RESET Forums (homeservershow.com)

Protect Yourself


mrossco

I've been spending a lot of time playing with Vail's new streaming capabilities. Armed with a library of 18,000+ songs, I've been leaving my iPod in my gym bag and streaming music to my work laptop wherever I go. Barring a few minor issues, the experience has been great! However, I stumbled across an old Astaro blog post, and it got me thinking. If I start using the remote access features of my Home Server more often, just how safe am I?

 

Tips for securing your WiFi Connection (Astaro)

http://www.astaro.com/blog/security-perspectives/tips-for-securing-your-wifi-connection

 

Original NPR blog post:

http://www.npr.org/blogs/alltechconsidered/2009/06/protecting_yourself_in_the_wif.html

Link to comment
Share on other sites

With regard to wireless, I'm still strongly of the opinion that if you are using WPA2-AES then you don't have to worry about silly things like MAC filtering or hiding the SSID. They just make it harder for you to use legitimately and don't really add any protection.

Link to comment
Share on other sites

MAC-filtering and SSID broadcast hiding are useless..

Your client's MAC address is sent in the headers of every packet you send to your wlan-ap, and the headers are unencrypted. So it's only a matter of downloading a tool like Kismet, listening for about .2 seconds of traffic, and you've circumvented MAC-filtering.

Likewise for SSID hiding. According to the specification, there are five cases of when your SSID is broadcast. The "hide SSID" only turns off one of them. Every time you connect to the AP, for one, your SSID is broadcast in the packet headers unencrypted and readable by anyone within reasonable distance.. or unreasonable, if someone is being crafty and using a high-gain antenna.

Of course there's also no such thing as unbreakable encryption (with the exception of one time pad, but let's not go there), but currently the only way to break WPA2-AES is brute force. Just select a suitably long passphrase, and you're good.

Link to comment
Share on other sites
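Added example, not part of any post in this thread: a parser for the fixed 24-byte header of an 802.11 data frame, showing that the addresses stay readable even when the Protected flag marks the body as encrypted, which is why a MAC allow-list is not an access control. The sample frame and its addresses are constructed for illustration.

```python
import struct

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_80211_data_header(frame: bytes) -> dict:
    """Parse the 24-byte MAC header of a (non-QoS, 3-address) 802.11 data frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte 802.11 MAC header")
    # Frame Control is two bytes: type/subtype in the first, flags in the second.
    fc0, flags, _duration = struct.unpack_from("<BBH", frame, 0)
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled here")
    return {
        "protected": bool(flags & 0x40),    # body is encrypted (e.g. CCMP)
        "to_ds": to_ds,
        "receiver": _mac(frame[4:10]),      # Address 1
        "transmitter": _mac(frame[10:16]),  # Address 2
        "address3": _mac(frame[16:22]),     # Address 3
        "encrypted_body_len": len(frame) - 24,
    }

# Constructed sample: client -> AP data frame, Protected bit set.
# Addresses use the locally administered 02:... range.
SAMPLE_FRAME = bytes.fromhex(
    "0841"          # Frame Control: data frame, flags ToDS | Protected
    "2c00"          # Duration
    "020000000001"  # Address 1: AP (BSSID)
    "0200000000aa"  # Address 2: client station
    "0200000000ff"  # Address 3: final destination
    "1000"          # Sequence Control
) + bytes(8) + bytes(range(16))  # placeholder CCMP header + ciphertext

if __name__ == "__main__":
    hdr = parse_80211_data_header(SAMPLE_FRAME)
    # The body is opaque, but the client address is read without any key.
    print(hdr)
```
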

MAC-filtering and SSID broadcast hiding are not useless. It's just not enough to protect yourself.

Link to comment
Share on other sites

I've had issues with legitimately connecting to SSIDs that weren't broadcast, so I almost never use that feature as it provides little added protection. I do, however, take advantage of MAC filtering. The art of security is to make it just difficult enough to deter unwanted individuals from accessing your network (kind of like the whole risk vs. reward thing). MAC Filtering may not add much protection, but it's also easy to configure on most routers. It also forces me to verify settings every time I want to grant an additional device access to my network.

 

One take-away I have from these blog posts is to make sure I have at least WPA2/AES running and to make sure all my devices support it.

Link to comment
Share on other sites

 

To that end, devices in my home that can't run WPA2-AES are configured to reach the guest network, which only grants access to the internet. No internal access for those devices. Since they tend to be Nintendo DS' in my home, no big deal as those devices not capable of running that security generally only need to get to the net anyhow. WNDR3700 provides plenty of flexibility there.

 

No WPA2-AES, no internal network access.

 

Jim

Link to comment
Share on other sites

MAC-filtering and SSID broadcast hiding will probably be enough to stop your neighbors from using your connection. I agree that it's not enough to stop hackers.

 

I see those 2 like the locks on the bank doors. It's enough to stop honest people from walking in when they're not supposed to.

Link to comment
Share on other sites

I see it more like putting those silly chain locks on a door that is locked with a quad-directional bolt that is an inch thick and goes 3 inches into a solid concrete wall.

Link to comment
Share on other sites

Although MAC filtering can seem to be helpful, the router is actually requesting the correct MAC address so access can be granted so you could say the MAC address is being broadcast. Not broadcasting the SSID, in my opinion, does nothing for security. People with the know-how can still get in.

Strong security with strong passwords such as !QAZ2wsx#EDC4rfv is more than sufficient.

By the way mrossco, how do you like the Astaro box? I was going to stand up an ISA server when I get home but have been looking at this product too. I'm not too keen on the Linux interface. What was your setup experience?

Link to comment
Share on other sites
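Added example, not part of any post in this thread: how a WPA2-Personal passphrase becomes the 256-bit key (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), plus a keyspace estimate for judging what "suitably long" means. The guess rate is an assumed figure for illustration, and the estimate only holds for characters chosen at random.

```python
import hashlib
import math

PRINTABLE_ASCII = 95                 # characters 0x20..0x7e allowed in a passphrase
ASSUMED_GUESSES_PER_SEC = 1_000_000  # hypothetical attacker rate, not a measurement

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-PSK pairwise master key from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # Each guess costs 4096 HMAC-SHA1 iterations; length is what adds real margin.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a passphrase of random characters."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(alphabet_size: int, length: int,
                     rate: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Time to try every candidate at the assumed guess rate."""
    return alphabet_size ** length / rate / (365.25 * 86400)

if __name__ == "__main__":
    # Constructed sample network name and passphrase.
    print(wpa2_pmk("correct horse battery staple", "ExampleHomeNet").hex())
    for alphabet, length in [(26, 8), (PRINTABLE_ASCII, 8), (PRINTABLE_ASCII, 16)]:
        print(f"{alphabet:>3} symbols x {length:>2}: "
              f"{keyspace_bits(alphabet, length):6.1f} bits, "
              f"{years_to_exhaust(alphabet, length):.3g} years to exhaust")
```
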
