Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

I've set up a wireless network at home for the first time, having
hopefully read up enough on security to make this a 'safe' proposition.
What I'd like to know is, having taken these steps, can I consider my
wireless network to be fully secure to all intents and purposes (given
that I'm just an ordinary person living in a low-population density
suburb (rather than, say, a corporate user at high risk of attack)?

I have a Linksys WRT54G router connected to always-on broadband, and
have taken the following steps:

1. Changed the router admin login details from the default
2. Changed the default SSID
3. Disabled SSID broadcast
4. Enabled MAC filter (ie only the MAC address of my laptop is allowed
to connect wirelessly)
5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
whatever that means!)
6. Enabled Windows XP firewall on all PCs (plus the router's hardware
firewall).

Does this sound reasonable? Should I really worry about accessing
online banking wirelessly for example, any more than when accessing it
from a wired PC?

--
Thanks
David

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

Both items 3 & 4 are of minimal to no value as far as security measures are concerned. The best
measure is using WPA, which you have done, with a very long and random key. Personally I use WPA-PSK
(TKIP) with a >25 character totally random ASCII key...

http://www.dslreports.com/faq/wlan/40.0+Security#10907
http://www.dslreports.com/faq/11462

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...


"Lobster" <davidlobsterpot601@hotmail.com> wrote in message
news:3z0re.7460$a5.955@newsfe5-win.ntli.net...
> I've set up a wireless network at home for the first time, having hopefully read up enough on
> security to make this a 'safe' proposition. What I'd like to know is, having taken these steps,
> can I consider my wireless network to be fully secure to all intents and purposes (given that I'm
> just an ordinary person living in a low-population density suburb (rather than, say, a corporate
> user at high risk of attack)?
>
> I have a Linksys WRT54G router connected to always-on broadband, and have taken the following
> steps:
>
> 1. Changed the router admin login details from the default
> 2. Changed the default SSID
> 3. Disabled SSID broadcast
> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to connect wirelessly)
> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds, whatever that means!)
> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware firewall).
>
> Does this sound reasonable? Should I really worry about accessing online banking wirelessly for
> example, any more than when accessing it from a wired PC?
>
> --
> Thanks
> David

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

Lobster wrote:
> I've set up a wireless network at home for the first time, having
> hopefully read up enough on security to make this a 'safe' proposition.
> What I'd like to know is, having taken these steps, can I consider my
> wireless network to be fully secure to all intents and purposes (given
> that I'm just an ordinary person living in a low-population density
> suburb (rather than, say, a corporate user at high risk of attack)?
>
> I have a Linksys WRT54G router connected to always-on broadband, and
> have taken the following steps:
>
> 1. Changed the router admin login details from the default
> 2. Changed the default SSID
> 3. Disabled SSID broadcast
> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed
> to connect wirelessly)
> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
> whatever that means!)
> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware
> firewall).
>
> Does this sound reasonable? Should I really worry about accessing
> online banking wirelessly for example, any more than when accessing it
> from a wired PC?
>

So far I haven't been successful with 5 & 6. I take the MAC address is
the numbers/letters on the card that slots into the Notebook adjacent to
the serial number? Group renewal, I was wondering what that was to?

Thanks

--
Keith (Southend)

'Weather Home & Abroad'
http://www.southendweather.net

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

"Sooner Al [MVP]" <SoonerAl@somewhere.net.invalid> wrote in message
news:uHHPXv4bFHA.3912@TK2MSFTNGP15.phx.gbl...

[[top post relocated]]

> "Lobster" <davidlobsterpot601@hotmail.com> wrote in message
> news:3z0re.7460$a5.955@newsfe5-win.ntli.net...
>> I've set up a wireless network at home for the first time, having
>> hopefully read up enough on security to make this a 'safe' proposition.
>> What I'd like to know is, having taken these steps, can I consider my
>> wireless network to be fully secure to all intents and purposes (given
>> that I'm just an ordinary person living in a low-population density
>> suburb (rather than, say, a corporate user at high risk of attack)?
>>
>> I have a Linksys WRT54G router connected to always-on broadband, and have
>> taken the following steps:
>>
>> 1. Changed the router admin login details from the default
>> 2. Changed the default SSID
>> 3. Disabled SSID broadcast
>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to
>> connect wirelessly)
>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>> whatever that means!)
>> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware
>> firewall).
>>
>> Does this sound reasonable? Should I really worry about accessing online
>> banking wirelessly for example, any more than when accessing it from a
>> wired PC?
>>
>> --
>> Thanks
>> David
>
>

> Both items 3 & 4 are of minimal to no value as far as security measures
> are concerned. The best measure is using WPA, which you have done, with a
> very long and random key. Personally I use WPA-PSK (TKIP) with a >25
> character totally random ASCII key...
>
> http://www.dslreports.com/faq/wlan/40.0+Security#10907
> http://www.dslreports.com/faq/11462
>
> --
>
> Al Jarvi (MS-MVP Windows Networking)
>

What Al told the O.P. isn't really true. Disabling SSID and enabling MAC
filtering will thwart all but the most devious and dedicated hackers who are
out crusiing the neighborhhod packet sniffing and looking to break in-- a
very small number of people indeed. The average Joe won't even see his
network-- much less get in.

It's like the lock on your front door or your car door. It can be defeated--
but only by those who really want to do that and have the technical knowhow
and tools.. The O.P. has good enough security for most situations most of
the time.

And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much
tougher to defeat--- even by a techonerd....

Doc

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

Well, first lets be clear on what I said and that was..."The best measure is using WPA, which you
have done..."

Now I agree that WPA using AES is better, but WPA, whatever flavor you use is better than WEP. It
simply depends on what your hardware supports. Mine supports WPA (TKIP), but not AES...

Secondly, security through obscurity is simply no security... Not to mention some clients simply can
not connect to a wireless network if the SSID is not broadcast. That is a fact...

Later...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...


"J.H. Holliday" <doc@okcorral> wrote in message news:Y-GdnZxeA4JaNjHfRVn-1Q@comcast.com...
> "Sooner Al [MVP]" <SoonerAl@somewhere.net.invalid> wrote in message
> news:uHHPXv4bFHA.3912@TK2MSFTNGP15.phx.gbl...
>
> [[top post relocated]]
>
>> "Lobster" <davidlobsterpot601@hotmail.com> wrote in message
>> news:3z0re.7460$a5.955@newsfe5-win.ntli.net...
>>> I've set up a wireless network at home for the first time, having hopefully read up enough on
>>> security to make this a 'safe' proposition. What I'd like to know is, having taken these steps,
>>> can I consider my wireless network to be fully secure to all intents and purposes (given that
>>> I'm just an ordinary person living in a low-population density suburb (rather than, say, a
>>> corporate user at high risk of attack)?
>>>
>>> I have a Linksys WRT54G router connected to always-on broadband, and have taken the following
>>> steps:
>>>
>>> 1. Changed the router admin login details from the default
>>> 2. Changed the default SSID
>>> 3. Disabled SSID broadcast
>>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to connect wirelessly)
>>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds, whatever that means!)
>>> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware firewall).
>>>
>>> Does this sound reasonable? Should I really worry about accessing online banking wirelessly for
>>> example, any more than when accessing it from a wired PC?
>>>
>>> --
>>> Thanks
>>> David
>>
>>
>
>> Both items 3 & 4 are of minimal to no value as far as security measures are concerned. The best
>> measure is using WPA, which you have done, with a very long and random key. Personally I use
>> WPA-PSK (TKIP) with a >25 character totally random ASCII key...
>>
>> http://www.dslreports.com/faq/wlan/40.0+Security#10907
>> http://www.dslreports.com/faq/11462
>>
>> --
>>
>> Al Jarvi (MS-MVP Windows Networking)
>>
>
> What Al told the O.P. isn't really true. Disabling SSID and enabling MAC filtering will thwart all
> but the most devious and dedicated hackers who are out crusiing the neighborhhod packet sniffing
> and looking to break in-- a very small number of people indeed. The average Joe won't even see his
> network-- much less get in.
>
> It's like the lock on your front door or your car door. It can be defeated-- but only by those
> who really want to do that and have the technical knowhow and tools.. The O.P. has good enough
> security for most situations most of the time.
>
> And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much tougher to defeat---
> even by a techonerd....
>
> Doc

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

J.H. Holliday wrote:
> "Sooner Al [MVP]" <SoonerAl@somewhere.net.invalid> wrote in message
> news:uHHPXv4bFHA.3912@TK2MSFTNGP15.phx.gbl...
>
> [[top post relocated]]
>
>> "Lobster" <davidlobsterpot601@hotmail.com> wrote in message
>> news:3z0re.7460$a5.955@newsfe5-win.ntli.net...
>>> I've set up a wireless network at home for the first time, having
>>> hopefully read up enough on security to make this a 'safe' proposition.
>>> What I'd like to know is, having taken these steps, can I consider my
>>> wireless network to be fully secure to all intents and purposes (given
>>> that I'm just an ordinary person living in a low-population density
>>> suburb (rather than, say, a corporate user at high risk of attack)?
>>>
>>> I have a Linksys WRT54G router connected to always-on broadband, and have
>>> taken the following steps:
>>>
>>> 1. Changed the router admin login details from the default
>>> 2. Changed the default SSID
>>> 3. Disabled SSID broadcast
>>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to
>>> connect wirelessly)
>>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>>> whatever that means!)
>>> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware
>>> firewall).
>>>
>>> Does this sound reasonable? Should I really worry about accessing online
>>> banking wirelessly for example, any more than when accessing it from a
>>> wired PC?
>>>
>>> --
>>> Thanks
>>> David
>>
>>
>
>> Both items 3 & 4 are of minimal to no value as far as security measures
>> are concerned. The best measure is using WPA, which you have done, with a
>> very long and random key. Personally I use WPA-PSK (TKIP) with a >25
>> character totally random ASCII key...
>>
>> http://www.dslreports.com/faq/wlan/40.0+Security#10907
>> http://www.dslreports.com/faq/11462
>>
>> --
>>
>> Al Jarvi (MS-MVP Windows Networking)
>>
>
> What Al told the O.P. isn't really true. Disabling SSID and enabling MAC
> filtering will thwart all but the most devious and dedicated hackers who are
> out crusiing the neighborhhod packet sniffing and looking to break in-- a
> very small number of people indeed. The average Joe won't even see his
> network-- much less get in.
>
> It's like the lock on your front door or your car door. It can be defeated--
> but only by those who really want to do that and have the technical knowhow
> and tools.. The O.P. has good enough security for most situations most of
> the time.
>
> And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much
> tougher to defeat--- even by a techonerd....
>
> Doc

I agree that disabling the SSID is a good thing. When people with Wi-Fi click on
"view wireless networks"... they will not see you. Their curiosity will not be
peeked to the point where they start thinking... "I wonder who that is... I
wonder if my computer hacker friend Fred can get into this network?" The
argument against hiding the SSID is that you are not being a good neighbor and
those folks won't know to avoid your channel. So... you can take the attitude
that you will police the neighborhood and avoid other Wi-Fi channels that are in
use. Of course you may not be the only one with that attitude and channel
conflicts can occur. So what to do. I hide my SSID.
I also use MAC filtering. Why not... it's easy and one more layer of protection.

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

Lobster <davidlobsterpot601@hotmail.com> wrote in
news:3z0re.7460$a5.955@newsfe5-win.ntli.net:

> Should I really worry about accessing
> online banking wirelessly for example, any more than when
> accessing it from a wired PC?
>

When you access a security-sensitive site e.g. online banking or
shopping checkout, you will** be using a secure HTTPS connection
irrespective of how you connect. That means data is encrypted end-to-
end between your PC and the bank or store.

If you have set up your wireless LAN to provide WPA encryption, the
data is encrypted a second time whilst in transit on your wireless
LAN, using a key that is typically changed every 60 minutes. So the
answer to your question is "No".

** If not, consider changing - NOW!

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

"DanR" <dhr22@sorrynospm.com> wrote:
>J.H. Holliday wrote:
>> "Sooner Al [MVP]" <SoonerAl@somewhere.net.invalid> wrote:
>>>>
>>>> 3. Disabled SSID broadcast
>>>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to
>>>> connect wirelessly)
>>>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>>>> whatever that means!)
....
>>> Both items 3 & 4 are of minimal to no value as far as security measures
>>> are concerned. The best measure is using WPA, which you have done, with a
....
>> What Al told the O.P. isn't really true. Disabling SSID and enabling MAC

Actually, it is *precisely* true.

>> filtering will thwart all but the most devious and dedicated hackers who are
>> out crusiing the neighborhhod packet sniffing and looking to break in-- a
>> very small number of people indeed. The average Joe won't even see his
>> network-- much less get in.

Okay, so you are saying that it keeps the harmless people out,
and only those who are most likely to do you real harm can get
in. Not good.

>I agree that disabling the SSID is a good thing. When people with Wi-Fi click on
>"view wireless networks"... they will not see you.

Generally that is a good thing too.

>Their curiosity will not be
>peeked to the point where they start thinking... "I wonder who that is... I
>wonder if my computer hacker friend Fred can get into this network?"

And if it is, he's using WPA to keep them out. Because SSID,
MAC filtering and WEP certainly won't.

>The
>argument against hiding the SSID is that you are not being a good neighbor and
>those folks won't know to avoid your channel.

That isn't a case of being a good neighbor, it's a case of being
a smart neighbor. If they don't see your network, they can't
plan to avoid it. So, they look, and see everyone except you,
and plonk down right on the same channel you chose. They just
happen to have a big antenna and good receivers, so you don't
bother them at all, but they cause just enough interference to
reduce your bit rate from 54 to 4 Mbps, but only intermittantly.

Not good!


>So... you can take the attitude
>that you will police the neighborhood and avoid other Wi-Fi channels that are in
>use. Of course you may not be the only one with that attitude and channel
>conflicts can occur. So what to do. I hide my SSID.

What for?

>I also use MAC filtering. Why not... it's easy and one more layer of protection.

Sure. Protection that causes *you* far more inconvenience
than it does someone intent on hacking into your network!

Not good...

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@barrow.com

Archived from groups: microsoft.public.windows.networking.wireless (More info?)

"DanR" <dhr22@sorrynospm.com> wrote in message news:Q_3re.308$Nz2.88@newssvr11.news.prodigy.com...
> The > argument against hiding the SSID is that you are not being a good neighbor and
> those folks won't know to avoid your channel. So... you can take the attitude
> that you will police the neighborhood and avoid other Wi-Fi channels that are in
> use. Of course you may not be the only one with that attitude and channel
> conflicts can occur.

??? How showing your SSID can help other to avoid your channel?

--PA

Archived from groups: microsoft.public.windows.networking.wireless (More info?)

Pavel A. wrote:
> "DanR" <dhr22@sorrynospm.com> wrote in message
> news:Q_3re.308$Nz2.88@newssvr11.news.prodigy.com...
>> The > argument against hiding the SSID is that you are not being a good
>> neighbor and those folks won't know to avoid your channel. So... you can
>> take the attitude
>> that you will police the neighborhood and avoid other Wi-Fi channels that
>> are in use. Of course you may not be the only one with that attitude and
>> channel
>> conflicts can occur.
>
> ??? How showing your SSID can help other to avoid your channel?
>
> --PA

Software that comes with your wireless card can do a site survey and show the
SSID and channel number of close by wireless networks. As will Netstumbler. (my
linksys monitor software will do this)
WinXP alone does not show channel number as far as I can tell.
If everyone played fair and everyone broadcasted their SSID then everyone could
see what everyone's broadcast channel was set to and avoid conflicts.

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

J.H. Holliday wrote:
> "Sooner Al [MVP]" <SoonerAl@somewhere.net.invalid> wrote in message
> news:uHHPXv4bFHA.3912@TK2MSFTNGP15.phx.gbl...
>
>>"Lobster" <davidlobsterpot601@hotmail.com> wrote in message
>>news:3z0re.7460$a5.955@newsfe5-win.ntli.net...
>>
>>>I have a Linksys WRT54G router connected to always-on broadband, and have
>>>taken the following steps:
>>>
>>>1. Changed the router admin login details from the default
>>>2. Changed the default SSID
>>>3. Disabled SSID broadcast
>>>4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to
>>>connect wirelessly)
>>>5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>>>whatever that means!)
>>>6. Enabled Windows XP firewall on all PCs (plus the router's hardware
>>>firewall).
>>>
>>>Does this sound reasonable? Should I really worry about accessing online
>>>banking wirelessly for example, any more than when accessing it from a
>>>wired PC?

>>Both items 3 & 4 are of minimal to no value as far as security measures
>>are concerned. The best measure is using WPA, which you have done, with a
>>very long and random key. Personally I use WPA-PSK (TKIP) with a >25
>>character totally random ASCII key...

> And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much
> tougher to defeat--- even by a techonerd....

Thanks to all for the replies; I'm quite reassured now! And I can see
that I can beef up my security another notch by using a better WPA key,
and by switching from TKIP to AES, which my router also supports.

--
David

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

Taking a moment's reflection, Lobster mused:
|
| 3. Disabled SSID broadcast

Unnecessary due to #5 below, SSID is still attached, unencrypted, to
every packet. So, those who could attempt to crack your encryption
already have your SSID. Might as well broad cast it to stay within spec
(less connectivity issues), and keep neighbours from setting their
wireless up on the same channel you are using ... thus causing
interference.

| 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed
| to connect wirelessly)

Unnecessary due to #5 as well. MAC address is attached to every
frame, unencrypted. So, anyone who can capture your packets can easily
determine what MACs are allowed.

| 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
| whatever that means!)

Use AES if your client software allows it. If you are using the XP
zero config connector, AES does not work with it. But, in that case,
TKIP is fine. Group renewal is the interval that the WPA keys are
regenerated automatically between server and client. This is how they
patched the vulnerability of WEP.

| Does this sound reasonable? Should I really worry about accessing
| online banking wirelessly for example, any more than when accessing it
| from a wired PC?

Other than my comments above, yes. It's reasonable. I wouldn't
worry about accessing online banking. With WPA enabled, you are
encrypted. Also, the banking website should have SSL encryption. So,
you are doubly encrypted.