WiFi at home can be simple and secure.
The solution I recommend
- WPA2 with AES encryption
- At home (or for a small office), use a pre-shared key (PSK). This is a WPA Personal architecture (as opposed to a WPA Enterprise architecture).
- Use a long passphrase, and do NOT write it down, just remember it (I see passwords on stickers everywhere, it drives me crazy). You can make up any kind of WPA passphrase like this, for example: "I want to count 87$ potatoes forever twice". It's harder to guess when it doesn't really make sense... and it's actually easier to remember that way! If you think that it takes too much time to type it, just save it, you're at home.
Note: You need a long passphrase because WPA/PSK and WPA2/PSK are vulnerable to offline dictionary attacks. Hackers can sniff a successful login attempt, and try millions of passwords offline until they find the one that matches.
And of course all the other usual recommendations come to mind:
- Install an antivirus and keep it up to date
- Activate your firewall
- Change your router's password
- Deactivate the access to its admin interface through the Web, unless you really need it
- Do not activate its DMZ functionality
- Do not give away your personal address on Facebook or anywhere on the Web
- Do not chat with psychopaths
Should you avoid WPA/TKIP?
Yes and no. A flaw in WPA and WPA2 with TKIP encryption has recently been discovered by researchers. People have claimed that WPA/TKIP is broken. It is NOT... yet. For now, the flaw only allows (very motivated) hackers to decipher some small packets, once in a while. It would not allow them to do much harm. So if your WiFi equipment only supports WPA/TKIP, don't panic. WPA/TKIP is battered but not broken. Just go ahead and upgrade your equipment to WPA2/AES Personal when you have some money to spend. Don't rush.
Solutions I do NOT recommend
These "solutions" will only make your life more complicated, without giving you any kind of real security:
- WEP encryption: it's been broken for years.
- MAC filtering: complicated to manage, trivial to spoof.
- No SSID broadcasting: trivial to detect a "hidden" SSID. Only keeps neighbors and friends away. WPA2/AES would keep them away anyway, unless you wanted to.
Solutions for a medium or large organisation
This is just a free bonus, you may want to skip it (the question was just about Home security). ;-)
- Use WPA2/AES Enterprise (requires a RADIUS Server for authentication, authorisation and accounting) with PEAP/Ms-CHAP-v2 or TTLS/PAP.
- Alternatively, if you have an existing VPN solution, you may find it simpler to just use it instead of deploying a WPA2/AES Enterprise solution. Leave your WiFi network open, but connect your access points to a separate VLAN, configure your access points to prohibit all direct traffic between users, and configure your network firewall to allow traffic only to and from your VPN server.
- Prohibit weak passwords such as "1234", "qwerty" or dictionary words.
- PEAP/Ms-CHAP-v2 and TTLS/PAP authentication methods are NOT vulnerable to offline dictionary attacks so you should NOT try to enforce ultra-complicated passwords (such as "L9fl!1~SjQQ$AjN"): it is annoying and counter-productive. Users will forget them or, again, they will write them down on stickers.
- Instead, users should be allowed to have "reasonable" passwords (8 characters, avoiding things like "1234"). Passwords should be simple enough to remember, but complicated enough so that you couldn't guess them with just a few thousand tries.
- Make sure your authentication server is configured to detect brute force attacks
- Monitor your network for intrusion and detect rogue APs.
I would recommend WPA2 (AES encryption). I use it (WPA2-PSK) at home with no problems, and I recommend it to all my friends (and anyone that asks). It's not too difficult to set up with a decent router, and certainly beats anything else - bearing in mind that MAC addresses can be spoofed, and WEP can be cracked (WPA too).
I think that Ars was overstating the vulnerability of WPA PSK. As long as you have a good key, WPA PSK should be good for personal use. (It's not good for corporate because everybody has the same key.)
The question was:
what is the most practical security methodology
This implies various things - first that we actually do have security and secondly that it's not too onerous to set up or support.
So, in descending order of practicality (most practical first) and assuming that you do actually want to be secure:
- Change the default password and, if possible, user name for logging into your router (but write both down when you do so).
- (Or maybe 1) Use WPA-PSK - to the best standard all your kit supports (if some of your stuff only supports WEP, replace it or use an alternative method to network it). Use a longish pass phrase - it doesn't have to be random; a good set of words using mixed case and some punctuation will do pretty much as well and will be easier to remember and to enter into various devices. If you're going to allow access to visitors/guests (which is where practical comes in) then have it written/printed on something they can copy from, but don't leave that in plain sight.
- Don't broadcast the SSID: it makes you harder to find, which is good for people you want to keep away, less good for guests/visitors etc. as you have to jump through more hoops to connect in the first place.
- Restrict the MAC addresses - at this point, adding a new device to your wireless network starts to become a chore, as it requires you to make config changes at the router to add the device, so we're starting to get less practical though more secure.
At this point I think we're pretty much at the limit of what one might do in terms of wireless and home networks although I'm happy to be corrected.
Considerations beyond this are the normal ones for any network i.e. that the other devices on your network should be secured to whatever degree is appropriate - if you don't want other people who are on your network to be able to ferret through your files then you should be protecting the accounts/servers/folders/etc containing those files.
As @Neall indicated, it is a gross overstatement to say that WPA PSK has been "hacked" to any real degree. In any scheme you come up with - that is an open standard subject to implementation scrutiny - your general goal is for there to be no discovered techniques that can do better than brute force search against the site's selected credentials. That is, there should be no real shortcuts to determine the secret keys.
In the case of WPA PSK, there are no shortcuts shown to beat brute force. The only published techniques so far have been demonstrated techniques for discovering poorly chosen (i.e. easily guessed) pass phrases via an analysis of captured wireless traffic.
In my opinion this is hardly an exploit of any significance. It is an important property to understand, but leads to the conclusion of something that we already knew - the security can only be as good as the pass phrase chosen.
In terms of the original question to recommendations for practical security in a home environment, you actually have excellent security if you do the following:
1) Select a long pass phrase (more than 10 characters) that contains numeric digits, punctuation and/or mixed case. Ideally, some "words" in the phrase are chosen as nonsense "baby talk" words that are not found in a dictionary, and the longer the better. This rule is no different than the recommendations for the selection of a secure password used for any other type of access credential.
2) Use a non-default SSID that is not likely used by others. This is to thwart dictionary attacks against common SSIDs. It shouldn't matter if you use a good pass phrase, but it is a good extra measure.
Turning off SSID broadcasts and/or MAC address based lockdowns are a waste of time. The MACs are easily spoofed and discovering the real SSID is trivial even if broadcasts are off.
Conclusion: WPA PSK is very secure if a well chosen pass phrase is used.
I've seen demonstrations of WEP being "hacked" in well under a minute. MAC addresses can also be spoofed pretty easily. Unless there is a good reason to go with WEP (i.e. my 2 routers only support wireless bridge with WEP security), go with some form of WPA.
Filtering on MAC address adds nothing to security, it is easy to sniff them out and spoof them on your cracking machine.
If you have anything that you REALLY don't want people to know then keep it off the network or encrypted with something like TrueCrypt.
The last time I thought about this, the only "secure" thing I could come up with was WEP or WPA (realize that both can be cracked), MAC filtering (realize that these can be spoofed), and IPsec tunnels (secure with a decent key!!) between the wireless clients and a wired concentrator or server.
But for home use, I'd say MAC address filtering with WEP/WPA should be good enough. Or just leave it open, who cares?
I'm only answering to add two additional items:
- if you're doing work from home, or dealing with work data from home, you need to treat it like a work network and protect it as such. (see above note regarding IPsec)
- this isn't a programming question, and I'm not sure it's even a sysadmin question, so I'm not sure it even belongs on stackoverflow.
Feel free to vote up or down even if you don't agree or disagree with 1 or 2... :)
EDIT: Can't believe I forgot the simple stuff, like change the password, don't broadcast the SSID, like Murph said. But keep in mind that the SSID can be sniffed, and the password (username) can be gotten if you send it over the air without SSL. So enforce SSL for the admin of the wireless router/ap! (most firmware have a checkbox for this, it's usually off by default.)
Turning off DHCP on the router works pretty well, it trips up the average Joe from using your wireless. You just have to set a static IP on each computer you use, and you're done. This is good if you have guests over on a regular basis, but don't want to fish out a WPA/WEP key. However, this is not a perfect solution, and in order to get the best security you should use WPA2. WEP has been known to have vulnerabilities that can be exploited with a packet sniffer.
WPA2 with a long, cryptographically random key. Use a password generator to generate a random password of 63 characters (the maximum permitted).
Exception: if you want to use a Nintendo DS online, then you have to use 128-bit WEP. Don't trust the wireless network if you do.
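The answers above recommend a random 63-character WPA2 key and a non-default SSID. The following is an added example, not code from any of the posters: it generates such a key and derives the 256-bit key that WPA/WPA2-PSK computes from the passphrase, using the SSID as the PBKDF2 salt, which is why a table precomputed for a common SSID is useless against an unusual one. The function names and the sample SSIDs are constructed for illustration.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII without the space character (constructed choice: avoids
# leading/trailing blanks that some router UIs trim). 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(length=63):
    """Random WPA2 passphrase from the OS CSPRNG; 63 is the maximum length."""
    if not 8 <= length <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_pmk(passphrase, ssid):
    """Passphrase -> 256-bit key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("a WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def keyspace_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of guessing work for a uniformly random passphrase.

    Capped at 256 because the derived key itself is only 256 bits long.
    """
    return min(length * math.log2(alphabet_size), 256.0)


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, f"({keyspace_bits(len(phrase)):.0f} bits)")
    # Same passphrase, two constructed SSIDs: the derived keys differ,
    # so work done against one network name does not carry over.
    for ssid in ("linksys", "potato-farm-42"):
        print(ssid, derive_pmk(phrase, ssid).hex())
    print("12 random chars:", f"{keyspace_bits(12):.1f} bits")
```

The bit estimate only holds for passphrases drawn uniformly at random; a phrase a person makes up has less, and how much less cannot be computed from its length.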
I think a secure way for a regular wireless router is to have an allowed MAC addresses list and deny access to the rest. In addition you can use WPA2.
Never put a $1000 padlock on a $20 bicycle.
If your home network, i.e. not just the individual hosts but the network infrastructure itself, is so valuable that the strength of WPA2/PSK isn't sufficient insurance against the attackers you're realistically expecting to face, then you should be running CAT-5 cables around your house instead of Wi-Fi access points. You should also probably consider upgrades to your physical security systems... a man's home is his castle, as they say. Do remember to make sure the generators have fuel tanks with enough capacity, the fresh water tanks are large enough for the whole family. In a siege, the fresh water is usually the resource that runs out first.