Which wireless security setting?
#1
Both my brother and I have set up our respective wireless networks using NETGEAR on flat-panel iMacs.... my intel and his G5 iMac. Going into the security settings, ours are both showing "none". Which of the following settings should we click on?

WEP password, WEP 40/128-bit hex, WEP 40/128-bit ASCII, LEAP, WPA Personal, WPA Enterprise, WPA2 Personal, WPA2 Enterprise or 802.1X WEP

Sorry to be so uninformed on wireless. Thanks for your help.
Reply
#2
It depends on what level of security your wireless router, your Netgear, is using.

If you are not sure, go into the settings and look for the wireless security area. If "no" security is chosen, change that to WPA2 Personal (a very good level of security), enter a passphrase and use those settings on your computers.
Reply
#3
I think WPA2 might be the "best" that is commonly available but do not assume it is unbreakable. I have heard that there are utilities that can break it faster than you can type in a password.
Reply
#4
I do not assume that anything is unbreakable, as people are figuring things out daily. At one client's office, they use WPA2 with a long passphrase (50+ random characters), MAC filtering on, SSID broadcast off, DHCP off (IPs are manually input), wireless radio only on M-F 7 a.m. - 7 p.m. and output power turned down to only cover about 40 feet. Only he and his business partner use that network and only 4 devices are allowed on (2 laptops, 2 iPhones).

I would be very, very surprised if they were to get compromised.
Reply
#5
If someone wants on your wireless network then there is not much you can do about it.
Reply
#6
Filliam H. Muffman wrote:
I think WPA2 might be the "best" that is commonly available but do not assume it is unbreakable. I have heard that there are utilities that can break it faster than you can type in a password.

You are thinking of WEP cracking, most likely...not WPA2.

As long as your devices' wireless cards can support it, WPA2 is the best you are going to get right now. It is still 'unbreakable' (was estimated to take several years using current tech) and was supposed to be reliably the best for the next decade or two...but that may be changing as the raw power some of these dedicated cracking apps are getting from GPUs...they have been able to crack some of these down to weeks and now even a few days; however, most of these are being used with simple ASCII keys and it will only work against static keys; anyone using more complicated authentication schemes will not be at risk for now.

Just make sure your password/passphrase is slightly complex, at minimum, and never compromised or changed if you think it may be...and you should have no worries.

Don't worry about WPA2-Enterprise...virtually the same, but better in a corporate environment with many users - for home use, there is really no benefit.
Reply
#7
john dough wrote: MAC filtering on, SSID broadcast off

Tell them not to bother with these two, especially the latter. I worked on a customer's older Dell and the bundled wireless connection manager could see networks that didn't broadcast their SSID. Turning off the SSID doesn't do anything.

You could argue, not effectively mind you, that MAC address filtering offers some protection. I would stop using it as well because it just adds an extra step to the setup, with very little if any benefit.

I love the rest of their setup. Kudos. Did you do the grunt work configuring their network? Good job.


Nathan
Reply
#8
wickedsteve wrote:
If someone wants on your wireless network then there is not much you can do about it.

Not true. WPA 2 Personal with a good, i.e. long pseudo random password, is going to protect you from pretty much everyone. Add in some more access controls for your WAN side and LAN side and you are pretty safe.


Nathan
Reply
#9
onthedownlow wrote:
You are thinking of WEP cracking, most likely...not WPA2.

Exactly. Spot on with the rest of the advice as well.

To the original poster,
You need to configure your Netgear router appropriately. I would suggest WPA2 Personal with a nice long password. Try this password generator if you are stumped. I like to use HEX passwords, but not all devices will accept straight HEX. Use the ASCII if you are unsure about compatibility.

Some people suggest turning off wireless admin access to the router (i.e. you cannot configure the router from a wireless connection, only with an ethernet connection), which does help security, but can be impractical if you don't have an easy way to run an ethernet cable from one of your computers to the router. Disabling UPnP on the router is another good bet. I'd suggest keeping the router's firewall enabled. Not a bad idea to keep the Mac firewall enabled as well.

Oh, does your Netgear support 802.11g? If so, and you do not have older legacy 802.11b wireless devices, I would disable b access.


Nathan
Reply
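The two key formats mentioned in post #9 (a long random ASCII passphrase, or straight HEX), shown as an added example that is not part of the original thread; all function names are illustrative. It goes slightly beyond the post by also showing the standard WPA2-Personal derivation (PBKDF2-HMAC-SHA1 salted with the SSID) that turns an ASCII passphrase into the same kind of 256-bit key a 64-digit hex entry supplies directly.

```python
import hashlib
import math
import secrets
import string

# WPA2-Personal accepts either an 8-63 character printable-ASCII passphrase
# or a raw 256-bit key written as exactly 64 hex digits.
ASCII_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def generate_passphrase(length=63):
    """Random ASCII passphrase from the OS CSPRNG (no spaces, to avoid entry errors)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    return "".join(secrets.choice(ASCII_ALPHABET) for _ in range(length))

def generate_hex_key():
    """Random 256-bit key as 64 hex digits, for devices that accept straight hex."""
    return secrets.token_hex(32)

def classify_key(key):
    """Say how the key field would interpret what was typed: 'hex' or 'passphrase'."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return "hex"
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"
    raise ValueError("not a valid WPA2-Personal key")

def effective_bits(length, alphabet_size):
    """Entropy of a uniformly random string, capped at the 256-bit size of the derived key."""
    return min(256.0, length * math.log2(alphabet_size))

def derive_psk(passphrase, ssid):
    """Key an ASCII passphrase maps to: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

if __name__ == "__main__":
    pw = generate_passphrase()
    print(classify_key(pw), pw)
    print("random 63-char passphrase: %.0f bits" % effective_bits(63, len(ASCII_ALPHABET)))
    print("8 lowercase letters:       %.1f bits" % effective_bits(8, 26))
    print("hex key:", generate_hex_key())
```

Because the SSID is the salt, the same passphrase yields a different key on a network with a different name.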
#10
silvarios wrote:
john dough wrote: MAC filtering on, SSID broadcast off

Tell them not to bother with these two, especially the latter. I worked on a customer's older Dell and the bundled wireless connection manager could see networks that didn't broadcast their SSID. Turning off the SSID doesn't do anything.

You could argue, not effectively mind you, that MAC address filtering offers some protection. I would stop using it as well because it just adds an extra step to the setup, with very little if any benefit.

I love the rest of their setup. Kudos. Did you do the grunt work configuring their network? Good job.


Nathan

Yes, I set up their network. I know that MAC address could be spoofed and the SSID can be picked up, but the password was set up as completely random and no computer is going to magically "guess" 55 or so characters, and then you have to manually put in a non-standard IP address (good luck with that one). To show how serious I was about their wireless setup, my MacBook Pro is not set up to access their network wirelessly (I can only access from inside their office, wired) - they like that no one else can get in.

Besides, their SonicWall firewall is set up to allow network traffic ONLY from a total of 7 devices (only 2 other desktops and my MacBook Pro are allowed to access the network, also based on MAC address and computer/iPhone name). They are as hardened as they need, as they are involved in viewing financial transactions of other companies and need that security.
Reply

