Why my home wireless network is wide open to everyone

Dec 07, 2008 13:53

[I started this as a comment in a friends-only post in someone else's journal, but it got too long. The context is that he just got a wireless network at home, but is slightly anxious about the security implications.]

Don't sweat it! The single most important thing you need to do is change the administrative password to something totally non- ( Read more... )


Comments 6

allanh December 7 2008, 23:22:27 UTC
Aside from the fact that I think Bruce Schneier is Totally Hawt ... this makes a good deal of sense.

The only things on our wireless network other than my laptop are two TiVo units, which is why I installed the wireless network in the first place.

At present, not only do I lock down our home network, I only allow access via a MAC address list. This isn't 100% secure, as it's possible to spoof a MAC address, but it's more than enough (overkill, actually) for a network with only a couple of TiVos on it.

So ... yeah, it's worth considering un-locking our wireless network at home. I already segment it as a DMZ using our firewall.

Food for thought. Hm.

EDIT: And FWIW, because this wasn't addressed in Bruce's article ... I use ZoneAlarm Suite to protect my laptop on public networks and on customer networks. I've seen ZA block several worm attacks when I was sitting on a customer network that was considered "secure".


tmaher December 7 2008, 23:58:50 UTC
Yeah, if you're already treating wireless as a DMZ, I'd be hard pressed to think of any security arguments against opening it up. I guess at absolute worst there could be an exploit in the TiVo web server and someone could root it.

My most formative early security lessons were reading about Kerberos in undergrad. Never trust the security of the network. Consequently, that's probably warped my perspective and I tend to think "well, if I don't trust the network already, then why not just open it up some more".

That's obviously not a viable philosophy with my current employer, but I deal.



danthered December 7 2008, 23:36:28 UTC
Interesting perspective. I can't say I disagree with it. The only real downside I see is that a network name of "1234 5th St #2D, 503-867-5309" is a good bit less deviously fun than a network name of "FCC SURVEILANCE VAN #1117".


tmaher December 7 2008, 23:49:20 UTC
FCC! What's the FCC doing in Toronto? They're overstepping their jurisdiction! Quick, someone call CSIS!


danthered December 8 2008, 14:59:04 UTC
FCC SURVEILANCE VAN #1117 isn't in Toronto, it's in Seattle.



furr_a_bruin December 8 2008, 00:42:07 UTC
Well, I keep mine locked down (and I even suppress SSID, which I know is useless against a determined hacker but it just makes me feel better) because I want my EeePC which I generally use via wireless to have the same access to my home network that any of the wired PCs do. And although I see your "don't trust the network" perspective - I just don't feel like "hardening" my home servers on the wired network.

If I'm going to be gone for a few days, I even go so far as to shut off my WiFi AP, since it's a separate unit from my main router/firewall. (It's faster and easier to just unplug its power supply than to go in and turn off the radio via the config page anyway.)

Now - if I had one of those units that creates two WiFi nets - one private and one public - I'd consider it.


