Wireless network security

I'm branching this out from another thread because I felt I was kind of hijacking that one. I ended up stumbling upon a link eventually, which for some reason I'm unable to copy & paste right now entitled "6 steps to Secure Your Home Wireless Network. After reading through them, then the comments below, there seems to be some disagreement on a few points.

This topic is of particular interest to me because I've just recently set up a wireless network in my home. I was always hard wired into a router before, and still prefer to be, but recent changes make that unfeasible.

Some of the main dilemmas I have:

SSID Broadcast - Some swear by disabling it to add security, some (Microsoft themselves) say it's less secure to disable it.

Auto-connect - Is it compromising me any to auto-connect to my network at Windows startup as opposed to connecting manually? I've seen a claim that it does. What I mean by this is the tick-box "Connect when this network is in range" (XP Pro SP3) under "Properties" in Network Connections. Also, said tick-box seems to have a mind of it's own and tick itself again every time I connect. So I have to untick it after connecting every single time if I wish to manually connect the next time. Does this happen to anyone else? Any way to remedy it?

RIP Direction - After looking around I see that this broadcasts routing tables. First of all, I have no idea what exactly this means. Does it present any security risk? I ask this because my router (Netgear) offers me no option to disable it, even though in the right-hand column it says the default setting for it is "disabled". For me the only options are In, Out, and Both.

I have a strong WPA2 key and plan on changing it every 2 weeks or so. I've set up MAC address filtering allowing only my network adapter. And I've changed the IP address & password for my router. I gather I've done the main stuff.

Any insight is greatly appreciated.

 

SSID Broadcast: Does not matter if you turn it on or leave it off. It can be seen regardless.

Auto Connect: I see no issues with autoconnecting.

RIP: Isn't generally needed in home environments. There are vulnerabilities in the RIP protocol. Leave it off.

Mac address filtering is also a false sense of security. Spoofing mac addresses is a relatively easy thing to do.

 

That's just the thing, I can't turn it off. Even though in the router itself it says the default setting is "disabled", that's not even an option for me in the drop-down list. My only options are In, Out, or Both. So which is the lesser of those 3 evils then since disabling it isn't an option for me?

Hearing that this presents a possible vulnerability doesn't make me too warm & fuzzy inside. Guess that's what I get for accepting their "free" router. I might go out and buy one that lets me disable that feature.

 

Just to clarify this RIP dilemma I went back in and looked at the settings. This is how it is.

RIP Direction - Options are "In Only", "Out Only", and "Both". In the descriptions on the right hand side it says this is set to "None" by default. Curious, as "None" isn't even in the drop down list. In reality it was set to "Both" by default.

RIP Version - Options are "Disabled", "RIP_1", "RIP_2B", and "RIP_2M". It says the default for this is "Disabled", and it was indeed set to that out of the box.

It's a NetGear N-150

So does the RIP version being disabled in effect disable this entire feature? Or is having the version disabled in my case a bad thing... perhaps these "versions" are some sort of encryption, and by having it disabled while being unable to choose "None" for the direction it's a security breach?

I appreciate the response Greg. I know a lot of security guru's post in here and I'd love to hear feedback regarding this situation.

 

Yes...

 

Wrong. Spoofing the right address isn't.

 

Well ok. Now you have to determine who you're going to listen to. Sniffing for MAC addresses (using something like SMAC) is a trivial thing to do. MAC addresses are not encrypted. But if you don't believe me, here's just one video showing how trivial it is to spoof MAC addresses. Yes, the right one.

http://www.youtube.com/watch?v=a2MWwOAgoHw

 

Thank you, I certainly hope this is the case.

The topic of MAC address filtering did have many conflicting opinions. From what I gather it seems it would have some positive benefit, even if very minor, so why not do it? I guess if somebody gets through your encryption everything else becomes somewhat trivial.

I noticed I can't change the username in my router either, or at least I don't see where I can. I can only change the password. So I make my password strong, and will probably change that periodically as well.

I saw somebody also suggest the idea of making an uncommon router IP so that nobody could guess it, but somebody else shot down that idea saying 192.168.x.x is used for a good reason... because they're private IP's. So is the range 192.168.1.1 - 192.168.255.255 all private then? If not, what is the range?

Also, I see I have the option of using either 63 ASCI characters or 64 hex characters. Is either more secure than the other?

Thanks again. This is very helpful.

 

Being able to change the username would add much more difficulty for an attacker.
Changing your passwords every 2 weeks is unnecessary extra work for you. Spend more time learning how passwords get cracked.
Check out Aircrack-NG, coWPAtty, John the Ripper, there is a lot more.
It is effortless to collect the handshake of WPA/2 encrypted keys, it is another thing to brute force them to reveal the key.
If you use only the alphabet and the number keys, lowercase and uppercase, that's 72 characters. A 6 digit password, is 72*72*72*72*72*72=139,314,069,504 possible combinations, a couple of gigabytes for a single file. Each password converted to the key type and compared for a match is a time intensive process, cpu's are not super fast for brute forcing regardless what the manufacturer tells you.
It is much more likely for an attacker to install a keylogger and collect your router password while you're changing it every 2 weeks.

 

Tell me about it... twice as difficult I reckon, as they'd have to break through 2 instead of 1. This is something I'm not too happy about at all. What an oversight. No wonder they give them out for free.

The more I think about it the more I think I'm going to buy a router. To me this is not a little, trivial thing. I already feel less safe using a wireless connection, let alone having a router that is stripped of some security features.

I guess my next post will be asking opinions on a new router.

Your replies have been helpful. Thanks