Wireless Security Questions (My Home Network)


911medic
08-22-07, 12:44 PM
I have a (noob) question regarding enabling security on my home wifi network.

I have an old router (802.11b), and it has MAC address filtering and WEP. So far, I haven't done anything but enable the address filtering for security (yes, I know it can be spoofed/hacked easily). I want to enable WEP, but the last time I tried, I had major problems, likely of my own making and due to my lack of understanding (I had great difficulty connecting and getting back into my router settings to turn it off).

I want to have it enabled, and am going to try again, but here's my question:

My wife's laptop connects both here and at work. If I enable WEP here at home and configure her laptop to connect to it, will it screw up her work connection? This is a BIG deal as I will seriously be in the doghouse if this happens.

And please, I know that MAC address filtering and WEP suck, but they're better than nothing. My goal is to deter the casual wi-fi stealer (oh, look, an unsecured network...I'll just connect). :) I live in a fairly rural area, with only a few close neighbors. I can detect 2 or 3 other wireless networks in my neighborhood.

911medic
08-22-07, 05:13 PM
Looking at some of the other threads here, I'm wondering if I should've posted this in here at all. :D

Monolyth
08-22-07, 06:01 PM
I believe WEP will only apply to the SSID of your home network (basically that connection's profile). It will not apply WEP across all WiFi networks available. So when she goes to work it will enable a separate network connection profile for her work.

So I'd say you'll be alright.

911medic
08-22-07, 06:17 PM
> I believe WEP will only apply to the SSID of your home network (basically that connection's profile). It will not apply WEP across all WiFi networks available. So when she goes to work it will enable a separate network connection profile for her work.
>
> So I'd say you'll be alright.

Thanks...I'll give it a shot.

evilghost
08-22-07, 06:24 PM
Monolyth is correct, and there's a recent thread with some great information. To reiterate some key points, defense in depth is a perfectly acceptable practice. While each vector of security in itself is insecure in some fashion, a layered approach is best.

To highlight some key points:

1) Tune your transmit power and antenna to not cover any area you don't need WiFi access; max power isn't the best solution.

2) Use 128 Bit WEP since that's all you have available.

3) Don't broadcast your SSID, and set it to something to indicate you're not your average SOHO 'linksys' or 'netgear' user. Something like 'I_WATCH_ASSOCIATIONS_AND_WILL_PROSECUTE' or 'Honeypot' are good examples. Even though your SSID is easily discovered with tools like Kismet, it's still a good idea.

4) Enable the firewall on your home computers. Even though you're connected through a NAT router, penetration of your WiFi shouldn't be synonymous with local machine penetration.

5) Setup MAC address filtering, as you've already done.

6) Change the router password to something complex and secure to avoid penetration and intentional man-in-the-middle (MITM) attacks via DNS poisoning.

7) Firewall broadcast traffic and GARP (gratuitous ARP) to avoid arpspoof-style MITM attacks.

8) Limit the maximum number of client associations in the router/access-point to the total number of clients you have. No reason to permit 100 associations if you only have two WiFi clients.

9) Watch your logs!
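Points 7 and 9 above are the ones a practitioner can actually instrument. The following is an added example, not code from the thread or from any of the routers mentioned: a small ARP monitor that parses raw Ethernet/ARP frames, keeps the gateway's IP-to-MAC binding pinned, and flags the three things an arpspoof-style MITM produces (a gratuitous ARP, an unsolicited reply, and a contradicting MAC for a known IP). The traffic it examines is constructed in-line; the addresses (192.168.2.1 as the gateway, the client and attacker MACs) are assumptions, nothing is sniffed from a real interface, and the alert names are this example's own.

```python
"""Added example: an ARP monitor for arpspoof-style MITM detection.
Frames below are constructed sample data; gateway/client/attacker
addresses are assumptions, not values from the thread."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = _mac(dst_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None for anything that is not ARP/IPv4."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": _mac_str(frame[22:28]), "sender_ip": _ip_str(frame[28:32]),
            "target_mac": _mac_str(frame[32:38]), "target_ip": _ip_str(frame[38:42])}


class ArpMonitor:
    """Keeps an IP->MAC table (gateway pinned up front) and alerts on contradictions."""

    def __init__(self, pinned=None):
        self.table = dict(pinned or {})   # ip -> mac, pinned or learned on first sight
        self.pending = set()              # IPs a request was seen for; a reply is expected
        self.log = []                     # human-readable lines, i.e. "watch your logs"

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        if p["sender_ip"] == p["target_ip"]:
            alerts.append("gratuitous-arp")        # GARP: a host announcing itself
        elif p["op"] == ARP_REQUEST:
            self.pending.add(p["target_ip"])
        elif p["op"] == ARP_REPLY:
            if p["sender_ip"] in self.pending:
                self.pending.discard(p["sender_ip"])
            else:
                alerts.append("unsolicited-reply")  # nobody asked: classic arpspoof
        known = self.table.get(p["sender_ip"])
        if known is None:
            self.table[p["sender_ip"]] = p["sender_mac"]   # learn the first binding
        elif known != p["sender_mac"]:
            alerts.append("mac-change")            # pinned/learned binding contradicted
        for a in alerts:
            self.log.append(f"{a}: {p['sender_ip']} claimed by {p['sender_mac']}")
        return alerts


def demo():
    """Constructed traffic: one legitimate exchange, then an arpspoof-style attack."""
    gw_ip, gw_mac = "192.168.2.1", "00:11:22:33:44:55"        # assumed gateway
    victim_ip, victim_mac = "192.168.2.10", "00:aa:bb:cc:dd:ee"  # assumed client
    evil_mac = "de:ad:be:ef:00:01"                            # assumed attacker
    mon = ArpMonitor(pinned={gw_ip: gw_mac})
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip, dst_mac=victim_mac),
        build_arp(ARP_REPLY, evil_mac, gw_ip, victim_mac, victim_ip, dst_mac=victim_mac),
        build_arp(ARP_REPLY, evil_mac, gw_ip, BROADCAST, gw_ip),
    ]
    return [mon.observe(f) for f in frames]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A gratuitous ARP on its own is not proof of an attack (hosts legitimately send one when they boot or change address), which is why the monitor only treats it as an event to log; the combination with a MAC that contradicts the pinned gateway binding is the signal worth acting on. On a real network the same `observe()` would be fed from a raw socket or a pcap, and the pinned table would hold at least the gateway.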

911medic
08-22-07, 09:49 PM
Thanks EG...

To respond to a few of your points,

1. My router doesn't have "transmit power" control. It is an old Belkin 802.11b router (F5D6230-3), and I see nowhere in its control panel any adjustment of that kind. My laptop (and other wireless devices, I assume) have "transmit power" settings in its driver control panel, is this what you're referring to?

3. This same old router doesn't have a setting to broadcast/not broadcast the SSID. I can change it, but not choose to not broadcast it. (Oh, and "honeypot"? I don't get it...)

4. I do run basic software firewalls on all my PCs, in addition to the router.

6. Router password is fairly obscure. It's not like "b2360fd0c61e" or anything that random, but it's a 10 digit alpha-numeric password, so I hope it's good enough.

7. Using ZoneAlarm free firewall, can you suggest how I can do this? I honestly don't know what GARP is.

8. I can restrict LAN Clients to certain hours, etc, in the router, but I can't limit the max associations in the router control panel.

9. I don't do this enough.

I'm having major issues just trying to enable WEP. More on that to come. Gotta go put the kids to bed...

Thanks for the help, guys.

Bman212121
08-22-07, 10:09 PM
> Thanks EG...
>
> To respond to a few of your points,
>
> 1. My router doesn't have "transmit power" control. It is an old Belkin 802.11b router (F5D6230-3), and I see nowhere in its control panel any adjustment of that kind. My laptop (and other wireless devices, I assume) have "transmit power" settings in its driver control panel, is this what you're referring to?
>
> 3. This same old router doesn't have a setting to broadcast/not broadcast the SSID. I can change it, but not choose to not broadcast it. (Oh, and "honeypot"? I don't get it...)
>
> 4. I do run basic software firewalls on all my PCs, in addition to the router.
>
> 6. Router password is fairly obscure. It's not like "b2360fd0c61e" or anything that random, but it's a 10 digit alpha-numeric password, so I hope it's good enough.
>
> 7. Using ZoneAlarm free firewall, can you suggest how I can do this? I honestly don't know what GARP is.
>
> 8. I can restrict LAN Clients to certain hours, etc, in the router, but I can't limit the max associations in the router control panel.
>
> 9. I don't do this enough.
>
> I'm having major issues just trying to enable WEP. More on that to come. Gotta go put the kids to bed...
>
> Thanks for the help, guys.

If it's a Belkin I would worry about #1 or, IMO, restricting the number of wireless clients. The range on those isn't that great and they will absolutely tank with only a few connections on them. I'm not usually one to rag on hardware, but we used to have a few Belkin routers, and every one of them was horrible. They are limited in features; part of that though is because it is older, part is they just don't have them. We were having all sorts of problems once you put them under a little load. I'd be tempted to suggest upgrading it depending upon your PC. If you can use Wireless G and WPA it might be worth the upgrade as it will work a lot better and also give you some more security features. (Disable SSID broadcast, WPA, as well as Stateful Packet Inspection (SPI) and better filtering / port forwarding.)

Enough ragging though. I'm trying to figure out where you would enable it, but from looking at their quick reference manual they don't even show anything about the wireless on it. If you could print screen the page the wireless is on, or if you can't find it the login page so we can get an idea how to set it up that would be great.

evilghost
08-22-07, 10:18 PM
Agree, at this point it's really a wise idea to upgrade to something that's going to support WPA or WPA2 so you can mitigate some of the other security concerns.

'Honeypot' is a 'hacker' term for an intentionally open system used to discover/collect/audit/monitor 'hacker' activity. A loose allusion would be intentionally leaving your door unlocked and sitting behind the door with a 12ga pointed at it waiting for someone to open it. See http://en.wikipedia.org/wiki/Honeypot_%28computing%29

911medic
08-23-07, 12:03 AM
I'm about at that point of replacing it. My wife's laptop and mine both do b/g, but the kids' PC has an adapter that's b-only, so I'd have to replace that as well--not too big of a deal.

Too bad, since it's really worked well for us for 5+ years. Transmits well throughout our house and immediate yard area; has no problems handling one hardwired and 3 wireless PCs all connecting thru it simultaneously.

If you want to see the manual for it, you can d/l the pdf here (http://cache1-www.belkin.com/support/dl/F5D6230-3-English-manual.pdf). The relevant page is #48. Here are some screen shots of the Router control panel...

[Screenshot: wepautoke9.jpg] http://img340.imageshack.us/my.php?image=wepautoke9.jpg

^^This one shows 128-bit WEP where the router "automatically" generates a key based on a "passphrase" you enter. However, after doing this and hitting "enter," it doesn't display any key that is generated.

[Screenshot: wepmanualjq5.jpg] http://img340.imageshack.us/my.php?image=wepmanualjq5.jpg

^^Here's the same page, except I have enabled 128-bit manual. As you can see, it populates all the hex digit pairs fields automatically with dots, so you can't see what it is. I have tried to enter my own key here, and then enter the same one into my laptop's settings, but it won't connect. As soon as you hit "enter" on this page, WEP is enabled, and my laptop disconnects from the network.

So, then I went into my laptop. I had been using Windows Wireless Zero Configuration service to connect, as the Intel ProSet software is really bloated. Here's what that control panel looks like:

[Screenshot: windowswirelesszeroweprr9.jpg] http://img340.imageshack.us/my.php?image=windowswirelesszeroweprr9.jpg

As you can see, you can't put in a "passphrase" using this software, only the network key. I tried entering in the key I used in the router control panel...no luck. No connection. I tried both with the decimal places and without...nothing.

Looking a little deeper, I found that the Intel ProSet software does allow passphrase usage, so I downloaded and re-installed it. Here's what that panel looks like:

[Screenshot: intelprosetwepub0.jpg] http://img340.imageshack.us/my.php?image=intelprosetwepub0.jpg

Here it says the passphrase HAS to be 13 characters. The Belkin cp doesn't say anything about that, and takes any number of characters. Either way, using a passphrase that I input into the router doesn't work. So, I tried the entire manual key. No go. Nothing I do gets my wireless devices to connect to the router once WEP is enabled. This is what happened last time I tried to enable WEP, and is also why I gave up last time, too.
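The mismatch described in the post above (a router "passphrase" of any length, a client that insists on exactly 13 characters, a hex key typed with or without the dots) is a key-derivation problem, not a WEP protocol problem. The block below is an added example, not code from the thread, from Belkin or from Intel: it shows the two things a vendor GUI usually means by "passphrase" for 128-bit WEP (a 13-character ASCII string used byte-for-byte as the 104-bit key, which is what the ProSet dialog's 13-character rule describes, versus the MD5-based generator that many 128-bit "passphrase" boxes implemented), a separator-tolerant hex-key comparison, and, as a related aside, the notoriously weak 64-bit passphrase generator. It is an assumption that the Belkin F5D6230-3 uses the MD5 method; the only safe fix is to type the 26 hex digits into both ends. Nothing here changes the fact that WEP itself is broken.

```python
"""Added example: how WEP passphrases and hex keys relate.
The MD5-based 104-bit derivation and the LCG-based 40-bit one are the
de facto generators shared by many vendors; whether the Belkin uses
either is an ASSUMPTION. WEP is broken regardless of how the key is made."""
import hashlib
import string


def wep_key_from_ascii(text: str) -> str:
    """13 ASCII characters used byte-for-byte as the 104-bit key (Intel ProSet's
    '13 characters' rule). Returns the 26 hex digits the other side needs."""
    if len(text) != 13 or not text.isascii():
        raise ValueError("a 104-bit ASCII WEP key is exactly 13 ASCII characters")
    return text.encode("ascii").hex()


def wep104_key_from_passphrase(passphrase: str) -> str:
    """De facto 128-bit passphrase generator (assumed, not Belkin-verified):
    repeat the passphrase to fill 64 bytes, MD5 it, keep the first 13 bytes."""
    if not passphrase:
        raise ValueError("empty passphrase")
    raw = passphrase.encode("ascii")
    buf = (raw * (64 // len(raw) + 1))[:64]
    return hashlib.md5(buf).digest()[:13].hex()


def wep40_keys_from_passphrase(passphrase: str) -> list[str]:
    """The common 64-bit ('40-bit') generator: XOR the passphrase into a 32-bit
    seed, then draw 4 keys x 5 bytes from a linear congruential generator.
    Included because it is notoriously weak: the reachable key space is far
    smaller than 2**40, so such keys fall to a dictionary of passphrases."""
    seed = 0
    for i, c in enumerate(passphrase.encode("ascii")):
        seed ^= c << ((i & 3) * 8)
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((seed >> 16) & 0xFF)
        keys.append(key.hex())
    return keys


def normalize_hex_key(text: str) -> str:
    """Strip the dots/colons/dashes/spaces a GUI shows between hex pairs and
    check that what is left is a valid 40-bit (10) or 104-bit (26) hex key."""
    digits = "".join(ch for ch in text if ch not in ".:- ")
    if len(digits) not in (10, 26) or any(ch not in string.hexdigits for ch in digits):
        raise ValueError("a WEP key is 10 or 26 hex digits")
    return digits.lower()


def keys_match(router_key: str, client_key: str) -> bool:
    """True when both sides hold the same key, regardless of separators and case."""
    return normalize_hex_key(router_key) == normalize_hex_key(client_key)


if __name__ == "__main__":
    phrase = "abcdefghijklm"              # constructed sample, 13 characters
    print("ASCII-as-key :", wep_key_from_ascii(phrase))
    print("MD5 generator:", wep104_key_from_passphrase(phrase))
    print("40-bit keys  :", wep40_keys_from_passphrase("belkin"))
```

The two 104-bit derivations of the same 13-character string give different keys, which is exactly the symptom in the post: a passphrase that "works" on the router GUI and the same passphrase typed into the client can still disagree unless both implement the same generator. `keys_match()` is the check to run on the 26 digits each side actually displays; once they agree and the association still fails, the problem is elsewhere (key index, open vs. shared-key authentication).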

evilghost
08-23-07, 12:20 AM
G is backwards compatible with B, your B card will work just fine with a G router.

911medic
08-23-07, 12:34 AM
Well, that solves that then...

Recommendations on a good router? Or link to a discussion/reviews?

evilchris
08-23-07, 12:36 AM
At my house, my wireless works as follows:

Connect to Cisco 1231AG via WPA2/RADIUS. WAP is wired to an interface on my ASA5505 that is in between the outside and inside interfaces in security level. To gain access to the inside wired network, I establish an IPSEC VPN connection to the ASA.

This solution can be considered REAL "Wired Equivalent Privacy".

If someone managed to crack my WPA2 stream, they'd wind up with an AES256 encrypted cipher stream.

Bman212121
08-25-07, 01:41 AM
> At my house, my wireless works as follows:
>
> Connect to Cisco 1231AG via WPA2/RADIUS. WAP is wired to an interface on my ASA5505 that is in between the outside and inside interfaces in security level. To gain access to the inside wired network, I establish an IPSEC VPN connection to the ASA.
>
> This solution can be considered REAL "Wired Equivalent Privacy".
>
> If someone managed to crack my WPA2 stream, they'd wind up with an AES256 encrypted cipher stream.

LOL, nice setup, but I'm not sure if everyone can afford an ASA for their home. We just got an ASA less than a year ago to replace our PIX at work.

Bman212121
08-25-07, 02:01 AM
@911 Medic: I'm kind of surprised you've had such good luck with the router, but I'm sure quality does vary by model. The ones we had were the white boxes, so yours could have been one of their better ones. Good to hear though that someone's had good luck with them.

As of late, my suggestion would have to be something like a linksys WRT300N http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1144763513404&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=1340439789B03

It has a ton of features, and has quite a few of those settings that you'd want to change. I'm not sure where PSK falls versus WEP or WPA, but it will do PSK with 256bit AES encryption. You can also set this up with a RADIUS server like Chris is doing. Since Cisco bought Linksys, they have included a lot of their features in a little more user-friendly package; a SOHO device like this is easier for a novice while still providing decent security.

They also have a higher grade model the 350N which has gigabit built in and a storage server which allows you to hook a device up to it for instant network storage or use their media server. I can't comment on how well this stuff works, but I have seen this particular model in use when I went on vacation. (Naturally they plugged it in and called it good, so I just typed in 192.168.1.1 and admin / admin and was able to look around. ;)) http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1162354643512&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=4351239789B04

911medic
08-29-07, 11:13 PM
Thanks for the reply...I'm thinking of going with this one: Linksys WRT54GL (http://www.newegg.com/Product/Product.asp?item=N82E16833124190). It's relatively cheap, has Linux-based firmware (so it's easy to flash to 3rd-party versions), and has decent security measures.

I can't afford the more expensive "N" models at the moment.

DiscipleDOC
08-30-07, 10:17 AM
> I have a (noob) question regarding enabling security on my home wifi network.
>
> I have an old router (802.11b), and it has MAC address filtering and WEP. So far, I haven't done anything but enable the address filtering for security (yes, I know it can be spoofed/hacked easily). I want to enable WEP, but the last time I tried, I had major problems, likely of my own making and due to my lack of understanding (I had great difficulty connecting and getting back into my router settings to turn it off).
>
> I want to have it enabled, and am going to try again, but here's my question:
>
> My wife's laptop connects both here and at work. If I enable WEP here at home and configure her laptop to connect to it, will it screw up her work connection? This is a BIG deal as I will seriously be in the doghouse if this happens.
>
> And please, I know that MAC address filtering and WEP suck, but they're better than nothing. My goal is to deter the casual wi-fi stealer (oh, look, an unsecured network...I'll just connect). :) I live in a fairly rural area, with only a few close neighbors. I can detect 2 or 3 other wireless networks in my neighborhood.

No, it will not. I have WEP enabled at home. It will create multiple profiles for you to be able to use.

evilchris
08-30-07, 12:29 PM
> LOL, nice setup, but I'm not sure if everyone can afford an ASA for their home. We just got an ASA less than a year ago to replace our PIX at work.

$550ish MSRP - 70% for Cisco Silver NFR = cheap for me!

BTW: I hear evilghost uses something called "Gamefuel" to secure his network!

911medic
09-07-07, 12:08 AM
Just an update...

I've got the WRT54GL up and running, WPA2 TKIP+AES enabled, SSID changed and not broadcast, password changed, MAC address filtering enabled, and my laptop is connected and working well with good signal strength (actually down a bit from the Belkin, but fine).

Thanks again to those who helped!

evilghost
09-07-07, 07:27 AM
Excellent.