Creating a secure home wireless network


  • Creating a secure home wireless network

    Hello again forum! I asked my parents for a Wireless Access Point for Christmas. As you all know, by default these things are very insecure. I have been doing a lot of reading on how to make wireless secure and there seem to be two main ways, WEP encryption and VPN. I have an OpenBSD router and I heard that makes VPN really easy, and I hear that WEP is really easy to hack. So it seems like the easiest and best thing to do to make my Wireless Access Point secure is to firewall it behind a VPN. What do you all think? I will be using it with a laptop running Gentoo GNU/Linux.

  • #2

    Wireless Networking Basic Security Checklist
    Home User version

    http://www.wardrivingcentral.org/WLAN_Sec_Home_v1.html



    • #3
      Originally posted by kidlinux
      I asked my parents for a Wireless Access Point for Christmas.
      Which AP did you ask for? It's kind of hard to make suggestions without knowing what features your AP will support.

      I have been doing a lot of reading on how to make wireless secure and there seem to be two main ways, WEP encryption and VPN. I have an OpenBSD router and I heard that makes VPN really easy, and I hear that WEP is really easy to hack. So it seems like the easiest and best thing to do to make my Wireless Access Point secure is to firewall it behind a VPN.
      WEP initially had two drawbacks, constant initialization vectors and small (40-bit) keys due to cryptography export restrictions. Both of these problems have been addressed in new APs, which now support 128-bit WEP. This should be fine for a home network.

      I don't think you realize what a headache VPNs are to configure. There are plenty of tools out there to simplify VPN configuration, but it will still be significantly harder than configuring WEP.
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
      [ redacted ]



      • #4
        WEP should be fine for a home network, just make sure you run the newest firmware so that the weak IV packets are no longer a problem.
        ~:CK:~
        I would like to meet a 1 to keep my 0 company.



        • #5
          I'd go a step further and actually segment your wireless traffic off of your LAN and put it into some sort of DMZ. The simple home way of doing this would be to wire your AP up to its own port on your *BSD firewall, then write a ruleset to govern it. Then when you are on your wireless computers, VPN into your own LAN. This way your computer can access the resources it needs in a secure manner and your LAN is protected from anyone who happens to be hanging out on your wireless. Heck, I'd just leave the WiFi with unrestricted Inet access and deny all traffic from it into your network. You can VPN in to your LAN, and anyone who wants to 'borrow' your connection can't do anything but hit the net.

          I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



          • #6
            My Take

            WEP, MAC filtering, and don't broadcast SSID.

            Hiding the SSID keeps those evil drive-by LAN jackers like ck3k from hitting your network.

            MAC filtering means only approved MAC addresses can connect.

            WEP keeps everything encrypted. It's not the best, but combined with MAC filtering, it makes MAC hacking a lot harder because you have two simultaneous levels at the same time.

            Anyone that gets past all three has mad skills and will get past anything anyway, and has probably already owned your network from the main broadband feed.
            --Shatter

            "People demand freedom of speech to make up for the freedom of thought which they avoid."
            - Soren Aabye Kierkegaard (1813-1855)



            • #7
              Originally posted by noid
              I'd go a step further and actually segment your wireless traffic off of your LAN and put it into some sort of DMZ.
              A good idea, and one that most people don't think of. Also, on a quasi-related note: don't bother getting an 802.11b-only AP or card. The g units are now the same price (or sometimes cheaper if rebates or other discounts apply), and usefully faster. Also, since g is backwards-compatible with b, if you do end up getting some b-only gear later on, you'll still be able to use it. I'm using a Linksys WRT54G in a mixed b/g environment right now, and it works great.

              What I find works well as a basic set of things to do when configuring a new AP is essentially the following:

              - Check for firmware updates as soon as you get the AP home, and apply them as necessary.

              - Enable WEP at 128-bit only and use cards capable of 128-bit encryption.

              - Enable MAC address controls so that only your wireless cards are allowed to connect to the AP.

              - Change the default password, and make sure that remote administration is only enabled on the inside. If your router supports it, specify that administration should only be from the wired network.

              Taken alone, none of these are particularly strong methods of protecting your AP - but in combination, they'll keep it pretty well locked down.

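To turn noid's DMZ idea (#5) and the "administration only from the wired side" item of the checklist above into something concrete, here is an added OpenBSD pf.conf example. It is not from the thread or from any poster, and it assumes three interfaces (em0 uplink, em1 wired LAN, em2 cabled to the AP), the private address ranges shown, and an IPsec VPN terminated on the router (IKE on UDP 500 and 4500, ESP, decrypted traffic arriving on enc0); every name and number in it is a placeholder to adjust. The ruleset gives the wireless segment Internet access only: anything it sends toward the wired LAN or the router itself, other than DHCP, DNS and the VPN ports, is dropped and logged, so the LAN is reachable only through the tunnel. One caveat for readers today: WEP at any key length was later shown to be recoverable from a few minutes of captured traffic and has been removed from the 802.11 standard, so the segmentation below is the part of this thread's advice that still holds up, paired with WPA2 or WPA3 on the AP.

```pf
# Added example, not from the thread: OpenBSD pf.conf isolating the wireless
# segment behind the router. Interface names, address ranges and the VPN
# ports are assumptions for illustration; adjust them to the real router.

ext_if   = "em0"              # uplink to the ISP (assumed)
lan_if   = "em1"              # wired LAN (assumed)
wifi_if  = "em2"              # port the access point is cabled to (assumed)
lan_net  = "192.168.1.0/24"   # wired LAN addresses (assumed)
wifi_net = "192.168.2.0/24"   # wireless segment addresses (assumed)
vpn_pool = "192.168.3.0/24"   # addresses handed to VPN clients (assumed)

set skip on lo
match in all scrub (no-df)

# NAT both segments out the uplink
match out on $ext_if inet from { $lan_net $wifi_net } nat-to ($ext_if)

# default deny, logged, so anything not listed below shows up on pflog0
block log all

# traffic the router originates or forwards outward on any interface
pass out quick inet

# wired LAN is trusted: it may reach the router and the Internet
pass in on $lan_if inet from $lan_net

# wireless segment: only these services on the router are reachable
pass in quick on $wifi_if inet proto udp from any port 68 to any port 67               # DHCP
pass in quick on $wifi_if inet proto { tcp udp } from $wifi_net to ($wifi_if) port 53  # DNS
pass in quick on $wifi_if inet proto udp from $wifi_net to ($wifi_if) port { 500 4500 } # IKE, NAT-T
pass in quick on $wifi_if inet proto esp from $wifi_net to ($wifi_if)                  # IPsec ESP

# everything else from wireless aimed at the router ("self" is every address
# the router holds) or at the wired LAN is dropped and logged
block in log quick on $wifi_if inet from $wifi_net to { self $lan_net }

# what is left is plain Internet access for the wireless segment
pass in on $wifi_if inet from $wifi_net

# VPN clients, once inside the tunnel, may reach the wired LAN
pass in on enc0 inet from $vpn_pool to $lan_net
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; because the wireless-to-LAN block rule logs, `tcpdump -n -e -ttt -i pflog0` shows any device on the wireless side probing the wired network, which is a cheap way to notice an unwanted guest. The block to `self` covers the router's own services, but the AP's management page still sits on the wireless segment, so the checklist item about allowing administration only from the wired side has to be set on the AP as well.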


              • #8
                Thanks for all the great advice everyone! I will probably use a combination of 128-bit WEP, MAC address filtering, and VPN technologies to keep my wireless network secure from intrusion.

                As for the 802.11g advice, I am probably getting a Linksys WAP11, and I already have an 802.11b SMC card. Besides, I don't need 54Mbps; I will just be doing IRC and ssh and maybe a little web browsing.



                • #9
                  Originally posted by kidlinux
                  Thanks for all the great advice everyone! I will probably use a combination of 128-bit WEP, MAC address filtering, and VPN technologies to keep my wireless network secure from intrusion.

                  As for the 802.11g advice, I am probably getting a Linksys WAP11, and I already have an 802.11b SMC card. Besides, I don't need 54Mbps; I will just be doing IRC and ssh and maybe a little web browsing.

                  Yeah yeah yeah...and no one will ever need more than 64k of RAM.

                  Anyway...this is the way to go:

                  http://www.linksys.com/products/prod...id=35&prid=565
                  perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'



                  • #10
                    OMG Chris that costs $200 LOL my parents aren't going to get me that. Besides I already have an OpenBSD router and that would let me set up VPN firewall. WAP11 is only like $40



                    • #11
                      Originally posted by kidlinux
                      OMG Chris that costs $200 LOL my parents aren't going to get me that. Besides I already have an OpenBSD router and that would let me set up VPN firewall. WAP11 is only like $40
                      Ahh...your Dad must be a corporate IT manager. You know, the guy that is willing to spend hundreds of thousands of dollars on the spiffiest laptop on the market for each and every person on staff whose title starts with V and ends with P but considers Zone Alarm Pro at $39.95 an extravagance.

                      I will grant that the WRV54G is more than you NEED. The steps Shatter mentioned are enough on pretty much ANY home wireless network...but hey...enough isn't good enough for me. ;)

                      BTW, I recently replaced my WAP 11 with the WRV54G. It rocks the house...but full step-by-step instructions for dummies on locking down the WAP 11, with screenshots, can be found here:

                      http://www.worldwidewardrive.org/linksys/linksys1.html
                      perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'



                      • #12
                        Hiding the SSID keeps those evil drive-by LAN jackers like ck3k from hitting your network.
                        Now god dammit, don't make me come find you shatter ;)
                        ~:CK:~
                        I would like to meet a 1 to keep my 0 company.



                        • #13
                          Originally posted by kidlinux
                          As for the 802.11g advice, I am probably getting a Linksys WAP11, and I already have an 802.11b SMC card. Besides, I don't need 54Mbps; I will just be doing IRC and ssh and maybe a little web browsing.
                          Okay. The common denominator in everything you've mentioned here is that it's going in one direction: from your machine out to the Internet. And while it's true that 11Mbps is overkill for solely that, consider what's going to happen as you add more wireless devices.

                          The main impetus for me to upgrade from the WAP11 to the WRT54G was that I have two machines that are exclusively wirelessly-networked, and moving a couple of gigabytes of data off of one of them meant that the other could barely sustain an SSH session. Remember that these things don't perform any sort of QoS, so bandwidth hogging is an issue.

                          Also, while you may not want 802.11g now, there's a good chance you might in the future. At least getting the g-capable AP gives you that option without having to replace it at a later date.



                          • #14
                            Ya..I can tell ya, moving things over 11mb (of course, sustained throughput is much lower) is painful. I frequently download things like linux ISOs on my laptop then have to send them to the burner, sending the ISO to the burner frequently takes twice as long as it does for me to actually burn it to disk.

                            I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



                            • #15
                              Originally posted by ck3k
                              Now god dammit, don't make me come find you shatter ;)

                              You'll need a LOT of gas and tires to find my network dude...
                              --Shatter

                              "People demand freedom of speech to make up for the freedom of thought which they avoid."
                              - Soren Aabye Kierkegaard (1813-1855)
