I'll try to keep this post short, but the main idea is that apparently wireless and security don't really mix well. At least if you are not an expert in this area. While I started learning about this stuff, I got really worried on how easy is to setup things in a totally insecure way.
Sure, there are plenty of alternatives to get your network secure. But, for the average user, it might be a lot to learn: you got to know what all these three-letter acronyms mean (WEP, WPA, DES, etc), you need to understand what types of attacks are possible (active/passive, man-in-the-middle and so on and so forth). At least on the last subject, there are all sorts of strange ways to attack a wireless network. And my wife won't enjoy spending a weekend reading all this...
I would really love to see some sort of idiot-proof, easy-to-understand method that makes your entire wireless network 100% secure. Unfortunately, this is not possible today, simply because the notion of wireless security goes beyond a single operating system. You have to configure your router too. And your laptop. And your wireless camera (if you have one). And every other wireless device you add in your network... Wouldn't be nice to have a really simple process, like just using a USB thumb drive to migrate the secret key between all these devices to make the entire network secure by default?
Anyway, here is what I found in my short experience:
- Avoid using WEP as an encryption protocol. Apparently, WEP has several security problems. Use a more mature encryption protocol instead. Everything that starts with WPA-xxx should be probably OK (or at least this is my assumption).
- In my personal experience, WPA-TKI seemed to be the encryption protocol that was the easiest to setup. Both my wireless router and my tablet seemed to support it pretty well. The shared secret is a simple ASCII string which is easier to memorize compared to something which looks like a GUID.
- In your router, disable SSID discovery. This is good as a preventive measure; however, be aware that a passive attacker can figure the SSID anyway (the "disable" feature applies only to the beacon frames).
- Use MAC filtering whenever possible! I could find an easy way to enable MAC filtering at the router side. But my tablet (a HP tc1100, not the latest one with the "802.11g" feature) I couldn't find any way to do any MAC filtering. You might say that I'm really paranoid, I know :-). But it doesn't make sense to have filtering only on one direction...
That's it. And, by the way, if I got anything wrong, or missing, I would be glad to get any feedback!