Using a wireless modem in home

The machines we love to hate

Moderator: Wiz Feinberg

erik
Posts: 2018
Joined: 7 Mar 2000 1:01 am
State/Province: -
Country: United States

Using a wireless modem in home

Post by erik »

I was thinking about purchasing a wireless modem that replaces a standard modem, not a wifi account. My question is, if I'm signed into one or many accounts online, would a neighbor close enough be able to pick up my local signal and surf my accounts as I'm online? I want to be able to use my laptop in my bedroom or on the back porch without a wire.
-johnson
Wiz Feinberg
Posts: 6117
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

You will need to encrypt the signal to your PC, just like you need to do for a wireless access point/router. Unless you engage strong encryption a neighbor with a little bit of cunning can piggyback his wireless adapter onto your Internet connection and do who knows what, for which you will be held accountable.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog

Post by erik »

Thank you, Wiz.
-johnson
Joe Harwell
Posts: 460
Joined: 27 Jan 2006 1:01 am
Location: "I've never been bad." ........ Many, LA
State/Province: -
Country: United States

wireless security

Post by Joe Harwell »

This helps me understand wireless security.

Securing access - that is authentication.
Securing data transfer - that is encryption.

Take some time and read your documentation carefully.

What confuses many people at first is that encryption can and should be used to authenticate. But it is not the same as data transfer encryption.

I like to specify devices by MAC numbers for authentication. MACs are unique and can only be added by the system administrator, you.

Don't broadcast your SSID.

Use the lowest broadcast power settings possible.

Then take your laptop for a spin around the block to see how things look outside of your house for a test.

All this should be covered in your documentation.

Hope this might help.
Joe in LA

"How far you go in life depends on your being tender with the young, compassionate with the aged, sympathetic with the striving, and tolerant of the weak & the strong; because, someday in life you will have been all of these".

Post by erik »

Would it be safer to use the basic G level device? It looks on the diagram like it won't transmit beyond the home.
-johnson

Post by Wiz Feinberg »

Erik,
G will give you the best range, but be aware that there will be some bleed through to the outside. If there is a determined war driver in the area he will find your signal and attempt to piggyback onto it. These folks use focused beam antennas to grab every milliwatt of power that bleeds outside from a wireless access point. They also use encryption breaking software to crack simple WEP type encryption. Use WPA2 for better security and if you discover that somebody has cracked the code, add MAC filtering. If that doesn't stop them, change your computers to static IP addresses and disable DHCP on the Access Point/Router.

I realize that this may be geek talk, but it is important to learn the meaning and significance of these terms if you intend to operate a wireless Internet transmitter.
Earnest Bovine
Posts: 8372
Joined: 4 Aug 1998 11:00 pm
Location: Los Angeles CA USA
State/Province: -
Country: United States

Re: Using a wireless modem in home

Post by Earnest Bovine »

erik wrote: "I was thinking about purchasing a wireless modem that replaces a standard modem,"
Maybe you don't need to spend that much. You can buy a wireless router that plugs into your modem. That will let you use your laptop computer anywhere around the house. It should cost $30 or $40, maybe less.

Don't get 802.11a or 802.11b which are old and obsolete.

Get 802.11g

802.11n is brand new and better but expensive.

Post by Wiz Feinberg »

"802.11n is brand new and better but expensive."
And, has not been accepted as a standard yet, which means that some of the routers and NICs supporting the N standard chosen by their manufacturers may become obsolete if a different standard than theirs is selected as the final draft. I would only purchase an N product today if it came with a guaranteed free update to a replacement containing the final approved firmware, or else is flash-able to the final firmware, over the I'net.

Note: Some firmware flashes go bad and can trash the device.
Randy Reeves
Posts: 1496
Joined: 18 Oct 2004 12:01 am
Location: LaCrosse, Wisconsin, USA
State/Province: Wisconsin
Country: United States

Post by Randy Reeves »

my neighbor has a wireless modem in his house. our neighborhood is a hot zone in the city. the bubble around his house is about 120 feet.
having learned that I wanted to go for wireless internet at home he offered his connection for me.
he came by with his laptop, and sure enough, the connection was strong in my house.
he helped me fire up my connection free.
he set up filters to protect me. I don't know specifics.
I post this to pass the word that wireless does bleed.
in my case I get free wireless for mowing his lawn twice a month. it is a nice agreement.
Jeff Agnew
Posts: 741
Joined: 18 Sep 1998 12:01 am
Location: Dallas, TX
State/Province: Texas
Country: United States

Post by Jeff Agnew »

Whew. Lots of terms being used here interchangeably, which can be confusing for some folks. Including me, and I work with this stuff every day. I couldn't for the life of me figure out why anybody would want to use a wireless modem at home, unless their regular net connection was down. Then I figured out that everyone meant something different. It's important to know the distinction because the terms really mean different things.
"I was thinking about purchasing a wireless modem that replaces a standard modem, not a wifi account."
First, there's no such thing as a WiFi account. Second, the industry definition for a wireless modem is that of a device to allow you to connect a laptop to a wireless phone. Some are PCMCIA cards that plug into your laptop, others are simply a cable to allow your computer to connect directly to the phone. Handy for travelers or business folks away from a WiFi hot spot or other net access.

A wireless access point (WAP) connects to an existing net provider through either an Ethernet cable (if you're on broadband) or a built-in modem that will use your phone line to access your ISP (less common). Your WAP may also include a small four or five port router, which must be connected to a broadband connection such as DSL, cable, or fiber. This is by far the most common configuration.

Folks without broadband access tend to not expend the effort to set up a wireless connection for a dial-up account because they typically only support a single concurrent user. But I'm guessing this is what Erik wants to do. Which most of you already figured out; I just took his words literally. It's not a wireless modem.
"my neighbor has a wireless modem in his house"
Again, to be precise, almost certainly not. More likely it's a WAP connected to a broadband provider.
"...he offered his connection for me."
Just so you know, most ISPs consider this to be a violation of their terms of service. Even if the guy isn't charging you anything. It's a stupid rule and he isn't likely to get caught, but read their TOS and you'll find it. Again, just FYI.
"I like to specify devices by MAC numbers for authentication... Don't broadcast your SSID."
These are good recommendations to deter the casual snooper but they aren't truly effective. If I've got a laptop and copies of AirSnort and Ethereal I don't need the SSID. Your WAP will show up as soon as I scan. If I've broken your password or encryption then getting the MAC address is a matter of reading the packet headers.
"They also use encryption breaking software to crack simple WEP type encryption. Use WPA 2 for better security..."
Too true. WEP is laughably insecure and really isn't much better than nothing. WPA is much better but is dependent upon a good encryption key. It should be long and use a good mix of alpha/non-alpha characters. Steve Gibson's site has a very nice tool to generate a secure password for you to use in these situations.

If you're using a wireless device of any kind connected to your home network or broadband connection, there are a few simple things you can do that will increase your security significantly:

Please change the default password on your WAP. You would be shocked to know how many folks don't. Bad guys depend on this as it makes their job so much easier.

If you're using a Windows computer, turn off File/Printer sharing. This will limit damage if someone hacks your WAP. Besides, if you're using a cable modem (a shared connection), it should be off anyway.

Unless you are downloading stuff overnight, either turn off the WAP or disconnect your computer from it or the cable/DSL modem when you are not using it. If you're using the WAP as a router, this isn't practical so consider instead disconnecting it from your cable/DSL modem. There are other implications here though so check with your ISP first.
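
The point in the post above about WPA depending on a long, mixed key, shown as an added example that is not part of the original thread: WPA/WPA2-Personal derives the network key from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, so the passphrase is the only secret. This Python code generates a passphrase and checks one; the 20-character threshold and the symbol set are assumptions chosen for this example.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2-Personal accepts a passphrase of 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63
# Constructed alphabet: letters, digits and symbols that are easy to type.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+-.:;<=>?@[]^_{}~"
# Assumption for this example: treat anything under 20 characters as short.
RECOMMENDED_LEN = 20


def spec_errors(passphrase):
    """Reasons an access point would reject the passphrase outright."""
    errors = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        errors.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        errors.append("only printable ASCII characters are allowed")
    return errors


def weaknesses(passphrase):
    """Advisory findings: accepted by the access point but easier to guess."""
    found = []
    if len(passphrase) < RECOMMENDED_LEN:
        found.append("shorter than %d characters" % RECOMMENDED_LEN)
    if not any(ch.isalpha() for ch in passphrase):
        found.append("no alphabetic characters")
    if all(ch.isalpha() for ch in passphrase):
        found.append("no non-alphabetic characters")
    return found


def generate_passphrase(length=32):
    """Random passphrase from the OS CSPRNG, mixing alpha and non-alpha."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be 8 to 63")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        has_alpha = any(ch.isalpha() for ch in candidate)
        if has_alpha and not candidate.isalpha():
            return candidate


def entropy_bits(length):
    """Entropy of a uniformly random passphrase drawn from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def derive_psk(passphrase, ssid):
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    errors = spec_errors(passphrase)
    if errors:
        raise ValueError("; ".join(errors))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # "HomeNet" is a constructed SSID used only for this demonstration.
    for sample in ("password", generate_passphrase()):
        print(repr(sample))
        print("  rejected by AP:", spec_errors(sample) or "no")
        print("  weaknesses:    ", weaknesses(sample) or "none found")
        print("  PSK on HomeNet:", derive_psk(sample, "HomeNet").hex())
    print("random 32 chars: about %.0f bits" % entropy_bits(32))
```

Because the SSID is the salt, the same passphrase produces a different key on a network with a different name.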

Post by Earnest Bovine »

Jeff Agnew wrote: "Please change the default password on your WAP. You would be shocked to know how many folks don't. Bad guys depend on this as it makes their job so much easier."
Jeff, what can a "bad guy" do if he gets your password, or if you have no encryption at all? Wouldn't he have to be so close that you can see him if you look around the house?

Post by Jeff Agnew »

Earnest,

First, only you can determine whether securing your machine against this potential threat is a concern for you. Many folks think "I don't have anything that's worth stealing". Possibly true, but most intruders aren't looking for data these days.

The important thing to realize is that usually if a bad guy can get into your LAN, even if it only comprises a single PC, he's inside your defenses. Most WAPs provide at least a minimal hardware firewall function; now the intruder has gone through it. So now they're in your house, so to speak. This is why everyone should do as Wiz keeps harping on and run a software firewall in addition to any hardware device -- it limits damage.

So what can they do, once inside? First, it's easier to take over your PC. Unless you're a savvy user you probably won't even know it. The primary target these days is an unsecured Windows PC connected to broadband. That's the pot of gold. A bad guy will download a very small program that will hide in your machine and turn it into a "bot" used to send spam. (Common spyware scans won't find these. You need something like Rootkit Revealer.)

Second, with access to your PC most bad guys will take time out to look around and sniff for stored passwords to banking sites, or credit card numbers. Or SSNs. Or anything that will aid identity theft.

Next, if you're on a cable modem connection, now your intruder is a de facto member of your node/workgroup. From there he can look for other unsecured PCs in your Windows Network Neighborhood and seed them with more bot software, rootkits, and other nasty programs.

I could go on but you get the idea.

Edited to add: Forgot to answer your other question:
"Wouldn't he have to be so close that you can see him if you look around the house?"
Reasonably close. If you live on an acre or so it's not a problem. From my house in the 'burbs, TiVo detects four or five WAPs, and that's only the ones broadcasting an SSID.

You'll have to determine whether you think your neighbors pose a risk, or whether the area in which you live might be prone to war drivers.

Post by Earnest Bovine »

Jeff Agnew wrote: "You'll have to determine whether you think your neighbors pose a risk,"
My neighbors? Definitely crooked enough. But smart enough? If they can turn their computer into a war driver by yelling at it, then I'm in trouble.

Post by erik »

I have a laptop with built-in 802.11b/wireless. I have DSL which I use direct with a cable plugged in. I was just thinking I'd like my PC to be portable within the home or my backyard. They sell these wireless devices at Wal-Mart, g or g+ specs. I have a laminated card that came with my PC saying to change default password, turn on encryption, and don't broadcast your SSID (does this mean secure socket ID?). But I never concerned myself with what it meant because I just plug in.
-johnson

We need to start a FAQ for Wireless Security

Post by Wiz Feinberg »

I think it may be a good idea if I start a Sticky thread dealing with securing wireless networks. I will launch this thread today and invite Jeff and others in the "biz" to add their input|corrections|recommendations to it.

As wireless networking becomes more widespread, including the use of cellphones on the Internet, securing these networks and devices becomes more important all the time. As Jeff has pointed out up-thread, if a hacker is able to penetrate your wireless network he will be able to plant malware or backdoor programs on your computers which will enable him to add them to a botnet of zombie computers, waiting to do his bidding upon a command he issues.

Some of the things that can happen to computers that become compromised into botnets include these items:
  • Piggyback onto your Internet connection to illegally upload and download copyrighted materials. You may be sued by the RIAA, or MPIA when they trace the IP address/time signature to you. Ignorance will not be a viable defense.
  • Use your computers to illegally host and distribute copyrighted materials. You may be sued by the copyright owners.
  • Turn your computers into spam relays. Your ISP will receive reports from SpamCop, Spamhaus, or the DNSBL, and you may have your Internet access shut off until you remove the programs sending the spam and secure the computer(s).
  • Use your computers to host and disseminate web pages for the purposes of Phishing, spamming, scamming, or the distribution of Trojan Horse programs. You may face legal consequences for identity theft or damages caused by programs or websites hosted on your computers.
  • Turn your computers into open proxies to hide behind, for performing illegal deeds, or scamming forums, or spamming logs and blogs. Your account may be terminated for abuse complaints for allowing this to happen.
  • Enlist your computers into a zombie army used to attack legitimate websites or governments that annoy the bot master. These attacks are designed to overwhelm a web server with steady traffic from thousands of zombie computers, shutting it down to legitimate traffic. If a government office or website is the target, when law enforcement traces the sources of the attack and you show up as one of those sources you may find yourself under arrest and your equipment confiscated. If a large company is the target and they suffer financial losses and find your computer as one of the sources, they may sue you for damages in court.
  • Steal your banking, investment, or auction identities (identity theft). Your accounts will be emptied so fast it'll make your head spin. New credit accounts may be opened using your name and credentials. Things may be purchased and charged to you, or your account numbers may be sold on the black market.
  • If you are an eBay seller and hackers get your login identity off your computer they can change your password and lock you out of your eBay account, then use it to defraud buyers with phony auctions, leaving you to take the flak from ripped off bidders.
Normally I warn you about spyware and Trojan Horse downloads as the major threat to your security, but it is time to add wireless security vulnerabilities to the list of things to do to protect yourself from these types of intrusions and takeovers.

More on wireless security

Post by Joe Harwell »

Joe said: "I like to specify devices by MAC numbers for authentication... Don't broadcast your SSID."
Jeff said: "These are good recommendations to deter the casual snooper but they aren't truly effective. If I've got a laptop and copies of AirSnort and Ethereal I don't need the SSID. Your WAP will show up as soon as I scan. If I've broken your password or encryption then getting the MAC address is a matter of reading the packet headers."

No one solution is effective in and of itself.
It does require a combination of configurations.

Restating my distinction between encrypting network access info
and encrypting the actual data transferred over the connection is, imo, the key to understanding this topic.

My job is to make that if/then as difficult as possible. I can never make it impossible.

For beginners all this can be overwhelming.
A false sense of security is dangerous, too.

Once you put something up in the air, it's open season.

That's why there is such a wide price range for wireless access points.
Most of my experience with wireless is on the higher end with full featured configuration sets.

I'm in the middle of a CISCO CNAP instructor certification training session at this very time
and it has given me some good ideas for the casual home user.
I plan on doing further research on what the "best" devices
and "best" practices are, at a layman's level as much as possible.
This thread has served me as a reference point for discussion.
In fact, we're going to spend tomorrow discussing this very scenario.

After this session, I will be developing an online class
and plan on using that research in a teaching module.

This thread is giving me great student perspective.

I think Wiz's idea of a forum FAQ is excellent.

Your info is excellent, too.

Thanks-
Joe in LA


A new Sticky topic about wireless security has been posted

Post by Wiz Feinberg »

I have finally posted my initial information about securing wireless networks and devices. It is a work in progress and is open to qualified input. I will moderate it to eliminate spurious comments or questions that are better asked in standard new posts. I hope to have the new thread as a source of good information, rather than speculation.

Post by Jeff Agnew »

Joe, I do understand your distinction between encrypting access and authentication. But unfortunately the average wireless product documentation does not explain it. Nor do the docs and marketing materials explain why it's important. Which leads the average consumer to this point:
"A false sense of security is dangerous, too."
Which was a better way of saying what I tried to convey. Namely, that using the two methods in question is certainly recommended (I use them at home, myself) but does not guarantee security in and of itself. Users should avail themselves of whatever tools they have on hand to secure their machines/network. But having those tools in place doesn't mean you should never think about security again. As you said:
"No one solution is effective in and of itself."
Exactly. As Bruce Schneier keeps saying, security is a process, not a product or a specific technique.

Part of that process is assessing risk vs. reward. Hence my comment to Earnest that he is the only one who can decide what level of effort to secure his access point makes sense, balancing the odds of it being compromised with what he stands to lose if it is.

Dumbest/Myths-OU's blog-Cost of a really securable AP

Post by Joe Harwell »

I never doubted for a moment, Jeff :')!

I was just reiterating for those who might not.

There's a lot of meat in your post that bears a little research/reflection time
if a person is serious about securing their wireless access point.

I would and do spend my "spare" time on my steel rather than tech documentation.

And your reply also pointed out what I think is the fallacy of Mr. OU's blog.
It would tend to lead people NOT to do those things.
(This blog is referenced in Wiz's sticky note.)

I think what we've been saying is do those things.
But there's more that needs to be done to be as secure as possible.

After briefly searching, certainly not exhaustively,
the lowest-priced access point I found that can really offer true security
was a CISCO 1200, in a price range of around 500.00.
That unit offers both secure authentication and good encryption.
I'm guessing there are some lower priced ones but will search later.

I know Mr. OU did not seem to be very fond of CISCO.
Or at least LEAP. But Mr. OU should have put his comments in a historical perspective.
CISCO was addressing an area that was new at the time.
CISCO has made lots more viable options presently.

On the other hand, I think Mr. OU's "whitepaper" on enterprise level wireless security is a very good read.
But I think the need for those features is rapidly being pushed down to the casual home user.
Looks like as good a beginning point as any for tackling wireless security.

The vendor who can produce an AP with the proper features AND ease of configuration
at an affordable price can capture the market.

And I'm certainly not promoting CISCO over any other vendor.
I go for ease of installation, configuration, and maintenance.
AND does the job.
I'm not brand loyal.

I read your reply in another thread concerning the Himachi device with its NAT'ing abilities and found it most helpful.

What AP would you recommend?

Ultimately, I'll be looking for a po'boy software solution to beef up the inexpensive AP's.

erik, how's your wireless network?
Joe in LA


Post by Jeff Agnew »

"What AP would you recommend?"
That's a tough choice. I hate to fall back on the old "it depends" answer but it really does depend on your needs.

In the office we've got a mixture of Cisco and a few rogue pieces left over from earlier purchases that will be phased out as budget allows. We've slowly introduced the AirTight stuff to protect them over the last several months and so far things are going well. One advantage is that they have intrusion detection built in. I'm still a bit on the fence whether this is our best answer but it is promising. It's also expensive and overkill for a home network.

For consumer-grade stuff, I don't know what I'd recommend. D-Link always tests well and is a favorite of gamers but doesn't offer the range of some others. The latest Netgear APs have been getting rave reviews but also suffer in range tests. Linksys usually offers good range but is inconsistent between models. One will be an incredible performer then they'll bring out the replacement model and it will stink. So who knows. In my home I've got an older Linksys and an Airport. I will say, BTW, that the Airport has been rock solid while the Linksys regularly drops connections (especially TiVo). Nice piece of gear.

If I lived in an apartment or a smaller house without a lot of walls I'd probably go for the Netgear stuff. If I needed more range I'd choose the Linksys. Again, gamers usually go for D-Link because of the throughput. For the average user the differences between brands are probably less important than making sure you configure it correctly.