PDA

View Full Version : Home Network Security



slaveofconvention
10-28-2009, 03:47 AM
A new story entry has been added:

Home Network Security



http://www.thebestcasescenario.com/slaveofconvention/banners/homenetworksecurity.png

By Slaveofconvention
As soon as you have two or more computers linked together, you become the proud owner of your very own home network or LAN. Just like your desktop and notebook PC's, your network can be at risk to various threats and security exploits, especially once you take the network and connect it to the internet. Fortunately, there are things you can do to improve the security of your network...

Commando
11-01-2009, 04:15 AM
Great work man.

Great guide. I learned a few new things.

TD

x88x
11-01-2009, 02:03 PM
Good guide overall; you make a lot of good points. I would make a few clarifications about wireless though:

First and foremost, whether you're broadcasting your SSID or not, you should always change it from the default. This keeps people from accidentally accessing your wireless network. Imagine if you and a few neighbors all used the same SSID, and all used encryption; your wireless autoconfig tools would automatically try and connect to the strongest signal with the right SSID, which may or may not be yours. Also, changing the SSID makes you less susceptible to WPA rainbow table attacks, which I'll mention later.

On WEP encryption. It is a common misconception that 128-bit WEP is more secure than 64-bit. Unfortunately, with modern hardware and software, this is not the case anymore. Both are equally vulnerable to attack because of the way that the RC4 encryption algorithm is implemented.

When possible, definitely use WPA2 or WPA-AES. The reason for using one of these over WPA-TKIP (the original WPA standard) is that instead of using the RC4 stream cipher, they use the AES block cipher, which is much more well suited for an environment such as a wireless network where high packet loss is expected. Unfortunately, support for AES encryption is a matter of hardware, not firmware or software, so if your wireless client device(s) do not support AES, then you are forced back to TKIP. (Side note, PSK simply refers to the authentication method, and is not part of the standard's name. Both WPA and WPA2 also support 802.1X authentication, which uses a central authentication server (ex, RADIUS).)

Unfortunately, even with WPA, if a common SSID and password are used, it is relatively simple to discover the password through the use of methods such as the Church of WiFi's CoWPAtty rainbow tables (http://www.churchofwifi.org/Project_Display.asp?PID=90). Because of this, again, always change your SSID, and set a strong password or passphrase for the PSK authentication.

On the topic of MAC filtering and disabling SSID broadcasting, we encounter two more common misconceptions about wireless security. If a device is connected to your wireless network, both the client device and the wireless access point are broadcasting to each other. By using a tool such as kismet (http://www.kismetwireless.net/), by just sitting and listening for a little while, it is a simple matter to view the SSID (or client name), signal strength, MAC address, manufacturer, encryption used, and several other useful information points about any WiFi devices currently communicating.

This is not something you will hear me say very often about security measures, but in my opinion, the added security that you get by disabling DHCP is not worth the trouble. The reason for this is that it really is a last-ditch measure. By the time that it would hinder an attacker, they are already authenticated and connected to your wireless network, and by that point, I really feel like you would have bigger problems. That being said, if you want to disable DHCP, it would be a better idea to use a subnet in one of the less commonly used (in residential networks) private subnets (http://en.wikipedia.org/wiki/Private_IP_address) (10.0.0.0-10.255.255.255 or 172.16.0.0-172.31.255.255). Personally I would recommend one in the 10.x.x.x range, as there are significantly more possible subnets for an attacker to test (65536) than in the 192.168.x.x (256) or 172.16-31.x.x (4096).

Overall, if you're really paranoid, just turn wireless off :P Though personally, with WPA2 and a huge pass-phrase, I feel pretty secure....for the moment...

slaveofconvention
11-01-2009, 02:45 PM
Cheers, I appreciate the comments but I'd like to point out that I tried to make it clear that none of these things will ever make a network utterly secure - they all just add a little more security than if they weren't there at all. I agree utterly on the changing the SSID every time, but I prefer to advise people on what I think they should do, as opposed to trying to order them to do something, if that makes any sense. Oneslowz28 will probably make some kind of comment about British Politeness - well he might have done if I didn't do it already :P

As you correctly stated, the only secure wireless network is an absent one lol - but we want the wireless so.... Gotta do what we can :)

x88x
11-01-2009, 02:53 PM
Sorry, didn't mean to step on anyone's toes; I was just trying to spread the knowledge and keep everyone secure. I can't tell you how many times I've seen/heard/read of wireless networks (both personal and business) being compromised because of either default SSID, WEP or no encryption, and/or weak or default authentication passwords.

slaveofconvention
11-01-2009, 03:53 PM
Seriously, no need to apologise - any additional information is more than welcome - people who read the article will read the comments, and as the whole point was to give people the help they need to secure their networks, the more help, the more experience, the better. I know a fair bit, but I'm well aware I don't know everything :)