The "best" but oftenly overlooked security feature of Wireless 802.11B---

GprophetB · Nov 9, 2003

Hey fellow ATers,

(lengthy but please read)

Im writing this topic to find out opinions from other wireless users and their view on secure wireless use. I recently bought a Linksys wireless 4 port in one router. Version 4 btw, anyways i have been having problems every since i bought the thing. The pinnacle of the problems being my XP machines obtaining an IP address when their wireless cards were disabled then enabled.

I googled and searched and searched for answers, and at the end of the rubble i found the "latest and greatest" firmware upgrade for my specific router. I ftp'd it and everything went fine, reconfigured everything and while i was doing this i said to my self...

my other computers are having problems "authenticating the WEP key" so basically i said screw this wep key im gonna cut out the middle man and just "filter" my 3 wireless machines MAC addresses so that only my router would sent packets to those 3 MACs... after i did that and got the 3 machines going with no problem i wondered why i even bothered with WEP keys and changing the default channel (which i did anyways).

Now my question for you guys is simple

1.what (if any or all) security measures do you take with your wireless router?

2.Have you heard or know of any way around the MAC filtering (*assuming you set your router password as your own unique password)

3.After thinking of my problem(s) and how i solved them and how i secured them, are you going to install/configure future wireless projects differently in the future

Thanks for your time and interest

SaigonK · Nov 9, 2003

Originally posted by: GprophetB
Hey fellow ATers, (lengthy but please read) Im writing this topic to find out opinions from other wireless users and their view on secure wireless use. I recently bought a Linksys wireless 4 port in one router. Version 4 btw, anyways i have been having problems every since i bought the thing. The pinnacle of the problems being my XP machines obtaining an IP address when their wireless cards were disabled then enabled. I googled and searched and searched for answers, and at the end of the rubble i found the "latest and greatest" firmware upgrade for my specific router. I ftp'd it and everything went fine, reconfigured everything and while i was doing this i said to my self... my other computers are having problems "authenticating the WEP key" so basically i said screw this wep key im gonna cut out the middle man and just "filter" my 3 wireless machines MAC addresses so that only my router would sent packets to those 3 MACs... after i did that and got the 3 machines going with no problem i wondered why i even bothered with WEP keys and changing the default channel (which i did anyways). Now my question for you guys is simple 1.what (if any or all) security measures do you take with your wireless router? 2.Have you heard or know of any way around the MAC filtering (*assuming you set your router password as your own unique password) 3.After thinking of my problem(s) and how i solved them and how i secured them, are you going to install/configure future wireless projects differently in the future Thanks for your time and interest

MAC address security is as simple as WEP, you shoudl really use both. Now that your packets are open entirely, I can see what host they come from and what that MAC address is, I can then spoof it to get on.

GprophetB · Nov 9, 2003

Wow, exactly what i was looking for. Thanks for the input that is a very good point that not everyone (including me lol) would thinkg of.

Another question that is a simple one at that, if i apply a WEP right now, do i have to go around to all 3 of my machines and reconfig that part of them, or will they stay on the network?

All other comments/opinions wanted

thanks-

GB

JackMDS · Nov 9, 2003

Link to: Wireless Security for the Home User.

SaigonK · Nov 9, 2003

You need to reconfigure tham all.

Here are things to try out:

MAC address restricitons
WEP encryption - 128 bit.
Turn off DHCP and use static IP's
If you have the option in your router, assign a MAC address to a specific IP.

You have to push a TON of data to break wep, it isnt done by just sniffing 1 or 2 meg of traffic.
For business i use VPN exclusivley or SSL, depends upon the application and what i need to do.

BlitzRommel · Nov 11, 2003

Sometimes the best security is to keep your wireless network OUTSIDE of your wired network.

JackMDS · Nov 11, 2003

Originally posted by: BlitzRommel
Sometimes the best security is to keep your wireless network OUTSIDE of your wired network.

Hmm? Network? I thought it means together, not outcast.

Matthias99 · Nov 11, 2003

The idea is that, if you don't need the wireless and wired computers to talk to each other (like you just want the wireless for web access, and can plug the system in to transfer files, etc.), then it makes sense to make it so they *can't* talk to each other. This prevents someone from hacking into your wired systems by using the wireless connection.

chsh1ca · Nov 11, 2003

After reading up on how simple it can be to take an app like Netstumbler and successfully go wardriving, I'm beginning to think that Wireless Security is an oxymoron.

Anyway, Mac spoofing is relatively simple, and you should definitely take the approach that any wired network is more trustworthy than a wireless network.

skyking · Nov 11, 2003

Originally posted by: Matthias99
The idea is that, if you don't need the wireless and wired computers to talk to each other (like you just want the wireless for web access, and can plug the system in to transfer files, etc.), then it makes sense to make it so they *can't* talk to each other. This prevents someone from hacking into your wired systems by using the wireless connection.

I am working on a third NIC in my router computer for subnetting off a WAP for that purpose. I have no need for it, but once I get the rules right, I can employ it elsewhere.

p0lar · Nov 13, 2003

Route ALL traffic from your WAP to your external router.

Filter everything that isn't VPN traffic.

Implement a VPN.

Sniff away - you'll *NEVER* decode what's going across my segment, nor will you be able to access anything else.

You can do all this with a 3-NIC linux router with IPTables and FreeSwan. Throw in Snort if you'd like the extra-added bonus of feeling warm and fuzzy knowing that would-be intruders are pounding against a brick wall after the first few nasty packets.

GprophetB · Nov 13, 2003

Originally posted by: p0lar
Route ALL traffic from your WAP to your external router.

Filter everything that isn't VPN traffic.

Implement a VPN.

Sniff away - you'll *NEVER* decode what's going across my segment, nor will you be able to access anything else.

You can do all this with a 3-NIC linux router with IPTables and FreeSwan. Throw in Snort if you'd like the extra-added bonus of feeling warm and fuzzy knowing that would-be intruders are pounding against a brick wall after the first few nasty packets.

now thats a setup!~

p0lar · Nov 13, 2003

It is surprisingly easy to implement - I don't see why those with a linux firewall even *permit* wireless traffic to be unencrypted (not including WEP).

*shrug* If IPSEC didn't require a fair amount of processing horsepower, I suspect that more 'router' manufacturers would implement it for their wireless nodes. I'm sure the IP routing scheme may get somewhat more complicated, but that's the nature of the game - once gain, Security is inversely proportional to convenience.

Another benefit, is that your wireless access to your LAN can be controlled by ACL as opposed to the "hey look at me, I just w-hacked my way into your entire internal Lowes LAN in 48 seconds with my P233MMx Toshiba!"

/=

GprophetB · Nov 13, 2003

Originally posted by: p0lar
Route ALL traffic from your WAP to your external router.

Filter everything that isn't VPN traffic.

Implement a VPN.

Sniff away - you'll *NEVER* decode what's going across my segment, nor will you be able to access anything else.

You can do all this with a 3-NIC linux router with IPTables and FreeSwan. Throw in Snort if you'd like the extra-added bonus of feeling warm and fuzzy knowing that would-be intruders are pounding against a brick wall after the first few nasty packets.

now thats a setup!~

Confused · Nov 13, 2003

Wow...GprophetB, a 5 min DP with someone else intersected between you!

That's gotta hurt!

Confused

AMCRambler · Nov 26, 2003

I'm looking into adding a wireless access point to my existing network, and I'm wondering if you have the 128bit wireless ecryption enabled, does this slow down your connection at all? I would think the added work of encrypting and decrypting would slow things up a bit.

gunrunnerjohn · Nov 26, 2003

Originally posted by: AMCRambler
I'm looking into adding a wireless access point to my existing network, and I'm wondering if you have the 128bit wireless ecryption enabled, does this slow down your connection at all? I would think the added work of encrypting and decrypting would slow things up a bit.

On most SOHO wireless equipment, WEP slows it down a bunch, probably to about 1/2 speed. Add to the fact that it's already a half-duplex connection, and the bandwidth is shared between all the wireless connections, and wireless can quickly become BOG slow.

p0lar · Nov 26, 2003

It will definitely slow it down - to what degree depends largely upon the hardware that the wireless employs. If it has a dedicated VPN circuit (rare, rare rare) then it's negligible, but that's not likely the case.

petey117 · Nov 26, 2003

if your router supports it, turn of SSID broadcasting...this will definately be a good thing to do for security, it would be hard for someone to connect to your network if they don't know the name of it

gunrunnerjohn · Nov 27, 2003

SSID broadcasting is a very weak solution. Since the SSID is broadcast in the messages, as soon as there's traffic, you'll know the SSID of the router.

In truth, there is no decent security for wireless until WPA is generally available. Sure, you can run a VPN over the wireless link, but that's a royal PITA! When WPA is generally available, that will be a decent solution for wireless...

p0lar · Nov 27, 2003

I categorically disagree on the basis that the old adage, "Security is inversely proportional to convenience." holds firm - in all instances, not just WEP.

After all, what person in their right mind passes any kind of secure information across any unencrypted *protocol* in the first place? What is it that you do that is *really* private on the internet once it leaves the edge of your network? HTTPS? TLS? SSH? *shrug* Nothing you do on the internet is 'private'!

I digress... you should implement every security feature possible - one of the main points many people miss in having security on their wireless networks isn't to keep people from snooping, but to keep them from INVADING upon their network via non-segmented wirless. It should *always* be in its own DMZ, something that your run-of-the-mill router/firewall/WAP just doesn't have.

Of course, once again...

"Security is inversely proportional to convenience..." (and expense

)

My $0.02...

The "best" but oftenly overlooked security feature of Wireless 802.11B---

Platinum Member

Diamond Member

Platinum Member

Elite Member

Diamond Member

Golden Member

Elite Member

Diamond Member

Golden Member

Lifer

Senior member

Platinum Member

Senior member

Platinum Member

Elite Member

Diamond Member

Golden Member

Senior member

Senior member

Golden Member

Senior member