LinuxQuestions.org
Old 04-13-2005, 01:04 PM   #1
unreal128
MAC access lists.


I want to find the best way to secure my home wireless network. I know that both WEP and WPA are pretty weak encryption methods; I want an alternative. I was thinking about using MAC access lists on top of RADIUS authentication (by a Linux server on the local network).

My problem with this is that I think any person would be able to sniff the traffic and clone my MAC address. So what's the point of using this? I don't think RADIUS will help either, since it's an AAA protocol and won't hide the MAC until a session has been negotiated.
 
Old 04-14-2005, 05:53 PM   #2
fr_laz
Hi,

Quote:
I know that both WEP and WPA are pretty weak encryption methods;
By the way... it depends; there are (at the moment) two ways of using WPA:

1/ WPA preshared key, which means the use of a shared key between hosts, but with TKIP (Temporal Key Integrity Protocol). If you use correct preshared keys (not your company's name) that should be a good security level (by that I mean that I'm quite sure you have no information secret enough for a professional hacker to spend a month trying to intrude into your network... I may be wrong, but if so, then you should think about putting WiFi in a DMZ, 2 levels of firewalls - different OS and versions on each - with IPS, hot redundancy, and so on...).

2/ WPA + RADIUS, which means 802.1X: your access point drops every packet except 802.1X negotiation ones until you have authenticated to the RADIUS server, e.g. you've got to be a registered user in the RADIUS database. Then you use TKIP.

Both WPA modes use EAP, which isn't the most secure encryption method, but it may be used by most OSes and most machines since it's not too heavy.

Next step will be WPA2: 802.1X + AES encryption, which is a stronger cipher, but that will wait for the 802.11i standard to come into use... (and it's already been delayed at least once).

If you want to be still more secure, then consider using a VPN... but that's complicated when travelling users may come at any time and need access.

Quote:
(about MAC address filtering) So what's the point of using this?
Quite true! MAC address filtering can be bypassed, but as a matter of fact, I believe that if someone who's able to bypass your MAC filtering device really wants to hack into your network, then he will also find some security holes in your AP's software, or in your VPN server's code...

So, finally, I think that:
WEP alone is a joke
WEP + MAC filtering would be quite good for my parents, if they had bought an AP before WPA had existed
WPA preshared-key seems correct for my parents
WPA preshared-key + MAC filtering is sufficient for my parents
WPA + RADIUS is the most convenient way of securing WiFi for someone who cares about security (as every company should)
WPA + RADIUS + MAC: I agree with you on the interest it has.... or hasn't
VPN for real security, but much more complicated management

(Huh, I took my parents as an example because they use computers but are not the biggest users I know... as a matter of fact they don't have WiFi at all.)

Still, I'll be glad to have other points of view on that topic!
(Sorry unreal128, my post was no answer to your question...)

Last edited by fr_laz; 04-14-2005 at 05:55 PM.
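As an added illustration (not from any poster in this thread, and not a vendor configuration), here is how the tiers fr_laz lists map onto a Linux hostapd.conf: the interface name, SSID, addresses and secrets are placeholders, and the `driver=nl80211` line assumes a modern Linux wireless stack.

```ini
# Added example hostapd.conf (not from the thread). Interface, SSID, RADIUS address
# and secrets are placeholders; replace them before use.
interface=wlan0
driver=nl80211
ssid=EXAMPLE-SSID
hw_mode=g
channel=6

# Hiding the SSID only removes it from beacons; probe and association frames
# still carry it, so this is convenience, not authentication.
ignore_broadcast_ssid=1

# MAC allow-list (1 = accept only listed stations). Client MACs travel in the
# clear in every 802.11 frame header, so treat this as a speed bump only.
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept

# --- Tier 1: WPA preshared key with TKIP (the "correct preshared key" case).
# Commented out because tier 2 below is the stronger choice.
#wpa=1
#wpa_key_mgmt=WPA-PSK
#wpa_pairwise=TKIP
#wpa_passphrase=CHANGE-ME-long-random-passphrase

# --- Tier 2: WPA2 (802.11i, AES-CCMP) with 802.1X/EAP against a RADIUS server.
# hostapd keeps the controlled port closed to everything except EAPOL until the
# RADIUS server returns Access-Accept, so a cloned MAC alone gains nothing;
# the user credential, not the hardware address, is what is authenticated.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
own_ip_addr=192.0.2.1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-shared-secret
```

The RADIUS shared secret protects only the AP-to-RADIUS leg; the EAP method configured on the RADIUS server (for example a TLS-based one) is what protects the client credentials over the air.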
 
Old 04-14-2005, 07:19 PM   #3
unreal128
Thanks for the very thorough reply. I think I will go with WPA + RADIUS + MAC; it seems the most practical. The WiFi APs in my neighborhood are growing, so I think that any curious attacker would choose an easier target. Sad how many WiFi AP routers I have been able to access based on the default username/password (usually linksys).
 
Old 04-14-2005, 07:39 PM   #4
michaelsanford
As an addition (though not much of one) you can disable broadcasting your AP's SSID.
 
Old 04-15-2005, 11:52 AM   #5
unreal128
If I turn it off, how would I connect to it on a Windows and Mac (post-OS X) platform via a wireless laptop?
 
Old 04-15-2005, 03:07 PM   #6
michaelsanford
I live in a densely populated building and there are around 12 wireless networks available from my apartment. Once I disable SSID broadcasting (on my AirPort Express) I can't see it in the AirPort menu item any more... which is a good thing.

So to answer your question, the same way I do: enter the network name manually. In Mac OS X you can configure (in the System Preferences > Network > AirPort configuration, make a new one so it's NOT set to "Automatic" location) and enter a "Default network name". Then you should be connected to it every time you boot or re-enable AirPort.

If that fails, which it sometimes does, just enter the network name in the AirPort menu item's "Other" list item with your WEP key.

Don't know how it's done on Windows.
 
Old 04-15-2005, 07:01 PM   #7
unreal128
That's cool. I think it applies the same way in Windows (just go into the wireless networks and add it by SSID).
 
Old 04-15-2005, 07:46 PM   #8
michaelsanford
Mind you, this isn't foolproof security as many promiscuous cards will still see it, but it's a step, so why not. It'll cut out all but the determined hackers.
 
Old 04-20-2005, 08:56 AM   #9
fr_laz
Hi,

I was looking for a bug in the Cisco access points' GUI and I found this (http://www.cisco.com/univercd/cc/td/...n.htm#wp111746):
Quote:
Access points no longer allow you to configure both MAC-address authentication and WPA-PSK for the same SSID.
So it seems that Cisco found that MAC-address + WPA is so useless that they disabled it!
 