To SSID or Not to SSID - WiFi Security Recommendations
RTA Information Technology, Tempe, AZ
WiFi security is a big deal. It's a source of lots of confusion and service calls by consumers and businesses. And lack of WiFi security is probably the biggest security hole in your home or office network.
Let's start with the BAD NEWS:
If you don't have encryption turned on, ANYBODY within range can read everything sent across your Wireless network. That includes:
* UserNames, Account Numbers, and Passwords (unless the site you log into uses SSL or other encryption)
* Your WiFi-sent email
* What you are browsing on the Internet
Without encryption, it's definitely possible for your next-door neighbor (or a hacker sitting in his car down the block) to monitor your broadcasts. Or join your network and use your Internet connection for evil purposes. Or to attack your internal computers.
Have I convinced you to use Encryption yet?
Common Security Settings
There are three common security parameters available on WiFi networks: SSID broadcast, MAC address filtering, and Encryption.
SSID Broadcast: Your WiFi router or access point can broadcast a name (SSID) that identifies it. Some folks say you should turn this broadcast off.
MAC Address Filtering: Your router or access point can limit its clients to a specific list of MAC addresses. MAC addresses are 12-character codes (supposedly unique) that are assigned to networking devices. By filtering, you can, in theory, limit which devices can connect to your WiFi network.
Encryption: Common forms include WEP, WPA, and WPA2. Data is encrypted so that, even if intercepted, it can't be decoded.
My Suggested Settings:
1) Use an innocuous SSID name.
Don't use the Default SSID name. That'll tell a hacker what kind of router you have. Don't use your name or your Company's name. Use something innocuous, like "Red" or "Blue".
2) Leave SSID Broadcast ON.
Yes, this flies in the face of common security advice. But ANYBODY who wants to find your WiFi network can locate it with a WiFi detector. And can easily monitor it with NetStumbler, or other freely-available WiFi cracking software.
By turning off SSID Broadcast, you make your own life considerably more complicated. If you forget the SSID name, you'll have to access the router to re-discover the name. Or you'll have to reset the router and re-configure it from factory defaults. It's too much work for too little Security gain.
3) Use MAC filtering at your own risk.
I think it's too much trouble. Every time you bring a new WiFi device into your home or office, you'll have to add it to the allowed-MAC-address list. And a determined cracker will, again, find a way around the MAC filter, using a spoofed MAC address. Again, I think you're making a lot of complication for yourself, and not that much complication for a hacker.
The Big One:
4) Use (WPA) Encryption!
WPA encryption is tough to break. As long as you use a good, long, random passphrase. A hacker would have to REALLY want to break into your network to bother with breaking WPA. Encryption is the single, necessary key to WiFi security. Until a hacker breaks your encryption scheme, he's not going to join your network, he's not going to attack your computers, and he isn't going to read your transmissions.
Even WEP encryption (although definitely breakable with enough network traffic) is much better than no encryption at all. But WiFi equipment is pretty cheap. Get WPA-capable equipment. Your entire network has to use the same encryption method, so replace any old WiFi cards with recent, WPA-capable, cards.

