Wireless Access Pointless

Phil Libin has an interesting point on wireless access points and the free rider syndrome.

Not only is securing a wireless LAN difficult for most mortals, but there’s very little motivation to actually make the attempt. You probably won’t notice the bandwidth drain of someone leeching from you, and viruses and worms are best combated at the firewall and PC level. You and your neighbor might actually be better off sharing the same access point and not having two separately encrypted networks fighting for the radio spectrum.

I’m a late adopter on this technology (in fact, I’ve yet to adopt it) but this is worth thinking about. The downside of this would seem to be to create a disincentive for creating additional access points. One would think the infrastructure would get swamped at some point as more people start using wireless and everyone is trying to leech off of the ones who, unnecessarily it seems, put up their own.

James Joyner

Comments

  1. joy says:

    Well, I use my home wireless network and networks out in the public all of the time. The problem with keeping a free and open network for your neighbors or the public at large is that besides the bad guys, what if your neighbor does something illegal on your network?

    For example, many home wireless routers use NAT (network address translation) which basically allows a number of computers to use one static IP address. So, say, if your IP address has been caught downloading porn/music/movies/what have you, guess who will be held responsible (or do you really want to go through the hassle of having to prove you weren’t the one downloading all of that crap?).

    Or, what about someone sniffing your traffic? Do you use http/ftp? Both of those protocols send passwords in plain text.

    Or, you Windows users, do you inadvertently have your C: drive set to shared?

    Also, there are providers out there like who are now beginning to crack down on use of NAT, and who are now nailing people for excessive use of bandwidth and/or charging for additional IP addys. So, if you live in a one or two broadband provider area, you’ll be up a creek if the cable company doesn’t want to serve you anymore.

    Now, again, I have a wifi enabled laptop and I love it. I love being able to go to a public area and get on to the Internet. However, I’m also wise enough to understand that in a public area, I’m more vulnerable. Now, for me, I understand the risks and I take precautions (although, admittedly I’ve got some paranoid friends who only use tunnelling, SSH, etc.) but the average user does not.

  2. Just set my wi-fi hub up this week. I haven’t gotten around to configuring it. It works fine out of the box but I want to look at the security options AND would like to turn DHCP off. My firewall handles that and the wireless IP addresses are not compatible with the rest of my network. But…I’m too busy to bother at this point.

    Maybe next week.

  3. capt joe says:

    I run one at home to do work and I really didn’t care because I firewall each computer connected to the main network and use another router to protect a wireline network where I do work for work.

    My attitude changed when I was snooping my wireless network trying to figure out a connection issue. I discovered another person using a DHCP address surfing porn off my ISP connection. I suddenly got a chill when I realized that if he ever started to download child porn, I would be the one left holding the bag.

    After that, I turned on WPA (better than WEP – the normal encryption mechanism), installed a RADIUS server (manages DHCP addresses to authorized clients only), MAC filtered the network (restricted it so that only registered MAC (raw) addresses from a list would be accepted).

    No one should run an unrestricted wireless network out of home. If you wonder why not, ask yourself if a policeman would believe your story about not knowing that child porn or worse was being loaded over your network without your knowledge.

  4. capt joe says:

    yes, no point in having more than one DHCP server.

    For security, MAC filter your network, suppress the SSID/ESSID of your network, use WEP if you can, the larger key the better. If you have a RADIUS server (free on Linux, very expensive on non-Linux), then set that up to validate anyone trying to get a DHCP address, and then configure WPA to use it.

    Even so, every client computer on the network should have a firewall (ZoneAlarm is free for Windows).

    All of this will give you defense in depth. Once they break one system, they need to tackle more systems, each backing the other. It would require a lot to hack. Not impossible, just improbable. 😉

  5. Phil Libin says:

    Joy,

    You make a good argument, but I’m going to stick by mine.

    I never said that people shouldn’t secure their WAPs. I think that people *don’t* secure their WAPs because the technology is poorly implemented and frustrating. If WiFi security was more robust and easier to use, it would naturally be in everyone’s advantage to use it.

    However, if I’m going to ask average consumers to spend a few hours on computer “security”, I’d much rather they first install the latest OS patches, turn off file sharing, install a firewall at the network and on every computer, learn a bit about “phishing” and other scams (and maybe download SpoofStick), install an anti-virus program and get the latest signatures, check for spyware and rethink their passwords. When they’re done with all that, they can monkey around with their WiFi network. All the other stuff is more important, more effective and easier to do.

    Even if you manage to keep your WiFi access point encrypted, you’re not really adding a whole lot of security. Everything just reverts right back to plaintext as soon as it goes from the WAP to the ISP, all your HTTP and FTP and email is bouncing around the guts of the web for anyone to see. If you’ve got data worth protecting, use SSH or SSL or a VPN – then it doesn’t matter if you’ve secured your WAP. If a non-SSL site asks you for a password, assume that everyone can see it. If you send out unencrypted, unsigned email, assume that there’s going to be a searchable trail of everything you’ve ever written somewhere or another.

    As for the legal aspects, I don’t buy it. Internet access is not a firearm, and I don’t have any responsibility to make sure others can’t use the bits my access point decides to shoot out into the air. If my ISP has a problem with this, they should figure out how to restrict access on their side. I shouldn’t have to waste my time setting up “security” to solve their billing problem. If a crime is committed in my neighborhood, it’s not up to me to prove that I didn’t do it. It’s up to the authorities to find whoever did – and to prove it. Of course, you’re right that this area is “undefined” and it may take an unpleasant case or two to iron things out. If you’re concerned about being blamed for the actions of others on “your” wireless network, by all means take the appropriate precautions. For what it’s worth, I’ve found that MAC filtering works better than WAP encryption.

    So, bottom line: we need better security technology that takes the burden of securing all data away from the user. In the meantime, locking down residential wireless access points is not my top security priority, and may not be a good way to spend finite security resources.