 2008
JMJ_coder JMJ_coder is offline
VPN Cryptographer
 
Join Date: May 2008
Posts: 464
Thanked 8 Times in 8 Posts
Default

Hello,

I finally got a wireless gateway for use with my laptop. Here is the security I currently have:


1) ssid name is unusual - 7-8 characters - mix of caps, lowercase, numbers, control characters
2) ssid broadcast turned off
3) using WPA-PSK (wpa_supplicant on NetBSD didn't seem to like WPA2-PSK - gateway doesn't support Enterprise)
4) passcode is 24 characters - mix of caps, lowercase, and numbers (didn't like it when I put control characters in there, so I left them out)
5) gateway has built-in firewall (for whatever good there default setup is)
6) using MAC filtering where my laptop's MAC is the only one allowed on the wireless


I'm planning to setup my own firewall (probably PF, once I have time to learn how to configure it) in the future, but for now, is that decent security? Anything else I can do?
__________________
And the WORD was made flesh, and dwelt among us. (John 1:14)
Reply With Quote
Old 18th November 2008
Oko's Avatar
Oko Oko is offline
Fsck Surgeon
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 770
Thanked 36 Times in 32 Posts
Default

Quote:
Originally Posted by JMJ_coder View Post
Hello,

I finally got a wireless gateway for use with my laptop. Here is the security I currently have:


1) ssid name is unusual - 7-8 characters - mix of caps, lowercase, numbers, control characters
2) ssid broadcast turned off
3) using WPA-PSK (wpa_supplicant on NetBSD didn't seem to like WPA2-PSK - gateway doesn't support Enterprise)
4) passcode is 24 characters - mix of caps, lowercase, and numbers (didn't like it when I put control characters in there, so I left them out)
5) gateway has built-in firewall (for whatever good there default setup is)
6) using MAC filtering where my laptop's MAC is the only one allowed on the wireless


I'm planning to setup my own firewall (probably PF, once I have time to learn how to configure it) in the future, but for now, is that decent security? Anything else I can do?
Are you trying to tell us that you how insecure is your home network
or you are trying to ask us what you really need to do to make it really secure?
Reply With Quote
Old 18th November 2008
JMJ_coder JMJ_coder is offline
VPN Cryptographer
 
Join Date: May 2008
Posts: 464
Thanked 8 Times in 8 Posts
Default

Quote:
Originally Posted by Oko View Post
Are you trying to tell us that you how insecure is your home network
or you are trying to ask us what you really need to do to make it really secure?
That is the security I have implemented so far. I'm asking how secure (or insecure - I hope not ) that is and what else I can do to make it really secure?
__________________
And the WORD was made flesh, and dwelt among us. (John 1:14)
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
how to secure my ftp? milo974 OpenBSD Security 3 4th August 2009 03:47 PM
Securing wifi networks with ipsec/ssh and openbsd Oko OpenBSD Security 4 16th April 2009 07:32 AM
Is this secure? Ungenious OpenBSD Security 4 30th November 2008 02:27 AM
I would like to secure a system kungfujesus OpenBSD Security 4 28th September 2008 04:30 PM
DMZ for two networks users... maurobottone OpenBSD Security 6 2nd June 2008 02:57 PM


All times are GMT. The time now is 08:32 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick