Just how secure is our Wireless Protection feature?
For Network Magic 3.0 we implemented the ability to lock a wireless network. We call this feature "Wireless Protection".
There are three common ways to secure a wireless network using the most common infrastructure available today. Deciding which one to base our initial security approach on met with a lot of debate here at Network Magic. There are usually two camps in the debate – the security purists and the user advocates.
I’m more in the latter camp. I care about security insofar as it:
a) provides reasonable defense against my most likely threat and
b) is easy for me to implement.
We’ve all heard the "IT policy" horror stories, where the IT department decided to crack down on strong passwords:
Bomb proof. Secure, right? Not really. It’s so unusable from a user's point of view that people have to write their passwords down on sticky notes in front of their workstation to remember them all. Great technical solution, flawed execution.
So let's look at each of the 3 main ways and hear the debate… then I’ll tell you what we did and why we did it.
Security Options
1. MAC Address Filtering
MAC address filtering is a simple security measure. A MAC address is a unique address assigned to devices and computers. By maintaining an ‘approved’ list of MAC addresses on the router, it can deny access to any new machine that is not on the list. There are several shortcomings to this approach:
a) you need to know the MAC addresses of the devices you want to add, which is not an easy thing to figure out (unless you have Network Map handy),
b) if a hacker knows the address of someone on the ‘approved list’, they can easily spoof the address and get on your network and
c) even when your network is denying requests to other machines, it *is* transmitting information in the air-waves. This information is in clear-text and not encrypted in any way. A sophisticated hacker with a signal sniffer can watch what you are doing online and where you are browsing too. They can’t see the credit-card that you sent as part of check-out of a commerce transaction (Amazon.com for instance), as most commerce sites use a secure-connection (SSL) to transmit this data.
2. WEP Encryption
WEP was the first form of wireless encryption to be available on wireless networks. To use it you have to set up a fancy password (known as a WEP-Key) in the router, and configure each computer and/or device to also know this password.
Unfortunately the ‘password’ isn’t pretty - you can't use a simple password such as “BobLikesJane”. It has to be a “128-bit encryption key” that is represented as 26 hexadecimal characters. Confused? You can be sure that your mum will be. The nice thing about WEP is that once you have it set up, your data transmissions are encrypted and anyone wanting to join your network needs to enter the ‘key’. So it feels fairly secure. Another bonus is that most other network devices – such as cameras, TiVos and media players – all support it. Although punching in a 128-bit hex-key on your TiVo remote is no fun way to spend a Saturday night.
The biggest downside of WEP? Any hacker worth their salt can crack your key in about 3 minutes or less.
3. WPA Encryption
The most common form of WPA encryption in the home network space is WPA-PSK or “Pre-Shared Key” Mode. The good news is that WPA uses a more friendly ‘password’ metaphor, so no weird hex-key voodoo. The bad news is that most home users don’t bother creating strong passwords, and pick something like “banana” or “Johnny”, which are well-known words found in the dictionary. This weak-password approach can render WPA as weak as WEP in many cases, which makes any WPA-enabled network vulnerable to automated dictionary attacks. Another big downside to WPA is that older routers don’t support it and a lot of consumer networking devices do not support it either. This is starting to change, however, and more recent updates of devices such as the SqueezeBox are coming to market with WPA.
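To make the weak-password point concrete, here is an added example (not part of the original post and not Network Magic code) that derives a WPA-PSK key the standard way, with PBKDF2-HMAC-SHA1 salted by the SSID, and audits a passphrase before you commit it to the router. The function names, the tiny word list and the 60-bit threshold are assumptions made for this sketch.

```python
import hashlib
import math
import string

# Constructed sample of common words; a real audit would load a large wordlist.
COMMON_WORDS = {"banana", "johnny", "password", "welcome", "network"}
MIN_BITS = 60  # assumed threshold for this example, not a standard


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit WPA-PSK key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def audit_passphrase(passphrase):
    """Return a list of findings; an empty list means nothing weak was detected."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside 8-63 characters")
    # Strip leading/trailing digits and punctuation so 'banana123' is still caught.
    core = passphrase.lower().strip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        findings.append("dictionary word with trivial padding")
    # Crude upper bound: length * log2(size of the character classes in use).
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    bits = len(passphrase) * math.log2(pool) if pool else 0.0
    if bits < MIN_BITS:
        findings.append("search space under %d bits (%.0f)" % (MIN_BITS, bits))
    return findings


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    # The SSID is the salt, so the same passphrase yields a different key elsewhere.
    print(wpa_psk("password", "linksys").hex())
    for candidate in ("banana123", "Johnny!!", "T7#qLm2!vRx9$kPz"):
        print(candidate, audit_passphrase(candidate))
```

Because the SSID is the salt, a router left on its factory-default network name gives up part of that protection; changing the SSID and choosing a long, non-dictionary passphrase both matter.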
The Real Threat?
So where does all this leave us? Putting the technical details aside, to truly understand the merits of each approach you have to consider WHO you are defending against. I give you two possible categories of people to defend against:
1. The intruding neighbor
This is your busy-body, freeloading neighbor who wants to get on your network to steal bandwidth and maybe poke around to see what interesting files he can find. He’s not that talented when it comes to hacking networks and can’t really do that much damage.
2. The professional hacker
This is the guy that sits outside your house in a white van with a Pringles can over his antenna pointing directly at your network. He knows all the tricks of the trade and knows how to get into a network.
For the intruding neighbor, any of the security methods above are a sufficient deterrent to keep him out. For the professional hacker, MAC Address filtering is like leaving the door to your house closed with no lock. Using WEP is like barricading your door with a single strand of wet spaghetti. Using WPA is like having a box of assemble-yourself lock-parts. If you know how to arrange them in the right way, you can make a decent lock. But if the hacker REALLY wants in, he can still break the windows.
Conclusion
To determine the right security solution for you, you have to consider a) what is your real threat and b) what is your worst exposure in the event of a compromise. I don’t keep a Bio-Hazard suit in my basement, because I really don’t think there’s going to be a chemical terrorist attack on downtown Seattle anytime soon and for $60, I’ll take my chances.
For Network Magic 3.0, we chose to implement MAC Filtering as our first-step security solution. We believe that this has maximum ease-of-use and still provides an improved level of security over what most people have today – no security at all. For a future release of Network Magic, WPA seems like the next natural step.

Comments
I think if you combine MAC address filtering with turning the broadcast of your SSID off you're in very good shape. The bad guys will go after one of your neighbors instead of you for sure. Brett, on another related topic, I've heard people say you can't use your wireless network if you turn SSID broadcasting off, but I turned mine off and don't have a problem. Are people confused about this?
Posted by: home networking news | April 18, 2006 01:03 AM
I think the comment comes from folks that have network devices that only allow you to pick from an SSID-broadcast list vs. type in the SSID you want to connect to. I remember some older generation audio devices having issues like this. In which case you can't turn off SSID and still join the device wirelessly.
I don't think this is an issue with more recent devices.
Anecdotally, I have observed some weirdness with the Windows wireless connection manager dropping connections to a hidden SSID network on an older Linksys b-router of mine. But I don't have a lot of data to suggest it will cause problems.
I'd be curious to hear from any other folks out there that have experienced issues with hiding their SSID.
Posted by: Brett Marl | April 18, 2006 01:46 AM
In relation to the audio gear and broadcasting SSID, I have a Netgear MP101 and it only allows you to select from SSIDs found when it scans. I enabled the broadcast of SSID, set up the MP101 then disabled SSID. Seems to work fine ... apart from some other issues with the server software :-)
As for all the other comments ... here was I thinking my network was relatively secure having disabled SSID broadcast, enabled WEP and MAC filtering .... But as you point out, what are they really going to steal?
Posted by: Michael de Koning | April 18, 2006 06:39 AM
Michael that's the process I've followed as well when I add a new device to my wireless network - I turn SSID broadcast back on, get the new device recognized by the network, then I turn SSID broadcast off. Then, even if I take my laptop to work and then bring it back home, I can still get on the network no problem. And I never had to type in the SSID directly.
Posted by: home networking news | April 18, 2006 05:54 PM
OK... time for another shameless Network Magic plug :)
The process you describe of turning off MAC filtering and turning on SSID broadcast to get a new device on the network is exactly how the "Add New Device" feature works in Network Magic 3.0.
When you invoke this wizard, it temporarily "lowers the security shield", allows you to add the device and then automatically puts the shield back up with that device included.
If your router is supported you guys should check it out - we'd love to hear some feedback on the feature. Hopefully we automated yet another tedious networking task for you.
Posted by: Brett Marl | April 18, 2006 06:07 PM
Hiding your SSID is a complete misnomer; any good war driving program will expose them. Also, MAC filtering is really not very secure. Any network device can be programmed to send any MAC the bad guys want it to. So given a WEP protected device with SSID broadcasting disabled and MAC filtering on, a competent bad guy can use your house to send millions of spam emails in a few minutes. Maybe they don't want to steal anything, maybe they just want to use your network connection.
Posted by: Anonymous | February 9, 2008 07:41 PM
Agreed. Relying on your SSID being off is worthless. It may reduce your profile, but if you have a TiVo or device that requires it, that will make it unworkable.
Posted by: Mike | August 16, 2008 03:11 PM