On Fri, Oct 24, 2014 at 8:40 AM, Dan Penoff via Mercedes < mercedes@okiebenz.com> wrote:
> Just leave it out there, but enable security. WPA for sure, as WEP has
> been compromised for years. Change the admin account credentials to
> something secure. Use good password practices (8 character minimum, a mix
> of numbers, upper/lower case letters and characters, no dictionary words.)

For the record I leave one of my access points open, and the neighbors occasionally use it if they have need. So far I've not had any issues with malicious folks. I've had at least one open access point since 2003 or so. That said, I have some network isolation, and I don't recommend it unless you have a fair amount of experience in networking and wireless.

For security, use WPA2 with AES (default) only; WPA is "easy" to hack. Enable key refresh < 1 hour if you can. WPA variants will enforce the shared key >8 characters; feel free to use special characters also.

There is nothing wrong with hiding your SSID, but you'll have to remember it when you configure new systems, and it does not do much in the way of security, as Dan has pointed out. I don't hide mine, even on the secure APs, because it is so much easier to configure things with the SSID broadcasting.

There are a few risks to an open/hacked access point:

1) Someone can get on your network and exploit any open systems/devices. They might print stuff, hack Windows, browse your NAS or Windows shares, etc. This is the same as if you have these devices directly connected to the internet, or are port forwarding. IMO this is the biggest risk, so my open access point is on a different network than my infrastructure for this reason.

1a) Someone might use your internet connection to download stuff, like maps or email or even technical support web pages. Possibly illegal stuff too, I suppose, though most people would be too polite to do that. Keep in mind that anyone who is using your connection is within range of your antenna, which is probably a little wire inside a plastic box. Even with an extended-range adapter you are looking at a few hundred feet, unless you are actively involved.

2) Someone can use DNS forwarding to intercept your connections to web sites. Fortunately most sites are using SSL by default now, so Facebook/Gmail/Yahoo/banks should be safe, as long as you don't thoughtlessly click through the "someone is intercepting your traffic!" page. (At the moment, and I think Chrome is exempt here, there is a technical way to silently intercept an SSL page, but you'd have to be on someone's really bad list for them to bother. I've never heard of anyone doing it outside of the demonstration.)

3) Someone can intercept any non-encrypted traffic. Big players in the non-encrypted-traffic space are apps, Adobe, web news services, FTP, usenet, torrents, and so on. Basically anything your ISP can read can be read on an open or compromised access point.

Of course, someone could be doing #2/3 off your cable or phone line (unless you have a VPN configured on your router), so having an open access point just makes their job easier.

Best,
Tim
no longer gets paid for this particular thing :)
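Tim's checklist (WPA2 with AES only, no WPA/TKIP or WEP, key refresh under an hour, a shared key of at least 8 characters) can be turned into a small audit of an access point's configuration. The following is an added example, not code from the list or its posters; it assumes hostapd-style `key=value` settings (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_group_rekey`, `wpa_passphrase`) and the two sample configurations are constructed.

```python
REKEY_MAX_SECONDS = 3600  # the post's "key refresh < 1 hour"
# Constructed sample configs (not from the post): a weak mixed-mode AP
# and the same AP hardened the way Tim recommends.
WEAK_CONF = """
ssid=HomeNet
# wpa=3 accepts both WPA (v1) and WPA2 clients; TKIP is the WPA v1 cipher
wpa=3
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
wpa_passphrase=secret
"""
HARDENED_CONF = """
ssid=HomeNet
# wpa=2 is WPA2 (RSN) only; CCMP is AES, with no TKIP fallback
wpa=2
rsn_pairwise=CCMP
wpa_group_rekey=1800
wpa_passphrase=correct horse battery st@ple
"""

def parse_hostapd(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return findings that violate the post's advice; an empty list passes."""
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa == "0" or any(k.startswith("wep_key") for k in conf):
        findings.append("open or WEP: no WPA/WPA2 configured")
    if wpa in ("1", "3"):
        findings.append("WPA (v1) accepted; set wpa=2 so only WPA2 is allowed")
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP allowed; use rsn_pairwise=CCMP (AES) only")
    elif wpa != "0" and "CCMP" not in ciphers:
        findings.append("no AES (CCMP) pairwise cipher configured")
    rekey = conf.get("wpa_group_rekey")
    if rekey is None or not 0 < int(rekey) < REKEY_MAX_SECONDS:
        findings.append("wpa_group_rekey missing or not under one hour")
    psk = conf.get("wpa_passphrase", "")
    if wpa != "0" and not 8 <= len(psk) <= 63:
        findings.append("wpa_passphrase must be 8 to 63 characters")
    return findings
```

Running `audit(parse_hostapd(WEAK_CONF))` reports four findings (WPA v1 accepted, TKIP allowed, no rekey interval, short passphrase), while the hardened configuration returns none.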