
How do I secure my wireless network?

blstriker

Golden Member
I just got a Linksys WAP 11 and it works great, however, it seems pretty insecure to me. My question is how do I make this network secure?

1. It seems like anybody inside my range can get access to the SNMP configuration panel. How do I block access to this?

2. How do I protect my network from war driving and netstumbling my network?

3. Will the MAC address specific permissions block people from going into the SNMP control panel?

4. How do I change the default password of the WAP 11?

5. With WEP disabled, how easy is it to crack into my network?

6. Does WEP prevent people from getting free access or does it prevent them from looking into the wireless data stream?

I know the questions are redundant, but this really worries me.

Thanks!

 
Well, it used to be that the SSID would keep most folk from tapping the segment without a little work, but on my laptop with XP, after it comes up, it asks if "XXXX" is the segment I'd like to connect to....so SSID is now just for a segment ID (I mean, it always was, but other folks would have to guess it).

With WEP disabled, pretty much anyone can connect to your system...i.e., if they can see it, they can connect to it. XP will offer it up without even asking for it. I have wireless at home and at work, it gives me a list and asks which one I want....

With WEP enabled, they won't become "associated," and cannot get to any part of the wireless system. Even the 40 bit encryption is fairly strong against all but the hard-core. 128bit is obviously better, but if the hacker knows how to do 40 bit cracks, chances are they'll know 128bit cracks as well...it just (usually) takes longer. Unfortunately, it's a predictable system, so once it's broken, it's wide open (until you change the key(s)). The cracks produce the key...they connect just like anyone else. Some wireless let you view connected users, some wireless will let you limit access by MAC address (in addition to the SSID and WEP).

If the wireless system is going into a business, it's recommended that it be located external to the production net, with a VPN through the firewall (adding an additional layer of much stronger encryption).


Convenience has its risks, I guess.

FWIW

Scott
 
Sorry ScottMac, but there are automated tools out there to crack this poor excuse for encryption. Of course, doing this requires a certain chipset for the wireless card... But it happens to be a cheap card.

Make sure you only allow certain MAC addresses to connect to your network. Also, use the encryption, some people don't know how to break it yet (although I can't imagine many). Make sure you keep up on all your patches, and do outbound filtering on your internet connection.
 
Thanks for the info, it's very helpful. Like you said, the SSID doesn't seem to be very useful since my wireless card automatically detects the SSID. What is the point of that! This means the only barriers left would be WEP or MAC addresses. Wow..

Thanks again,

 
"Like you said, the SSID doesn't seem to be very useful since my wireless card automatically detects the SSID"

"but on my laptop with XP, after it comes up, it asks if "XXXX" is the segment I'd like to connect to"

All of that is because "broadcast SSID" is on. It's used as a tool in case you forget your SSID or something like that. At least that's the best thing I can think of. Always been a mystery to me. Can't speak to the consumer-based 802.11b products but on a corporate AP you can turn this "feature" off.
 
The Hacking thing is a probability issue.

The famous Wireless Tapping experiments were done in NYC in the business district. They built a special detection system, and they knew that they were going to get something because in the area where they did it there are many Wireless Corp. A/Ps.

Entry level Wireless is pretty limited in distance and strength. In a close environment you lose the signal very fast. If you use MAC addresses, casual listeners will not pick up the signal.

If somebody made up his mind to hack you, they can, but with the same effort (or less), they can hack your Internet server that you leave via DSL or Cable (as described on your site).
 
I recall reading an issue of UK PC Format (maybe PC Pro, actually, I'm not sure) where they were reporting on going around London with a laptop with a wireless network card and getting straight into various companies' networks, with full access. The exercise was repeated on some TV show we have, I think it was the Mark Thomas show. The mag mentioned above did it after getting a few letters about people installing their wireless card and finding immediately they could access a neighbour's system (they lived in an apartment), some of them laughing about the amount of porn their seemingly 'good people' neighbours had.

From what I read (hazy in memory) there's some steps to take but they'll only stop the accidental breaches, not anybody determined. However, consider that essentially the same applies to your internet connection - although it's easier to specifically target an individual/company with the wireless network security joke.

The only way to stop unauthorised access is either a LAN with no connection to the outside world and pretty sturdy doors, or an encryption program called Pretty Good Privacy, which only protects your files from prying eyes, not preventing them from being deleted etc. There's also a program called Magic Folders which will hide the folder's existence, there are other programs but MF is less well known so hackers look for it less... if you choose this then rename its own folder and .exe file, to make it harder to detect the program 🙂 Still doesn't stop people messing about with the rest of the system but it's protection for secret files.
 