Undesirables on network

[addylad]

Hi all

Unfortunately, there have been a few phones gaining access to my network which do not belong to us. I identified that there was an AP which was a bit vulnerable and have changed some settings to make it more difficult to gain access. I have also banned the MAC addresses of said phones. I will be changing from blacklist to whitelist, i.e. having a list of allowed MAC addresses on the network.

However, I'm pretty sure that MACs can be spoofed with relative ease, so I was wondering what I can do to make my network more secure. I used to have a network 'sniffer' and could monitor clients/connections on the network, but I can't remember what it was called.

I have a TP-Link VR900 router and a TP-Link WR702N AP.

Thanks in advance!

 

[ANDARIAL]

100 digit wireless password?
You know something with upper case,lower case numbers+symbols should do it

 

[addylad]

Well it seems odd, I've just changed the key to the AP I thought was the route of the issue, but there's a phone on here right now! Just looking at the main router now.

I think you're right though, stronger passwords needed!

 

[ANDARIAL]

Also change the router password to something stronger
Maybe run a AV scan on your pc.laptop etc incase of any nasties lurking and reading keystrokes etc

 

[randal]

WEP or WPA2? If the latter then time to bump it up to WPA2.

 

[ramdrive]

Update your routers firmware...

Also turn WPS off.

 

[Yaayuh!]

Decent password, WPA2, disable WPS and disable the SSID, that's all that should be required for the average joe.

 

[Caged]

As above, WPA2 with a decent passphrase and turn off WPS. Unless your network gear is fundamentally flawed then you either have a weak passphrase or someone is just telling people what it is.

 

[FerretBoy]

How are you identifying that it is on your network? I have seen windows report phones in the network screen, but they aren't actually on it.

 

[paradigm]

Assuming this is a business, auth by RADIUS (802.1x) rather than simple password.

 

[APM]

Turn broadcast SSID off?

People say it's not worth the effort but I say why not.

 

[matthab]

Do you have any unencrypted homeplugs?

I once witnessed 3 network become one when my neighbours did not set this up. Was quite amusing to fix.

 

[K.C. Leblanc]

Have you locked down the network settings on your laptop so people can't just go in a look at the wireless key?

 

[KIA]

How are you identifying that it is on your network? I have seen windows report phones in the network screen, but they aren't actually on it.

This.

 

[randal]

Do you have any unencrypted homeplugs?

I once witnessed 3 network become one when my neighbours did not set this up. Was quite amusing to fix.

Horrible things. I've seen them cause packet loss on an adjacent wired network, cause a server to periodically reboot, and my favourite was when the TV/Broadcast Licensing people showed up at my mate's house to infer that he was generating massive amounts of high frequency interference from his house. They unplugged the homeplugs and the guy down the end of the road got Radio 4 back.

 

[linktoinsanity]

Decent password, WPA2, disable WPS and disable the SSID, that's all that should be required for the average joe.

Mostly yes, but disabling your SSID is actually less secure.

Source 1: https://blogs.technet.microsoft.com/steriley/2007/10/16/myth-vs-reality-wireless-ssids/

Source 2: http://www.fixedbyvonnie.com/2014/08/3-reasons-why-hiding-wireless-ssid-bad-idea/#.Vyoh-n1-OHs

 

[APM]

MAC whitelisting is no good either because an address can be spoofed but ,again,it could be worthwhile doing.

 

[V F]

Mostly yes, but disabling your SSID is actually less secure.

I think it is better to have it visible so you can use some cracking names.

Skynet Global Defence Network
D-Fens
Router, I Hardly Know Her
Pretty Fly for a Wi-Fi
Police Surveillance