«

> Be aware that you will incur a significant overhead by setting up
> encryption. IIRC it was about 30% when I last set one up at work.

There are many variable which determine whether it's an issue. For most
home users, 30% less performance than say a max of 22Mbps leaves me with
15Mbps which is *still* faster than my internet connection.

> Personally I don't bother with any security on the wireless component
> of my network. If anyone is stealing my bandwidth it hasn't been
> noticable.

If you think that stealing bandwidth is the only concern you should have
then think again.

> Why do you think you need it?

Well for starters, I'd like to collect my email from a client. I don't
have the desire to use a web based email client doing SSL from home. I
quite like being wireless at home and so I think that being able to
collect email via say POP3 is ok for me. However, POP3 is clear text
authentication as is the resultant traffic. What a great way to begin
an identity theft experiment for someone sniffing.

With the wireless portion encrypted, the simple eavesdropping won't
succeed and neither will the kiddie porn get downloaded over my
connection nor will my connection end up being used by a spammer. I
don't consider any of these likely knowing where I live but there's no
reason why not.

Those are just examples.

David.

David Taylor wrote:
>>it's one aspect of security, and MAC filtering gives you that aspect,
>>which is all many people want.
>
>
> Well since the original poster hasn't said whether he wan't security or
> to just keep accidental stumblers off his network we won't know.
>
>
>>Just because you want *more* security doesn't mean MAC filtering is
>>*no* security.
>
>
> I'd just want some rather than nothing. MAC filtering prevents people
> from associating for the amount of time it takes them to run a sniffer
> and spoof their MAC address. That in my mind is no security from either
> association and certainly no security of the data packets in transit so
> I still call that no security.
>
> If you are happy with the illusion that MAC filtering provides your
> network with some security, i'm happy for you! Just let me know
> where you live.
>
> David.
I've been following this thread with some interest as I took my laptop
to work on the train the other day, initially I was looking for an
access point in the station but noticed a number of open wireless
networks which didn't seem to be commercial setups so I kept on scanning
during the journey, I reckon I found 40-50 open & unencrypted networks
during the 1 hour journey. I found this quite shocking really
particularly as the tools are there to make it fairly easy to enable
encryption on wireless kit.

I realise that encryption isn't foolproof but it'll deter the casual hacker.

For the effort involved I would:
1. enable MAC filtering.
2. turn off SSID broadcast
3. choose a different SSID from the default
4. turn on encryption


It should only take a few minutes to set it all up, & once done you can
forget all about it.

> access point in the station but noticed a number of open wireless
> networks which didn't seem to be commercial setups so I kept on scanning
> during the journey, I reckon I found 40-50 open & unencrypted networks
> during the 1 hour journey. I found this quite shocking really

I'm surprised you found so few. I drove around the city here and in 15
minutes had found 270 of which half were (apparently) unencrypted, some
commercial. This was only with netstumbler although I did the same
route last week and found 277 with kismet so very little difference.

> I realise that encryption isn't foolproof but it'll deter the casual hacker.

Yes but again, if it's just the casual hacker that you're looking to
deter then:-

> For the effort involved I would:
> 1. enable MAC filtering.

Does not deter even a casual hacker who has the intent on spoofing and
if it's to avoid people falling onto your network by accident then (4)
does this already.

> 2. turn off SSID broadcast

Does not in any way hide the SSID, it's in the frames and kismet,
wellenrieter etc pick it up just fine. Just makes it harder for other
people to avoid your channel and you end up with interference. Also
breaks some client functionality. The only people you're hiding from
here are the XP zero config clients and they're not your worry anyway.

> 3. choose a different SSID from the default

Ok but only so as to not look like a target. Nothing like a ripe
company with an SSID which matches the company name.

> 4. turn on encryption

Which deters the accidental person connecting, provides some security
and hopefully deters the lazy hacker who may seek other low hanging
fruit. This is the only one of the above that is really in the realms
of any security despite what you might read on the web, much of it which
is several years old in principle and has never been updated.

David.

On Mon, 03 Oct 2005 18:25:25 GMT, Geoffrey
<> wrote:

> Personally I don't bother with any security on the wireless component
> of my network. If anyone is stealing my bandwidth it hasn't been
> noticable.
>
> Why do you think you need it?

The majority of ISP's don't provide anything but plain text
authentication for POP3 mail servers, some ISPs (e.g. Pipex) require
that you log onto their news server (i.e. Giganews) using your main
login account details, ..... If I were a Pipex user (which I was once
upon a time) then I'd be a bit reluctant to let anyone capture my
main login account details since they could then use up my 10GB/month
limit from Giganews (i.e. you can log onto Giganews with Pipex login
info even if you are not on a Pipex connection - just as you can to
most POP3 servers).

So I'd say that there are a couple of very good reasons for doing
everything possible to prevent people from sniffing your WLAN traffic.

On Mon, 03 Oct 2005 18:25:25 GMT, Geoffrey <>
wrote:

>On Sun, 02 Oct 2005 11:20:40 GMT, David Taylor <>
>wrote:
>
>>> Have you got any suggestions then please?
>>
>>WPA with a strong passphrase (strong, non dictionary phrase, greater
>>than 20 characters, non a-z characters.
>>
>>You haven't actually said what it is that you'd like to achieve from a
>>security standpoint.
>>
>Be aware that you will incur a significant overhead by setting up
>encryption. IIRC it was about 30% when I last set one up at work.
>

Which for most home networks would be imperceptible, as they will very
rarely use it to anywhere near capacity.

Although it shouldn't be anywhere near that high anyhow.

>Personally I don't bother with any security on the wireless component
>of my network. If anyone is stealing my bandwidth it hasn't been
>noticable.
>
>Why do you think you need it?

Because only people who never access anything that needs a password,
and never use credit cards on line don't need it.

And even then, they could well find themselves struggling to prove it
wasn't them if the person piggybacking on their account starts using
the connection for illegal activities.

Or if said person starts breaching your ISPs AQUP, you could well lose
your account with no comeback.

There is no reasonable reason NOT to secure your network as much as
you can.
--
Alex Heney, Global Villager
Take my advice, I don't use it anyway.
To reply by email, my address is alexATheneyDOTplusDOTcom

On Mon, 03 Oct 2005 20:03:56 GMT, martyn
<> wrote:

> I've been following this thread with some interest as I took my laptop
> to work on the train the other day, initially I was looking for an
> access point in the station but noticed a number of open wireless
> networks which didn't seem to be commercial setups so I kept on scanning
> during the journey, I reckon I found 40-50 open & unencrypted networks
> during the 1 hour journey. I found this quite shocking really
> particularly as the tools are there to make it fairly easy to enable
> encryption on wireless kit.

So how did you know that these WLANs were really 'open', unless you
connected and tried to transfer traffic ?

> I realise that encryption isn't foolproof but it'll deter the casual hacker.
>
> For the effort involved I would:
> 1. enable MAC filtering.
> 2. turn off SSID broadcast
> 3. choose a different SSID from the default
> 4. turn on encryption
>
> It should only take a few minutes to set it all up, & once done you can
> forget all about it.

Alternatively do what I do :-

1. disable MAC filtering
2. turn on SSID broadcast
3. choose a SSID which clearly identies it as your network [1]
4. turn off encryption [1]
5. only permit VPN traffic between the WLAN and any other network
(and only allow VPN authentication through certificates, not
PSKs).

It only takes a few minutes to set up. Maybe if you were passing
you'd find it "quite shocking" since you might mistakenly think it was
insecure, but believe me, the VPN I use is far more secure than WEP
or WPA-PSK.

[1] Well to be honest if my WLAN gateway does detect uninvited
'guests' on the WLAN, then WPA is automatically enabled with one
of several different PSKs and the SSID is automatically changed
so that legitimate clients know which PSK to use. The effect on
legitimate clients is a brief pause in communication, but since
the VPN stays up, no TCP/UDP connections are affected. The effect
on uninvited guests (there are two script kiddies in the vicinity
who regularly find new 'toys' to play with) is that, hopefully,
they get a bit annoyed; and to try and make sure that they do, I
often set the WLAN up to use WEP by default, and then let the
automatated system switch the encryption to WPA as as soon as
they've cracked the WEP key (which is never re-used, of course)
and connected to the AP

Dave Dowson wrote:

> 1. disable MAC filtering
> 2. turn on SSID broadcast
> 3. choose a SSID which clearly identies it as your network [1]
> 4. turn off encryption [1]
> 5. only permit VPN traffic between the WLAN and any other network
> (and only allow VPN authentication through certificates, not
> PSKs).

Maybe I'm just demonstrating my ignorance, but doesn't VPN require a VPN
server on the other end? If I was an authorized user on your WLAN, how
would I browse the Internet?
--
derek

On Mon, 03 Oct 2005 21:23:33 GMT, David Taylor <>
wrote:

[ntl newsgroups dropped because Newsguy doesn't carry them]

>I drove around the city here and in 15
>minutes had found 270 of which half were (apparently) unencrypted, some
>commercial.

Don't assume that just because it's not encrypted, it's also insecure.

The local hospital wireless system is a good example. It shows up as
unencrypted. Anyone can connect. However, they're greeted with an
SSL encrypted splash web page that demands a user name and password
(along with some instructions). Once you login, all traffic is SSL
encrypted. It also delivers a magic cookie for temporary
authentication making session hijacking difficult. At first glance,
this would appear to be insecure, but it's really quite secure.

The same thing with VPN over wireless. The wireless connection is
unencrypted. However, all traffic is configured to go to the VPN
server. All ports are blocked except those required for the VPN. The
only way to get anywhere is to fire up the VPN client. All traffic
appears encrypted by the VPN tunnel.

There is an issue with client-to-client security on such systems, but
most access points have a "client isolation" feature that prevents
unencrypted bridging between connected clients.

While I'm ranting on security, I have a really bad attitude about
security by group rather than by individual. Having a common WEP or
WPA key for a system is rediculous. The chances of social engineering
or simple theft causing the key to leak out is far to risky to even
consider WEP or WPA a useable security mechanism. Would you trust
your co-worker with *YOUR* system passwords? Encryption should be
individualized so that a leak or security breach by one person does
not compromise the rest of the users or the rest of the system.

--
Jeff Liebermann
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

In message <lkqa13-> Derek Broughton
<> wrote:

>Dave Dowson wrote:
>
>> 1. disable MAC filtering
>> 2. turn on SSID broadcast
>> 3. choose a SSID which clearly identies it as your network [1]
>> 4. turn off encryption [1]
>> 5. only permit VPN traffic between the WLAN and any other network
>> (and only allow VPN authentication through certificates, not
>> PSKs).
>
>Maybe I'm just demonstrating my ignorance, but doesn't VPN require a VPN
>server on the other end? If I was an authorized user on your WLAN, how
>would I browse the Internet?

Yes.

Personally, I don't run MAC filtering, WEP, WPA, or anything else...
However, the only services you'll get on my wireless LAN are a DNS
server and a VPN server. Depending on which firewall I'm using, the
only query the DNS server will answer is the VPN server's IP, it doesn't
even resolve on it's own, it's just there so that I can use the same VPN
icon on my desktop when I'm on my wireless network or when I'm
traveling.

Anyone with the ability to break my VPN's encryption will have better
things to do then monitor my wireless traffic

--
If electricity comes from electrons, where does morality come from?

On Tue, 04 Oct 2005 14:27:16 -0300, Derek Broughton
<> wrote:

> Maybe I'm just demonstrating my ignorance, but doesn't VPN require a VPN
> server on the other end? If I was an authorized user on your WLAN, how
> would I browse the Internet?

You just connect to my VPN server