Wireless security

paulm17781

Hi All,

the thread about wireless security got me thinking. I have bought a wireless router (arrived today). I want to make it as secure as possible. I was thinking of restricting MAC addresses and using WEP. Is there anything else I should/could do for security? It is a Linksys WRT54GP2 does anyone know of anything extra it may have. I would also like to know holes in it's secuity (if the mods allow this) as I would like to make sure they aren't exploited, probably best to PM these to me.

Thanks,

Paul

carrotcake

rename the router's ssid and change the default password. i also manually assign ip addresses rather than dhcp, but for me that's more of a practical issue than a security one. either way, you need to know all the address info when connecting to the network

MrPudding

There are wayaround WEP, WPA and MAC address restrictions. The thing is is someone going to invest the time to crack your home connection?

I think that for the home user simple stuff like using WEP, MAC address filters and disabling DHCP should be enough for peace of mind. The WRT54GP2 also has IP access control whereby you can limit internet access to certain IP address during certain periods, you may be able to use this as an additional layer of protection. Nothing will stop someone determined to creak your network but it should deter casual leechers and scumbags that would like to steel access of you but lack the brains to do it.

I understand that WPA is better but I have not set it up. Has anyone here any experience of it?

MrPudding

carrotcake wrote:

rename the router's ssid and change the default password. i also manually assign ip addresses rather than dhcp, but for me that's more of a practical issue than a security one. either way, you need to know all the address info when connecting to the network

Actually yeah, I forgot those and it reminds me, disable SSID broadcast.

MrP

carrotcake

MrPudding wrote:

I understand that WPA is better but I have not set it up. Has anyone here any experience of it?

wpa gives me slower transfer speeds than wep (18mb out of 54), but i use it anyway. it doesn't make a difference for using the internet

MrPudding wrote:

Actually yeah, I forgot those and it reminds me, disable SSID broadcast.

i'd tried disabling ssid broadcast before, but my connection would drop quite often. is that a common thing, or just with me?

PixelTrawler

i use wpa with no problems...
do the above restrictions and also change your key once a month or so...

bk

1) Use WPA security

- Remember to use a good long Passphrase that isn't a word in the dictionary and is made up of random lower case letters, uppercase letters, numbers and symbols (+, *, etc.). It should be at least 20 characters long.

You can see very good examples here:
http://www.kurtm.net/wpa-pskgen/

2) Change the name of the SSID

- usually the SSID is some default which a hacker can easily check on the internet to get default passwords etc. So you will want to change the name to something completely different.

Don't use your own name or any way that might identify you or your house.

3) Disable the SSID broadcast

- This will make it harder for a cracker to connect to your wireless access point, however this sometimes might cause problems such as dropped packets, with certain operating systems, so try it, but you might need to re-enable it.

4) Use Mac address filtering

- Not difficult to crack, but makes things harder for a cracker, less experienced crackers would be defeated by this.

5) Change the default admin password on your router and make sure that your router admin panel is set so it can only be accessed through a physical ethernet connection (and therefore not through a wireless connection).

The WPA security is by far the most important step.

When you are setting these steps up, you should only try one step at a time and then add the next security feature, as sometimes these can cause problems.

Sam Vimes

carrotcake wrote:

wpa gives me slower transfer speeds than wep (18mb out of 54), but i use it anyway. it doesn't make a difference for using the internet

i'd tried disabling ssid broadcast before, but my connection would drop quite often. is that a common thing, or just with me?

me too. if i disable ssid broadcast the wireless adapter always picks up my neighbours network. which would be ok except they have wep enabled

jor el

Some practical, non security type, tips.

I'd guess that switching off the router when it's not in use, may also help. If it takes several hours to crack the encryption key, then the cracker may not have enough time if you switch off the router. I'd imagine that he'd have to start over the next time it's on.

Also, if the router is continuously being switched on and off, the leecher will have a very intermittant connection and won't know at what times it might be on. This may deter them a bit more.

Apart from that, do as bk says.

paulm17781

Thanks people. I appreciate this.

I figure an experienced person will be able to get around it I want to stop the likes of the posted in another thread. I can get man (7 or 8) wireless signals in my apartment, only two are secure. I would think that people will go for one of the unsecure, I just want to do my best to prevent any else.

paulm17781

jor el wrote:

Some practical, non security type, tips.

I'd guess that switching off the router when it's not in use, <snip>

I thought of that however it is an ATA too.

jor el

Ah, not much help to you so.

Where did you get it anyway? Looks like a decent ATA and router, might invest in one if I decide to go down the VOIP route. Since my current phone call bill stands at around €1.50 for two months, it's probably not necessary.

bk

paulm17781 wrote:

Thanks people. I appreciate this.

I figure an experienced person will be able to get around it I want to stop the likes of the posted in another thread. I can get man (7 or 8) wireless signals in my apartment, only two are secure. I would think that people will go for one of the unsecure, I just want to do my best to prevent any else.

Yes that is very true, a thief will always go for the easy option, the trick is to always make yourself harder to break into then your neighbours. This is true for all computer security (and household sceurity also), not just wireless. There is no such thing as perfect security, you can only make it hard on a thief and hope they won't bother.

BTW If you use WPA with a really good, long passphrase, it is currently impossible to crack it. It can only be cracked if you use a short passphrase or a weak password (like words from a dictionary, etc.).

WEP on the other hand is a fundamentally flawed protocol, which was badly designed and can be very easily broken without much effort.

skywalker

bk wrote:

make sure that your router admin panel is et so it can only be accessed through a physical ethernet connection (and therefore not through a wireless conenction).

Ive never heard of doing that before, how do you go about that?

Ringo6

Got this in an email, not sure how good it is as I don't have a wireless router.

http://www.connectedhomemag.com/HomeControls/Articles/Index.cfm?ArticleID=49176

jor el

skywalker wrote:

Ive never heard of doing that before, how do you go about that?

Probably depends on your router. There should be an option to allow configuration through the physical ethernet connection only, and not through the wireless connection. It's probably in the security section.

That looks like a pretty decent tutorial there too Ringo6. Explains the difference between WEP and WPA and also that you should change the router's address, SSID, stop SSID broadcast, etc. Worth bookmarking.

paulm17781

jor el wrote:

Where did you get it anyway? Looks like a decent ATA and router, might invest in one if I decide to go down the VOIP route. Since my current phone call bill stands at around €1.50 for two months, it's probably not necessary.

I bought it from Blueface (http://www.blueface.ie). Once I got cable the landline was costing me about €30 p/m (only about 6 for calls) so voip was an ideal way to keep it and my number.

Bk, what is a long passphrase, I always use alphanumerics but I am not sure what it 'long'.

Cheers.

parsi

jor el wrote:

Probably depends on your router. There should be an option to allow configuration through the physical ethernet connection only, and not through the wireless connection. It's probably in the security section.

The Linksys WAG54g didn't explicityly have it - but after the most recent firmware it seemed to have been applied. The WAG54gx2 has it as an option alright.

bk

paulm17781 wrote:

Bk, what is a long passphrase, I always use alphanumerics but I am not sure what it 'long'.

At least 20 characters, with random letters, numbers and characters.
WPA can go up to a maximum of 63 characters.

See here for examples of really good passphrases:
http://www.kurtm.net/wpa-pskgen/

BTW Remember, unlike what you have been told in the past, it is ok to write down the passphrase, as long as you keep it somewhere safe (e.g. a safe in your bedroom, etc.)

A very hard to crack passphrase written down is better then a weak passphrase in your memory.

shltter

paulm17781 wrote:

Bk, what is a long passphrase, I always use alphanumerics but I am not sure what it 'long'.

Cheers.

https://www.grc.com/password

it is a password generator click refresh to generate a new password

paulm17781

Hi all,

I have done just about everything mentioned and I would think it is as safe as it will get now.

Thanks for you help,

Paul

Duiske

bk wrote:

1) Use WPA security

- Remember to use a good long Passphrase that isn't a word in the dictionary and is made up of random lower case letters, uppercase letters, numbers and sumbols (+, *, etc.)

2) Change the name of the SSID

- usually the SSID is some default which a hacker can easily check on the internet to get default passwords etc. So wyou will want to change the name to something completely different.

Don't use your own name or anyway that might identify you or your house.

3) Disable the SSID broadcast

- This doesn't always work, I find some OS's have problems connected to networks with the SSID disabled.

4) Use Mac address filterting

- Not difficult to break, but makes things harder for a cracker, less experienced crackers would be defiated by it.

5) Change the default admin password on your router and make sure that your router admin panel is et so it can only be accessed through a physical ethernet connection (and therefore not through a wireless conenction).

The WPA security is by far the most important thing to do.

When you are setting these steps up, you should only try one thing at a time and then add the next security feature as sometimes these can cause problems.

I think the above post should be sticky(ed). It might be common knowledge to a lot of people, but to the less tech savvy (including myself) it could be very useful.

paulm17781

Duiske_Lad wrote:

I think the above post should be sticky(ed). It might be common knowledge to a lot of people, but to the less tech savvy (including myself) it could be very useful.

I would consider myself very tech savvy but I knew nothing about wireless security. I think that post would be good for anyone who comes here. Maybe add that leeching is illegal.....

skywalker

I was looking at that same WRT54GP2 from blueface myself, paul could you tell me whether that replaces your modem or do you still need to use a modem with it?