This is a discussion on "Is my wifi security good enough?" within the Linux Security forums, part of the System Security and Security Related category.
Any help/tips appreciated. I have a Linksys wifi router for my home LAN (need convenience of LAN gaming besides general security and usage for my laptop and a second PC in my home), wondering if my wifi security is strong enough, if there is something else I can do? Set it up as WPA encryption (Pre-shared key, TKIP) with 30 character random passphrase key (with mix of lower/uppercase, numbers, symbols), MAC address filtering on, SSID broadcast is on.

Everything I hear makes me think wifi is not very secure, I am a bit spooked. I even heard WPA can now be cracked. What more can I do? I want to set up a software firewall at some point for my Linux system, but when I have done that in the past it really makes it hard or impossible for me to do computer LAN gaming (or should I run the firewall, shut it off when I do a LAN game which is really not that often?).

Proteus wrote:
> Any help/tips appreciated. I have a Linksys wifi router for my home LAN
> (need convenience of LAN gaming besides general security and usage for
> my laptop and a second PC in my home), wondering if my wifi security is
> strong enough, if there is something else I can do? Set it up as WPA
> encryption (Pre-shared key, TKIP) with 30 character random passphrase key
> (with mix of lower/uppercase, numbers, symbols), MAC address filtering on,
> SSID broadcast is on.
>
> Everything I hear makes me think wifi is not very secure, I am a bit
> spooked. I even heard WPA can now be cracked. What more can I do? I want
> to set up a software firewall at some point for my Linux system, but when I
> have done that in the past it really makes it hard or impossible for me to
> do computer LAN gaming (or should I run the firewall, shut it off when I do
> a LAN game which is really not that often?).

It depends on the threat you're having. In a normal neighbourhood where there are still plenty of wide open WLANs, even simple WEP is enough to move the bad boys to the easier booty.

For the really scary, install a VPN link for running over the WLAN, e.g. OpenVPN, and make it use SSL encryption.

--
Tauno Voipio
tauno voipio (at) iki fi

On Wed, 16 Nov 2005 20:49:21 +0000, Tauno Voipio wrote:
....
> For the really scary, install a VPN link for running
> over the WLAN, e.g. OpenVPN, and make it use SSL
> encryption.

I feel really stupid about VPN, I really do not understand it. I am hoping a podcast due out this week from TechTV on VPN security will help me learn about VPN. I am doing all I can to understand WEP and WPA.

On 2005-11-16, Proteus <proteus@uselessemail.net> wrote:
>
> I feel really stupid about VPN, I really do not understand it. I am hoping
> a podcast due out this week from TechTV on VPN security will help me learn
> about VPN. I am doing all I can to understand WEP and WPA.

What don't you understand about it? If it's just the theory, then don't sweat it too much. Just remember that a VPN is, for the most part, an encrypted channel between hosts, and will help protect data going over media that might be sniffed (it's not relevant whether it's wireless or someone else's wired network).

If it's implementation, check out the quick start docs for OpenVPN. It glosses over the details, but at the end you should have a working VPN. One thing you'll want to note is that you should reverse the orientation of your WAP: pretend the wired end of the WAP is an ISP, and cable for that scenario. Otherwise, your wireless is on the same network as your other nodes, and if your wireless is cracked the cracker may also be able to sniff wired packets from your LAN. (I can make an ASCII sketch if needed; I just did a setup like this recently.)

The best part is that VPN complements WEP or WPA. You can continue to use WPA on your wireless network, and run a VPN on top of it. This way if your WPA is cracked, your own data is still relatively safe.

In any case, you can gain further understanding by asking more specific questions about your issue--no need to wait for TechTV. :)

--keith

--
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
see X- headers for PGP signature information

On Wed, 16 Nov 2005 14:28:38 -0800, Keith Keller wrote:
...
> In any case, you can gain further understanding by asking more specific
> questions about your issue--no need to wait for TechTV. :)

Ok...

1. When would I/anybody want to use VPN-- for my home network? just for wifi at a cafe? just for business (enterprise) network?

2. How would I go about setting up a VPN, anybody care to throw me a bone to an easy to follow document on how to set up a VPN? I do not know why but VPN just goes over my brain. Give me some credit for using Linux for a few years, but I have some mental block about VPN, it just seems so abstract to me and I have no clue how to set up and configure VPN like I do for say a Linksys router with wifi and WEP.

The answers to both of these were in my previous followup, but perhaps somewhat obliquely. So I'll answer directly.

On 2005-11-16, Proteus <proteus@uselessemail.net> wrote:
> 1. When would I/anybody want to use VPN-- for my home network? just for
> wifi at a cafe? just for business (enterprise) network?

Home/cafe: to make it more difficult for crackers to sniff your wireless data

Business: to set up a secure connection between your work and wherever you are (say hotel room or conference), to make it difficult for the people who control the intervening networks to sniff your data

> 2. How would I go about setting up a VPN, anybody care to throw me a bone
> to an easy to follow document on how to set up a VPN?

Look at the quick start on the OpenVPN site, www.openvpn.net.

--keith

--
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
see X- headers for PGP signature information

Proteus <proteus@uselessemail.net> wrote in news:pan.2005.11.16.23.00.44.298645@uselessemail.net:
> On Wed, 16 Nov 2005 14:28:38 -0800, Keith Keller wrote:
> ..
>> In any case, you can gain further understanding by asking more specific
>> questions about your issue--no need to wait for TechTV. :)
>
> Ok...
> 1. When would I/anybody want to use VPN-- for my home network? just for
> wifi at a cafe? just for business (enterprise) network?
>
> 2. How would I go about setting up a VPN, anybody care to throw me a
> bone to an easy to follow document on how to set up a VPN? I do not know
> why but VPN just goes over my brain. Give me some credit for using Linux
> for a few years, but I have some mental block about VPN, it just seems
> so abstract to me and I have no clue how to set up and configure VPN
> like I do for say a Linksys router with wifi and WEP.

To set up a VPN you need to install VPN software. There are several different vendors providing their own proprietary software. It would make a lot of sense to use an open source offering such as OpenVPN, as has already been recommended to you. Start here: http://openvpn.net/

Klazmon.

Proteus <proteus@uselessemail.net> writes:
> Set it up as WPA encryption (Pre-shared key, TKIP) with 30 character
> random passphrase key (with mix of lower/uppercase, numbers,
> symbols), MAC address filtering on, SSID broadcast is on.

That's more than enough. If you allow access only to a few selected MAC addresses, you may be sure that only good guys will access your network. If you feel paranoiac, disable SSID broadcasting; in that way, only users who know the SSID name (and the WPA key, and have the right MAC address) will be able to connect.

--
Maurizio Loreti http://www.pd.infn.it/~loreti/mlo.html
Dept. of Physics, Univ. of Padova, Italy ROT13: ybergv@cq.vasa.vg

Proteus wrote:
> Any help/tips appreciated. I have a Linksys wifi router for my home LAN
> (need convenience of LAN gaming besides general security and usage for
> my laptop and a second PC in my home), wondering if my wifi security is
> strong enough, if there is something else I can do? Set it up as WPA
> encryption (Pre-shared key, TKIP) with 30 character random passphrase key
> (with mix of lower/uppercase, numbers, symbols), MAC address filtering on,
> SSID broadcast is on.
>
> Everything I hear makes me think wifi is not very secure, I am a bit
> spooked. I even heard WPA can now be cracked. What more can I do? I want
> to set up a software firewall at some point for my Linux system, but when I
> have done that in the past it really makes it hard or impossible for me to
> do computer LAN gaming (or should I run the firewall, shut it off when I do
> a LAN game which is really not that often?).
>

You're as secure as you can be without using your own AAA server instead of the PSK model.

Wifi isn't secure in that the data medium travels in the air. Which means that it can be blocked/jammed and it's possible for commands to be injected... especially at layer 2.

If you pop your email, use ftp, use telnet or use a cable modem, those are much more serious security problems. The internet is a trusted environment. You implicitly trust everyone else on it. You can try to block... but there's always going to be some kind of evil that can be done to you... even if just a denial of service of sorts. The internet is not a place for the paranoid or timid. Set up everything as if it were open on the internet (to where you don't mind if somebody hacks it) and then put your blocks into place. If they get through... no biggie.
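
For the WPA pre-shared-key setup described in the opening post, the following added example (not part of the thread and not any poster's code) shows how a passphrase and SSID become the 256-bit key, and how large the search space of a 30-character random passphrase is. The passphrase/SSID pair in the demo is the test vector published with IEEE 802.11i; the guess rate of 1e9 per second is an assumption chosen only to give a sense of scale.

```python
import hashlib
import math
import string

# WPA-Personal limits: passphrase is 8..63 printable ASCII characters,
# SSID is 1..32 bytes.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit pairwise master key for a WPA pre-shared key.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase gives a different key on a
    differently named network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not set(passphrase) <= PRINTABLE:
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32
    )


def random_passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a passphrase drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_search_half(bits: float, guesses_per_second: float) -> float:
    """Expected years to try half the passphrase space at a given rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Published 802.11i test vector, not a value from the thread.
    print(derive_pmk("password", "IEEE").hex())
    # 30 random characters over upper/lower/digits/symbols (94 choices each).
    bits = random_passphrase_bits(30, 94)
    print(f"{bits:.1f} bits")
    # Assumed rate of 1e9 guesses per second, for scale only.
    print(f"{years_to_search_half(bits, 1e9):.2e} years")
```

The strength here comes from the passphrase being long and random; an 8-character lowercase passphrase run through the same functions gives under 38 bits.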