To encrypt, or not to encrypt: that is the question

[danaeris]

[Poll #801904]

I also need to figure out if the forms of encryption offered on this router are compatible with my MAC. They should be...

I have a compact Linksys Wireless G router that allows me to set up WEP 128 bit or 64 bit (but it generates four long ass keys, and I'm not sure how this works), as well as a number of other methods like WPA.

Comments

[deyo.livejournal.com]

I live in a single-family dwelling on a half-acre lot, and I encrypt my connection. I certainly understand the desire to provide access for those nearby in need, but letting them on my subnet introduces a host of new security concerns that I'd just as soon not address.

If you decide to provide a wireless access point, you'll want a firewall between the wireless router and your private network.

[danaeris.livejournal.com]

This is some of what I don't get. What internal network? There are three computers who connect to the internet through this router, but we don't connect to each other, or to, say, a printer. There's no networking going on.

[random-vamp.livejournal.com]

The router inherently creates a network, whether or not you connect the computers to each other.

I didn't answer the poll because it didn't have the option I tend to prefer for home routers, namely MAC address filtering. By enabling that rather than encryption you don't have to deal with passwords and such for the network, however no one outside of the network will be able to get on it (without MAC address hacking and other things that are way to much work for the benefit of using your wireless for free). The only real reasons to use encryption is if you don't want other people sniffing your traffic or if you expect a lot of other people to visit and want on the network (which would require you to enter each of their MAC address if you go that route instead)

[tshuma]

This is my preferred choice, also.

[jadine.livejournal.com]

Totally agree here. The easy possibilities are:
1. Encrypt
2. Have a big security hole where malware on your neighbors' boxes can more readily attack your computers and sniff your traffic for personal information, in addition to other concerns cited.

MAC address filtering is a nice choice, but it's usually significantly more complicated to set up, and I don't see that it would gain you anything over encryption.

If you specifically want to provide free wireless, get a cheap firewall- even a little Linksys router like yours includes firewall software, but you would need a second one to do this.

to gibbidaway, gibbidaway, gibbidaway or no

[http://users.livejournal.com/_duncan/]

The neighbor-to-me malware issue is addressed by an option I've seen on Buffalo and Linksys wireless routers to block client-to-client communication. Each node can send traffic to the AP for delivery to the WAN but traffic will not be repeated back to another client on the same side.

Another option is to run two wireless routers, one outside a NAT/firewall layer and the other inside it. Encrypt the inside one (avoiding WEP) if you're selectively paranoid and sending sniffable data in the clear over the Internet.

I leave it wide open and broadcast my phone number in the SSID field. If the link gets swamped to the point I feel inclined to enable MAC filtering people can ask for access. For the past four months I've transmitted my phone number ten times a second all day nearly every day. For the two years before that it was sent by two APs, twice a second each, all day every day. Just one call.

now serving drive-by spammers

[http://users.livejournal.com/_duncan/]

Oh, one more thing. I don't condone drive-by-spamming. I take mild steps to thwart the casual user's outbound access on port 25. If the hardware allowed layer-4 decisions based on layer-2 addresses I'd whitelist SMTP by MAC. As it is I use static DHCP and an IP whitelist.

[geekosaur]

Actually, I set mine up briefly to be open access (with lots of filtering and monitoring to protect my own machines); a neighbor found it shortly thereafter.

Said neighbor's machine had all sorts of odd traffic, though. I'm pretty sure they had every piece of spyware and malware in existence. :/ I shut off access after that, not being interested in being the point of origin for loads of odd network scans and accesses.

Macs vs. encryption: Tiger does WPA fine, and that's strongly preferred; WEP is officially worthless.

The Final Nail in WEP's Coffin
Bittau, A. Handley, M. Lackey, J.
University College London;

Authors present an attack that allows you to send arbitrary data on a WEP network after having eavesdropped a single data packet!! Next, communicate with every host in the router's LAN. And finally decrypt packets in real-time.

(from MIT zephyr)

[nathanjw]

I would mostly not bother. There's even an interesting plausable-deniability argument; if something bad happens that can be tracked back to your network, you can point to your open wireless and claim it could have come from there instead of coming from your internal systems.

[tocityguy.livejournal.com]

I prefer to encrypt just on the basis that I don't want my machine being accessed by another computer - which is always possible if somebody gets onto your network.

WPA or WPA2 is much, much better than WEP. Don't even consider WEP.

If you're interested in letting other neighbours use your connection, you can always give them the key and thus share your connection.

[lastmx.livejournal.com]

This might or might not apply to you, but think of the free rides you've gotten on other people's networks when you've been travelling and needed an IP connection.

[energeticintent.livejournal.com]

So long as you're running a firewall btw the public connection and your personal machines, this is a nice option! I know that I've been a major benefactor of public network connections over the years. However, this won't work so well unless your below the 15th floo (forget how tall Hazelburn is.)

[qedrakmar.livejournal.com]

WEP's all but useless. go with WPA if you can.