Just how secure is our Wireless Protection feature?
For Network Magic 3.0 we implemented the ability to lock a wireless network. We call this feature "Wireless Protection".
There are three common ways to secure a wireless network using the most common infrastructure available today. Deciding which one to base our initial security approach on met with a lot of debate here at Network Magic. There are usually two camps in the debate – the security purists and the user advocates.
I’m more in the latter camp. I care about security insofar as it:
a) provides reasonable defense against my most likely threat and
b) is easy for me to implement.
We’ve all heard the "IT policy" horror stories, where the IT department decided to crack down on strong passwords:
Bomb proof. Secure, right? Not really. It’s so unusable from a user’s point of view that people have to write their passwords down on sticky notes in front of their workstation to remember them all. Great technical solution, flawed execution.
So let's look at each of the 3 main ways and hear the debate… then I’ll tell you what we did and why we did it.
1. MAC Address Filtering
MAC address filtering is a simple security measure. A MAC address is a unique address assigned to devices and computers. By maintaining an ‘approved’ list of MAC addresses on the router, it can deny access to any new machine that is not on the list. There are several shortcomings to this approach:
a) You need to know the MAC addresses of the devices you want to add, which is not an easy thing to figure out (unless you have Network Map handy).
b) If a hacker knows the address of someone on the ‘approved list’, they can easily spoof the address and get on your network, and
c) Even when your network is denying requests to other machines, it *is* transmitting information over the airwaves. This information is in clear text and not encrypted in any way. A sophisticated hacker with a signal sniffer can watch what you are doing online and where you are browsing too. They can’t see the credit card that you sent as part of the check-out of a commerce transaction (Amazon.com for instance), as most commerce sites use a secure connection (SSL) to transmit this data.
2. WEP Encryption
WEP was the first form of wireless encryption to be available on wireless networks. To use it you have to set up a fancy password (known as a WEP key) in the router, and configure each computer and/or device to also know this password. Unfortunately the ‘password’ isn’t pretty - you can’t use a simple password such as “BobLikesJane”. It has to be a “128-bit encryption key” that is represented as 26 hexadecimal characters. Confused? You can be sure that your mum will be. The nice thing about WEP is that once you have it set up, your data transmissions are encrypted and anyone wanting to join your network needs to enter the ‘key’. So it feels fairly secure. Another bonus is that most other network devices – such as cameras, TiVos and media players – all support it. Although punching in a 128-bit hex key on your TiVo remote is no fun way to spend a Saturday night.
The biggest downside of WEP? Any hacker worth their salt can crack your key in about 3 minutes or less.
3. WPA Encryption
The most common form of WPA encryption in the home network space is WPA-PSK, or “Pre-Shared Key” mode. The good news is that WPA uses a more friendly ‘password’ metaphor, so no weird hex-key voodoo. The bad news is that most home users don’t bother creating strong passwords, and pick something like “banana” or “Johnny”, which are well-known words found in the dictionary. This weak-password approach can render WPA as weak as WEP in many cases, which makes any WPA-enabled network vulnerable to automated dictionary attacks. Another big downside to WPA is that older routers don’t support it and a lot of consumer networking devices do not support it either. This is starting to change, however, and more recent updates of devices such as the SqueezeBox are coming to market with WPA.
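An added example, not part of the original post or of Network Magic: a Python check that rejects WPA-PSK passphrases of the “banana”/“Johnny” kind before they go into a router. The word list, the 64-bit threshold and the function names are assumptions made for this illustration, and the sample passphrases are constructed; the key derivation is the standard WPA-PSK one, which depends only on the passphrase and the network name.

```python
import hashlib
import math
import re
import string

# Constructed sample; a real audit would load a large list of common passwords.
COMMON_WORDS = {"banana", "johnny", "password", "letmein", "qwerty"}
MIN_BITS = 64  # assumed policy threshold for this example


def derive_pmk(passphrase, ssid):
    """WPA-PSK key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def estimate_bits(passphrase):
    """Upper bound on entropy: assumes every character was picked at random."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation + " " for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_passphrase(passphrase):
    """Return the list of reasons a WPA-PSK passphrase should be rejected."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length")  # WPA passphrases are 8 to 63 characters
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        findings.append("charset")  # printable ASCII only
    # "Johnny2007" or "banana!" are still dictionary words with decoration.
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", passphrase.lower())
    if core in COMMON_WORDS:
        findings.append("dictionary")
    if estimate_bits(passphrase) < MIN_BITS:
        findings.append("low-entropy")
    return findings


if __name__ == "__main__":
    for candidate in ("banana", "Johnny2007", "tq7Vm2-rKx9!bLw4Hs"):
        print(candidate, audit_passphrase(candidate) or "ok")
    print(derive_pmk("password", "IEEE").hex())
```

Because the derived key is a fixed function of the passphrase and the network name, a passphrase that appears in a word list offers little protection no matter how strong the encryption behind it is.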
The Real Threat?
So where does all this leave us? Putting the technical details aside, to truly understand the merits of each approach you have to consider WHO you are defending against. I give you two possible categories of people to defend against:
1. The intruding neighbor
This is your busy-body, freeloading neighbor who wants to get on your network to steal bandwidth and maybe poke around to see what interesting files he can find. He’s not that talented when it comes to hacking networks and can’t really do that much damage.
2. The professional hacker
This is the guy that sits outside your house in a white van with a Pringles can over his antenna pointing directly at your network. He knows all the tricks of the trade and knows how to get into a network.
For the intruding neighbor, any of the security methods above are a sufficient deterrent to keep him out. For the professional hacker, MAC Address filtering is like leaving the door to your house closed with no lock. Using WEP is like barricading your door with a single strand of wet spaghetti. Using WPA is like having a box of assemble-yourself lock-parts. If you know how to arrange them in the right way, you can make a decent lock. But if the hacker REALLY wants in, he can still break the windows.
Conclusion
To determine the right security solution for you, you have to consider a) what is your real threat and b) what is your worst exposure in the event of a compromise.
For Network Magic 3.0, we chose to implement MAC Filtering as our first-step security solution. We believe that this has maximum ease-of-use and still provides an improved level of security over what most people have today – no security at all. For a future release of Network Magic, WPA seems like the next natural step.