
Adding a wireless device without encryption to your network is tricky. There are approaches, but the best method is to get a device that supports encryption.

I have a small network (five computers, router/switch, wireless access point, and a printer). Recently, I set up two wireless security cameras. They don't operate with WPA, WEP, or TKIP turned on, so I set the security authentication on the access point to “open access” and “No Data Encryption”. I have implemented MAC Authentication for all wireless devices connecting to the wireless access point. I know that this is not the best security. I run Norton Security on all computers. What are your thoughts on my chances for security problems?

You're correct; this is not the best security.

I can't tell you what the chances of security problems are because that depends on a bunch of non-technical things, like whether someone is actually interested in breaking into your network for some reason and how close you are to other computers and WiFi networks.

What I can tell you is why your network can very easily be breached.

And then, I'll outline what I would do instead that would provide you as much security as your situation would allow.

MAC filtering is easily defeated

The problem here is very simple: you have a wide-open wireless network. Anyone with sufficient knowledge and the desire to connect to your network and start poking around can easily do so. At a minimum, they would be able to see all of the data going to and from the wireless access point.


When enabled, MAC Authentication requires that you pre-authorize all computers that are allowed to access the wireless network by manually entering their unique MAC address in the access point.

Recall that a MAC address is a number that uniquely identifies every network adapter. No two network adapters are supposed to have the same MAC address. Thus, in theory, you're restricting access to only those computers on which those pre-authorized network adapters are installed.

In theory.

The reality is this:

  • Many network adapters can be configured to use any MAC address you choose. That means that if you know any MAC address that's been authorized on the wireless access point, you can configure your own network adapter to present that MAC address.

  • MAC addresses are transmitted in the clear on wireless networks. That means that anyone listening in to the wireless traffic could identify the MAC addresses that have been authorized.

MAC address authorization is no barrier to someone who's targeting your network.

So what you have will keep honest people honest, but a bad guy who wants in can get in pretty easily.
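Because the filter itself never notices a cloned address, the only defensive signal is in the access point's own logs. The following added example (not part of the original article) audits a constructed, hypothetical association log against the MAC allow-list and flags two symptoms of a cloned address: an allow-listed MAC associating a second time with a different DHCP hostname while its first session is still active, and a hostname that changes between sessions. The log format and all addresses are made up for the example.

```python
import re

# Hypothetical allow-list, as typed into the access point's MAC filter (constructed values).
ALLOWED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:6f"}

# Constructed sample of access-point association log lines (not from any real product).
SAMPLE_LOG = """\
2011-08-11 10:00:01 ap assoc mac=00:1a:2b:3c:4d:5e host=cam-front
2011-08-11 10:00:05 ap assoc mac=00:1a:2b:3c:4d:6f host=cam-back
2011-08-11 10:05:12 ap assoc mac=00:1a:2b:3c:4d:5e host=laptop-xyz
2011-08-11 10:20:00 ap disassoc mac=00:1a:2b:3c:4d:5e
2011-08-11 10:21:00 ap assoc mac=00:1a:2b:3c:4d:7a host=unknown
"""

# One log line: timestamp, event, MAC, and (for associations) the DHCP hostname.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ap (?P<event>assoc|disassoc) mac=(?P<mac>[0-9a-f:]{17})"
    r"(?: host=(?P<host>\S+))?$"
)


def audit(log_text, allowed):
    """Return a list of (timestamp, mac, reason) alerts found in the log."""
    alerts = []
    active = {}       # mac -> hostname of the session currently associated
    seen_hosts = {}   # mac -> hostname first seen for that MAC
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in any other format
        ts, event, mac, host = m.group("ts", "event", "mac", "host")
        if event == "disassoc":
            active.pop(mac, None)
            continue
        if mac not in allowed:
            # With MAC filtering on, this should never appear; if it does, the filter is off.
            alerts.append((ts, mac, "MAC not on allow-list"))
        if mac in active and active[mac] != host:
            # Two different hosts claiming one address at the same time: a clone.
            alerts.append((ts, mac, f"overlapping sessions: {active[mac]} vs {host}"))
        elif mac in seen_hosts and seen_hosts[mac] != host:
            alerts.append((ts, mac, f"hostname changed: {seen_hosts[mac]} -> {host}"))
        active[mac] = host
        seen_hosts.setdefault(mac, host)
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG, ALLOWED_MACS):
        print(*alert)
```

A clone that also copies the victim's hostname and waits for it to disconnect produces no alert at all, which is the article's point: the filter offers no real barrier, and logging only catches the careless.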

Better approaches

There are three basic approaches to this problem.

Replace the cameras

To be totally honest, I'd get different security cameras. The lack of security in these security cameras is not just ironic, but actually quite troublesome. Even after we get everything else secure, anyone within range can monitor what your security cameras see, simply because they require open WiFi. Getting cameras that support WPA is the only correct solution.

And it's the solution that I recommend.

However, let's assume that for some reason, that's not an option.

Add an access point

A compromise solution that is relatively simple and improves security is to use two access points.

[Diagram: two access points, one secure and one open]

One access point (the one combined with your router, if you have a combined unit) should be fully secured with WPA security. This is also the access point that every computer and device capable of wireless encryption should connect to.

The other access point, connected to a port on your router, would be open.

This scenario secures your wireless connections from sniffing, but only for those devices using encryption. Devices connected to the open access point would still be transmitting in the clear and thus be sniffable.

This approach has a serious flaw: it does not protect you from people connecting to your network. Anyone in range can connect to your open access point. That means that, while they won't see your internal network traffic (assuming the router is doing its job), they can still cause problems by being connected.

Fixing that requires additional hardware.

Add a router

Essentially, you need to treat the network with an open access point as a completely untrusted network. That means putting a router between it and you.

[Diagram: using two routers to host an open and a secure network]

As a firewall, a router with NAT enabled protects what's "inside" your network from what's "outside". In a one-router situation, the router protects your local network from the internet. That's essentially what router #1 is doing in the diagram above.

If you have a segment of your network that is also untrusted - a condition that your open WiFi access point creates - then you need the second router to protect the rest of your equipment from whatever happens there. (There are variations on this approach that basically amount to different arrangements of the two routers.)

While this is the most secure arrangement, it quickly gets more complex, as it can be a tricky configuration.

For example, I'm sure that you'll want to access your security cameras on your open access point from computers on the other "secure" side of router #2. Depending on exactly how those cameras are accessed, you may need to perform additional configuration of that router to enable access across it.

Are you sure that you wouldn't really rather get security cameras that support WPA? It would make many things much easier.

And more secure.

Article C4900 - August 11, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


4 Comments
Nils Torben
August 16, 2011 9:31 AM

Connecting the cameras to the router through cables would do the job? But that's not in question?

My experience is that wireless devices often don't have wired as an option. Similarly, wireless security cameras are often used specifically because wired connections are not an option. But yes, a wired connection would side-step the issue.

Leo
20-Aug-2011
alex6500
August 16, 2011 11:00 AM

Good tutorial. I have a router and the 123 easy instructions were not easy for me. I do not even see a program that shows if I have the ability to access a Wi-Fi. On my last computer running XP it was easy. I am not hooked up yet? I planned to have 2 computers running the same program!

Georges Oth
August 17, 2011 2:37 AM

There is still another argument for avoiding the "solutions" with an open access point, at least this side of the Atlantic: if your open network (or part of it) is used by someone driving by to do illegal things via your network connection, and you cannot prove that you have taken action to prevent this scenario, YOU are legally responsible for the consequences of the unwanted visitor's doings. And that can be very expensive (loss and damage, even time in jail, ...)

Morpheus Exegis
January 4, 2012 8:03 AM

This seems like a fairly recent article. One alternative way I can see is a capture portal. That should allow any device to connect to your network but will redirect them to a RADIUS-based authentication. This way you should be able to protect a part of your network. It is not a full solution for your problem, but it does help a bit more than letting someone get unsecured access to even a part of your network. Theoretically speaking, if someone has access to your network and disrupts your internet connection, the rest of your LAN suffers. In my lab we have a similar situation with HP's older iPAQs being used, and a capture portal with an encrypted cookie helps keep some of the bad guys out.
