To open or not to open?

June 26, 2008 by Stefano Testi

With the rapid growth and wide diffusion of wireless coverage, a key topic is whether or not you should keep your wireless connection open, allowing strangers to use your bandwidth if they want. Many people think that this is very harmful; many others think that it’s only a matter of basic politeness, like offering a hot cup of tea.

To tell the truth, I am among the second group: wouldn’t it be great if in every place you visit you could find an open wireless network to check your email, blog, feeds and so on? That’s why I’m a Fon member, and why I share my connection at home through a Fonera router.

But in the last few weeks I have also been trying to keep my wireless router (a Linksys WRT54GL) open with free access (no WEP, no WPA or WPA2, …), allowing my guests and occasional users to connect to the web, while at the same time trying to avoid my neighbours’ leeching.

The key point is: I completely agree with sharing wireless with other users, but not with regular selfish leechers that greedily saturate your connection with endless downloads.

I know that my “open your wifi” invitation sounds a little bit crazy, but my opinion is that you don’t defeat the enemy by locking yourself in a little dark room: closing your wifi (while leaving all your ports open) does not make you safe.

As you may know, there are several ways to secure a wireless connection. From weakest to safest:

  • Disabling SSID broadcast: very weak, the SSID is still transmitted in the clear when a client associates, and all your communications stay in the clear.
  • Selective MAC-address access: MAC addresses can be spoofed, and anyway all the communication still goes in the clear.
  • WEP: very weak, it can be broken in less than one hour, since the key derivation that seeds the RC4 algorithm is not so smart, even if RC4 by itself is safe. Traffic is encrypted, but not in a safe way.
  • WPA: stronger than WEP, it can be broken only by capturing a handshake session and trying an offline brute-force attack. If you choose a “good” password, it is reasonably safe. Traffic is encrypted.
  • WPA2: better than WPA, the safest as of today, traffic encrypted.

So, what kind of threats can you meet in opening your wireless? I tried to compile a list of reasonable threats, and then to take some countermeasures for each. Here’s the list.

1) Open Wireless = “ACME Free Bird Seed”?

As I mentioned before, one of the first things you notice when you open your wireless is your neighbours regularly stealing your connection. If they grab all your “free bird seed” (I did not find any suitable free-bird-seed image to put here…), you can use your router’s MAC ACL (Access Control List), putting their MAC addresses in the blacklist so they can no longer connect. If they are more than average users, they can always try to change their MAC address, but you can always block the new address as well.

2) Split your WiFi

The key point in opening a wireless network is that you’re not only allowing everybody to connect to your network, but also that every single bit you send (except those protected by some other security protocol) goes through the air completely in the clear, without any kind of encryption. An attacker can use sniffing software (like Wireshark) to read all the webpages you load, your mail and so on.

This is the only point that blocked me from opening my wireless for a while: my privacy.

A good move to avoid this is splitting your WiFi into two networks. Maybe your router is one of the many supported by the DD-WRT firmware, a free firmware with professional-grade features that allows you (among many other possibilities) to create different “virtual networks”. My router supports DD-WRT, so I used it to create two different networks on the same radio: a protected one (with WPA2) for me, and a free one for my guests, completely open and separated from the other network and from the Ethernet part of my private net.

With this kind of configuration you can offer free wifi while keeping your own traffic protected (if somebody is interested in this, please comment on this post (or write me) and I will post a tutorial about it).

If you can’t split your wifi, there are other methods to build a secure channel over an insecure wireless link: if you have some networking skills, you can set up an IPsec tunnel or an SSH tunnel to your SSH- or IPsec-capable router, or to another server on your wired private network (if you have one). This is also recommended if you frequently use public and unknown APs with your laptop.

3) Blocking Traffic

If you’re worried about what your “guests” can download, or about receiving a cease-and-desist letter from your provider (P2P docet), you can always selectively block some services. On my public wifi network, the only allowed traffic is HTTP/HTTPS, mail protocols (POP3, IMAP and SMTP and their encrypted versions), some IM protocols (AIM, Jabber, MSN, …) and SSH.

You can set up these rules inside your router’s firewall. On my router, since the firmware is Linux-based, this is provided by iptables.

In this way somebody connecting to my wireless can only surf, check email and do some “SSH-ing”, while all P2P protocols are blocked by default. You can also apply some bandwidth throttling, but I preferred to leave the full bandwidth available.
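Here is one way to express both the guest/LAN separation from point 2 and the service whitelist from point 3 as iptables rules. This is an added example, not the configuration from the original post: the interface names (guest virtual AP `wl0.1`, private LAN bridge `br0`, WAN side `vlan1`) are assumptions for a DD-WRT Linksys and must be adapted, the IM ports are the standard ones for AIM (5190), Jabber/XMPP (5222) and MSN (1863), and DNS is allowed even though the post does not list it, because nothing resolves without it.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules for an open guest
# SSID on a Linux/DD-WRT style router. Guests may only reach the services the
# post allows (HTTP/HTTPS, mail, a few IM protocols, SSH) and never the private
# LAN. Interface names are assumptions: guest virtual AP "wl0.1", private LAN
# bridge "br0", WAN side "vlan1". Override them via the environment if needed.
GUEST_IF="${GUEST_IF:-wl0.1}"
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan1}"

# By default the rules are only printed, so they can be reviewed first;
# run the script with APPLY=1 on the router to actually install them.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# TCP ports of the services the post whitelists on the guest network
guest_tcp_ports() {
    # 80/443 HTTP/HTTPS; 110/995 POP3(S); 143/993 IMAP(S); 25/465/587 SMTP(S)
    # and submission; 22 SSH; 5190 AIM; 5222 Jabber/XMPP; 1863 MSN
    echo "80 443 110 995 143 993 25 465 587 22 5190 5222 1863"
}

apply_guest_rules() {
    # Separate chain, so the guest policy can be reloaded without touching
    # the rest of the router's firewall
    ipt -N guest_fwd 2>/dev/null
    ipt -F guest_fwd
    ipt -D FORWARD -i "$GUEST_IF" -j guest_fwd 2>/dev/null
    ipt -I FORWARD 1 -i "$GUEST_IF" -j guest_fwd
    # Replies to connections opened by guests must be allowed back in
    ipt -D FORWARD -o "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
    ipt -I FORWARD 1 -o "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 1. Guests never reach the private LAN (the split described in point 2)
    ipt -A guest_fwd -o "$LAN_IF" -j DROP
    # 2. DNS: not in the post's list, but nothing resolves without it
    ipt -A guest_fwd -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    ipt -A guest_fwd -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT
    # 3. The whitelisted TCP services, towards the Internet only
    for port in $(guest_tcp_ports); do
        ipt -A guest_fwd -o "$WAN_IF" -p tcp --dport "$port" -j ACCEPT
    done
    # 4. Everything else coming from guests (P2P, random ports, other UDP)
    #    is dropped, which is what blocks P2P "by default"
    ipt -A guest_fwd -j DROP
}

apply_guest_rules
```

Running the script without `APPLY=1` just prints the rule set, which is a convenient way to review it before installing it on the router. The final DROP is what makes the policy a whitelist: any protocol not explicitly listed, P2P included, never leaves the guest interface.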

4) Security?

At this point you’ve provided a good level of protection against attackers, you are providing free internet (you can look at yourself as a 21st century Good Samaritan), and at the same time you are ensuring confidentiality for your own data and traffic.

Ok, I know what you’re thinking: there are a lot of other possible threats, like somebody downloading pedo-pornographic movies through HTTP and so on. Technically you can also have legal problems, since in some countries (like Italy, where I am) you shouldn’t allow somebody to connect to a WiFi AP if you don’t ask for his ID card and register it (thanks to the post-11th-September anti-terrorism Pisani Law). I know all these things. But I think that if we take care of all the possible problems we can have in life, we will not live happily. :)

And you? What do you think about opening your wifi? Do you think I’m totally crazy?


One Response

  1. lithium says:

    No! I think you would make an awesome neighbour. I like the idea and I have the ability to lock down and secure my internal LAN if I opt to share my WiFi, but from my experience leechers don’t care about you or your needs. You still need a decent router to be able to control traffic rates. A Linksys running DD-WRT?
