Wireless security

sdfuk · 8 Apr 2006 at 15:24

Hi

Just about to install my router (Linksys WAG54GX2). It will be "wired" to my main PC but wireless for the wife's laptop.

Here are a list of the main security issues that I have found to put in place.

Have I covered everything? Please let me know if there are any other issues?

Thanks S......

1) Don't use TCP/IP for File and Printer sharing!
2) Follow secure file-sharing practices
Share only what you need to share (think Folders, not entire hard drives)
Password protect anything that is shared with a strong password.
3) Turn on (Compatible) WPA / WEP Encryption
6) Secure your wireless router / Access Point (AP)
7) Disallow router/ AP administration via wireless
8) Use MAC address based Access and Association control
9) Don't send the ESSID
10) Don't accept "ANY" ESSID
11) Use VPN
12) Change the Default Administrator Password:

I also found the following:

1.Assign Static IP Addresses to Devices

Most home networkers grativate toward using dynamic IP addresses. DHCP technology is indeed quick and easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from a network's DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range, then set each connected device to match. Use a private IP range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.

Clarkey · 8 Apr 2006 at 16:40

thats pretty over the top if you ask me. WPA, MAC filtering and hidden SSID is enough tbh unless you have a serious case of paranoia.

sdfuk · 9 Apr 2006 at 20:06

Ok, Cheers

The list was just what I found off the internet/magazines.

Will do those 3

Thanks
S

Fred · 9 Apr 2006 at 20:56

Isn't just MAC filtering and hidden SSID enough?

Thats all I'm runing on my network at atm.

OllyM · 9 Apr 2006 at 20:59

No, MAC address filtering and hiding your SSID is absolutely useless. You may as well leave it wide open.

I don't bother doing either to my network, I just use WPA with a decent password.

Your SSID can be picked up by Kismet in seconds, it makes it more difficult to set up new computers, it actually breaks the wifi standard and it can mean other people can't see your network so will set theirs up on the same channel, causing inteference. Don't do it!

MAC address filtering is also a waste of time. Your network is unencrypted, your MAC address is sent with every wireless packet sent and received. It doesn't take long to pick one up and spoof it. Bingo, you're connected.

Fred · 9 Apr 2006 at 21:05

Damn

Looks like I need to revise my setup, although to be honest, I live in a dead end street with only one neighbour either side that would pick up any signal.

Still....WPA it is

Thanks for the info OllyM :cool:

E1mo · 9 Apr 2006 at 21:17

Definitely go with WPA or WPA2 if possible. Drop back to WEP if you have problems with any of your wireless clients connecting, its a lot better than nothing.

#Chri5# · 9 Apr 2006 at 21:25

Clarkey said:
thats pretty over the top if you ask me. WPA, MAC filtering and hidden SSID is enough tbh unless you have a serious case of paranoia.

Advanced paranoia here - IPSEC VPN with AES for wireless clients

Fred · 9 Apr 2006 at 21:49

Just tried WPA and managed to lock myself out the router :confused:

Seemed to connect then drop....just continuously kept connecting then dropping.

Thought I'd screwed up the key...reset router...setup router...same thing happened :confused:

Back to Hidden SSID, and MAC filtering atm....will try WEP next time.

OllyM · 9 Apr 2006 at 21:49

#Chri5# said:
Advanced paranoia here - IPSEC VPN with AES for wireless clients

Wow, that's slightly over the top.

I'll VPN back to the office if I'm using an unsecured WiFi connection out and about though (i.e. a BTOpenzone hotspot), as obviously it's encrypted then. Plus I get a proper public IP address without any port blocks, and can relay email etc. as normal.

aaazza · 9 Apr 2006 at 22:55

Fred said:
Just tried WPA and managed to lock myself out the router

Seemed to connect then drop....just continuously kept connecting then dropping.

Thought I'd screwed up the key...reset router...setup router...same thing happened

That's why I don't use wireless at the moment

aaazza

#Chri5# · 10 Apr 2006 at 11:27

OllyM said:
Wow, that's slightly over the top.

I'll VPN back to the office if I'm using an unsecured WiFi connection out and about though (i.e. a BTOpenzone hotspot), as obviously it's encrypted then. Plus I get a proper public IP address without any port blocks, and can relay email etc. as normal.

Belt and braces I know, but given it's all done in hardware by my firewall / WLAN box of tricks (a SonicWall TZ150W), it'd be rude not to use it properly.

To the outside world it looks like an unsecured WLAN. You can associate, and get assigned an IP (from a totally different range that my LAN uses). However, without the VPN client and the IPSEC PSK, you won't get anywhere.

OllyM · 10 Apr 2006 at 11:29

I guess I'll let you off then

You should get it to redirect any HTTP requests to a page telling them that using WiFi connections without permission is illegal, and that their details have been logged. Sure that'd be fun.

It's certainly the most effective WiFi encryption, anyway!

Skilldibop · 10 Apr 2006 at 11:38

Sonicwall for the win. Shame the VPN client won't do IPX properly

Else it'd be perfect.

Though give it credit, i have no idea whether you can actually do IPX over an IP based VPN....probably not thinking about it.

Mr Blonde · 10 Apr 2006 at 12:54

A few extra things I've always done apart from using WPA with a long random passphrase..

1. Turn down the antenna power output of the router/access point so it just covers your own network. Stops most neighbours from having a casual look.
2. Change the Admin logon password on the router/access point.
3. If all of your wireless equipment is 802.11g compliant then turn off access to 802.11b components - make it a g mode only network.
*A lot of promiscuous mode equipment is b mode, thus stopping unauthorised access on this front.

Something I heard but I don't know whether it works is to use mac address filtering. Then set your subnet mask to 255.255.255.248 (gives 6 addresses) and assign any extra unused IP addresses to non-existent mac addresses. So there's no free IP addresses for anyone to hijack even if they knew the network existed.
Is this flawed or does it work?

GuruJockStrap · 10 Apr 2006 at 13:25

Mr Blonde said:
Something I heard but I don't know whether it works is to use mac address filtering. Then set your subnet mask to 255.255.255.248 (gives 6 addresses) and assign any extra unused IP addresses to non-existent mac addresses. So there's no free IP addresses for anyone to hijack even if they knew the network existed.
Is this flawed or does it work?

Won't work as you can use a program like Net Stumbler to identify the MAC addresses of PC's connected to an access point and then another peice software to clone one of those MAC addresses I believe.

WPA encryption has yet to be cracked (tell a lie, it has but with a key of under 20 charcters).

Go here: http://www.yellowpipe.com/yis/tools/WPA_key/generator.php

And generate a maximum security, 63 character key.

Use WPA AES or TKIP. Theres also WPA2 if you've got the hardware to support it. AES is regarded as more secure than TKIP but both offer far superior security than WEP.

Should provide more than enough security for a home LAN and far superior to WEP.

GuruJockStrap · 10 Apr 2006 at 13:34

Fred said:
Just tried WPA and managed to lock myself out the router

Seemed to connect then drop....just continuously kept connecting then dropping.

Thought I'd screwed up the key...reset router...setup router...same thing happened

Back to Hidden SSID, and MAC filtering atm....will try WEP next time.

I've just had this problem and managed to fix it. Using WPA2 AES.

Are you using Windows to manage the wireless connection or the software that comes with your wireless adapter?

Mr Blonde · 10 Apr 2006 at 13:44

GuruJockStrap said:
Won't work as you can use a program like Net Stumbler to identify the MAC addresses of PC's connected to an access point and then another peice software to clone one of those MAC addresses I believe.

Even with a spoofed mac address would they still be able to gain access if all of the available IP addresses on the network are already assigned, or wouldn't the router/ap be able to distinguish between them and so allow access?

#Chri5# · 10 Apr 2006 at 22:14

OllyM said:
I guess I'll let you off then

You should get it to redirect any HTTP requests to a page telling them that using WiFi connections without permission is illegal, and that their details have been logged. Sure that'd be fun.

It's certainly the most effective WiFi encryption, anyway!

It his Wireless Guest Services built in, so if somebody without the VPN client installed tries to access the Web via your WiFi, there's a whole raft of options you can set. Custom login page isn't a problem. More here if you're having a dull day at work tomorrow

Fred · 11 Apr 2006 at 13:38

GuruJockStrap said:
I've just had this problem and managed to fix it. Using WPA2 AES.

Are you using Windows to manage the wireless connection or the software that comes with your wireless adapter?

I'm currently using the software that came with the adapter (Netgear WPN111 usb with a Netgear DG834PN (if i remember rightly) router).