What's my rating on the Wi-Fi pW/\/4g30m3t3R?
May 19, 2008 7:37 AM

How secure is my wireless network?

I'm running 128-bit WEP because the wireless cards for my PDAs don't support WPA/WPA2. I'm using MAC filtering, a time access restriction policy on the access point and my SSID broadcast is off. The range of the router isn't that great so you have to be in my building to pick it up (assuming you know the SSID).

The reason I'm running WEP (shame, shame!) is because I have some older PDAs that don't support WPA/WPA2 (PPC2003s with Spectec SDW-820s). Should I just eat it and upgrade my equipment to something that supports WPA?
posted by anonymous to Computers & Internet (19 answers total)
MAC filtering and SSID broadcast do basically nothing for security if your hypothetical hacker is out of grade school. Having to be in the building (or have a nice big directional antenna) helps, but that's all you've really got.

If you really care about security, ditch the useless settings and just get WPA going.
posted by Tomorrowful at 7:43 AM on May 19, 2008

Upgrade your equipment. Your network is pretty much an open door at the moment. MAC filtering isn't particularly helpful given that an intruder who has compromised your WEP encryption can quite easily obtain and spoof your MAC addresses.
posted by le morte de bea arthur at 7:45 AM on May 19, 2008

Tomorrowful has it right. Still, I will point out that your settings are ample to keep out the casual freeloader -- WEP is easy to get past, but there are likely easier pickings than your access point, with the degree of lockdown that you have employed.

It's true that WEP is insecure and WPA2 is much improved, but consider the nature of your (potential) attackers. Past a certain point of resourcefulness, no wireless network is going to be 100% secure. It's all about how important your data and network are, and what kind of motivation and resources your adversaries could have.
posted by NucleophilicAttack at 7:47 AM on May 19, 2008

WEP and MAC filtering are trivial to defeat. Less than 10 minutes with free tools, for anyone who knows what they are doing. So, no security at all, there. Access hours limits are good. SSID broadcast off is a minor inconvenience at best, for anybody looking for a network to join. So, your network is essentially unsecured when you are using it, and WEP is just sucking up processor cycles.

WPA/WPA2 upgrades with short key exchange cycles (15 minutes or so) would be your best bet. The Spectec SDW-821 supports WPA.
posted by paulsc at 7:50 AM on May 19, 2008

Changing a MAC is pretty easy. The real question is how secure do you want to be? Right now a semi-determined teenager can crack your network. Is that acceptable? If not, then switch to WPA with a strong password.
posted by damn dirty ape at 7:56 AM on May 19, 2008

Or go the other route and unsecure it entirely!
posted by Aquaman at 8:25 AM on May 19, 2008

I'd also consider looking at local networks within your vicinity (google netstumbler). If there are other, unsecured networks, chances are that a potential freeloader is going to tether onto one of those instead of hacking yours.
Also realize the audience you're asking here. By and large, this is a much more technically savvy crowd than your average user. I would suggest the large majority of users aren't even aware that WPA > WEP, or that WEP is easily hackable.

Also consider that someone tech-savvy enough to break in is most likely going to have their own Internet connection, and thus not have a need to.

So, yeah, WEP isn't the most secure protection in the world. But it is better than nothing and I think it would keep away most wannabe freeloaders.
posted by jmd82 at 8:35 AM on May 19, 2008

Yeah, WEP sucks and MAC filtering and SSID hiding don't get you much of anything except administrative inconvenience.

Consider splitting your network. A WPA network for clients that support it, and then another network for WEP devices that is a dead-end unless the device opens a PPTP VPN connection (assuming that WM2003 has a PPTP client).
posted by Good Brain at 8:58 AM on May 19, 2008

As is always the case in securing a system, there's a trade-off between security and convenience. What kind of threats are you worried about? Are you just worried about people leeching your bandwidth? Like jmd82 says, your security setup is fine for preventing freeloaders, especially if you live in an urban apartment building. If you do, I can all but guarantee there are other wifi networks in your area that are easier to access.

If you have some other real reason to be worried about wifi network security, then upgrading to WPA is indeed the cheapest wifi security upgrade you can make.
posted by Nelsormensch at 8:58 AM on May 19, 2008

It's like the old joke about the two campers being chased by a bear. You don't have to outrun the bear, you just have to outrun your fellow camper. In other words, the person looking to hop on some free wireless is just going to use your neighbor's router that is broadcasting its SSID "linksys" and using no encryption. Despite the fact that WEP is crackable, it's still enough of a hurdle that 99% won't be interested in your network anyway.
posted by knave at 8:59 AM on May 19, 2008

Why is this anonymous?
posted by proj at 9:12 AM on May 19, 2008

The greatest risk to the average wireless connection is that there are a lot of devices around that will just passively latch on to the nearest open wireless network and steal your bandwidth (maybe using it for possibly unlawful purposes like file sharing). In using 128-bit WEP you've kept that guy out because he would have to type a password into his device in order to get on your network, and that makes it not passive any more. You have a lock that should suffice to keep honest people (and devices) out.

Let's take the next case: someone with minimal technical skills who actively wants on to *your* network for a particular reason, maybe to watch your web activity, snarf your passwords, get blackmail fodder, whatever. This person is willing to make an attempt to actively defeat your security measures. You are not protected from this person now. WEP is brute-force crackable with easily available tools. It takes some time to get in, the amount of time depending on how much traffic crosses your network. If you are using your connection during the hack attempt, to actively surf the net and receive web images and video, 10 minutes sounds about right, maybe even less than that.

MAC access lists and SSID broadcast hiding offer no protection whatsoever, because they depend on the client machine playing by the rules and there is no reason that the client machine has to play by those particular rules.

We think WPA and WPA2 are more secure and not easily brute-forced, so the next logical step for you would be to "eat it," i.e. upgrade to hardware that supports them.
posted by ikkyu2 at 9:52 AM on May 19, 2008

Why is this anonymous?

Because they're essentially saying, "My electronic house doesn't have any locks on the doors." If the OP's MeFi user profile features a Real Name and accurate ICBM co-ords, well, they might not feel very comfortable also sharing the lameness of their wireless security. Would you?
posted by mumkin at 9:56 AM on May 19, 2008

You can go with another method. Your hardware seems to have some VPN support (it looks like OpenVPN is being ported to it; it also seems to support PPTP). If you want to spend lots of time on this project (have fun!), you can either try flashing your router with a free firmware (DD-WRT, OpenWRT, etc.) and try setting up a VPN server on it, encryption enabled, of course, or you can use your computer as the router/VPN server.

The idea being any wireless network/internet access will require logging on to the VPN. It's a pain, but it's what I did while WEP was cracked and there were no alternatives.

Do note that PPTP's encryption isn't particularly great, either, so OpenVPN is probably best.
posted by shepd at 12:00 PM on May 19, 2008

Go ahead and broadcast your SSID. Just change it from "linksys" to "FBI security watch", or "homeland security data collection", or anything intimidating. Or just "Don't even think about it".

Obviously, change your password.

Sure, if I see an unsecured wireless network, say linksys, I know what the router address is: user = blank, password = admin. So I can lock you out of your own network. People are stupid enough not to learn how to secure their own network. I have 2 neighbors with open networks, but I would never compromise them or steal their bandwidth. I am honest.

My router is only WEP equipped for security, but I also monitor my router logs to see if anyone is on my network.

Finally, back up all sensitive data to disc, so your computer has nothing critical on it.

The only way to really be safe from wireless attacks is to just hardwire all computers to your router.
posted by cvoixjames at 2:28 PM on May 19, 2008

Using WEP is equivalent to using 'password' as your password. It will stop the casual user, but anyone with any clue will easily bypass it.
posted by blue_beetle at 6:11 PM on May 19, 2008

Go ahead and broadcast your SSID. Just change it from "linksys" to "FBI security watch", or "homeland security data collection", or anything intimidating. Or just "Don't even think about it".

Do not do this. Yes, change it from linksys or whatever, but do not issue a challenge. Go with something nice and innocuous that neither invites nor intimidates. Pick a random noun, or use bibliomancy, or whatever other method floats your boat.
posted by mumkin at 6:24 PM on May 19, 2008

This may be silly, but our TiVo requires WEP only, so I just have two wireless routers. One wireless router is WPA2 for all of the computers on our network, and the other is just plugged into the main one and serves a mini WEP network for my TiVo. You could do something similar if you got your hands on some cheapo router.
posted by kosmonaut at 6:49 PM on May 19, 2008

What kosmonaut said.

My guess is you aren't doing online banking for your old PDAs. Set up two routers or two VLANs if you're fancy--one for computers doing secure things and another open one for PDAs and/or community service.

You can also limit the capabilities of the open network to stop p2p and other bandwidth intensive applications.

Make sure they are on different channels so they don't interfere with each other!
posted by Mr. Anthropomorphism at 8:50 AM on May 20, 2008
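The split-network approach that Good Brain, kosmonaut and Mr. Anthropomorphism describe (a WPA2 SSID for real clients, a WEP SSID on its own isolated segment that goes nowhere unless the device opens a VPN, as shepd suggests running on a DD-WRT/OpenWrt router) looks like this in OpenWrt's UCI configuration. This is an added example written for this page, not a configuration posted by anyone in the thread. The SSIDs, the 192.168.2.0/24 subnet, the placeholder passphrase and WEP key, the radio name `radio0`, the OpenVPN port 1194 and the tunnel interface name `tun0` are all assumptions; the OpenVPN server itself has to be set up separately and is not shown.

```uci
# /etc/config/wireless  (both SSIDs on one radio; two separate routers on
# different channels work the same way, with the legacy router plugged into
# a port that belongs to the 'legacy' network)

config wifi-iface 'trusted'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'example-home'
	# WPA2-PSK (CCMP); the passphrase is a placeholder
	option encryption 'psk2'
	option key 'replace-with-a-long-random-passphrase'

config wifi-iface 'legacy'
	option device 'radio0'
	option network 'legacy'
	option mode 'ap'
	option ssid 'example-home-legacy'
	# The weak setting the PDAs force: 104-bit ("128-bit") WEP, placeholder key
	option encryption 'wep-open'
	option key '1'
	option key1 '0f1e2d3c4b5a69788796a5b4c3'
	# WEP clients may not talk to each other through the AP
	option isolate '1'

# /etc/config/network  (its own subnet, never bridged onto the LAN)

config interface 'legacy'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp

config dhcp 'legacy'
	option interface 'legacy'
	option start '100'
	option limit '50'
	option leasetime '1h'

# /etc/config/firewall  (the legacy zone is a dead end: no forwarding to lan
# or wan, and the router accepts only DHCP and the VPN port from it)

config zone
	option name 'legacy'
	list network 'legacy'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'legacy-dhcp'
	option src 'legacy'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'legacy-openvpn'
	option src 'legacy'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'

# Traffic that arrives through the VPN tunnel is trusted like the LAN
config zone
	option name 'vpn'
	list device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'
```

Anyone who cracks the WEP key with this layout lands on a subnet whose only reachable services are DHCP and the VPN endpoint, so the LAN and the Internet connection stay behind the VPN's own authentication. For Mr. Anthropomorphism's simpler "Internet-only for the PDAs" variant, drop the `legacy-openvpn` rule and the `vpn` zone and add a `config forwarding` from `legacy` to `wan` instead (bandwidth limits for that zone are a separate QoS/SQM configuration). Two SSIDs on one radio necessarily share a channel; the "different channels" advice applies to the two-router setup.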
