
Thread: Wireless security checklist?

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    2

    Wireless security checklist?

    Hello, I'm new to wireless and I want some expert advice. I read through some tutorials and searched the net a bit for what to do once I get my wireless router. Can you please tell me if I have left anything out of this list:


    * Change default usernames and passwords for network devices.

    * Enable WPA.

    * Change default SSID for each WAP device.

    * Disable SSID broadcast.

    * Turn off DHCP.

    * Change the default IP subnet.

    * Enable Mac filtering.

    * Adjust signal strength if possible.

    * Disable or change Simple Network Management Protocol (SNMP) settings to prevent outsiders from obtaining personal information. (have to read more about that one)

    * Install firewall for each computer.

    Thank you.

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Turn off DHCP? Why? You have another DHCP server running on your network besides the router?

    All I'd do is:

    * Change default usernames and passwords for network devices.

    * Enable WPA

    * Enable Mac filtering.

    * Install firewall for each computer (XP's default is fine).

    Stick to basics if you're not particularly knowledgeable, then move on to the other stuff. Getting wireless up and running is not as easy as a hardwired network.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    well....turning off the dhcp....stops outside computers from getting an address\gateway settings automatically......hence slowing down the process of getting on the wireless network...

    kinda like auto login....a deterrent

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    Senior Member treanglin's Avatar
    Join Date
    Dec 2003
    Posts
    111
    haha...."auto login..."


    Well petereno, it looks like you've got it down brother, I didn't even consider disabling the DHCP but I see how that can be effective. I agree with brokencrow though, wireless can be a real bi...bear to set up sometimes, so just go with those basic security measures, make sure everything is fine, and then go from there.
    "Do you know why the system is slow?" they ask

    "It's probably something to do with..." I look up today's excuse ".. clock speed"
    -BOFH

  5. #5
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    1) Change default usernames and passwords for network devices - I agree
    2) Enable WPA - I agree somewhat, see below
    3) Change default SSID for each WAP device - I agree
    4) Disable SSID broadcast - I disagree
    5) Turn off DHCP - Your choice
    ** rather than turn it off, just limit your DHCP's IP range to a couple of IPs **
    6) Change the default IP subnet - Also Your choice
    7) Enable Mac filtering - I agree
    8) Adjust signal strength if possible - I disagree
    9) Disable or change Simple Network Management Protocol (SNMP) settings to prevent outsiders from obtaining personal information. (have to read more about that one) - Your choice
    10) Install firewall for each computer - I agree

    They left out something very important about WPA. I'm assuming they meant WPA-PSK. If that's the case, WPA is only as strong as the passphrase used. Make sure when you select your passphrase that you use complexity. I recommend at least 20 characters, mixed between upper case/lower case/numbers and symbols.
    The other two options I disagreed with are security through obscurity. Disabling your SSID isn't really going to protect you much, nor is adjusting your signal strength. I suppose, if you weakened your signal to the point where it didn't permeate outside your walls, that may offer some security, but if you enable a WPA-PSK and choose a good passphrase, limit your DHCP range, enable your MAC filter (not the best security, but it adds another layer), and use common sense, I suspect you'll be fine.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
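
Added example (not part of any post in this thread): a Python check of a WPA-PSK passphrase against the criteria in post #5, plus the standard WPA-PSK key derivation (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), which shows that the SSID feeds into the key. The function names and the SSID `example-home-ap` are constructed for illustration.

```python
import hashlib
import secrets
import string

# A WPA-PSK passphrase is 8 to 63 printable ASCII characters (codes 32-126).
PRINTABLE = {chr(c) for c in range(32, 127)}
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = {
    "upper case": string.ascii_uppercase,
    "lower case": string.ascii_lowercase,
    "numbers": string.digits,
    "symbols": string.punctuation,
}


def check_passphrase(passphrase: str, min_len: int = 20) -> list[str]:
    """Return a list of problems; an empty list means the passphrase passes."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA-PSK passphrases must be 8 to 63 characters")
    if any(ch not in PRINTABLE for ch in passphrase):
        problems.append("only printable ASCII is allowed")
    if len(passphrase) < min_len:
        problems.append(f"shorter than the recommended {min_len} characters")
    for name, chars in CLASSES.items():
        if not any(ch in chars for ch in passphrase):
            problems.append(f"no {name}")
    return problems


def generate_passphrase(length: int = 24) -> str:
    """Draw random candidates until one satisfies check_passphrase()."""
    if not 20 <= length <= 63:
        raise ValueError("length must be between 20 and 63")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_passphrase(candidate):
            return candidate


def derive_psk(passphrase: str, ssid: str) -> str:
    """256-bit pre-shared key as hex; the SSID is the PBKDF2 salt."""
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()


if __name__ == "__main__":
    pw = generate_passphrase()
    print(pw, derive_psk(pw, "example-home-ap"))  # constructed SSID
```
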

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    haha...."auto login..."
    Oh, no...everywhere I go...it's the "evil auto login"...it's deja vu all over again...

    “Everybody is ignorant, only on different subjects.” — Will Rogers

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Originally posted here by morganlefay
    well....turning off the dhcp....stops outside computers from getting an address\gateway settings automatically......hence slowing down the process of getting on the wireless network...

    kinda like auto login....a deterrent

    MLF
    I'm starting to laugh as I read this site... Especially since this time I agree with brokencrow... (as well as ShagDevil)

    With MacFiltering and WPA you've got all the "deterrent" you need... These are the deterrent... (sort of like say... a bios password with the hard drive as your only bootable device)... They force some effort to be exerted... If someone is going to beat MacFiltering... in the process they will have determined your SSID and learned your DHCP range... if not.. shortly after cracking your WPA they will have the DHCP range... if someone's going to go after MacFiltering and WPA.. Disabling DHCP is not an additional deterrent. It just makes the user's life more inconvenient.. not the malicious person's life.

  8. #8
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I've always used George Ou's Wireless LAN security guide as a guideline. While you're at it, you might want to check out his The Six dumbest ways to secure a wireless LAN - turning on MAC filtering, for example, is in that list, as are disabling DHCP and "hiding" SSID

  9. #9
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well HT......

    I may not be the IT expert you are......

    But I see security as a layered approach........make them jump through as many hoops as they can.

    hopefully the skiddie will get bored and move on.........

    If they really want in ...they will get in.

    But I may just notice a rogue IP address that wasn't assigned....tracks

    MHO...as always

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Originally posted here by morganlefay
    Well HT......

    I may not be the IT expert you are......

    But I see security as a layered approach........make them jump through as many hoops as they can.

    hopefully the skiddie will get bored and move on.........

    If they really want in ...they will get in.

    But I may just notice a rogue IP address that wasn't assigned....tracks

    MHO...as always

    MLF
    You're actually more likely to notice that with DHCP enabled.. you'll have leases... you look at your leases and you're like oh.... I only have two clients.. why 3 leases.... Without DHCP (which they could go with or without you having a DHCP server) you'd have to scan the network/sniff traffic and hope they're doing something you'll see/pick up..

    I love that you still only addressed me... 4 people have now posted the same sentiment...
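
Added example (not part of any post in this thread): the lease check described in post #10, comparing active DHCP leases against the clients you expect. The lease data is constructed and assumes dnsmasq's lease-file layout, since the thread names no router; `KNOWN_CLIENTS` and the function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample in dnsmasq's lease-file layout (an assumption):
# expiry-epoch MAC IP hostname client-id
SAMPLE_LEASES = """\
1157130000 00:16:cb:aa:10:01 192.168.7.10 desktop 01:00:16:cb:aa:10:01
1157130600 00:13:02:BB:20:02 192.168.7.11 laptop *
1157131200 00:0f:66:cc:30:03 192.168.7.12 * *
1157000000 00:0e:35:dd:40:04 192.168.7.13 old-pda *
this line is damaged
"""

# Hypothetical inventory of the two clients the owner expects to see.
KNOWN_CLIENTS = {"00:16:cb:aa:10:01": "desktop", "00:13:02:bb:20:02": "laptop"}


@dataclass(frozen=True)
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines, skipping anything that is not a well-formed entry."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        mac = fields[1].lower()  # normalise case before comparing
        if len(mac.split(":")) != 6:
            continue
        leases.append(Lease(int(fields[0]), mac, fields[2], fields[3]))
    return leases


def unexpected_leases(text: str, known: dict[str, str], now: int) -> list[Lease]:
    """Return active leases whose MAC address is not in the known inventory."""
    known_macs = {mac.lower() for mac in known}
    return [lease for lease in parse_leases(text)
            # an expiry of 0 marks a lease that never expires
            if (lease.expires == 0 or lease.expires > now)
            and lease.mac not in known_macs]


if __name__ == "__main__":
    for lease in unexpected_leases(SAMPLE_LEASES, KNOWN_CLIENTS, now=1157129000):
        print(f"unexpected lease: {lease.mac} {lease.ip} ({lease.hostname})")
```

As the post notes, a client that configures its address by hand never takes a lease, so this check only covers clients that use DHCP.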
