WIRELESSSECURITY TXT - 3 Dec 2011 14:15:04 - JKNAUTH

North Bend Clubhouse Wireless Network
===== ==== ========= ======== =======

Using hardware donated in 2006 and then updated in 2011 (see http://nbtha.org/Misc/Donations.htm), we have set up a wireless network at the Clubhouse for North Bend residents and their guests. This network provides easy high-speed access to the Internet in and near the Clubhouse. If your notebook PC has a wireless adapter and associated software, it should be easy to set up a profile on that PC to use the North Bend Clubhouse wireless network. The steps to do this are described in detail below.

It is very important to keep in mind that this is an open network. Data passing through it is not encrypted. This is probably in contrast to how data is handled on the wireless network at your workplace, or how data should be handled on the wireless network at your home. For reference, at the end of this article we have included some information about securing your home wireless network, but that is not the configuration used for the Clubhouse wireless network.

Using the Clubhouse wireless network is similar to connecting through a wireless hotspot at a library, coffee shop, airport, copier store, etc. It is great for surfing the web; however, it is definitely the wrong thing to use for sending or receiving unencrypted data that you want kept secret. Think of it as talking on a party line with hundreds of people listening, or as connecting your PC to a phone line that is always being tapped by the government, al Qaeda, the NY Times, the National Enquirer, your minister, your worst business competitor, your spouse, your nosy neighbor, etc. Some partial protections are discussed below, but unless you *know* your data is encrypted while passing through the whole Internet, it is best to assume that anything you send or receive over the wireless part of its path can be observed by anyone, especially those you most wish not to see it.
This wireless network is intended for simple Internet surfing by North Bend residents and their guests. It is not intended to be used by anyone to download huge amounts of data, e.g., an online movie.

Summary
=======

Here are the key points of this article:

1) It should be easy for you to set up your wireless device (laptop, smart phone, tablet, etc.) to access the Clubhouse wireless network. You can get the required SSID network name by contacting the NBTHA Office. A section near the end of this article describes in detail how to configure a wireless profile on Windows XP using the default Windows XP software. Something similar applies to other Windows systems. A program provided with the wireless adapter in your PC may be used for the setup instead. The exact procedure differs from device to device.

2) The North Bend Clubhouse wireless network is not intended to be secure. We have made some configuration choices to make the network easily available to North Bend users and traded off much security to do that. This means you must take some explicit precautions to keep your sensitive data private when it passes through the wireless network, e.g., by using
   * HTTPS web pages, when appropriate
   * Webmail to do e-mail; some popular options are listed below
   * Virtual Private Networks, if available

3) You should protect your PC from intrusions by malware (viruses, worms, spyware, etc.). Of course you should provide such protection no matter how you connect to the Internet, whether at your home, at work, via the Clubhouse wireless network, or by any other means.

4) If you have a home wireless network, some suggestions are provided to make your own network more secure. By contrasting the Clubhouse network with your own and understanding the configuration choices we have made, you can better understand the security vs. ease-of-use tradeoffs you can make for your own network.
Wireless Router Configuration Choices We Have Made
======== ====== ============= ======= == ==== ====

This section describes some explicit tradeoffs we have made, balancing ease of use of the wireless network against security. For your home wireless network (as described at the end of the article), you should probably make different configuration choices.

A wireless network is identified by an SSID (Service Set Identifier). The SSID (also called the network name) is displayed by Windows when your PC is connected to that network. Other wireless devices make the SSID information available in a similar way. If the network administrator so chooses, the hardware for a wireless network can be set to broadcast that network's SSID, indicating it is a network to which your device might attach. There are pros and cons to broadcasting the SSID. We have chosen not to broadcast ours, to somewhat lessen the number of interlopers who might try to use our network. Note this doesn't prevent someone with the right equipment from eavesdropping and discovering the unbroadcast SSID: every device that connects transmits the SSID in the clear when it associates, so hiding the SSID is an inconvenience for the casual user, not a security control. However, if the SSID is not broadcast, a legitimate user must know the SSID beforehand to be able to connect to that network. Contact the NBTHA Office to get the current SSID for the North Bend Clubhouse wireless network.

The second configuration choice is whether to encrypt data passing through the Clubhouse wireless network. We have chosen not to use encryption. Mainly this is because it would be very difficult to distribute and keep secret the required password. Each user would have to know the current password and keep it secret (not likely). Moreover, there are multiple types of wireless encryption, some much better than others, but all users on the wireless network have to use the same type. This means the network encryption would have to be downgraded to the level supported by the weakest user's equipment. All in all, we decided it would be best to clearly say up front "We are doing no encryption."
rather than to give people a false sense of security by using a level of encryption that can be easily broken. This requires users to be responsible for protecting their own data, as described in the next section.

The third configuration choice is whether use of the Clubhouse wireless network should be limited to specifically identified wireless devices. If we used that option, our router could be programmed with a list of about fifty allowed wireless Ethernet MAC addresses; a MAC address is a hardware address, unique to a device's wireless adapter, that the adapter transmits with every frame. We could record the legitimate North Bend devices to be allowed and disallow all others. However, this is more of a bureaucratic task than we want to take on, because the list would change often. Also, the limit of fifty would probably be exceeded before long. Finally, someone with the right equipment can easily get around this filter: MAC addresses are sent unencrypted with every frame, and most adapters let their address be changed in software, so an intruder can simply copy the address of a device that is already allowed. We have decided not to restrict the network to specific wireless devices.

Security Considerations When You Use the Wireless Network
======== ============== ==== === === === ======== =======

The bottom line is:

   *** ASSUME YOUR PC IS CONSTANTLY BEING WATCHED! ***

Internet Browsing
-------- --------

The Internet provides ways to keep sensitive information private. When your PC interacts with a web page on some host computer, the communication protocol used is typically HTTP or HTTPS; the "S" in HTTPS stands for "Secure". The protocol used can be seen at the start of the web page's address in your browser's address bar. Browsers also typically display a closed-lock icon, in the address bar or near the bottom of the window, when working with an HTTPS web page. (Older versions of the Firefox browser also colored the address bar yellow for an HTTPS page.) HTTPS web pages should be used when data must be kept private.
The information is encrypted before it is sent by the PC to the web page host (or vice versa) and is not decrypted until it is received by the host or the PC. Thus the data is encrypted all the way between your PC and the web page host computer. One caveat: this only holds if your browser verifies the site's certificate. If you get a certificate warning while on an open network, do not click through it; it may mean that someone on the network has inserted themselves between you and the site.

In contrast, traffic with an HTTP web page is sent unencrypted. HTTP data may happen to be encrypted and then decrypted as it passes through *some* parts of the Internet, but there is no guarantee that it will be encrypted at the time it passes through a part of the Internet where someone might be snooping, who can then easily read what was sent. HTTPS data, by contrast, is encrypted along the entire path between sender and receiver.

This distinction between HTTPS and HTTP matters when the traffic passes through a part of the Internet, e.g., our wireless network, that does not do its own additional encryption. HTTP traffic through such a network is "in the clear". Anyone who can capture such data from the network can easily read it; it won't be just a meaningless set of encrypted bits. Thus if you want to protect your data through our wireless network, you must use an HTTPS web page or the equivalent, as described below. Of course for most web pages you view, the data is not sensitive and HTTP is perfectly adequate.

Virtual Private Networks
------- ------- --------

If your workplace provides a secure VPN (Virtual Private Network) facility for you to reach that work location through the Internet, the VPN can be safely used through the Clubhouse wireless network. A secure VPN provides end-to-end encryption between your PC and your workplace, similar to what HTTPS provides between your PC and a web site.

E-Mail
------

The amount of data security provided for e-mail varies widely. If your data passes through an unencrypted network, like ours, or through any part of the Internet that cannot be trusted, you need some sort of end-to-end protection for that data.
For example, have everything encrypted between your PC and your mail server; this includes your e-mail userid, password, and any sent or received e-mails. Many PC e-mail programs and e-mail servers provide an SSL (Secure Sockets Layer, now called TLS) option to provide this protection. You must choose this option to get the secure support. However, some servers do not provide such an option because they assume you are directly connected to their network and their server is located within a protected part of that network. Thus even though data flows in the clear, they assume the network cannot be easily accessed by snoopers. They don't consider that the data might be snooped somewhere between your PC and their network, e.g., in an unencrypted wireless network that is attached to their network.

If your e-mail program and server provide an SSL option, you should use it. If this option is not available, all is not lost. Many e-mail servers also provide a webmail option which allows you to do most e-mail functions using a web page interface secured with SSL. You should see an HTTPS address when using such a facility, typically with a closed-lock icon displayed somewhere in your browser's window. This means your e-mail traffic is being encrypted all the way between your PC and the e-mail server. Here are some examples of such webmail facilities:

   RoadRunner  https://webmail.nc.rr.com
   EarthLink   https://webmail.earthlink.net
   Yahoo       http://login.yahoo.com (choose "Submits over SSL" option)
   Gmail       https://mail.google.com/mail
   Hotmail     https://login.passport.net/uilogin.srf?lc=1033&id=2&vv=330
   AOL         http://site.aol.com/aolmail (then click on the link that takes you to AOL's secure logon page)

Even if you use webmail or SSL, the e-mail might be decrypted as it passes beyond your original mail server on its way to the ultimate destination. This may be because some point further along the path (for example, the mail server of the person to whom you are sending e-mail) does not support SSL.
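To make concrete what "in the clear" means for both web browsing and e-mail, here is an added Python example (not part of the original article) that plays the role of a listener on an open network. It is fed three constructed byte strings standing in for captured traffic; the host name mail.example.com and the userid and password are made up. From an HTTP form login and from a POP3 login made without the SSL option it recovers the credentials directly. From the opening message of an HTTPS connection (the TLS ClientHello) it recovers only the name of the site being contacted; everything that follows is ciphertext.

```python
"""Listener's view of three kinds of traffic on an open wireless network.
Added example for this article; the payloads are constructed, not captured,
and the host names and credentials are made up."""
import re
import urllib.parse
from typing import Optional

# HTTP (not HTTPS) form login: headers and body go out as plain text.
HTTP_LOGIN = (b"POST /login HTTP/1.1\r\nHost: mail.example.com\r\n"
              b"Cookie: session=3f9a2c\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 33\r\n\r\n"
              b"user=alice&password=Summer2011%21")
# POP3 session without the SSL option, server and client lines interleaved.
POP3_LOGIN = (b"+OK POP3 server ready\r\nUSER alice@example.com\r\n+OK\r\n"
              b"PASS Summer2011!\r\n+OK Logged in.\r\n")


def tls_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying a server_name (SNI)
    extension: the first thing a browser sends to open an HTTPS page."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    suites = b"\xc0\x2f\x00\x9c"                 # two cipher suites, demo only
    body = (b"\x03\x03" + bytes(32)              # version, client random (zeros)
            + b"\x00"                            # empty session id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00"                        # compression: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def sni_from_client_hello(record: bytes) -> Optional[str]:
    """Host name from a ClientHello, or None. Everything after the handshake
    is ciphertext, so this is all a listener learns about an HTTPS session."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    try:
        p = 9 + 2 + 32                                   # headers, version, random
        p += 1 + record[p]                               # session id
        p += 2 + int.from_bytes(record[p:p + 2], "big")  # cipher suites
        p += 1 + record[p]                               # compression methods
        ext_end = p + 2 + int.from_bytes(record[p:p + 2], "big")
        p += 2
        while p + 4 <= ext_end:
            etype = int.from_bytes(record[p:p + 2], "big")
            elen = int.from_bytes(record[p + 2:p + 4], "big")
            p += 4
            if etype == 0 and record[p + 2] == 0:        # host_name entry
                nlen = int.from_bytes(record[p + 3:p + 5], "big")
                return record[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except IndexError:
        pass
    return None


def http_secrets(payload: bytes) -> dict:
    """Request line, sensitive headers and form credentials of one HTTP request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    found = {"request": lines[0].decode("latin-1")}
    for line in lines[1:]:
        name, _, value = line.partition(b": ")
        if name.lower() in (b"host", b"cookie", b"authorization"):
            found[name.decode().lower()] = value.decode("latin-1")
    for m in re.finditer(rb"(user(?:name)?|pass(?:word)?)=([^&]*)", body):
        found[m.group(1).decode()] = urllib.parse.unquote(m.group(2).decode())
    return found


def pop3_secrets(stream: bytes) -> dict:
    """USER and PASS arguments from a POP3 session run without SSL."""
    found = {}
    for line in stream.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb in (b"USER", b"PASS"):
            found[verb.decode().lower()] = arg.decode("latin-1")
    return found


def eavesdrop(payload: bytes) -> dict:
    """Classify one captured TCP payload and report what is readable in it."""
    if payload[:1] == b"\x16":                       # TLS: host name only
        return {"protocol": "TLS", "credentials": None,
                "server_name": sni_from_client_hello(payload)}
    if payload.split(b"\r\n", 1)[0].endswith((b"HTTP/1.1", b"HTTP/1.0")):
        return {"protocol": "HTTP", **http_secrets(payload)}
    if b"\r\nUSER " in payload or payload.startswith(b"USER "):
        return {"protocol": "POP3", **pop3_secrets(payload)}
    return {"protocol": "unknown"}


if __name__ == "__main__":
    for sample in (HTTP_LOGIN, POP3_LOGIN, tls_client_hello("mail.example.com")):
        print(eavesdrop(sample))
```

The same password is recovered from the HTTP and POP3 samples with nothing more than string matching, which is exactly what a listener on an unencrypted network can do. For the TLS sample the site name is visible (it is sent before encryption starts) but the credentials are not.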
If you really want to totally protect e-mail data, you and your e-mail correspondent need to do end-to-end encryption of the e-mail text using tools not described in this article, e.g., the Pretty Good Privacy (PGP) tool. That consideration applies independent of the use of the North Bend Clubhouse wireless network. Unless you use such precautions, any e-mail you send or receive should be considered open to everyone, no matter how you connect to the Internet.

Other Internet Interactions
----- -------- ------------

You may have other ways you communicate over the Internet: chat sessions, FTP uploads/downloads, streaming, etc. For anything you do that you aren't sure is encrypted, assume you are being watched. (Plain FTP, for instance, sends your userid and password in the clear, just like unencrypted e-mail.) The responsibility for protecting your privacy is your own.

Protection of Your Device on the Clubhouse Wireless Network
========== == ==== ====== == === ========= ======== =======

When you attach to any wireless network, whether at the Clubhouse, at home, or anywhere else, you should get in the habit of checking the SSID of the network you are connecting to. This is just to make sure you are using the network you think you are. You probably will have your PC set to automatically select networks in some specific order or by signal strength. Circumstances might cause you to be automatically attached to a different network than you expected. If you see this has happened, you can disable your PC's wireless radio (causing a disconnect), then reorder the automatic selection list, and finally re-enable the radio to cause a new connection, this time to the correct network.

For PC protection, let's start by assuming you already have appropriate anti-malware software running on your PC. (See the "Securing Your Home Wireless Network" section below, which has recommendations for protecting your system at home.)
If you don't have such anti-malware software on your PC or don't keep it up to date, you are already exposed when you connect your PC to the Internet at your home or anywhere else. Connecting to our wireless network won't cure your existing problems. Our wireless router does provide a firewall between the Internet and the devices using the Clubhouse wireless network, but that does not guarantee that no malware can get through. Keep in mind also that a router firewall of this kind typically does nothing to separate the wireless devices from one another: any other device on the Clubhouse network can reach your PC directly.

The IP address range for devices attached to the Clubhouse wireless network is 192.168.1.x. When you connect to the wireless network, if your device's firewall software asks you whether to consider the 192.168.1.x network as "Public"/"Internet" or "Trusted", you should select "Public"/"Internet". That means you consider communication with such addresses as no more trustworthy than communication with any other address found out in the wild and woolly Internet; in particular, Windows will then not offer file and printer sharing to the other devices on the Clubhouse network.

Building a Wireless Profile on Your Windows XP PC
======== = ======== ======= == ==== ======= == ==

Windows XP includes some wireless software by default. Here is a procedure using that support to add a profile for accessing the North Bend Clubhouse wireless network.

1) Select the wireless icon in the system tray to display the Wireless Network Connection Status window.

2) Select Properties to display the Wireless Network Connection Properties window.

3) Select the Wireless Networks tab.

4) Select Add and fill in the dialog as follows. (The required SSID network name can be gotten from Jeff Knauth or Jim Frank. E-mail addresses are at the end of this article.)

   On the Association tab:
      Network name (SSID):     (the SSID you were given)
      Network Authentication:  Open
      Data encryption:         Disabled
      Leave unchecked "This is a computer-to-computer (ad hoc) network"

   On the Connection tab:
      Leave checked "Connect when this network is in range"

5) Select OK. This will add a new entry in the Preferred Networks list. The order of the entries can be changed by selecting an entry and selecting the "Move Up" or "Move Down" button.
Windows will try to connect to the networks in the order listed; if unable to connect, it will then try the next one in the list.

As an alternative to steps 1 and 2 above:

1) Right-click the wireless icon in the system tray and select "View Available Wireless Networks" to display the Wireless Network Connection window.

2) Select "Change advanced settings" under Related Tasks on the left to display the Wireless Network Connection Properties window.

Securing Your Home Wireless Network
======== ==== ==== ======== =======

Below are the recommended settings for your home wireless router to secure your wireless network as much as possible. You can relax the settings at the expense of giving up some security. Please keep in mind that a dedicated attacker with the right snooping hardware and software can break the older WEP encryption in minutes, and can run offline guessing attacks against a WPA/WPA2 network whose passphrase is short or is a dictionary word. The encryption setting and a long, random passphrase are what actually protect your traffic; the remaining items mostly keep out the casual snooper or prevent someone from connecting to your network accidentally.

* Change your router's administrative password and SSID from the defaults set by the manufacturer. (The SSID is an input to the WPA key derivation, so attackers precompute keys for common default SSIDs; a unique SSID defeats those tables.)
* Do not allow remote access to your router's administrative account.
* Use the highest level of encryption possible, e.g., WPA2-PSK with AES (CCMP), with a passphrase that is long (20 or more characters) and not a dictionary word. Do not use WEP.
* Do not broadcast your SSID.
* Use an Ethernet MAC address filter list to restrict access to only your PCs.

As noted above for the Clubhouse network, the last two items only inconvenience an intruder: the SSID and MAC addresses travel in the clear and can be copied. They add little once strong encryption is in place.

You must have a compatible wireless profile on your PC to enable that PC to access such a protected home network. Note that you would need a second profile on your PC to access the less secure Clubhouse wireless network. The "Building a Wireless Profile on Your Windows XP PC" section describes how to build a profile to access the Clubhouse network.

As stated above, you should get in the habit of checking the SSID of the network you attach to.
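To show why the SSID and passphrase recommendations above belong together, here is an added Python example (not part of the original article) that derives the WPA/WPA2-Personal key exactly as the standard specifies and then plays the attacker with a constructed word list. The SSIDs "linksys" and "MyHouse42" and all the passphrases are made up for the demonstration; the "password"/"IEEE" pair is the published test vector from the 802.11i standard.

```python
"""WPA/WPA2-Personal key derivation and why the SSID and passphrase matter.

Added example for this article.  The Pairwise Master Key (PMK) is
PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).  The
SSID is the salt, so precomputed PMK tables exist for common default SSIDs;
and because the WPA handshake can be recorded off the air, an attacker can
test passphrase guesses offline at the cost of one PBKDF2 run each.  The
word list and SSIDs below are constructed."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK as specified in IEEE 802.11i (published vector: "password"/"IEEE")."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def precompute_table(ssid: str, wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Precomputed PMK -> passphrase table for one SSID.  Worth building for a
    manufacturer default SSID; worthless against a network with a unique SSID."""
    return {wpa_pmk(word, ssid): word for word in wordlist if len(word) >= 8}


def offline_guess(target_pmk: bytes, ssid: str,
                  candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check.  A real attack verifies each candidate
    against the MIC in the captured 4-way handshake rather than against the
    PMK (which the attacker never sees); comparing PMKs stands in for that."""
    for guess in candidates:
        if len(guess) < 8:
            continue                       # not a legal WPA passphrase
        if hmac.compare_digest(wpa_pmk(guess, ssid), target_pmk):
            return guess
    return None


# Constructed word list; a real one has millions of entries.
COMMON_PASSPHRASES = ["password", "letmein1", "12345678", "iloveyou"]

if __name__ == "__main__":
    # Default SSID plus a common passphrase: found in a precomputed table.
    table = precompute_table("linksys", COMMON_PASSPHRASES)
    print(table.get(wpa_pmk("letmein1", "linksys")))
    # Same weak passphrase, unique SSID: the table misses, but a fresh
    # offline dictionary run against the captured handshake still finds it.
    print(table.get(wpa_pmk("letmein1", "MyHouse42")))
    print(offline_guess(wpa_pmk("letmein1", "MyHouse42"), "MyHouse42",
                        COMMON_PASSPHRASES))
    # Long random passphrase: the dictionary run comes up empty.
    print(offline_guess(wpa_pmk("xQ7#vL2pR9!kTz", "MyHouse42"), "MyHouse42",
                        COMMON_PASSPHRASES))
```

Changing the SSID forces the attacker to start the 4096-iteration computation from scratch for every guess instead of looking the answer up; choosing a long random passphrase makes the number of guesses needed impractical. Neither hiding the SSID nor MAC filtering changes this arithmetic.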
Without that check you might be connected to a different network from the one you expected and might not take the proper security precautions, e.g., you might use unprotected e-mail instead of the required webmail/SSL.

Of course you should have adequate anti-malware support on your PC. This is software that protects your PC against viruses and spyware and provides a firewall against certain threats from the Internet. A good firewall also protects the Internet against threats from bad software on your PC. Such anti-malware software is needed no matter what network you attach to. See http://jgkhome.name/PC_Info/PC-InetNotes.htm for further information on this subject.

References
==========

These references on network security are old (and haven't been checked recently), but may be helpful:

The http://www.linksys.com web site has a good overview in text form. Hover your mouse cursor over the Learning Center item in the bar near the top of the page, then select Network Security. The text files are linked from the menu on the left side of the page. The Linksys web site also has a course in Flash form, which requires prior installation of the Macromedia Flash player. This is linked from the image on the right side of the page. They also supply a link for installing the Flash player if you don't already have that tool on your PC. This Flash-based course uses audio as well as video, so a sound card and speakers are required.

These web pages describe in more detail some simple steps you can take to make your home wireless network more secure:
   http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm
   http://www.connectedhomemedia.com/HomeControls/Articles/Index.cfm?ArticleID=49176

Sessions 10, 11, and 13 of these audio broadcasts (also available in text form) will give you a very good technical background on many wireless security topics:
   http://www.grc.com/SecurityNow.htm
This is a whitepaper, which eventually gets around to trying to sell you JiWire's VPN product, but it has good information on wireless security along the way:
   http://www.jiwire.com/whitepaper-section1.htm

These are detailed, but somewhat dated, articles on wireless subjects:
   http://www.windowsecurity.com/articles/Wireless_Security_Primer_101.html
   http://www.windowsecurity.com/articles/Wireless_Security_Primer_Part_II.html

You can find a number of other references by doing a Google search on wireless+security.

Jeff Knauth
jknauth@nc.rr.com