Just wondering what's more secure here? What are the pros and cons of them? Cheers
Mick
WEP is very very weak. Why? Parts of the key are transmitted from time to time within the data sent. In about 10mb of traffic you have more than enough to decompile the key. Very bad.
WPA is much more protective, it doesn't do what WPA does (send the key)
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
I would go with WPA and if your router supports it I would incorporate MAC filtering as an added layer. Also do not broadcast your SSID.
One thing you have to consider is some wireless network cards do not support WPA, but that is mainly for the older ones. I do not think I have run into an a/b/g card that does not support WPA sold today.
This is also a good idea
Quote:
Originally Posted by BOB IROC
This has absolutely ZERO benefit. It does not "hide" your access point.
Quote:
Originally Posted by BOB IROC
MAC filtering won't hide your access point, but disabling SSID broadcast per Bob's suggestion will. As he says, MAC filtering is just another layer of security and peace of mind. Both in short supply these days.
(Edit) to be a bit more correct and fairer to Fubarian, there are indeed techniques to discover wireless LANs even if SSID broadcast is disabled, but many, or most intrusion attempts can be defeated by this means.
Quote:
Originally Posted by slgrieb
That's what I was going for, but some seem to think it has Zero benefit. It may not be much, but every little bit helps.
Every single time you connect, it sends a broadcast for the AP and the AP replies with a broadcast as well. All I do is interrupt your AP (using a wireless phone does this rather easily) and guess what? Oh, I got your SSID. Run an AP monitoring program and find this out for yourself.
Hiding the SSID broadcast gives 0 benefit, period. Security through obscurity does not work and is a terrible practice. MAC filters, yes (and even this is weak and spoofable, rather easily), WPA-PSK, AES and TKIP, yes! Hiding something, NO
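Added example (not part of any post in this thread): the sketch below parses constructed 802.11 management frames to show the point argued above, that with SSID broadcast disabled the beacon carries an empty SSID element while the probe and association frames exchanged when a client connects still carry the name in the clear. The SSID `example-home`, the MAC addresses and the helper names are constructed for illustration.

```python
# Added example: constructed 802.11 management frames, no live capture involved.
HDR_LEN = 24  # frame control, duration, three addresses, sequence control
# management subtype -> (name, bytes of fixed fields before the tagged elements)
SUBTYPES = {0: ("assoc-req", 4), 4: ("probe-req", 0),
            5: ("probe-resp", 12), 8: ("beacon", 12)}

def ssid_of(frame):
    """Return (subtype name, SSID) for a known management frame, else None.
    SSID is '' when the element is empty or null-padded (a "hidden" beacon)."""
    if len(frame) < HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    name, fixed = SUBTYPES[subtype]
    pos = HDR_LEN + fixed
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:      # truncated element, stop parsing
            break
        if eid == 0:               # element ID 0 is the SSID
            return name, value.strip(b"\x00").decode("utf-8", "replace")
        pos += 2 + elen
    return name, None

def make_frame(subtype, ssid):
    """Build a minimal constructed frame: header, zeroed fixed fields, SSID, rates."""
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    header = bytes([subtype << 4, 0]) + bytes(2) + ap + sta + ap + bytes(2)
    fixed = bytes(SUBTYPES[subtype][1])
    return header + fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])

def exposed_ssids(frames):
    """Map each frame type to the non-empty SSID it carried in the clear."""
    seen = {}
    for frame in frames:
        parsed = ssid_of(frame)
        if parsed and parsed[1]:
            seen[parsed[0]] = parsed[1]
    return seen

SAMPLE = [make_frame(8, b""),              # beacon with SSID broadcast disabled
          make_frame(4, b"example-home"),  # client probing for its saved network
          make_frame(5, b"example-home"),  # AP answering that probe
          make_frame(0, b"example-home")]  # client associating

if __name__ == "__main__":
    for f in SAMPLE:
        print(ssid_of(f))
    print(exposed_ssids(SAMPLE))
```

None of these frames is encrypted under WEP or WPA, which is why the name is readable regardless of the encryption setting; the encryption, not the hidden name, is what protects the traffic.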
Sheesh Fubarian, did someone piss in your cheerios?
Quote:
Originally Posted by Fubarian
Not everyone has all these utilities that you speak of or knows how to use them, but I still think hiding your SSID and running MAC filtering will help keep the average neighbor from knowing you have a wireless network. Then you add WPA or WPA2 for added protection.
No, not at all! I just don't like people giving incorrect information -- the tools are very easy to find and are FREE and it's got to the point the village idiot (well, ok not QUITE that easy) can figure it out with 30 minutes of internet searching.
Side note : One benefit to SSID is "long range" devices will stay connected better
Quote:
Originally Posted by Fubarian
Well, I wouldn't say "zero" benefits, here are a few:
- People who are not wardriving, etc. will not notice your network. If the average joe just pulls out a pda, laptop etc. and isn't looking to "crack" into a WiFi network, but rather just "hop" onto a free WiFi signal, they'll just keep moving along.
- The neighbor next door will not have it listed in his available networks, etc. and possibly connect to it either intentionally or unintentionally.
Sorry Fubarian, you just sounded like you were getting a little angry. And I don't think I am giving "incorrect" information here either. Well as I said, hiding your SSID and using MAC filtering will keep the AVERAGE neighbor from knowing about your wireless network. As most people like that do not have and are not going to search for or use such utilities. However, if they can see a publicly broadcast SSID they may be likely to try and use the network for free internet.
I say this because I have seen it happen. I ran into a friend while shopping at Best Buy a couple months ago and he said he wanted to get a wireless card for his brother. I asked what kind of internet does he have and he said "he doesn't. His neighbor has a wireless network that he is going to steal a connection from". And that is just one example, but I have had teachers come up to me and ask similar questions like "what kind of wireless card should I get if I want to use my neighbor's wireless network without them knowing it". Blocking your SSID and using MAC filtering will help at least a little bit with those situations. Don't ya think?
and now they both have the same SSID and you connect to my network by mistake ...
Quote:
Originally Posted by Fubarian
How do you figure? You make the SSID unique, you just block it from being broadcast. Then you input your connection information into your wireless device manually. Granted that many people do not change their SSID from the defaults, but that is not the situation here I don't think.
I like to explain wireless security to people as being like locks on your car or house. Locks keep the honest people honest. If they walk up to a door and turn the handle and it's locked, an honest person will walk away. If they're not an honest person, the lock is only going to slow them up a tad from getting in until they smash a window, bust the door (break the WEP/WPA, MAC filter, etc.).
What I hate is Verizon ships Westell modems out to all new DSL customers with wireless enabled by default, no security enabled, and the average customer installs with the cd, has the Westell modem/router hooked to their computer with an ethernet or usb cable, and have no use for wireless and have no clue that they're broadcasting a free WiFi unsecured signal to anybody nearby.
eh, not so much. Both are spoofable, rather easily, using widely available tools with little know-how, but the encryption isn't (assuming you use something OTHER than WEP). I would say, yes turn on your mac filter, but ssid broadcast takes you out of 802.11 compliance...there are reasons this is in the standard.
Quote:
Originally Posted by BOB IROC
On paper, if someone's next door, they'll see your network at some point, regardless of SSID turned off. So that's out. If you leave it off, I see it once, set up a fake AP and cause all sorts of hell. Leave yours on, turn on encryption (NOT WEP!!) and those problems are fixed and it's much MUCH harder for me to do something evil.
Pre-shared keys are still a "shared secret", but it's a billion times better than using static, easily spoofable, interruptable, etc info. AES and TKIP are damn good and I highly recommend them because they're a bitch to crack (got a few galaxy lifetimes sittin around?). The chances of someone busting through that is ungodly unlikely where the others are rather simple.
Nokia (? I think it was a nokia ...it started with an N) APs are like this too.
Quote:
Originally Posted by 3fingersalute
So do you camo the house then to hide it? :)
Quote:
Originally Posted by 3fingersalute
No - I wasn't talking about hiding anything. I was talking about keeping out honest people who wouldn't otherwise do something illegal.
Quote:
Originally Posted by Fubarian
Do you leave your car and house unlocked when you're not there because they're easy to break into? ;)
You had said some of the benefits was hiding the AP, so I was commenting in reference to that.
Quote:
Originally Posted by 3fingersalute
nope, but I wouldn't think hiding it (parking it in the garage) would increase the unlikelihood of a break in either
Quote:
Do you leave your car and house unlocked when you're not there because they're easy to break into? ;)
I never said anything about hiding it at all.
Quote:
Originally Posted by Fubarian
So why do you lock your garage or house at all then?
Quote:
Originally Posted by Fubarian
yea ya did
Quote:
Originally Posted by 3fingersalute
that's hiding an AP for the wrong reasons.
Quote:
Originally Posted by 3fingersalute
I keep my car in the garage because I like my car clean and I live in an access controlled building
Quote:
So why do you lock your garage or house at all then?
Wrong. Search the page, not once did I ever mention the word "hide"
Quote:
Originally Posted by Fubarian
Ok, but do you lock the garage door, or the doors of the car? If so, why?
Quote:
Originally Posted by Fubarian
You are taking this conversation in the wrong direction and thank you, but I do not need to search, I'm following along rather well - I'm not sure if you are though, so let's review.
If you go back over the convo, you'll notice I commented on zero security benefit disabling the SSID, period, you claimed there were indeed benefits to hiding the SSID, ie, hiding an AP, as you put it I wouldn't say "zero" benefits (see the quote prior) whereas I said there is zero benefit so you used the analogy of a house. Using this analogy, I asked if you camo the house to hide it, pointing out the uselessness of hiding an SSID.
I never once said protecting it was a bad idea. Continuing to follow the "House" analogy, I do not "hide" my car in the garage because it adds protection, I do it for other reasons.
Are we on the same page now?
I understand what you are saying, yes; and from a security stand-point, I'll agree that disabling the SSID does not "hide" your AP. NetStumbler, those little keychain WiFi finders, etc. make it very easy to find a WiFi signal, regardless of whether the SSID is being broadcast or not.
Quote:
Originally Posted by Fubarian
I do however, still feel there are advantages to not broadcasting the SSID.
Cheers for the advice. I've set up WPA-PSK security so hopefully it will be ok.
Mick
I wrote about this in another post. My problem is that there doesn't seem to be a tried and true method to set any of these diff. solutions up. Seems once I enable any one of them I can't add other computers to the connection. Can anybody shed some light on this subject? I work in a medical field office and they want a wireless set up for sales people. I want to use the highest level of security possible due to HIPAA but I can't get it to work. Chris
If you're dealing with HIPAA, I just wouldn't even bother with wireless dude. As stated before, even when secured to the best of its ability, it's still very vulnerable.
Quote:
Originally Posted by musicman7722
What do these sales people need access to? If it's just internet, set up a separate router on a different subnet to get them access to internet only.
The sales person needs complete access to the server for e-mail, printer etc. You are probably right i.e. the HIPAA, prob is I have to convince them it's that and not my inability :)
Quote:
Originally Posted by 3fingersalute
Chris
To protect a wireless network in an enterprise environment, you can use RADIUS + VPN on top of, isolate the AP from the rest of the network (plug it into the RADIUS server) and this should provide a very good level of security. You should probably enforce LONG, complex passPHRASES and p2tp VPN (which includes IPSec! yay).
Downside : it's -kinda- annoying to set up, and if you don't do it right, nothing will work (on the wireless side that is)