Why use encryption on a wi-fi link

This question has arisen from other postings recently. Apart from stopping people stealing your download allowance because you have a second rate cheapy ISP, why is it necessary to have password protection to the router? Any possible access to other machines using the same router should be prevented by firewalls anyway.
 
My home network has 3 computers, two on wireless cards and the main one plugged direct to the network port on the router. I also have a network hard disk plugged directly to the router. I have it set up so I have shared files and shared printing, hence the firewalls allow all the computers on my network to talk to each other. I have WPA encryption for the wireless network to stop anyone accessing firstly the network hard disk and secondly any shared files. I also have mac address? enabled on my router so hopefully only my computers and my PSP can talk to it in any case.
 
In most home setups with a router, the router forms the first line of defence with NAT or some other firewall. This prevents any public IP address (e.g. from the internet) from accessing any of your private IP addresses on nodes connected to the router's LAN ports.

If you don't protect your wireless connection (an open connection), anyone with another wireless device can connect to it, discover your subnet address and connect to your network just as if they had connected using a patch cable. They are now within your private network and can access any shared resource.

Even if you have protected your network and turned off file sharing etc., the intruder could still gain internet access. This might not seem like a problem on the face of it, but consider someone who wants to abuse the internet by downloading child porn, spamming or sharing terrorist information. If they use your router, then it would appear that the actions were performed from your premises.

These are extreme cases, but you probably get the point.

Use the highest level of encryption supported by your router, turn off your SSID broadcast, turn off the ping responder and use mac address filtering.
 
Igorian said:
They are now within your private network and can access any shared resource.

I have to disagree with the above statement; in general most of what you have said is true, and in some cases the above statement may be true. Being connected to a network doesn't automatically give you access to resources.

I have software that can crack WEP encoding within a couple of minutes and it's freely available on the web for download. MAC filtering is much better and I usually use smoothwall firewall on my systems, any old PC will do to run it and it does provide excellent security.

Regards - J
 
johnb80 said:
Igorian said:
They are now within your private network and can access any shared resource.

I have to disagree with the above statement; in general most of what you have said is true, and in some cases the above statement may be true. Being connected to a network doesn't automatically give you access to resources.

I have software that can crack WEP encoding within a couple of minutes and it's freely available on the web for download. MAC filtering is much better and I usually use smoothwall firewall on my systems, any old PC will do to run it and it does provide excellent security.

Regards - J

You are correct, they may not automatically have access, but once they have access to the unprotected router, they CAN gain access to any shared resource.

I didn't mention any particular encryption method. WEP was 'cracked' long ago, and I agree, packet sniffers are freely available. MAC filtering is actually one of the weakest forms of protection as it is easily spoofed. Every wireless device has to broadcast its MAC, and they are easy to capture.

Having a gateway PC provides an extra layer of protection, but won't prevent access to the unprotected router. If the router contains the modem, then internet access can (should I say could) be gained. I don't mean to sound pompous, but the average home user wouldn't have a clue about gateways or multi homing.

My point was to use a combination of methods. Most (decent) home/small office routers are now being shipped with AES.
 
As mentioned, if you have no security on your wireless, then for all intents and purposes, people can connect to your network just as if they plugged in a patch cable. Now this gives us 2 main reasons for concern. They (whoever is connected to your LAN) are of course able to "borrow" your internet connection; now what if suddenly your connection was used to download a few gigs a day of child - er u know - stuff, or visit certain sites that may ring warning bells with your ISP's proxy (yes they are monitored to an extent), not to mention if you have a connection with a download limit, and the speed of your connection dropping as someone else uses it.

As for local security, not as bad with XP as the guest account is disabled by default, and you aren't able to connect to a share with no password. That said, there are a number of utilities widely available which will aid in the retrieval of usernames/passwords over a network. Now consider this: Mr Bloggs next door acquires your username/password for a share on another PC. Chances are the average home user will have each account as an administrator. So once someone has the password, they also have the admin password, with which they basically own the PC, regardless of shares set up manually; once they have the admin logon details then the PC is wide open, all documents can be viewed/changed, malicious programs put in start up etc etc.

WEP as mentioned isn't as good as it was initially assumed; WPA is much better. MAC address filtering alone is a waste of time, but used in conjunction with WPA may add that little bit more.

Personally I dislike wireless, not simply because of the security issues but also connection speed/reliability and most of all latency.
 
eggplant said:
As for local security, not as bad with XP as the guest account is disabled by default, and you aren't able to connect to a share with no password,

There's nothing to stop you (by default) in making a share with no password.
 
from kb 304040

Remote users cannot authenticate by using an account that has a blank password. This authentication is configured separately
 
eggplant said:
from kb 304040

Remote users cannot authenticate by using an account that has a blank password. This authentication is configured separately

Correct, but the key to this statement is Remote users. That is to say users connecting from another network, possibly using the vpn, dial up or other connection medium. Wireless users don't fall into this category as once connected, they are direct users not remote ones.
 
Remote refers to a non local user, i.e. not the physical computer in question, i.e. another PC on the network. Have a go: create a share on an XP box, create a user with no password and try and connect using this user account.
Should you want to allow users with no password access, you can change the local security policy, but this isn't really a good idea.
 
So from before I have mac address filtering enabled and WPA encryption with a password containing 30+ completely random letters and numbers; do I need to do anything more? BTW I also have McAfee VirusScan / firewall on all 3 PCs. The router has a built in firewall, but as I understand this only protects the network from the internet, not the wi-fi / wired network from a wi-fi attack.
 
In all honesty, WPA and a decent password is fine; ideally user accounts should be set up to allow the user just as many rights as they need, but as mentioned, unless you "dig a bit deeper" you only see a limited account or an admin account.
If you lock out the wireless well, and ensure local passwords are decent, then you won't be doing too badly.
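The thread's advice boils down to "WPA2/AES, a long random passphrase, and don't rely on MAC filtering". The following is an added example (not code from the thread or any poster) that turns that advice into a small audit of a router's wireless settings: it derives the WPA pre-shared key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds) and estimates passphrase entropy, so the effect of a short passphrase versus the 30+ random characters mentioned above is visible. The SSID, passphrases and the `audit_wireless` settings dictionary are constructed for illustration.

```python
import hashlib
import math
import re


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from an ASCII passphrase.
    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Every guess an attacker makes costs these 4096 rounds, so entropy of the
    passphrase is what decides whether guessing is feasible."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough upper bound: assume each character was drawn uniformly from the
    union of the character classes actually present (random passphrases only)."""
    pool = 0
    if re.search(r"[a-z]", passphrase):
        pool += 26
    if re.search(r"[A-Z]", passphrase):
        pool += 26
    if re.search(r"[0-9]", passphrase):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", passphrase):
        pool += 33  # printable ASCII punctuation
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_wireless(cfg: dict) -> list[str]:
    """Return findings for a constructed wireless config, most serious first.
    Keys: encryption (none/wep/wpa/wpa2/wpa3), passphrase, mac_filtering."""
    findings = []
    enc = cfg.get("encryption", "none").lower()
    if enc == "none":
        findings.append("CRITICAL: open network; anyone in range joins the LAN as if cabled")
    elif enc == "wep":
        findings.append("CRITICAL: WEP is broken; switch to WPA2-AES (or WPA3)")
    elif enc in ("wpa", "wpa2", "wpa3"):
        bits = passphrase_entropy_bits(cfg.get("passphrase", ""))
        if bits < 64:
            findings.append(f"HIGH: passphrase entropy ~{bits:.0f} bits; use a long random passphrase")
        if enc == "wpa":
            findings.append("MEDIUM: original WPA (TKIP) is deprecated; prefer WPA2-AES or WPA3")
    if cfg.get("mac_filtering") and enc in ("none", "wep"):
        findings.append("INFO: MAC filtering adds little; MACs are sent in clear and are easily spoofed")
    return findings
```

The `wpa_psk` output can be compared against the PSK your router or `wpa_passphrase` shows, which is a handy way to confirm the passphrase actually configured is the one you think.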
 
eggplant said:
Remote refers to a non local user, i.e. not the physical computer in question, i.e. another PC on the network. Have a go: create a share on an XP box, create a user with no password and try and connect using this user account.
Should you want to allow users with no password access, you can change the local security policy, but this isn't really a good idea.

Read kb304040 again. The part you refer to is under the heading:

Behavior that is not caused by turning on Simple File Sharing

Also the full text reads :

Remote users cannot authenticate by using an account that has a blank password. This authentication is configured separately.

It also says:

Simple File Sharing is always turned on in Windows XP Home Edition-based computers. By default, the Simple File Sharing UI is turned on in Windows XP Professional-based computers that are joined to a workgroup

Which describes most home setups I've ever seen, and goes on to say:

Managing levels of access to shares and to files
You can use Simple File Sharing to configure five different levels of access to shares and files:

• Level 1: My Documents (Private)
• Level 2: My Documents (Default)
• Level 3: Files in shared documents available to local users
• Level 4: Shared Files on the Network (Readable by Everyone)
• Level 5: Shared Files on the Network (Readable and Writable by Everyone)

NOTES
• By default, files that are stored in My Documents are at Level 2.
• Levels 1, 2, and 3 folders are available only to a user who is logging on locally. Users who log on locally include a user who logs on to a Windows XP Professional-based computer from a Remote Desktop (RDP) session.
• Levels 4 and 5 folders are available to users who log on locally and remote users from the network.

For your benefit, I have two newly configured PCs ready to ship and can confirm that neither have passwords and can share resources with no problems.

I suspect you've changed the policy manually or by setting up a remote access service which forces this policy, which was the reason for me trying to distinguish between local (inside the LAN) and remote (outside...)
 
I have access to all my shared files, network HDD, shared printers from any PC. I don't know much about the accounts, my (short) password for XP logon is the same for all 3 machines and my folder on the network HDD, they all seem to work OK. I don't have to enter the password to login to the HDD though, it seems entering it once when logging into XP does it. I have admin rights on all the machines.
 
eggplant said:
In all honesty, WPA and a decent password is fine; ideally user accounts should be set up to allow the user just as many rights as they need, but as mentioned, unless you "dig a bit deeper" you only see a limited account or an admin account.
If you lock out the wireless well, and ensure local passwords are decent, then you won't be doing too badly.

Can't argue with that tho. ;)
 