security on a wlan

I get the impression from reading the messages on this newsgroup that the
only security settings in the router one really needs in a home wireless LAN
are:
a) change the SSID from the default
b) use WPA-PSK

Is it really the consensus that things like
c) not broadcasting the SSID
d) MAC filtering
e) IP filtering
f) setting router firewall rules
etc.
that are available in the router settings are a waste of time and can be
ignored?

Thank you.

Jeff

(E-Mail Removed) <(E-Mail Removed)> wrote:
> I get the impression from reading the messages on this newsgroup that
> the only security settings in the router one really needs in a home
> wireless LAN are:
> a) change the SSID from the default
> b) use WPA-PSK
>
> Is it really the consensus that things like
> c) not broadcasting the SSID

If you do that, it will probably cause problems; don't.

> d) MAC filtering

You can, but MAC addresses are easily spoofed, so I don't bother

> e) IP filtering

Not sure what that means in this context

>> f) setting router firewall rules

Also not sure what that means. You should have these anyway...nothing
inbound should be allowed by default.

> etc.
> that are available in the router settings are a waste of time and can
> be ignored?
>
> Thank you.
>
> Jeff

not broadcasting the SSID isn't any kind of security.
MAC and IP filtering can be used in ADDITION to WPA2 (or WPA if you
can't implement WPA2).

firewall rules really are more for application/ports and need to be
used for things like FTP, some games, etc.

On Sun, 27 Jul 2008 07:28:25 -0400, "(E-Mail Removed)"
<(E-Mail Removed)> wrote:

>Is it really the consensus that things like
> c) not broadcasting the SSID
> d) MAC filtering
> e) IP filtering
> f) setting router firewall rules
> etc.
>that are available in the router settings are a waste of time and can be
>ignored?
--

Barb Bowman
MS-MVP
http://www.microsoft.com/windowsxp/e...ts/bowman.mspx
http://blogs.digitalmediaphile.com/barb/
http://digitalmediaphile.wordpress.com

Thank you Barb. That is what I thought but some recent comments on this
newslist lead me to believe that MAC filtering "added little if anything",
which is why I asked.

I already have MAC filtering implemented in my home wlan in addition to WPA.

I assume if one decides to implements IP filtering, it would be necessary to
assign IP addresses to the 3 PCs in my home network instead of their present
setting of:
"Obtain an IP address automatically" and
"Obtain DNS server address automatically".

If I "assign" a specific IP address to a laptop, will it still be able to
also connect with a wireless hotel network in a hotel room? Or, will the
assigned IP address prevent such connections?

Thank you.

Jeff


Barb Bowman wrote:
> not broadcasting the SSID isn't any kind of security.
> MAC and IP filtering can be used in ADDITION to WPA2 (or WPA if you
> can't implement WPA2).
>
> firewall rules really are more for application/ports and need to be
> used for things like FTP, some games, etc.
>
> On Sun, 27 Jul 2008 07:28:25 -0400, "(E-Mail Removed)"
> <(E-Mail Removed)> wrote:
>
>> Is it really the consensus that things like
>> c) not broadcasting the SSID
>> d) MAC filtering
>> e) IP filtering
>> f) setting router firewall rules
>> etc.
>> that are available in the router settings are a waste of time and
>> can be ignored?

(E-Mail Removed) wrote:
> Thank you Barb. That is what I thought but some recent comments on this
> newslist lead me to believe that MAC filtering "added little if anything",
> which is why I asked.
>
> I already have MAC filtering implemented in my home wlan in addition to WPA.
>
> I assume if one decides to implements IP filtering, it would be necessary to
> assign IP addresses to the 3 PCs in my home network instead of their present
> setting of:
> "Obtain an IP address automatically" and
> "Obtain DNS server address automatically".
>
> If I "assign" a specific IP address to a laptop, will it still be able to
> also connect with a wireless hotel network in a hotel room? Or, will the
> assigned IP address prevent such connections?
>
> Thank you.
>
> Jeff

If you want to do some reading on the usefulness of SSID hiding and MAC
filtering, see
http://blogs.technet.com/steriley/ar...ess-ssids.aspx

Yes, it would be a good idea to use static IPs if you are only going to
permit certain IPs to have access. Don't forget to also set the default
gateway IP address.

For best results, change your NIC to obtain an IP address automatically
when using a public network (like one in a hotel).

--
Lem -- MS-MVP

To the moon and back with 2K words of RAM and 36K words of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
http://history.nasa.gov/afj/compessay.htm

MAC filtering will only deter the truly unmotivated or unskilled. It's
not that hard to spoof a MAC address. That said, if you only ever expect
to connect the same 3 machines to your wireless network then it doesn't
hurt to implement it as a small extra hurdle.

Just remember than when your cousin Sue comes to visit and wants to use
her laptop on your wireless than you're going to have to log into your
WAP and add her MAC address. So there is a bit of administrative
overhead.

--
-Ben-
Ben M. Schorr, MVP
Roland Schorr & Tower
http://www.rolandschorr.com
http://www.officeforlawyers.com
Author - The Lawyer's Guide to Microsoft Outlook 2007:
http://tinyurl.com/5m3f5q



"(E-Mail Removed)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed):

> Thank you Barb. That is what I thought but some recent comments on this
> newslist lead me to believe that MAC filtering "added little if anything",
> which is why I asked.
>
> I already have MAC filtering implemented in my home wlan in addition to WPA.
>
> I assume if one decides to implements IP filtering, it would be necessary to
> assign IP addresses to the 3 PCs in my home network instead of their present
> setting of:
> "Obtain an IP address automatically" and
> "Obtain DNS server address automatically".
>
> If I "assign" a specific IP address to a laptop, will it still be able to
> also connect with a wireless hotel network in a hotel room? Or, will the
> assigned IP address prevent such connections?
>
> Thank you.
>
> Jeff
>
>
> Barb Bowman wrote:
>
> > not broadcasting the SSID isn't any kind of security.
> > MAC and IP filtering can be used in ADDITION to WPA2 (or WPA if you
> > can't implement WPA2).
> >
> > firewall rules really are more for application/ports and need to be
> > used for things like FTP, some games, etc.
> >
> > On Sun, 27 Jul 2008 07:28:25 -0400, "(E-Mail Removed)"
> > <(E-Mail Removed)> wrote:
> >
>
> >> Is it really the consensus that things like
> >> c) not broadcasting the SSID
> >> d) MAC filtering
> >> e) IP filtering
> >> f) setting router firewall rules
> >> etc.
> >> that are available in the router settings are a waste of time and
> >> can be ignored?

Lem wrote:
> (E-Mail Removed) wrote:
>> Thank you Barb. That is what I thought but some recent comments on
>> this newslist lead me to believe that MAC filtering "added little if
>> anything", which is why I asked.
>>
>> I already have MAC filtering implemented in my home wlan in addition
>> to WPA. I assume if one decides to implements IP filtering, it would be
>> necessary to assign IP addresses to the 3 PCs in my home network
>> instead of their present setting of:
>> "Obtain an IP address automatically" and
>> "Obtain DNS server address automatically".
>>
>> If I "assign" a specific IP address to a laptop, will it still be
>> able to also connect with a wireless hotel network in a hotel room?
>> Or, will the assigned IP address prevent such connections?
>>
>> Thank you.
>>
>> Jeff
>
> If you want to do some reading on the usefulness of SSID hiding and
> MAC filtering, see
> http://blogs.technet.com/steriley/ar...ess-ssids.aspx
>
> Yes, it would be a good idea to use static IPs if you are only going
> to permit certain IPs to have access. Don't forget to also set the
> default gateway IP address.
>
> For best results, change your NIC to obtain an IP address
> automatically when using a public network (like one in a hotel).

Excellent article. Thank you very much.

Jeff

Hi
From the weakest to the strongest, Wireless security capacity is.
No Security
MAC______(Band Aid if nothing else is available).
WEP64____(Easy, to "Break" by knowledgeable people).
WEP128___(A little Harder, but "Hackable" too).
WPA-PSK__(Very Hard to Break).
WPA-AES__(Not functionally Breakable)
WPA2____ (Not functionally Breakable).
Note 1: WPA-AES the the current entry level rendition of WPA2.
Note 2: If you use WinXP and did not updated it you would have to download
the WPA2 patch from Microsoft. http://support.microsoft.com/kb/893357
The documentation of your Wireless devices (Wireless Router, and Wireless
Computer's Card) should state the type of security that is available with
your Wireless hardware.
All devices MUST be set to the same security level using the same pass
phrase.
Therefore the security must be set according what ever is the best possible
of one of the Wireless devices.
I.e. even if most of your system might be capable to be configured to the
max. with WPA2, but one device is only capable to be configured to max . of
WEP, to whole system must be configured to WEP.
If you need more good security and one device (like a Wireless card that can
do WEP only) is holding better security for the whole Network, replace the
device with a better one.
Setting Wireless Security - http://www.ezlan.net/Wireless_Security.html
The Core differences between WEP, WPA, and WPA2 -
http://www.ezlan.net/wpa_wep.html
Jack (MVP-Networking).

"(E-Mail Removed)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I get the impression from reading the messages on this newsgroup that the
>only security settings in the router one really needs in a home wireless
>LAN are:
> a) change the SSID from the default
> b) use WPA-PSK
>
> Is it really the consensus that things like
> c) not broadcasting the SSID
> d) MAC filtering
> e) IP filtering
> f) setting router firewall rules
> etc.
> that are available in the router settings are a waste of time and can be
> ignored?
>
> Thank you.
>
> Jeff
>

Thanks Jack. Very informative.

Jeff

Jack (MVP-Networking). wrote:
> Hi
> From the weakest to the strongest, Wireless security capacity is.
> No Security
> MAC______(Band Aid if nothing else is available).
> WEP64____(Easy, to "Break" by knowledgeable people).
> WEP128___(A little Harder, but "Hackable" too).
> WPA-PSK__(Very Hard to Break).
> WPA-AES__(Not functionally Breakable)
> WPA2____ (Not functionally Breakable).
> Note 1: WPA-AES the the current entry level rendition of WPA2.
> Note 2: If you use WinXP and did not updated it you would have to
> download the WPA2 patch from Microsoft.
> http://support.microsoft.com/kb/893357 The documentation of your Wireless
> devices (Wireless Router, and
> Wireless Computer's Card) should state the type of security that is
> available with your Wireless hardware.
> All devices MUST be set to the same security level using the same pass
> phrase.
> Therefore the security must be set according what ever is the best
> possible of one of the Wireless devices.
> I.e. even if most of your system might be capable to be configured to
> the max. with WPA2, but one device is only capable to be configured
> to max . of WEP, to whole system must be configured to WEP.
> If you need more good security and one device (like a Wireless card
> that can do WEP only) is holding better security for the whole
> Network, replace the device with a better one.
> Setting Wireless Security -
> http://www.ezlan.net/Wireless_Security.html The Core differences between
> WEP, WPA, and WPA2 -
> http://www.ezlan.net/wpa_wep.html
> Jack (MVP-Networking).
>
> "(E-Mail Removed)" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I get the impression from reading the messages on this newsgroup
>> that the only security settings in the router one really needs in a
>> home wireless LAN are:
>> a) change the SSID from the default
>> b) use WPA-PSK
>>
>> Is it really the consensus that things like
>> c) not broadcasting the SSID
>> d) MAC filtering
>> e) IP filtering
>> f) setting router firewall rules
>> etc.
>> that are available in the router settings are a waste of time and
>> can be ignored?
>>
>> Thank you.
>>
>> Jeff

"(E-Mail Removed)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I get the impression from reading the messages on this newsgroup that the
>only security settings in the router one really needs in a home wireless
>LAN are:
> a) change the SSID from the default
> b) use WPA-PSK
>
> Is it really the consensus that things like
> c) not broadcasting the SSID
> d) MAC filtering
> e) IP filtering
> f) setting router firewall rules
> etc.
> that are available in the router settings are a waste of time and can be
> ignored?


Yep. Pretty much exactly that. There are a couple variations of WPA,..any
of them are pretty good.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------