Adding a wireless device without encryption to your network is tricky. There are approaches, but the best method is to get a device that supports encryption.
I have a small network (five computers, router/switch, wireless access point, and a printer). Recently, I set up two wireless security cameras. They don't operate with WPA, WEP, or TKIP turned on, so I set the security authentication on the access point to open access and No Data Encryption. I have implemented MAC Authentication for all wireless devices connecting to the wireless access point. I know that this is not the best security. I run Norton Security on all computers. What are your thoughts on my chances for security problems?
You're correct; this is not the best security.
I can't tell you what the chances of security problems are because that depends on a bunch of non-technical things, like whether someone is actually interested in breaking into your network for some reason and how close you are to other computers and WiFi networks.
What I can tell you is why your network can very easily be breached.
And then, I'll outline what I would do instead that would provide you as much security as your situation would allow.
The problem here is very simple: you have a wide-open wireless network. Anyone with sufficient knowledge and the desire to connect to your network and start poking around can easily do so. At a minimum, they would be able to see all of the data going to and from the wireless access point.
When enabled, MAC Authentication requires that you pre-authorize all computers that are allowed to access the wireless network by manually entering their unique MAC address in the access point.
Recall that a MAC address is a number that uniquely identifies every network adapter. No two network adapters are supposed to have the same MAC address. Thus, in theory, you're restricting access to only those computers on which those pre-authorized network adapters are installed.
The reality is this:
Many network adapters can be programmed to be given any MAC address. That means if you know any MAC address that's been authorized on the wireless access point, you can configure your network adapter to have that MAC address.
MAC addresses are transmitted in the clear on wireless networks. That means that anyone listening in to the wireless traffic could identify the MAC addresses that have been authorized.
MAC address authorization is no barrier to someone who's targeting your network.
So what you have will keep honest people honest, but the bad guys can get in if they want to pretty easily.
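An added example, not part of the original article: because the allow-list admits any adapter that presents an authorized MAC address, one defender-side check is to look for an authorized address that shows two different client fingerprints close together in time. The log line format, the hostname and vendor-class fields, and the addresses are all constructed for illustration, and the check is a heuristic rather than proof of cloning.

```python
import re
from collections import defaultdict

# Constructed DHCP-style events: "epoch_seconds mac hostname vendor_class".
# The format is made up for this example; it is not any real server's log.
SAMPLE_LOG = """\
1000 02:00:00:00:00:01 cam-front ipcam-fw
1300 02-00-00-00-00-01 cam-front ipcam-fw
1400 02:00:00:00:00:01 laptop-x generic-os
1700 02:00:00:00:00:01 cam-front ipcam-fw
2000 02:00:00:00:00:02 cam-back ipcam-fw
9000 02:00:00:00:00:02 cam-back ipcam-fw
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}")

def normalize_mac(raw):
    """Return a lowercase, colon-separated MAC, or None if malformed."""
    raw = raw.lower()
    if not MAC_RE.fullmatch(raw):
        return None
    return raw.replace("-", ":")

def find_shared_macs(log_text, allow_list, window=600):
    """Map each allow-listed MAC to its fingerprints when two different
    (hostname, vendor class) pairs appear within `window` seconds."""
    allowed = {normalize_mac(m) for m in allow_list}
    last_seen = {}                 # mac -> (timestamp, fingerprint)
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue               # skip malformed lines
        ts, mac = int(parts[0]), normalize_mac(parts[1])
        if mac is None or mac not in allowed:
            continue
        fp = (parts[2], parts[3])
        prev = last_seen.get(mac)
        # Same MAC, different client identity, both recently active.
        if prev and prev[1] != fp and ts - prev[0] <= window:
            flagged[mac].update({prev[1], fp})
        last_seen[mac] = (ts, fp)
    return {mac: sorted(fps) for mac, fps in flagged.items()}
```

A fingerprint change after a long gap (a device that was replaced or reinstalled) falls outside the window and is not reported.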
There are three basic approaches to this problem.
To be totally honest, I'd get different security cameras. The lack of security in these security cameras is not just ironic, but actually quite troublesome. Even after we get everything else secure, anyone within range can monitor what your security cameras see, simply because they require open WiFi. Getting cameras that support WPA is the only correct solution.
And it's the solution that I recommend.
However, let's assume that for some reason, that's not an option.
A compromise solution that is relatively simple and improves security is to use two access points.
One access point (the one combined with your router, if you have a combined unit) should be fully secured with WPA security. This is also the access point that every computer and device capable of wireless encryption should connect to.
The other access point, connected to a port on your router, would be open.
This scenario secures your wireless connections from sniffing, but only for those devices using encryption. Devices connected to the open access point would still be transmitting in the clear and thus be sniffable.
This approach has a serious flaw: it does not protect you from people connecting to your network. Anyone in range can connect to your open access point. That means that, while they won't see your internal network traffic (assuming the router is doing its job), they can still cause problems by being connected.
Protecting the rest of your network from those connections requires additional hardware.
Essentially, you need to treat the network with an open access point as a completely untrusted network. That means putting a router between it and you.
As a firewall, a router with NAT enabled protects what's "inside" your network from what's "outside". In a one-router situation, the router protects your local network from the internet. That's essentially what router #1 is doing in the diagram above.
If you have a segment of your network that is also untrusted - a condition that your open WiFi access point creates - then you need the second router to protect the rest of your equipment from whatever happens there. (There are variations on this approach that basically amount to different arrangements of the two routers.)
While maximally secure, it quickly gets more complex, as this can be a tricky configuration.
For example, I'm sure that you'll want to access your security cameras on your open access point from computers on the other "secure" side of router #2. Depending on exactly how those cameras are accessed, you may need to perform additional configuration of that router to enable access across it.
Are you sure that you wouldn't really rather get security cameras that support WPA? It would make many things much easier.
And more secure.