Do you have questions about the site? Write to bruce at perens.com .
List of all articles we've ever published.
Source Code
Developer's Documentation
RSS
XML Sitemap
XML News Sitemap
![[Valid RSS]](/images/valid-rss.png "Validate my RSS feed")
Wi-fi security.
The whole wi-fi security issue is starting to crop up with increasing regularity in the mainstream media, but there is never any discussion, just warnings of the dangers and warnings of the consequences.
Most home wi-fi boxes offer three levels of "security" under the appropriate tab in the internal web server config page, none, WPA & WEP.
In various other tabs in the internal web server you can set things like channel number and network name, but chances are most of this is way over the head of the average user and they will instead use a set-up wizard and accept whatever defaults it suggests.
My home network consists of a cable modem feeding into a Belkin F5D7231 wireless hub, one cat5 in from the cable modem, and one cat5 out to the Planet DH1600 inside the Sun cabinet.
From the Planet there is cat5 to the streaming mp3 jukebox, to the lan file server, to the RAQ, to the networked colour laser, and one cat5 to the living room "multimedia" PC, and one cable running upstairs.
The Belkin provides wireless access to this laptop, to the girl's computer upstairs, and to the workshop (CNC controller) computer.
Everything in the Sun cabinet I have set up with fixed IP in the 192.168 range, the wireless stuff is DHCP assigned in a different part of the 192.168 range with permanent leases.
The Belkin also provides NAT and DynDNS to the RAQ, and I use OpenDNS nameservers for it.
Security is "none", but the Firewall tab on the internal web server I have MAC address filtering enabled, with the MAC address of every one of the above machines enabled.
From the security perspective I'm not so much worried about anyone stealing my bandwidth, I'd be more concerned about an outsider accessing correspondence or worse still deleting files.
There are two other wireless networks in range of this laptop, one is unsecured with a default name, one is secured with WPA and is called s****snetwork, but Network Stumbler would make easy meat out of either one. Both of them are often powered down.
My method is "picky", it is quite easy to create a set up where (which is actually the situation) one computer (in my case the workshop one) can access the LAN and play streaming mp3's from the LAN and so on, but not access the internet as a whole. In my case this is deliberate, but of course most people want something that they can set up by clicking "OK" a couple of times and everything just works.
I am not sure why, when using the word "security" with wi-fi the default response is "encryption", even though my RAQ is now all https, this is not a security response per se.
The default option when wishing to secure a server is not to encrypt all traffic, the default option is to restrict access.
I am not someone who has vast experience of configuring wi-fi networking, but one feature I have never ever seen on a wi-fi internal web server is a feature that detects all stations in range, and asks if you want to grant each one access, and if so, what type and level of access.
Nor have I ever seen a wi-fi router that flatly refused to function as a wi-fi router until you directly link to it via USB and change settings from factory default, specifically setting an admin password and a workgroup / network name.
This would be a LOT simpler than many of the wizards that do ship.
I was particularly disturbed, a couple of years ago, when I discovered that PCI and PCMCIA wi-fi cards weren't all hard wired, but that most had a small amount of non volatile memory in which settings were saved. I discovered this because I dual boot my laptop between WinXP and Debian, and for the longest time ran a Prism card for debian and a generic one for xp, then one day I discovered that running the windows wireless network setup wizards altered the data in this non volatile memory in such a way that the card would no longer work reliably with linux, and these cards do not come with buttons to reset to factory defaults.
It appears to be the mentality that since THIS is the machine I am using, then the device plugged into THIS machine is the one to run the wizards on, and everything views the whole world of wi-fi from that perspective, instead of the true perspective, which is that all the clients revolve around the AP, the AP is the centre of gravity, not whichever machine I happen to be sat at.
It is this mentality that gives us the broken security model we have, where traffic is encrypted by default, but brute force challenges can simply overcome them, whereas the method I use requires you to brute force spoof every possible MAC address before you can join the network.
I have watched competent coders fiddling with their devices for many minutes trying to get net access in my house, their first recourse is to see if there is a network broadcasting, there is, and their second recourse is to see if they can log on to it, they can't, and their third recourse is to just assume that since their machine didn't log them on automagically, they need a password from me.
This is despite the fact that even the default windows wizards and tools actually give them enough information to indicate that it isn't a password authentication problem, but a more fundamental authentication problem.
I suppose if I was truly paranoid I could add encryption as a SECOND level of defence after the first level of MAC address filtering, but quite frankly it is overkill and creates more problems that it is worth.