securing a wireless network

Boston

might be in the wrong place. But i'm about to pruchase (week or two) a wirelss adsl modem and router to set up a nice little wireless network. Now i don't know much about cracking/hacking, but i do know with the right hardware and software its pretty easy to get into a wireless network. What i want to know is how do i encrypt/ secure my wireless network. No point in have a state of the art firewall on the router, if the local pleb can hack into my broadband connection. This is very important as theres a cap on my adsl service (utv).

flywheel

for my home one I changed the default AP name, username and password; closed the network so it didn't broadcast the name (SSID), switched on WEP and configured a MAC address access control list

also located that the signal is degraded outside the front but that it covers the garden out the back (for those last few days of summer!)

VBNets have a tutorial / faq on their site coving security issues:
http://www.vbnets.com/tutorials/security.html

hth,
BrianG

quozl

It's only worth putting an amount of effort into securing something proportional to the chances and costs of it being broken into imo.

Odds are pretty slim anyone will break into your network if you turn on wep and mac filtering. Not because it's particularily hard, but because most people dont know how, couldnt be bothered logging enough traffic to crack the wep keys, and are very lazy.

They'll go elsewhere.

If you really want to make things more secure you can set up an ipsec(really secure, pain in the hole) or pptp (less secure, less hassle to setup) vpn, and require people to log into that to get onto the internet. I just don't think it's worth the hassle though.

Greg

Boston

well lets put it this way, if someone gained access to my computer, through a hole in the wireless network, they could cost me allot of money, therefore i'll make every effort to stop them. thank you for the link DubWireless i wil lcheck it out.

BigEejit

I'll add that you should set the highest level of wep your gear can handle ... of course this may not be an option if you are getting bad signals around the house .... (wep might reduce throughput drastically) ... I have 152bit going and am not suffering any lowering of throughput anywhere in the house ...

I was of the impression that a MAC access control list was fairly secure ... just have to stop telling people the mac addresses of your gear ... and as was pointed out by DubWireless dont broadcast your SSID and change everything from default ....

Of course one of the other things to do is get different gear than most other people (I have 802.11a gear, not a lot of that floating around )

Boston

keep in mind this is the fire tiem i've used anythign wireless besides a door bell. i don't know what wep is or ssid. I'm sure though i'll figure it out once the equipment arrives. i'll be using 802.11g

quozl

Originally posted by BigEejit
I was of the impression that a MAC access control list was fairly secure ... just have to stop telling people the mac addresses of your gear

It's easier to bypass than wep as you need less traffic. Run kismet or any other decent wireless sniffer. Analyse the logs with ethereal or any other decent network traffic analyzer and pick out the macs. Then use one of those mac's when you dont see it associated with the ap's.

But I still stand by my opinion that if you stick on wep and mac filtering it's unlikely that anyone will bother to break in (despite it still being damn easy)

Greg

Boston

Originally posted by quozl
It's easier to bypass than wep as you need less traffic. Run kismet or any other decent wireless sniffer. Analyse the logs with ethereal or any other decent network traffic analyzer and pick out the macs. Then use one of those mac's when you dont see it associated with the ap's.

But I still stand by my opinion that if you stick on wep and mac filtering it's unlikely that anyone will bother to break in (despite it still being damn easy)

Greg

i look at it this way, if i could do it to a neighbour, i probably would.

Boston

whats the story with bluetooth, from what i can see its slower and more expensive, but response times are faster. why do people use it.

flywheel

you could also look into using an Access Point where you can customise the Antenna Transmit Power and look into the physical location of the Access Point - that will determine where the coverage extends i.e. the area where someone can 'hear' your access point

a stroll around doing a home site survey to see where coverage is available will show where your signal extends and you may be able to adjust the antenna settings / location to limit to an acceptable range

for my situation at home, someone would have to break into the back garden or the house itself and have the time / effort to crack the AP - sure it could happen but i'm going to live with that level defence

i also use a Bluetooth Access point whose range is much more limited than WiFi - but that may be more of an issue depending on the area you want to cover

BrianG

flywheel

Originally posted by Boston
whats the story with bluetooth, from what i can see its slower and more expensive, but response times are faster. why do people use it.

bluetooth access point:

- doesn't drain my pda's battery like wifi

- the belkin one i use allows me to share the usb printer with all the windows computers in the house

Boston

hmm if i bought a usb printer, and a usb wifi network adaptor, could i share it will all pc's in that fashion? just i find the printer a bit of a pain

flywheel

Originally posted by Boston
hmm if i bought a usb printer, and a usb wifi network adaptor, could i share it will all pc's in that fashion? just i find the printer a bit of a pain

afraid not - the printer wouldn't know what to do with it and the adapter wouldn't have the tech in to to act as a server

there are WiFi access points with USB ports to share printers... and alternatively this is the most compact option I've seen from D-Link DP-311P for parallel/centronix port printers

BrianG

Capt'n Midnight

ie. they only work when conected to something intelligent.

If the printer has a NIC or you have a jetdirect box you could use a Ethernet Converter to print wirelessly.


Security:
WiFi is just as secure as connecting to the internet
though eavesdroping on the traffic is a little easier - unlike the intenet eavesdroppers have to be physically close.

If your machine is important to you
I take it
-You do have a firewall
-You have patched windows / IE again THIS WEEK (another 3 big patches)
- you have blocked all shares and turned off all unneeded services and set access on all relevant folders....

'cos if you haven't already done the above there is no point in locking the back door when the windows are open....

quozl

Originally posted by DubWireless

for my situation at home, someone would have to break into the back garden or the house itself and have the time / effort to crack the AP - sure it could happen but i'm going to live with that level defence

Or they could just use a moderate gain directional antenna, like the 16db yagi I have on the table beside me And get a better signal to your network from across the road than you do in the same room.

AP placement is a good idea, but just like wep and mac filtering it's only a mild deterrant.

Something like ipsec is a serious deterrent.

Greg

crowbar

Originally posted by quozl
Or they could just use a moderate gain directional antenna, like the 16db yagi I have on the table beside me

that sounds amazing! so a good directional antenna boost both the received and the transmitted signals, even when talking to the crappy omni antenna on the ap? are you not still dependent on the power level that the ap is transmitting at?

flywheel

Originally posted by quozl
AP placement is a good idea, but just like wep and mac filtering it's only a mild deterrant

i realise anyone determined enough to break in to use my internet connection would be able to - or they could travel a little further around the corner and find a wide open one

i'm happy with the steps i've taken - which pretty much follows along the point you made originally about the effort(/time/cost) involved being proportional to the chances / cost of being broken into

if the internet connection was that important to secure i'd lay cable

Originally posted by quozl

Something like ipsec is a serious deterrent.

that and other possibilities are also listed in the tutorial above

BrianG

Rew

Originally posted by crowbar
that sounds amazing! so a good directional antenna boost both the received and the transmitted signals, even when talking to the crappy omni antenna on the ap? are you not still dependent on the power level that the ap is transmitting at?

Iv used directional antennas to get a signal from an AP where prevviously i couldn't.

With a mag mount antenna u could get signal from the road outside my bedroom but with a standard card no anteena u couldn't get anything evenin my bed room (AP in the Hall and the walls are reinforced with steel)