WiFi Security?

VC-1

Expert Member
Joined
Apr 5, 2008
Messages
1,499
Wondering how secure a WiFi router connected by WPA2-PSK with AES encryption using a strong password with added MAC filtering is please? All replies appreciated.
 

ld13

Honorary Master
Joined
Oct 28, 2005
Messages
12,997
Define safe.

Depends on so many factors, but I'd say your router is about as secure as the weakest link... your PC/Laptop to begin with as it has the saved password/WPA2-PSK key stored somewhere. Physical access to your router could also be an avenue of attack. Also make sure that the default password(s) for the router have been changed.

Quick comment re: MAC Filtering ... MACs can be faked. Given enough time any security measure can be defeated :( / :)
 

creeper

Executive Member
Joined
Nov 18, 2010
Messages
5,463
Depending on make / model of router, there are a few things you can do:

1. Set up WPA2-PSK (AES) with a strong password. Yes, if someone has the time, they can brute-force it, but most people won't
2. Change the router admin password. Make it complex. And if possible, change the admin username.
3. De-activate the "access the router from the Internet" setting
4. MAC filtering. It is the next level, but normally a schlep to maintain. Especially if you want to add new people
5. Set 'Parental Guidance'. I haven't tried this yet, but the idea is to set up only certain devices to have access to the Internet full time. Any new devices only get 1 hour.
6. Put the router in the roof if you don't want anyone to have physical access.
7. I normally disable SSID broadcast.

But again. This is taking precautions, but it won't guarantee security.
 

VC-1

Expert Member
Joined
Apr 5, 2008
Messages
1,499
@ Creeper- Many thanks for your detailed and well informed reply. Thank you Sir.
 

ld13

...but then you need to know the MAC of the device you want to mimic beforehand

Or you can just obtain it afterwards. All wifi devices freely transmit their own MAC address within the 802.11 headers they send out. MAC filtering merely provides a false sense of security most of the time.
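
Added example (not part of the thread): a minimal parser for the 802.11 data-frame header, run over a constructed WPA2-protected frame, showing that the address fields sit outside the encrypted part of the frame, which is why MAC filtering adds so little on top of WPA2. The sample frame, its MAC addresses and the function names are made up for illustration, and CCMP (WPA2-AES) framing is assumed.

```python
import struct

# Constructed sample: a WPA2 (CCMP) protected data frame sent client -> AP.
# MACs are made up (locally administered 02:... range); payload is dummy bytes.
SAMPLE_FRAME = bytes.fromhex(
    "0841"              # frame control: type=data, ToDS=1, Protected=1
    "2c00"              # duration
    "020000aabb01"      # address 1
    "020000aabb02"      # address 2
    "020000aabb03"      # address 3
    "1000"              # sequence control
    "0100002000000000"  # CCMP header (packet number, key id): cleartext
    "d1e2f3a4b5c6d7e8"  # encrypted payload + MIC (dummy)
)

# Meaning of address 1/2/3 in a data frame, keyed by (ToDS, FromDS).
ROLES = {
    (False, False): ("destination", "source", "bssid"),
    (True, False): ("bssid", "source", "destination"),
    (False, True): ("destination", "bssid", "source"),
    (True, True): ("receiver", "transmitter", "destination"),
}

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_data_header(frame):
    """Return the cleartext fields of an 802.11 data frame header."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 MAC header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    qos = bool((fc >> 4) & 0x8)          # QoS data subtypes add 2 bytes
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if qos else 0)
    if len(frame) < hdr_len:
        raise ValueError("truncated header")
    info = {role: fmt_mac(frame[off:off + 6])
            for role, off in zip(ROLES[(to_ds, from_ds)], (4, 10, 16))}
    if to_ds and from_ds:                # 4-address (WDS) frames carry addr4
        info["source"] = fmt_mac(frame[24:30])
    info["protected"] = bool(fc & 0x4000)
    # Assumes CCMP (WPA2-AES): its 8-byte header precedes the ciphertext.
    info["encrypted_from"] = hdr_len + (8 if info["protected"] else 0)
    return info

if __name__ == "__main__":
    print(parse_data_header(SAMPLE_FRAME))
```

Even with the Protected bit set, the client and access point addresses are recovered without any key; only the bytes from `encrypted_from` onward are ciphertext.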
 

ld13

Well, a woman's mind has some serious security. No man has ever cracked it ;)

Many a man has cracked it ... it is the understanding thereof that seems to be the insurmountable barrier.
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
47,842
MAC Security should always be ADDITIONAL and not the primary security.

I see so many people who think they are really clever by leaving their SSIDs wide open and just enabling MAC filtering instead.

As said above, MAC addresses are freely broadcast and so it's VERY easy to spoof a MAC address and join an open network like that.

Also what you should be more worried about isn't the data you have stored on your local network that someone can access, but rather the data you transmit wirelessly which can be easily intercepted with a man in the middle attack by someone on your own network.

All those usernames and passwords you send to websites, which are probably one and the same, are only as strong as the weakest link which transmits them in plain text. Then it becomes very easy to see every other website where you've used the same credentials and very quickly your life is stolen or someone is having a jolly good time sending emails on your behalf etc.


You won't believe what I've intercepted in all of a few minutes at Hotspots at the Airport. I have lists and lists of email accounts with username and passwords of businesses that I could easily put to very bad use and probably steal some money from by replacing invoices with different bank details etc if I was that way inclined.


In fact your home network isn't the one you should worry about, it's everyone else's network that puts you at risk.
 

creeper

Many a man has cracked it ... it is the understanding thereof that seems to be the insurmountable barrier.

And remember, red wine only cracks it for a short period, it resets itself to another state afterwards :)
 

Tim the Techxpert

Expert Member
Joined
Jul 19, 2012
Messages
1,112
Hi There,
Creeper had the best response I have seen on security in a long time. So go with him.
If someone wants to get in then they are going to try and try until they do. Security is involved in making it more trouble than it is worth so that they will go and "play" somewhere else.

Implement Creeper's suggestions and keep the passwords in a safe place (not underneath the router) and you should be fine.

Regards

Tim
 

VC-1

Hi There,
Creeper had the best response I have seen on security in a long time. So go with him.
If someone wants to get in then they are going to try and try until they do. Security is involved in making it more trouble than it is worth so that they will go and "play" somewhere else.

Implement Creeper's suggestions and keep the passwords in a safe place (not underneath the router) and you should be fine.

Regards

Tim
Thanks for all the good solid advice
 

SauRoNZA

Forgot another one. Turn off UPnP

Aren't you getting a bit overzealous now?


There is a fine line between security and usability. If you lock down a network so badly that it becomes ultimately useless for its purpose, then why bother having the network at all?

Also this goes way beyond the scope of the original question which I believe was strictly related to securing the wireless network from the OUTSIDE and not necessarily the home network from absolutely the entire planet or anything that moves.

*****

Another tip though: if you do need to have Remote Management on for whatever reason, change the default port to something obscure.
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
I just set up WPA2 & change the pass. For a residential house that is more than adequate. If it's a business then it's a completely different ball game...


Depending on make / model of router, there are a few things you can do:

1. Set up WPA2-PSK (AES) with a strong password. Yes, if someone has the time, they can brute-force it, but most people won't
2. Change the router admin password. Make it complex. And if possible, change the admin username.
3. De-activate the "access the router from the Internet" setting
4. MAC filtering. It is the next level, but normally a schlep to maintain. Especially if you want to add new people
5. Set 'Parental Guidance'. I haven't tried this yet, but the idea is to set up only certain devices to have access to the Internet full time. Any new devices only get 1 hour.
6. Put the router in the roof if you don't want anyone to have physical access.
7. I normally disable SSID broadcast.

But again. This is taking precautions, but it won't guarantee security.
I agree with the above on the whole, but some extra commentary:

3. Should be disabled by default anyway on well known router brands
5. Unconvinced. Extra hassle for no benefit imo
6. For a residential setup I don't see the point. Would make sense for small offices I guess.
7. Disagree. Some devices can't connect to hidden SSID & it won't stop anyone who can bypass WPA2.

Disable WPS
hmm. That one is new to me. Nice. Thanks for posting it.
 

Burzum

Well-Known Member
Joined
Jun 19, 2012
Messages
138
Wondering how secure a WiFi router connected by WPA2-PSK with AES encryption using a strong password with added MAC filtering is please? All replies appreciated.

Don't be so overconfident in only hardening your router.

A professional and first question in this field will be:

How important and critical is the traffic behind the router?

Could you specify in detail the topology of your setup and why and what?

We need to know what you are trying to achieve ;)
 

ld13

hmm. That one is new to me. Nice. Thanks for posting it.

There are a few attack vectors with regards to WPS assuming of course a few things like WPS actually being enabled to begin with. One could deduce the default WPS pin by brute forcing it (only ~11000 pins that you need to try depending on the router) or merely looking it up in a MAC database or just lifting up the router and looking at the info available on the stickers underneath it.
 

Burzum

There are a few attack vectors with regards to WPS assuming of course a few things like WPS actually being enabled to begin with. One could deduce the default WPS pin by brute forcing it (only ~11000 pins that you need to try depending on the router)

lol...
