Is my network secure enough now?!?

I've set up a wireless network at home for the first time, having
hopefully read up enough on security to make this a 'safe' proposition.
What I'd like to know is, having taken these steps, can I consider my
wireless network to be fully secure to all intents and purposes (given
that I'm just an ordinary person living in a low-population density
suburb (rather than, say, a corporate user at high risk of attack)?

I have a Linksys WRT54G router connected to always-on broadband, and
have taken the following steps:

1. Changed the router admin login details from the default
2. Changed the default SSID
3. Disabled SSID broadcast
4. Enabled MAC filter (ie only the MAC address of my laptop is allowed
to connect wirelessly)
5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
whatever that means!)
6. Enabled Windows XP firewall on all PCs (plus the router's hardware
firewall).

Does this sound reasonable? Should I really worry about accessing
online banking wirelessly for example, any more than when accessing it
from a wired PC?

--
Thanks
David

Both items 3 & 4 are of minimal to no value as far as security measures are concerned. The best
measure is using WPA, which you have done, with a very long and random key. Personally I use WPA-PSK
(TKIP) with a >25 character totally random ASCII key...

http://www.dslreports.com/faq/wlan/40.0+Security#10907
http://www.dslreports.com/faq/11462

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...


"Lobster" <(E-Mail Removed)> wrote in message
news:3z0re.7460$(E-Mail Removed)...
> I've set up a wireless network at home for the first time, having hopefully read up enough on
> security to make this a 'safe' proposition. What I'd like to know is, having taken these steps,
> can I consider my wireless network to be fully secure to all intents and purposes (given that I'm
> just an ordinary person living in a low-population density suburb (rather than, say, a corporate
> user at high risk of attack)?
>
> I have a Linksys WRT54G router connected to always-on broadband, and have taken the following
> steps:
>
> 1. Changed the router admin login details from the default
> 2. Changed the default SSID
> 3. Disabled SSID broadcast
> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to connect wirelessly)
> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds, whatever that means!)
> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware firewall).
>
> Does this sound reasonable? Should I really worry about accessing online banking wirelessly for
> example, any more than when accessing it from a wired PC?
>
> --
> Thanks
> David

Lobster wrote:
> I've set up a wireless network at home for the first time, having
> hopefully read up enough on security to make this a 'safe' proposition.
> What I'd like to know is, having taken these steps, can I consider my
> wireless network to be fully secure to all intents and purposes (given
> that I'm just an ordinary person living in a low-population density
> suburb (rather than, say, a corporate user at high risk of attack)?
>
> I have a Linksys WRT54G router connected to always-on broadband, and
> have taken the following steps:
>
> 1. Changed the router admin login details from the default
> 2. Changed the default SSID
> 3. Disabled SSID broadcast
> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed
> to connect wirelessly)
> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
> whatever that means!)
> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware
> firewall).
>
> Does this sound reasonable? Should I really worry about accessing
> online banking wirelessly for example, any more than when accessing it
> from a wired PC?
>

So far I haven't been successful with 5 & 6. I take the MAC address is
the numbers/letters on the card that slots into the Notebook adjacent to
the serial number? Group renewal, I was wondering what that was to?

Thanks

--
Keith (Southend)

'Weather Home & Abroad'
http://www.southendweather.net

"Sooner Al [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

[[top post relocated]]

> "Lobster" <(E-Mail Removed)> wrote in message
> news:3z0re.7460$(E-Mail Removed)...
>> I've set up a wireless network at home for the first time, having
>> hopefully read up enough on security to make this a 'safe' proposition.
>> What I'd like to know is, having taken these steps, can I consider my
>> wireless network to be fully secure to all intents and purposes (given
>> that I'm just an ordinary person living in a low-population density
>> suburb (rather than, say, a corporate user at high risk of attack)?
>>
>> I have a Linksys WRT54G router connected to always-on broadband, and have
>> taken the following steps:
>>
>> 1. Changed the router admin login details from the default
>> 2. Changed the default SSID
>> 3. Disabled SSID broadcast
>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to
>> connect wirelessly)
>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>> whatever that means!)
>> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware
>> firewall).
>>
>> Does this sound reasonable? Should I really worry about accessing online
>> banking wirelessly for example, any more than when accessing it from a
>> wired PC?
>>
>> --
>> Thanks
>> David
>
>

> Both items 3 & 4 are of minimal to no value as far as security measures
> are concerned. The best measure is using WPA, which you have done, with a
> very long and random key. Personally I use WPA-PSK (TKIP) with a >25
> character totally random ASCII key...
>
> http://www.dslreports.com/faq/wlan/40.0+Security#10907
> http://www.dslreports.com/faq/11462
>
> --
>
> Al Jarvi (MS-MVP Windows Networking)
>

What Al told the O.P. isn't really true. Disabling SSID and enabling MAC
filtering will thwart all but the most devious and dedicated hackers who are
out crusiing the neighborhhod packet sniffing and looking to break in-- a
very small number of people indeed. The average Joe won't even see his
network-- much less get in.

It's like the lock on your front door or your car door. It can be defeated--
but only by those who really want to do that and have the technical knowhow
and tools.. The O.P. has good enough security for most situations most of
the time.

And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much
tougher to defeat--- even by a techonerd....

Doc

On 12-Jun-2005, Lobster <(E-Mail Removed)> wrote:

> I have a Linksys WRT54G router connected to always-on broadband, and
> have taken the following steps:
>
> 1. Changed the router admin login details from the default
> 2. Changed the default SSID
> 3. Disabled SSID broadcast
> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed
> to connect wirelessly)
> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
> whatever that means!)
> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware
> firewall).
>
> Does this sound reasonable? Should I really worry about accessing
> online banking wirelessly for example, any more than when accessing it
> from a wired PC?
>
> --
> Thanks
> David



I would just add that you use a long nonsense passphrase as your encryption
key. An example is:

p8Y38LdIzIG3_AUqzQTwLfMyL2TSWAqgKlh9izvmI9DrE2EMGT b7F3Y2sNxS4MG


--
Just Me, D

Well, first lets be clear on what I said and that was..."The best measure is using WPA, which you
have done..."

Now I agree that WPA using AES is better, but WPA, whatever flavor you use is better than WEP. It
simply depends on what your hardware supports. Mine supports WPA (TKIP), but not AES...

Secondly, security through obscurity is simply no security... Not to mention some clients simply can
not connect to a wireless network if the SSID is not broadcast. That is a fact...

Later...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...


"J.H. Holliday" <doc@okcorral> wrote in message news:Y-GdnZxeA4JaNjHfRVn-(E-Mail Removed)...
> "Sooner Al [MVP]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
> [[top post relocated]]
>
>> "Lobster" <(E-Mail Removed)> wrote in message
>> news:3z0re.7460$(E-Mail Removed)...
>>> I've set up a wireless network at home for the first time, having hopefully read up enough on
>>> security to make this a 'safe' proposition. What I'd like to know is, having taken these steps,
>>> can I consider my wireless network to be fully secure to all intents and purposes (given that
>>> I'm just an ordinary person living in a low-population density suburb (rather than, say, a
>>> corporate user at high risk of attack)?
>>>
>>> I have a Linksys WRT54G router connected to always-on broadband, and have taken the following
>>> steps:
>>>
>>> 1. Changed the router admin login details from the default
>>> 2. Changed the default SSID
>>> 3. Disabled SSID broadcast
>>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to connect wirelessly)
>>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds, whatever that means!)
>>> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware firewall).
>>>
>>> Does this sound reasonable? Should I really worry about accessing online banking wirelessly for
>>> example, any more than when accessing it from a wired PC?
>>>
>>> --
>>> Thanks
>>> David
>>
>>
>
>> Both items 3 & 4 are of minimal to no value as far as security measures are concerned. The best
>> measure is using WPA, which you have done, with a very long and random key. Personally I use
>> WPA-PSK (TKIP) with a >25 character totally random ASCII key...
>>
>> http://www.dslreports.com/faq/wlan/40.0+Security#10907
>> http://www.dslreports.com/faq/11462
>>
>> --
>>
>> Al Jarvi (MS-MVP Windows Networking)
>>
>
> What Al told the O.P. isn't really true. Disabling SSID and enabling MAC filtering will thwart all
> but the most devious and dedicated hackers who are out crusiing the neighborhhod packet sniffing
> and looking to break in-- a very small number of people indeed. The average Joe won't even see his
> network-- much less get in.
>
> It's like the lock on your front door or your car door. It can be defeated-- but only by those
> who really want to do that and have the technical knowhow and tools.. The O.P. has good enough
> security for most situations most of the time.
>
> And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much tougher to defeat---
> even by a techonerd....
>
> Doc

J.H. Holliday wrote:
> "Sooner Al [MVP]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
> [[top post relocated]]
>
>> "Lobster" <(E-Mail Removed)> wrote in message
>> news:3z0re.7460$(E-Mail Removed)...
>>> I've set up a wireless network at home for the first time, having
>>> hopefully read up enough on security to make this a 'safe' proposition.
>>> What I'd like to know is, having taken these steps, can I consider my
>>> wireless network to be fully secure to all intents and purposes (given
>>> that I'm just an ordinary person living in a low-population density
>>> suburb (rather than, say, a corporate user at high risk of attack)?
>>>
>>> I have a Linksys WRT54G router connected to always-on broadband, and have
>>> taken the following steps:
>>>
>>> 1. Changed the router admin login details from the default
>>> 2. Changed the default SSID
>>> 3. Disabled SSID broadcast
>>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to
>>> connect wirelessly)
>>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>>> whatever that means!)
>>> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware
>>> firewall).
>>>
>>> Does this sound reasonable? Should I really worry about accessing online
>>> banking wirelessly for example, any more than when accessing it from a
>>> wired PC?
>>>
>>> --
>>> Thanks
>>> David
>>
>>
>
>> Both items 3 & 4 are of minimal to no value as far as security measures
>> are concerned. The best measure is using WPA, which you have done, with a
>> very long and random key. Personally I use WPA-PSK (TKIP) with a >25
>> character totally random ASCII key...
>>
>> http://www.dslreports.com/faq/wlan/40.0+Security#10907
>> http://www.dslreports.com/faq/11462
>>
>> --
>>
>> Al Jarvi (MS-MVP Windows Networking)
>>
>
> What Al told the O.P. isn't really true. Disabling SSID and enabling MAC
> filtering will thwart all but the most devious and dedicated hackers who are
> out crusiing the neighborhhod packet sniffing and looking to break in-- a
> very small number of people indeed. The average Joe won't even see his
> network-- much less get in.
>
> It's like the lock on your front door or your car door. It can be defeated--
> but only by those who really want to do that and have the technical knowhow
> and tools.. The O.P. has good enough security for most situations most of
> the time.
>
> And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much
> tougher to defeat--- even by a techonerd....
>
> Doc

I agree that disabling the SSID is a good thing. When people with Wi-Fi click on
"view wireless networks"... they will not see you. Their curiosity will not be
peeked to the point where they start thinking... "I wonder who that is... I
wonder if my computer hacker friend Fred can get into this network?" The
argument against hiding the SSID is that you are not being a good neighbor and
those folks won't know to avoid your channel. So... you can take the attitude
that you will police the neighborhood and avoid other Wi-Fi channels that are in
use. Of course you may not be the only one with that attitude and channel
conflicts can occur. So what to do. I hide my SSID.
I also use MAC filtering. Why not... it's easy and one more layer of protection.

Lobster <(E-Mail Removed)> wrote in
news:3z0re.7460$(E-Mail Removed):

> Should I really worry about accessing
> online banking wirelessly for example, any more than when
> accessing it from a wired PC?
>

When you access a security-sensitive site e.g. online banking or
shopping checkout, you will** be using a secure HTTPS connection
irrespective of how you connect. That means data is encrypted end-to-
end between your PC and the bank or store.

If you have set up your wireless LAN to provide WPA encryption, the
data is encrypted a second time whilst in transit on your wireless
LAN, using a key that is typically changed every 60 minutes. So the
answer to your question is "No".

** If not, consider changing - NOW!

On 12-Jun-2005, McSpreader <(E-Mail Removed)> wrote:

> Lobster <(E-Mail Removed)> wrote in
> news:3z0re.7460$(E-Mail Removed):
>
> > Should I really worry about accessing
> > online banking wirelessly for example, any more than when
> > accessing it from a wired PC?
> >
>
> When you access a security-sensitive site e.g. online banking or
> shopping checkout, you will** be using a secure HTTPS connection
> irrespective of how you connect. That means data is encrypted end-to-
> end between your PC and the bank or store.
>
> If you have set up your wireless LAN to provide WPA encryption, the
> data is encrypted a second time whilst in transit on your wireless
> LAN, using a key that is typically changed every 60 minutes. So the
> answer to your question is "No".
>
> ** If not, consider changing - NOW!

I agree. Still, and I know it's paranoia, when I make puchases online or do
my online banking, I use a wired connection.

--
Just Me, D

"DanR" <(E-Mail Removed)> wrote:
>J.H. Holliday wrote:
>> "Sooner Al [MVP]" <(E-Mail Removed)> wrote:
>>>>
>>>> 3. Disabled SSID broadcast
>>>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to
>>>> connect wirelessly)
>>>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>>>> whatever that means!)
....
>>> Both items 3 & 4 are of minimal to no value as far as security measures
>>> are concerned. The best measure is using WPA, which you have done, with a
....
>> What Al told the O.P. isn't really true. Disabling SSID and enabling MAC

Actually, it is *precisely* true.

>> filtering will thwart all but the most devious and dedicated hackers who are
>> out crusiing the neighborhhod packet sniffing and looking to break in-- a
>> very small number of people indeed. The average Joe won't even see his
>> network-- much less get in.

Okay, so you are saying that it keeps the harmless people out,
and only those who are most likely to do you real harm can get
in. Not good.

>I agree that disabling the SSID is a good thing. When people with Wi-Fi click on
>"view wireless networks"... they will not see you.

Generally that is a good thing too.

>Their curiosity will not be
>peeked to the point where they start thinking... "I wonder who that is... I
>wonder if my computer hacker friend Fred can get into this network?"

And if it is, he's using WPA to keep them out. Because SSID,
MAC filtering and WEP certainly won't.

>The
>argument against hiding the SSID is that you are not being a good neighbor and
>those folks won't know to avoid your channel.

That isn't a case of being a good neighbor, it's a case of being
a smart neighbor. If they don't see your network, they can't
plan to avoid it. So, they look, and see everyone except you,
and plonk down right on the same channel you chose. They just
happen to have a big antenna and good receivers, so you don't
bother them at all, but they cause just enough interference to
reduce your bit rate from 54 to 4 Mbps, but only intermittantly.

Not good!


>So... you can take the attitude
>that you will police the neighborhood and avoid other Wi-Fi channels that are in
>use. Of course you may not be the only one with that attitude and channel
>conflicts can occur. So what to do. I hide my SSID.

What for?

>I also use MAC filtering. Why not... it's easy and one more layer of protection.

Sure. Protection that causes *you* far more inconvenience
than it does someone intent on hacking into your network!

Not good...

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)