Securing a wireless network?

BCYL

I just set up my 802.11g router at home for use with my laptop... Now what do I need to do to secure this network?

I have set up 128-bit WEP and disabled broadcasting of my SSID... Is that enough? What else do I need to do?
 

gunrunnerjohn

One other thing that's easy to do, and provides another small barrier, is to restrict the connections to specific MAC addresses. Since WEP is not all that secure, I'd plan on rotating the WEP keys every couple of weeks at least, to keep the hackers off balance. ;)
 

InlineFive

You can't truly secure wireless. Turning on WEP and MAC is like building walls of marshmallows to keep people out. I have some l337 hackers by my house who hacked my router multiple times with all that stuff turned on. So I just leave WiFi off...

-Por
 

gunrunnerjohn

Well, if you need wireless capability, your solution really doesn't solve the problem.
Also, your experience is not typical, though certainly possible. Most folks don't have a bunch of hackers just waiting to crack their WEP encryption. In addition, the speed you can crack it depends on the amount of traffic. If there's not significant traffic, it takes days to develop the 128-bit WEP key from the traffic.

We're talking about different techniques to minimize the risk, we all know that wireless networks are crackable if you're determined enough.
 

EmMayEx

I've been looking at using something like FreeSwan to run a Linux gateway/firewall box that is connected to a wireless router. This allows you to set up an IPSec VPN which most wireless routers will cooperate with. If your wireless clients are Win2K or WinXP machines then they have IPSec software that can be enabled. For Win98 I think there is an IPSec update that can be applied. Then you should be able to exchange packets across the wireless network through secure tunnels (triple DES is the usual option).

In theory this looks great but in practice it appears to be challenging to set up. I haven't had time to try it yet, I'm still in the reading and learning stages. This should offer wireless security that is about as good as you could hope for with reasonable current technology and it certainly moves the weak link in the security chain away from the wireless portion of the network as long as you aren't careless with key distribution.

Max L.
 

JackMDS

The security of Wireless became a Topic that provides people that enjoy Paranoia a new way to exercise their issues.

The negative approach used by people with Paranoid traits is similar to:

Do not leave your House you might have an Accident.

Do not eat out you might get food poisoning.

Do not buy a Car it might be stolen.

If for some reason you are using the Wireless for very sensitive work and it is known and desirable to very Hi Priced Paid Hackers. Do not use Wireless.

Otherwise the combo of means already mentioned above will protect you very well.
 

BCYL

Thanks for all the replies, guys! Much appreciated!

I have since turned on MAC address Filtering as well... I think this should be enough for my everyday usage... I'm not doing anything sensitive wirelessly anyways, just normal web surfing, email etc...
 

SaigonK

I don't think people understand the amount of traffic you have to pass just to get a single WEP key. It isn't like you open a laptop up and instantly turn on some software and break it.
It takes tons of uninterrupted data to do it...so don't panic because someone tells you that you are using WEP and it is weak.

Now this doesn't mean you shouldn't protect yourself. Short of a VPN over wireless solution, no current solution is the best. If you can do rotating keys, WPA, etc., then that would be plenty.
WEP and MAC restriction should be fine...just try and notice the kid with the omni-directional pointing at your house....
 

JackMDS

Originally posted by: SaigonK
I don't think people understand the amount of traffic you have to pass just to get a single WEP key. It isn't like you open a laptop up and instantly turn on some software and break it.
It takes tons of uninterrupted data to do it...so don't panic because someone tells you that you are using WEP and it is weak.

Absolutely Right.

I think that the way to look at it is like you look at Fashion. It goes away after a few months.

Last year most repetitive Posts were about "What is the Best Router". Took hundreds of It "Does Not matter" responses, in combination with the Rock bottom prices, and this kind of question almost disappeared.

In a few months from now the "Jingle" about the "Terribly" unsafe Secured Wireless will disappear too.
 

Boscoh

128-bit WEP (use multiple rotating keys if possible)
Disable SSID broadcast
Use MAC-filtering
If possible, lower your power output for the radio to cover only the area you need
If you use only G, disable the B compatibility in your router. This will not only keep out B clients from trying to break in, but it will also keep them from possibly associating (not yet authenticating) and dropping your wireless speed down to B levels. I don't know if the wireless drops to B once the client is authenticated or if it drops to B once it's merely connected to the AP. But, a B client on your G network will drop your speeds either to B or to a mixed-mode which is around 15mbps.

I'd also secure the wireless using IPSec. To do this you're going to need a non-wireless router (unless your wireless router can accept VPN connections) which can accept VPN connections, you could set up a Linux box to do this I suppose. Basically the easiest way to set this up is to statically assign the IP of the wireless router and write an access-list on the non-wireless router (or Linux box) to deny any IP data trying to come from the IP of the wireless router but accept IPSec. The wireless router is going to try to NAT/PAT any wireless clients through whatever IP you have assigned the WAN interface. What will happen is that any clients who are not connected via VPN are going to get denied by the access-list on the non-wireless router, but since IPSec is allowed it's going to be allowed through so that VPN-connected clients can get to the Internet. At that point, an attacker is going to have to brute force your IPSec encryption and figure out your keys. As long as you use something stronger than DES (like 3DES or AES) then you'll be fine.

Personally, I set my wireless up this way and am using 256-bit AES, my IPSec keys change every 15 minutes. There isn't a single laptop or desktop out there that can brute force every possible key to 256-bit AES in 15 minutes. So unless they get lucky and guess my key correctly, they aren't getting in. If they do guess it, they have 15 minutes (or however long until the next key change) to use the Internet, get past my personal firewalls on my systems and attack them, or do whatever they want to do until the key changes and they have to start all over again. They more than likely won't guess it correctly the second time.

You are never going to keep someone from breaking WEP, IPSec, spoofing MAC addresses, or any of that stuff. You just won't. The point of encryption and the point of doing all this stuff is to make it so time-consuming, so inconvenient, and so frustrating that they just give up and don't even try. If I spent all this time breaking into someone with the above setup, got in, and the key changed on me 8 minutes later, I'd be pissed off. In fact, if I saw someone was using WEP I probably wouldn't even bother with it, I'd just drive a few miles down the road and find someone who wasn't. That's the effect you're trying to create.
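
One way to express the access-list Boscoh describes on a Linux gateway, as an added example that is not part of the original post: a shell function that prints an iptables ruleset admitting only IKE and ESP from the wireless router and forwarding only traffic that arrived through IPsec. The router address, the interface name `eth1` and the function names are assumptions.

```shell
#!/bin/sh
# Added example. ROUTER_IP (the wireless router's WAN-side address) and
# WLAN_IF (the gateway interface facing it) are assumptions, not from the thread.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules ROUTER_IP [WLAN_IF]: print an iptables-restore ruleset on stdout.
gen_rules() {
    router_ip=$1
    wlan_if=${2:-eth1}
    valid_ipv4 "$router_ip" || { echo "bad address: $router_ip" >&2; return 1; }
    case "$wlan_if" in
        *[!A-Za-z0-9_.-]*) echo "bad interface: $wlan_if" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# IKE, plus NAT-T (UDP 4500) because the wireless router NATs its clients
-A INPUT -i $wlan_if -s $router_ip -p udp --dport 500 -j ACCEPT
-A INPUT -i $wlan_if -s $router_ip -p udp --dport 4500 -j ACCEPT
# Native ESP, used when no NAT is detected on the path
-A INPUT -i $wlan_if -s $router_ip -p esp -j ACCEPT
# Anything else arriving from the wireless side is refused
-A INPUT -i $wlan_if -j DROP
# Route onward only packets that arrived through an IPsec tunnel
-A FORWARD -i $wlan_if -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i $wlan_if -j DROP
COMMIT
EOF
}
```

Check the output with `gen_rules 192.168.1.2 eth1 | iptables-restore --test` before loading it; the address is a constructed sample. Loading without `--noflush` replaces the existing filter table.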
 

PlatinumGold

Originally posted by: PorBleemo
You can't truly secure wireless. Turning on WEP and MAC is like building walls of marshmallows to keep people out. I have some l337 hackers by my house who hacked my router multiple times with all that stuff turned on. So I just leave WiFi off...

-Por

and you probably just leave the doors unlocked on your car and the keys in the ignition right??


something is better, no matter how weak, than nothing. locking the car doors, tho relatively ineffective will prevent the joy riders.

btw, NOTHING is truly secure, ANYTHING can be broken into, so should we ALL drop the pretense of security??
 

Rainsford

Originally posted by: Boscoh
128-bit WEP (use multiple rotating keys if possible)
Disable SSID broadcast
Use MAC-filtering
If possible, lower your power output for the radio to cover only the area you need
If you use only G, disable the B compatibility in your router. This will not only keep out B clients from trying to break in, but it will also keep them from possibly associating (not yet authenticating) and dropping your wireless speed down to B levels. I don't know if the wireless drops to B once the client is authenticated or if it drops to B once it's merely connected to the AP. But, a B client on your G network will drop your speeds either to B or to a mixed-mode which is around 15mbps.

I'd also secure the wireless using IPSec. To do this you're going to need a non-wireless router (unless your wireless router can accept VPN connections) which can accept VPN connections, you could set up a Linux box to do this I suppose. Basically the easiest way to set this up is to statically assign the IP of the wireless router and write an access-list on the non-wireless router (or Linux box) to deny any IP data trying to come from the IP of the wireless router but accept IPSec. The wireless router is going to try to NAT/PAT any wireless clients through whatever IP you have assigned the WAN interface. What will happen is that any clients who are not connected via VPN are going to get denied by the access-list on the non-wireless router, but since IPSec is allowed it's going to be allowed through so that VPN-connected clients can get to the Internet. At that point, an attacker is going to have to brute force your IPSec encryption and figure out your keys. As long as you use something stronger than DES (like 3DES or AES) then you'll be fine.

Personally, I set my wireless up this way and am using 256-bit AES, my IPSec keys change every 15 minutes. There isn't a single laptop or desktop out there that can brute force every possible key to 256-bit AES in 15 minutes. So unless they get lucky and guess my key correctly, they aren't getting in. If they do guess it, they have 15 minutes (or however long until the next key change) to use the Internet, get past my personal firewalls on my systems and attack them, or do whatever they want to do until the key changes and they have to start all over again. They more than likely won't guess it correctly the second time.

You are never going to keep someone from breaking WEP, IPSec, spoofing MAC addresses, or any of that stuff. You just won't. The point of encryption and the point of doing all this stuff is to make it so time-consuming, so inconvenient, and so frustrating that they just give up and don't even try. If I spent all this time breaking into someone with the above setup, got in, and the key changed on me 8 minutes later, I'd be pissed off. In fact, if I saw someone was using WEP I probably wouldn't even bother with it, I'd just drive a few miles down the road and find someone who wasn't. That's the effect you're trying to create.

Not a bad idea at all. However, I think I should point out that newer wireless hardware supports WPA using either TKIP or AES. TKIP fixes the WEP problem of rotating keys by having a base key and then creating a new key at a preset time interval. The thing is, it coordinates that so you don't have to worry about it. I have mine set to create a new key every hour, which doesn't give anyone near enough data to try and crack the key (especially since TKIP fixes several WEP flaws). I would use AES but while my AP supports it, my wireless card in my laptop doesn't. Fortunately it's only a b card anyways, so I have an excuse to upgrade :D Sure, it's not perfectly secure, but as Boscoh said, the idea is to make it as difficult as possible so no one makes the effort. Now if I was setting this up for the government I might be a little more paranoid, but who would target my network in particular?