Can someone explain basic wireless internet security to me?

[DeeBye]

Right now I have this D-Link wireless router. I have the wireless capability disabled because the two computers connected to it are side by side and are physically plugged into it. I know nothing of wireless security other than that I should be concerned about it if I have a wireless network, so I just took the easy way out and turned it off.

Now I'm in a situation where I have a third device I'd like to connect to my router, but it must be a wireless connection (I managed to get a Wii). Both my router and the Wii support WEP and WPA security (whatever they are), and I hear that I should turn both on. The problem is that I know jack crap about what any of this stuff means. I don't want to enable the wireless signal on my router without being pretty confident that I can secure it.

Can someone walk me through basic wireless internet security, including things like what WEP, WPA, and MAC filtering mean and how I can lock down my network? Please to be using simple terms that a wireless idiot can understand.

[kandrathe]

Right now I have this D-Link wireless router. I have the wireless capability disabled because the two computers connected to it are side by side and are physically plugged into it. I know nothing of wireless security other than that I should be concerned about it if I have a wireless network, so I just took the easy way out and turned it off.

Now I'm in a situation where I have a third device I'd like to connect to my router, but it must be a wireless connection (I managed to get a Wii). Both my router and the Wii support WEP and WPA security (whatever they are), and I hear that I should turn both on. The problem is that I know jack crap about what any of this stuff means. I don't want to enable the wireless signal on my router without being pretty confident that I can secure it.

Can someone walk me through basic wireless internet security, including things like what WEP, WPA, and MAC filtering mean and how I can lock down my network? Please to be using simple terms that a wireless idiot can understand.

Most people secure their router to only accept connections from specified MAC addresses. That is the simplest, however if someone intrepid figures out one of your MAC addresses they can spoof one of your devices and connect. So, then you really need to have encryption and some secure authentication protocol. WPA allows WEP to be more secure, so you need to enable them both. WPA uses Temporal Key Integrity Protocol (TKIP) which upgrades WEP to address security problems. Essentially, rather than using the same encryption key on every packet, TKIP creates a new key for every new packet thus foiling anyone who happens to snatch a packet and decrypt it hoping to then hack your network.

This seems to be a good article on it. PC Mag.

[yangman]

WPA replaces WEP -- they are related but non-compatible protocols that operate at the same layer, and only one can be in use for a device at once time. WPA is much more secure than WEP, so that is the one that you'd want.

WPA2 with with pre-shared key and AES encryption is the most secure option available to home and small office users without access to an expensive authentication server, although you may need to be content with WPA1 instead if some of your devices are incompatible. According to Wikipedia, however, all devices that are Wi-Fi Alliance certified since March must be WPA2 compatible, so you shouldn't have too much trouble with your Wii.

As far as the passphrase used as the "key" to your router is concerned, I would recommend some decent length of text that is easy to remember, preferably with punctuation and other non-alphanumeric components. This allows you to have something that is sufficiently complex, without the added difficulty of having to look it up when a friend comes over with a laptop and wants to borrow the wireless. I find quotes from movies, TV shows, or literature good sources of keys.

Finally, in regards to MAC address filtering: don't bother. Once the actual data encryption is broken, MAC addresses are trivial to obtain from the packets being passed around. It is only an inconvenience to yourself having to update the whitelist with virtually no added security benefit provided that the router is already sufficiently secure.

[Kylearan]

Hi,

Can someone walk me through basic wireless internet security, including things like what WEP, WPA, and MAC filtering mean and how I can lock down my network? Please to be using simple terms that a wireless idiot can understand.

YZilla already gave you some very good advice, but just in case you don't know what the "MAC" in MAC filtering means: Every physical device has a unique MAC (Medium Access Control) address, which is needed to decide which data packets on a local network should be delivered to what device. While a device can have several different IP addresses, it only has one MAC address which is unique world-wide.

MAC filtering means that you can tell your router only to accept data packets from specific MAC addresses, e.g. the MAC addresses from your other devices, which in theory should prevent other devices (from some hacker, for example) to connect to your router. However, as YZilla noted already, the MAC addresses are stored in the data packets sent over the air with no additional encryption, so they can easily be read from any hacker who then can use them to fool your router to believe his network device is actually one of yours. MAC filtering won't hurt, but won't help much either. Use WPA (not WEP, which can be hacked automatically taking only a couple of minutes!), and you should be fine.

-Kylearan

[Flymo]

Don't forget to change your router's admin password from the default:)

I'll add my voice to all those doubting you should tie down MAC addresses - this will make it harder for you to allow other people to connect, for example if a friend brings his laptop round.

[kandrathe]

Don't forget to change your router's admin password from the default:)

I'll add my voice to all those doubting you should tie down MAC addresses - this will make it harder for you to allow other people to connect, for example if a friend brings his laptop round.

Being an old guy has its benefits. My friends don't bring their equipment over to my house. We do things like go out fishing, or play poker for quarters.

[Zippyy]

Don't forget to change your router's admin password from the default:)

I'll add my voice to all those doubting you should tie down MAC addresses - this will make it harder for you to allow other people to connect, for example if a friend brings his laptop round.

Agreed. The inconvenience is not worth the thin layer of security it provides. Bypassing MAC filtering is about as easy as punching through a tissue.

[Merlinios]

Being an old guy has its benefits. My friends don't bring their equipment over to my house. We do things like go out fishing, or play poker for quarters.

Us young'uns generally just do that via the computer anyway. And Starcraft for quarters is FAR superior to poker.

--me

[Archon_Wing]

Us young'uns generally just do that via the computer anyway. And Starcraft for quarters is FAR superior to poker.

--me

Hell no, I'd just go broke then.:D

Anyhow, WPA is secure and should be fine. I'd probaly check those firewall settings on the router. (Not only to prevent intruders from coming in) but to make sure your own traffic doesn't get blocked. Mac filters can be useful, but they're really not that useful-- too easy to spoof, WPA is the main thing. All and all, there's no need to worry. People looking for wireless networks to leech off will go for the unsecured ones first, simply because it's easier that way, thus if you have a decent amount of security you should be safe. Heck, I can detect three insecure networks right now. ;D If you really wanted to be safe, you can always turn wireless on only when needed, but that can be a hassle.

P.S. I'm quite sure the d-link has a function to set a schedule of when to allow access or not. Don't worry too much about messing settings up, as you can always reset the router. Find out how to reset the router first of course! And check for firmware upgrades. Be careful about that though, you do not want to install firmware for the wrong router, as that could screw your router.