uart

Basic Wireless Network Security?


Hi guys. At this point I've only ever set up very simple networking and have not yet set up anything wireless. A friend has just bought a wireless router to network his home computer and laptop and I was going to help him set up some basic security. I'm interested in getting some information (like a guide or "how to") on setting up just the basic security for a wireless network. Can anyone provide some useful links?

BTW. Perhaps this is the wrong thing, but preferably I'd like to start with just the most rudimentary method for securing the network from only the most casual potential intruder (like a neighbor who just happens to pick up the signal but has no actual hacking knowledge for example). Hopefully I'd like to keep it as simple as possible, even if it's not the strongest method.

Thanks :)


All you need to do is set up WPA with a strong pre-shared key. You have to type the key into the router's configuration as well as into each of the computers that will connect to it.

Don't use WEP. Don't bother with MAC address filtering. Don't shut off SSID broadcast. Everything other than WPA is a useless security measure that is trivially bypassed by automated attacks that complete virtually instantly. (WEP lasts a little longer but can be cracked in about 3 minutes --using the slightly cheap kickoff method-- and not much longer using less noticeable snooping methods).


I disagree.

Change the SSID. Shut off broadcast. Use MAC address filtering. Use the best encryption you can - typically this is WPA Pre-Shared Key and AES encryption. Allow only whatever speed you're going to use. No need in allowing B to connect if you're only using G, for example. Even turn off DHCP on your network if you don't need it. Why? Some wannabe without real knowledge of WiFi networks will be discouraged by this. Best to keep out as much vermin as you can. It's so humiliating to be hacked by an ignorant fool ;)


Like I said above, HTMK, everything except WPA is nearly instantaneously bypassed by the simplest script kiddie stuff. MAC address sniffing is instantaneous. SSID discovery is instantaneous. WEP cracking is trivial --a couple minutes.

WPA is the only thing that matters. If it is enabled neither random joe, nor elite hacker (in a reasonable amount of time) will be able to steal your wireless. Some wireless cards have trouble if SSID broadcast is turned off, and MAC filtering wastes your time. All create more difficulties for a user, while providing zero benefit!


It would be nice to have a WPA-capable router.


Gilbo is spot on here. WPA is the ONLY way to go. If either your router or adapter doesn't have WPA, then send it back and get another one. It only takes a few seconds to set up, you just tell the router to use WPA and assign a password, then do the same on your adapter.

Turning off SSID broadcast just makes it harder for your own computer to find the router, which can cause setup problems. MAC filtering is just annoying to set up, as you have to go track down MAC addresses for each computer and enter them. Heaven forbid you have a guest with a laptop (co-worker, students doing homework, even a LAN party) and have to enter in all their MACs. It is only more work for you, and doesn't make your network one bit safer.

Changing the SSID is a good idea if only to prevent your computer from latching onto any other "linksys" network out there. Name it something you will recognize, but don't (as I've seen people do) put "The Smiths Network" or "12345 Street Network" or "Bob Smith" for your SSID. Keep it simple like "homeoffice" or similar.


I prefer political or otherwise controversial statements for wireless SSIDs. "LeafsSuck" is particularly close to my heart, "DontBeAConservative" is another good one :D.


So you're saying MAC filtering at the router is useless? Like, I have a firewall where I have static IPs added for only our computers, and DHCP turned off... that is useless? The wireless access point is just WEP. Maybe should get a new one with WPA that does G access...


Basically... yes.

The way it works is this.

-You turn on your computer and it looks for the router

-It finds the router and says "May I connect?"

-The router, seeing that only certain MACs are allowed to access, asks for your computer's MAC

-Your computer gives the MAC and if it matches then it is allowed access

The problem is that anyone who knows how to Google can "listen" in on this conversation between your computer and the router, since this is an unencrypted conversation. Then that same person can have his/her computer use the same MAC address and connect to your router, and your router has no idea it's not you.

Similar issue with SSID broadcasts. Let's say you name your network "LeafsSuck" and choose not to broadcast. OK, that's great for the router. But when you turn on your computer, it starts broadcasting "Hey *LeafsSuck*, are you there for me to connect? Hello? *LeafsSuck* are you there?" If you are in range of the router, it will reply "Yes I'm here, go ahead and connect". And since this is an unencrypted conversation just like above, anyone who is "listening" can hear and they know your network name.

Static IPs fall in the same boat. And DHCP only "automatically" assigns an IP, there is nothing preventing anyone from assigning their own. Off the top of my head, most default IPs would be in the series of 192.168.1.XXX or 192.168.0.XXX or 10.10.10.XXX. You could make up some random IP range, but again, that information is available to anyone who "listens".

The only people this is a deterrent for are the people who check "View Available Networks" and don't see your network in the list (if SSID is disabled) or try and connect, are denied (if MAC filtering is enabled) and give up right there. If you depend on this method of security, then you can safely assume that every teenager within range of your router has access to your network.

I don't know how else to say it more clearly, but WPA right now is the best thing you can do to a wireless network. It doesn't matter if they have your SSID, MAC, IP or anything else, they can't get in. All the other methods just involve more hassle for you and not one bit more of security...

> I prefer political or otherwise controversial statements for wireless SSIDs. "LeafsSuck" is particularly close to my heart, "DontBeAConservative" is another good one :D.

That's right they do! GO RANGERS!


Some others I have seen are:

"IKnowYourIP", "HackME", "GateKeeper", and "733tNET"


Thanks for the info guys. I took Gilbo's advice and just enabled WPA in the router. That's really what I wanted, one simple measure.

Am I correct in thinking that with WPA enabled (but no MAC filtering etc.) that if this guy wants to add a second laptop to the network at some future time that he won't even need to go into the router set-up? Will he merely need to give the new laptop the correct "network key" the first time he goes through the procedure of joining the network? If so then that is ideal, because he can manage that without my help.


Exactly, uart. All he needs is the network key.
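
An added example, not part of any post above: how the key that WPA pre-shared-key mode uses is derived from the typed passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), which is why a new laptop only needs the passphrase, plus a check of a planned passphrase and SSID. The default-SSID list, the 80-bit threshold and the function names are assumptions of this example.

```python
import hashlib
import math
import string

# Assumptions of this example: the default-SSID list and the 80-bit threshold
# are constructed for illustration, not taken from the thread.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}
MIN_BITS = 80.0
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit key WPA-PSK uses from the passphrase and the SSID.

    The standard mapping is PBKDF2-HMAC-SHA1 with the SSID as salt and 4096
    iterations, so the router and every client compute the same key.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def passphrase_bits(passphrase: str) -> float:
    """Upper bound on guessing effort in bits; real words score far lower."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit(passphrase: str, ssid: str) -> list:
    """Return findings for a planned WPA-PSK setup (empty list means none)."""
    wpa_pmk(passphrase, ssid)  # raises ValueError if the pair is not valid
    findings = []
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID: the key's salt is shared with other networks")
    if passphrase_bits(passphrase) < MIN_BITS:
        findings.append("passphrase too short or too simple")
    return findings


if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex())   # constructed sample input
    print(audit("password", "linksys"))        # constructed sample input
```
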
