
So Mary brought her bright shiny new Mac Air with her, and, yes, it’s very pretty and very thin and all. And then we started getting into the wireless network …
And I discovered I’d turned off the security at some point a while back and never turned it back on. Oops.
So since I have to re-enable the security anyway, I decided to do a bit of digging into it. There’s a lot of info out there (e.g.) … the question is, what’s reasonable security vs. possible security.
When I had security put on before, it was MAC-address based. I shied away from WEP because it’s always seemed kind of dangerous to set a key and expect to be able to get the machines all set up right to use it (though subsequent experience at my in-laws has shown me how “easy” it can be). MAC-address (using the PC’s network card address) seemed a bit more reliable.
Now, the fact is, MAC can be spoofed, so if someone knew (or could detect?) the MAC addresses authorized on the network, they could broadcast as though they were that MAC address and get on the system. Most security types consider MAC authentication as a belt-and-suspenders to use with some sort of encryption.
The original WiFi encryption was WEP, but it can be cracked. Nearly all security sites say instead to use WPA encryption.
But … WPA can be cracked, too (though less easily than WEP). And it sounds like it actually slows down connectivity more than WEP (encryption/decryption always slows things down). And …
… the fact is, I don’t live in a big apartment in the city with hundreds of guys with WiFi systems all looking to either steal my bandwidth or break into my machine. I don’t see a lot of folks sitting at the curb in my neighborhood, working on their laptop computers, either.
How much security is “enough”? A security guy would tend to say, “There’s no such thing.” (I know — I’ve had them working for me before.) But there’s a cost to security, in terms of complexity (things breaking) and friction (slowing down connections). If I want the best security, I’ll skip the WiFi and go with cables — but I’m not doing that, so where’s the compromise line here?
The level of security I want is like a lock on our doors — not enough to withstand a siege (which I don’t expect), but enough so that if someone walks up to the front door of the house during the day and turns the knob, the house isn’t easily open. Similarly, I want something on our WiFi so that if someone’s actually looking around, they see it’s locked with something and don’t bother stealing bandwidth or poking around at computers.
Any determined burglar can get into our house, given time. We’ve made a decision about the cost/inconvenience of home security; the same decision needs to be made about our network security. Just saying to throw the most powerful version of encryption, etc., onto our WiFi network is silly if the cost of doing so (fragility and lag) is too high.
So, faithful readers … should I drop back to just MAC validation? Go to WEP? Step up to WPA? What’s the actual value analysis, vs. simply making the security guys happy?
MAC and WEP can live together just fine and they’re both easy to do. But I just have a MAC list. If someone visits, I have the base station bookmarked on my (wired) desktop machine and add their MAC address. Makes them feel special.
Which is what I used to do.
Yup, I’d agree. If someone wants to get in, they’re going to.
As an additional note, if you’ve got some work-type proprietary stuff on your machine, you could put it into a special folder and use the WinXP encryption capability.
Actually, not so much worried about that. Running a firewall on it, etc.
At my house, we go with WEP and MAC-address filtering. It’s a minor pain whenever a new device needs access to the wireless, but that happens so seldom that it’s not that much of an inconvenience.
The combo works well because 1) you don’t have any random person able to get on with just a WEP password and 2) you get the performance benefits of WEP over WPA while still having “reasonable” security.
Like you said, bottom line, if your intruder was determined to get in, they’d get in.