wireless security ideas

[The_Captain]

Hi all,


I have been asked to appear on our local cable channel for our schools to explain some of the security considerations for home users setting up wireless APs (see my charm and good looks are good for something). I am pretty experienced with wireless so I don't need technical info, but I'm not sure what topics would be useful to my end users and what I should avoid due to complexity levels.

The driving idea behind me going on there is the powers that be believe a lot of people will be getting wireless networking devices for Christmas and they want those people to be relatively safe. (hell just for the open ones that are already out there) Remember we're not trying to stop the person that wants to get in... obviously everyone here can crack wireless, we just need "reasonable" security.

I guess I'm asking if anyone has done anything like this or if you guys have ideas on what I should cover. My ideas so far include:

Changing default IP range and making it as small as possible
creating a SSID then not broadcasting it
MAC filtering
WEP or WPA (depends on some of their wireless adapters on their laptops, and driver updates are out of the question we're talking about users that are incapable of those concepts)


My ideas that are not wireless related but will still come into play with a lot of all in one devices are:

changing the default administration port on the device connected to the internet
disabling the remote administration feature
changing the default password on the access point
only sharing folders to machines that you specify on your network
only sharing printers to machines that you specify on your network


I also plan on having a technical document up on the intranet so they can see some of what I say and some examples.

I would have thought this was an easy topic, but when you think about explaining it there are a lot of considerations because we all know that if the end user can't understand it they just won't do it. In this case it's their own systems and in their best interest so I want to make it understandable for their sakes.


Thanks in advance for the help everyone,

The_Captain

[SirDice]

Show a map of the local neighborhood with all the unprotected wifi networks with huge blinking red dots..

Hey! That's my street! WTF? There's a blinking red dot on my house?!?!

That'll get their attention..

[The_Captain]

Ha ha,

I think that would be great... only problem is.. in one drive down half a mile stretch i came across 38 open access points. This school district is many many miles of city my whole map would be red.

[SirDice]

Oeps.... I think you need to get on the air a.s.a.p.!

[dstevens1958]

Something I'd warn them about is to use a STRONG password, even with WPA. I've seen a video (not sure how creadible it is, and I can't remember where it was) that WPA could be cracked in about 10 minutes if the password is smaller from a dictionary. WEP is easy either way, using Auditor Linux

[rapier57]

I'd warn them about listening to the sales-droids in the stores. Make sure the droid matches the equipment they want (802.11b-g, USB adapters, laptop PCMCIA, etc.), but take most of what they say with a grain of salt. Most of the droids I've encountered, even in the "good" tech stores, know next to nothing.

I think you have the bases covered. And, yeah, you've got your hands full. Trying to bring this to the masses is difficult. That's why you see all the open wireless when you drive around.

One of the good points to bring up is that many of the manufacturers have very good support staff for when you set up the wireless routers and such for the first time. They will walk you through the "good practices" for security and configuration, if you know the questions to ask.

Maybe that would be a good thing to provide at the end of the session, a list of specific questions the users can ask the vendor support folks when they call for help in setting up their equipment.

1. How do I set the administrator password?
2. How do I change the administrator user name?
3. How do I limit the wireless connections to specific systems?
4. How do I prevent someone from finding my wireless network?
...

Eh?

[dstevens1958]

Also, you might want to cover the basics of 'channels' If all their neighbors bought cheap 802.11b AP's and are all running channel 1, 4, and 6, perhaps they should try channel 11? Something like that, it will help educate people that channels are important, and can hopefully avoid conjestion and interference.

[Neptune0z]

When using wireless it's very important to use WPA. This is because WEP is totally insecure and easily crackable, and has been for some time. Those people buying wireless access points this year for christmas really should look for a solution like WPA with strong authentication measures like PKI. It's also very important (and I cant stress this enough) to use strong complex alphanumberic passwords. Because really at the most basic level, this is all the person is going to have protecting their wireless access point.

Psssstttt! Let me tell you a secret...

All this no SSID broadcast and MAC address filtering is nothing more then snake oil. These solutions really are not offering any security at all, they are just increasing the degree of complexity needed by an attacker. Sure they will definatly deter kiddy's and this is good, but will do nothing to deter a meticulous, and knowledgable attacker. SSID's and valid MAC addresses can all be sniffed. This is why it is very important to use strong passwords and reliable authentication methods. Also it's would probally be a good idea to try to reduce all unnecassary traffic on your wireless access point, this reduces the footprint thus making it harder to attack.

[ShagDevil]

Something I'd warn them about is to use a STRONG password, even with WPA. I've seen a video (not sure how creadible it is, and I can't remember where it was) that WPA could be cracked in about 10 minutes if the password is smaller from a dictionary

dstevens is absolutely correct.

All this no SSID broadcast and MAC address filtering is nothing more then snake oil.

Neptune is also very correct.
Now, I don't want to seem like I'm about to pet my ego (which I am anyway ) but, you can read this old thread I started about this subject matter. Once you understand the basics of the the "4 way handshake", you'll be amazed that, just about the only thing stopping a skilled cracker from entering your WPA-PSK protected network is a solid passphrase.
hope this helps you a bit.

[d0pp]

I would go for more than just "securing" the wireless... Make them aware of what wireless really means. Let them know their private information is more vulnerable.

Teach them safe surfing habits too.

The main thing I would reinforce as far as security goes is MAC filtering and WEP/WPA. Disable remote administration, universal plug and play, etc. is also good.

And teach them to keep and check logs. This will usually involve configuring a logging server with most smaller routers. Show them what all the bullshit in the log means. They don't need everyhting, but they need the basics.

Last thing... Routers need security updates too. Don't forget to teach them how to intall updated firmware.