Security Basics mailing list archives

RE: home wireless router good practices for security


From: "Ed Whitesell" <edwlist () airpathwireless com>
Date: Wed, 31 Dec 2003 08:54:02 -0500

1) 128-bit encryption should not hurt your performance.  If by some odd
chance it does and is noticeable, you need new hardware because the
stuff you're using is garbage.

2) Changing the SSID only means that people who are only looking for the
standard Linksys SSID won't find it.  It's trivial now with all of the
wireless scanning software that exists and the fact that Windows XP will
seek out any SSID it can see.  Think of the SSID as configuring the port
on a switch.  If you don't know which port to connect to, you can't
connect to the network; but if you can check all of the ports on a
switch, you'll find it.

3) 128-bit WEP is a decent start.  WEP can be cracked if someone is
given enough data or time, but it's still pretty good.  MAC filtering is
better as it would require an "unauthorized user" to know your MAC
address to associate to the AP.  Using MAC filtering on top of WEP is
pretty good in my opinion.  You'll also want to see if you can disable
the SSID broadcast and any beacons within the AP.  Some APs will only
allow you to change the time between beacons, so turn it up all the way.

The only other options you could do would be to also use a VPN from your
machine to something on the wired side of the router; or use some
proprietary software/hardware to do encryption.  But I think WEP, MAC
filtering, disabling the SSID broadcast and beacons should be more than
enough for home use.

-Ed

-----Original Message-----
From: Steve [mailto:securityfocus () delahunty com]
Sent: Tuesday, December 30, 2003 1:33 PM
To: security-basics () securityfocus com
Subject: home wireless router good practices for security


So I went out and purchased a wireless router (Linksys 802.11b) for home
since it was so inexpensive and actually less cost than the wireless access
points I was trying to get via eBay.  Got it home, installed my wireless
network card (SMC), powered on the router, attached it to a port on my other
wired Linksys router, and boom it worked great.  Then about 5 minutes after
I sent an instant message to my neighbor (fellow IT friend) he was on my
network.  So I took the steps that Linksys recommends below, seems good (to
me).
    Change the default SSID
    Disable SSID Broadcasts
    Change the default password for the Administrator account
    Enable WEP 128-bit Encryption
Linksys also recommends these other measures, I have not implemented:
    Enable MAC Address Filtering
    Change the SSID periodically
    Change the WEP encryption keys periodically.

My Questions:

1) Anyone know how much enabling 128-bit encryption will hurt my wireless
performance?

2) Does setting the SSID for my wireless NIC then keep me from getting onto
other wireless networks like when traveling?  I ask since that setting was
set to ANY before I changed it to the SSID that I set for my wireless
router.

3) What else should I really do to protect my home network?


