What is risk to use non-encrypted wireless network? Thanks

[mike20030405]

I set the router only allow my wireless adapter(with MAC address) to connect, coz my SUSE10.1 on Armada M300 doesn't work with encrypted network.
Now I am gonna use T60 XP, I do worry about the safety of wireless network. Any suggestion?

[Wiz]

You really have to decide for yourself if that is ok or not, but mac filter is really easy to bypass. Since the mac-adresse is sent in clear-text anyone can use a sniffer to see your mac-address and use that mac-address to be able to connect to your wireless. This can easily be done in a couple of minutes or less. Of course if someone connect to your wireless at the same time you are connected with the same mac-address that would cause problems for both of you, but while you are not using the wireless they could use if for free without any problems. I would say that mac-filter is one of the least secure options.
WPA2 or WPA1 with a long pre-shared key should be pretty secure and if not supported i guess 128bits WEP is enough for most people. WEP is in theory pretty easy, but time consuming to break. 64bits WEP is much faster to break then 128bits WEP.
If you have a lot of close neighbors or others that is close enough to use your wireless it might be of your interest to secure the wireless better then using mac-filter. If you live in a house far from other people you might find it unnecessary, but you really have to decide for yourself how much security you need.

I would recommend WPA2 as explained above or WPA1 if WPA2 is not supported. Those should be pretty secure. If neither is supported by your equipment WEP128 would be the next option. Also if supported by your equipment you could decrease the signal strength. That way they have to be closer to your wireless access point for the signal to be good enough to connect. It could be used in combination with mac-filter if you want that as well, but using WPA1/2 or WEP i cannot see any good reason to use mac-filter as well since it's so easy to bypass.

Some more advanced access points have the option to use EAP/802.1x where you have to authenticate to connect and the keys are dynamic and different each time you connect. Could also be configured to change the keys at a certain interval. That way you don't have enough time to break the keys before they are changed and make it very hard to get unauthorised access. I don't think most people really need that kind of security at home though.

[Toe]

Really depends on where you live. I've setup wireless networks for friends/work in many different locations. I usually follow these guidelines:

1.)Remote location. (ie. a farm with nobody for miles) No security.

2.)Small town. (ie. 1 stop light and a sheetz) MAC address Filtering

3.)Large town/College dorm (ie. More wireless networks then you've ever seen before) 64/128 WEP,MAC filtering, Decreased Signal strength...depending on router/location

If someone really wants on your network, You can not stop them...only slow them done. I'll usually check out the other local networks, and go a step up on security compared to everyone else.

-Toe

[khyew]

@Toe: Why would you set your scale your security features based on your location? It's not as if enabling WEP/WPA is a difficult task or burden on the network. If you have it, you might as well use it. Better than needing it and not having it.

As well, MAC address filtering is probably more time-consuming to set up than WPA/WEP. Sharing a password is much faster than determining and entering all of your NICs' MAC addresses into the router configuration.

As for stopping attackers, WPA does a *very* good job at stopping even determined crackers. The only method known to work reliably against WPA is a brute-force passphrase attack. Have a good passphrase with WPA and you should be fine.

@mike: MAC filtering will work adequately against casual drive-by surfers and leeching neighbors. Most people don't know how to spoof MAC addresses.

Why doesn't your Armada work with network encryption? Linux has both WEP and WPA support and all 802.11 cards support at least WEP.

[Kyocera]

1.)Remote location. (ie. a farm with nobody for miles) No security.

2.)Small town. (ie. 1 stop light and a sheetz) MAC address Filtering

3.)Large town/College dorm (ie. More wireless networks then you've ever seen before) 64/128 WEP,MAC filtering, Decreased Signal strength...depending on router/location

this is actually a pretty good general guideline. If you live far enough out like I do, no one receives your broadcast. Change your channel from the default. But just for the heck I do use a wep key. Anywhere people can access you need to lock it down, the level of encryption is up to you, also change your default workgroup, and of course there are more ways than just the wireless router to secure your network. Don't use admin account, change the name of your admin account, blah, blah, blah, any mcse manual goes over this stuff, or do a google.

Some people may use your AP briefly just to check their email if they are driving by, used to do this a lot myself, but as a network guy i have gone into places like lawyers, doctors, real estate co. that were wide open and had no idea what was going on, pretty amazing.

[khyew]

Does your router support SSID hiding? You can use that to mask your network to all but those persistent enough to use packet sniffers.

[Toe]

@Toe: Why would you set your scale your security features based on your location? It's not as if enabling WEP/WPA is a difficult task or burden on the network. If you have it, you might as well use it. Better than needing it and not having it.

Thought the whole "farm" comment would have given it away. If I setup for someone, its because they can't do it themselves. If they can't setup a wireless access point.....no chance of adding a key to each new machine they add.

I'm not being lazy at their expense, if the extra steps are needed, they get it. (and I get called when they need another machine added)

this is actually a pretty good general guideline.

Thanks. Its not 100% accurate (like the 802.11N router I found in an old folks home before the standard was popular).......but overall works fine.

-Toe

[Wiz]

If someone really wants on your network, You can not stop them...only slow them done. I'll usually check out the other local networks, and go a step up on security compared to everyone else.

Based on what information do you say that? It's not like i'm saying it's completely impossible to break because that i cannot say, but if you really know that WPA2 can be broken as easily as it sounds you seems to know something most security people missed. Unless you know for sure and can explain or refer to some documentation about security issues with WPA2/AES and how they can be exploited you cannot make such a statement. I presume WPA2/AES it's setup correctly of course when using this as an example of a secure wireless network. I work with this for a living and most security people i know or talked to cannot make a statement like yours that a wireless network cannot be secure and only slow down the hackers. Neither have i ever read something to confirm such a statement. I'm not saying it's completely impossible though because that i could never prove and you cannot really use the word impossible for anything related to network security.

Also in theory things is often a bit different. Like WEP is not defined as secure anymore, but could be pretty secure using dynamic keys. Also using a static 128bit WEP key it could easily be broken in less then 20 minutes in theory, but i never seen anyone do it that fast and never managed to do it that fast myself. I wasn't even close to the theoretically 15-20 minutes. Even if WEP is defined as not secure very few people actually know how to break the WEP key and is only able to do it because there are software available that do the job for them. I have never seen any software that break WPA2/AES that is confirmed to be working and also able to finish the job before i die of age.

Also for the mac filter you normally doesn't need to know how to spoof a mac adress since a lot of network cards have this option from device manager in windows where you can simply specify a new mac address. That way almost no knowledge is required ot change the mac.

[arni]

I would say that every unsecured wireless lan is a potencial risk and i would suggest everybody to turn on and use WPA or WPA2 protection (go with WEP when there are devices that cannot handle these two encryptions). It's not only that there might me someone trying to get on your network but overall security measures but the confidence that your data will stay safe! Think about this analogy: Would you leave your doors open all the time so everybody can enter your house, just because you live on a farm and there's nobody near you?

I don't know how it's handled in the US but here in Germany you can get into big trouble and get sued if you willingly don't secure your wireless network and someone breaks in.

And forget about all the myths with WEP, MAC filtering and other stuff. At this time the only secure method to prevent you from attacks is WPA.

[Kyocera]

Based on what information do you say that? It's not like i'm saying it's completely impossible to break because that i cannot say, but if you really know that WPA2 can be broken as easily as it sounds you seems to know something most security people missed.

Wiz, I don't believe Toe is implying that at all, but the fact does remain that wired is far more secure than wireless, it's a no brainer, if no one can physically access a network then there is zero margin for error. If someone can access your network, they can crack it.

Wireless networking has also been deemed too risky for the 2008 Olympics. There will be no wireless used among the core systems of the Olympic Games, said Leon Xie, director of Olympic technology and sponsorship at Lenovo. All networking will take place over wire lines, including the backup system.

[Wiz]

Wiz, I don't believe Toe is implying that at all, but the fact does remain that wired is far more secure than wireless, it's a no brainer, if no one can physically access a network then there is zero margin for error. If someone can access your network, they can crack it.

Well maybe i didn't really understand what he tried to say, but his exact words: "If someone really wants on your network, You can not stop them...only slow them done.". That make it sound far less secure then it actually is. Using WPA2/AES setup correctly my opinion is that you can stop and not only slow them down.....until someone prove me wrong But i'm well aware of the difference between wireless and wired which will always make wireless less secure because of the physical requirements....at least in theory. Maybe someone find some issues with WPA2 as well some day so they prove that WPA2 isn't that secure after all, but now there is really no such proof. Also if you hear about someone that manged to get unauthorised access to a wireless network it's important to check the deails before claiming that wireless isn't secure. A lot of companies use 802.1x authentication to access the wireless network integrated with active directory and use a very weak password policy. In that case you cannot really blame it on the wireless if they got access using brute-force or lucky guess.....a chain is no stronger than its weakest link. So using WPA at home the pre-shared key/password is important and should preferable be long and cryptic.

Wireless networking has also been deemed too risky for the 2008 Olympics. There will be no wireless used among the core systems of the Olympic Games, said Leon Xie, director of Olympic technology and sponsorship at Lenovo. All networking will take place over wire lines, including the backup system.

I can fully understand that the olympics prefer the most secure option even if they cannot really prove why wireless isn't secure enough when setup correctly. I can only imagine what would happen if they used wireless and someone managed to get access and caused damage. That would be a scandal, but not many people can compare them self to the Olympics when we talk about security requirements/needs. A lot of companies neither want wireless because the risk is so much higher then the requirements/need for wireless.

[GomJabbar]

Wireless networking has also been deemed too risky for the 2008 Olympics. There will be no wireless used among the core systems of the Olympic Games, said Leon Xie, director of Olympic technology and sponsorship at Lenovo. All networking will take place over wire lines, including the backup system.

The statement above can be taken two ways. Either wireless networking is too risky from a security point of view or to risky from a reliability and compatibility point of view. The absence of surrounding text or a citation leaves some doubt.

[Kyocera]

The statement above can be taken two ways. Either wireless networking is too risky from a security point of view or to risky from a reliability and compatibility point of view. The absence of surrounding text or a citation leaves some doubt.

Correct, and in my experiences setting up wireless networks and tearing them (figuratively) out for companies, it's both Naive business owners look to wireless to avoid costly cable run fees, after numberous calls (to people like me) to get their poorly configured wide open access network back on line they eventually go to hardwire.

I'll reread the article, I kind of glaze over things sometimes

edit: after re reading there is no real context to draw from other than the discussion of instability of Vista, so I can't interpret the word "risky" via anything, so it is open for interpretation. I have to go with my experience, it's risky in both aspects, security and stability.

[Toe]

Wiz, I don't believe Toe is implying that at all, but the fact does remain that wired is far more secure than wireless, it's a no brainer, if no one can physically access a network then there is zero margin for error. If someone can access your network, they can crack it.

Well maybe i didn't really understand what he tried to say, but his exact words: "If someone really wants on your network, You can not stop them...only slow them done.". That make it sound far less secure then it actually is. Using WPA2/AES setup correctly my opinion is that you can stop and not only slow them down.....until someone prove me wrong

I suppose my statement goes back to the old thief comparison, "If they really want to break into your house...no security system will stop them". (Goes well with cars too) Basically the same as my quote above. Now I'm not trying to say its hopeless! Just that there is no way to have 100% protection. Given the reaction, I'd say that statement was outside the bounds for this topic...and I withdraw it.

And for the record, Yes we do sometimes leave our doors unlocked in PA.

-Toe

[tomh009]

I can fully understand that the olympics prefer the most secure option even if they cannot really prove why wireless isn't secure enough when setup correctly. I can only imagine what would happen if they used wireless and someone managed to get access and caused damage. That would be a scandal, but not many people can compare them self to the Olympics when we talk about security requirements/needs. A lot of companies neither want wireless because the risk is so much higher then the requirements/need for wireless.

For the olympics, I expect that the main reason they are using wired networking is not security, but, rather, guaranteed availability. You just can't lose your network connection while judging platform diving -- there is no second chance.

As for security, there is no guarantee that someone won't snoop on your wired network as well, although it's considerably more difficult, meaning that you'd have to have some high-value data to make it worth someone's while to attempt that.

[LB_BlueVue]

I can fully understand that the olympics prefer the most secure option even if they cannot really prove why wireless isn't secure enough when setup correctly. I can only imagine what would happen if they used wireless and someone managed to get access and caused damage. That would be a scandal, but not many people can compare them self to the Olympics when we talk about security requirements/needs. A lot of companies neither want wireless because the risk is so much higher then the requirements/need for wireless.

Also consider that an attacker could take out a wireless network simply by jamming the frequencies of the network; it wouldn't matter how secure the encryption.

[Wiz]

Also consider that an attacker could take out a wireless network simply by jamming the frequencies of the network; it wouldn't matter how secure the encryption.

Of course wireless is more vulnerable because it's radio so that is a possibility and pretty easy with the right equipment. I don't think i ever heard about any case where someone used such equipment to take down a wireless network though (I'm not saying it never happened) so it's pretty hypothetical. Like if you know what you are doing it's pretty easy to take out the power in a building or take down the phone lines. There is no limits what you can worry about if you are paranoid enough.
Also unless i'm wrong mike that started this thread is using wireless at home so the chance that someone would like to spend that much time breaking his wireless network is not very likely. I have the impression that he is most concerned about securing the network so no one could access his network and the equipment connected to his network at home. If someone attack a wireless using such equipment i think they do it for a purpose like to cause damange for a company or steal data.....i don't think mike would be a target for such an attack. If his home network is that critical to secure he would probably never used just mac-filter in the first place.
For the Olympics though it more likey that someone could do such an attack and absolutely something they should consider before they use wireless at the Olympics.