Networking Notes: Security Begins at Home
When it comes to keeping outsiders off your home or office wireless network, a little security can go a long way.
In addition to writing Networking Notes each week, I also manage a site devoted to networking in the enterprise.
"Enterprise IT" is a slippery concept. I once asked a developer who worked in a fairly large shop exactly what he considered "enterprise class" software, and he told me it was stuff that was about as complex as an aircraft carrier and slightly less interesting than a white rental car.
Over in enterprise-land, there is a different set of concerns from what we deal with in the world of practical networking. Big companies have to concern themselves with how well software or hardware can be managed for many, many installations, and they worry about how well it fits with the other pieces of their IT infrastructure.
Enterprise-focused networking tends to obsess about best practices, too. How your network is configured starts to matter once you go beyond a few PCs and a laptop. And there's a lot of thinking about worst-case scenarios, and nowhere is that more obvious than when we consider security. Get a bunch of enterprise IT pundits in a room, for instance, get them talking about wireless security, and they'll start swapping tales about the worst advice they've seen, especially from hometown newspaper consumer networking columnists.
The problem is there's a real disconnect between enterprise networking with its concerns and what those consumer columnists are trying to do, which is get their readers to do whatever they can to make themselves a little more secure with as much effort as they're willing to expend.
Take SSID beaconing, for instance. That's the part of Wi-Fi networking that lets you see what wireless networks are available (or at least operating) in your vicinity. An early feature of some wireless access points in the consumer space included the capability to turn off SSID beaconing on the theory that if you aren't broadcasting your network's presence, people are less likely to try to use it. It's a "security measure" roughly the same way not wearing a fur coat down a dark alley in a strange city with lots of violent crime is a "security measure": If you don't advertise what you've got, you aren't as easily turned into a crime of opportunity.
This advice ignores a few of the more popular boogie-men among enterprise security types: the flawed thinking behind "security through obscurity," and the existence of what security experts commonly refer to as "the determined attacker."
We'll leave "security through obscurity" behind for now and we'll consider the "determined attacker" through an anecdote.
Last spring, I was getting a late start one morning and ended up on my front porch with a cup of coffee to enjoy the fresh air. As I sat on my porch swing, my neighbor Susan came out on her front porch. We exchanged hellos, and she stopped after picking up her newspaper and shouted across the driveway "ornithopter?"
Oh! Right! Ornithopter! My wireless access point's SSID. It's simple on my network: If you're a computer, you're named after a planet in "Dune": Caladan (my Mac, a lush water-world), Arrakis (my Linux machine, a desert planet with lots of treasures hidden under the hardships), and Salusa (my Windows machine, the Imperial prison planet). Hardware that isn't a computer, but exists on the network and can be accessed for web management or whatnot, gets the name of Dune hardware: ornithopter, carryall, etc.
So I shouted back "AllMine?"
"Yep! Hey ... can you get in to my network?"
"Nope. I tried but you're good."
"Cool. You do this for a living, right?"
"Close enough, I guess."
"OK. I didn't get into yours, either ... I just clicked it by mistake when it came up on my laptop. Have a good day!"
Susan, as near as I can tell, is a very nice lady. She gave my son pumpkins from her garden this past Halloween, remembered the trick the last person who lived in our house used to get in when he locked himself out but has not used it herself to get at all our stuff, and she has a useful but light touch with the neighborhood gossip. Susan is what people who don't work in enterprise networking refer to as "a neighbor," or possibly "an undetermined non-attacker."
When I turned off SSID beaconing that night, it wasn't to teach Susan a lesson but to make it a hair harder for her to accidentally bump into my network. When I turned on MAC filtering (another handy measure my access point provides, which simply blocks network devices that aren't on a white list), it wasn't because I imagined that would make me completely safe, but because it makes it a bit harder for someone to just pull up outside my window and use my connection for whatever strikes their fancy. And if they try, I'll know their presence isn't an accident.
As a reader recently commented:
I might not try to sell that to a bunch of enterprise professionals (though there's a kernel of wisdom in it they could use anyhow), but for the rest of us it's a pretty good perspective.