Yorkshire Divers


Non Diving Posts: wireless network

  #11 (permalink)  
Old 20-12-07, 06:04 PM
fishyheid
Also, switch off the SSID broadcasting and limit the list of MACs that can connect.
  #12 (permalink)  
Old 20-12-07, 06:13 PM
PBrown
Quote:
Originally Posted by fishyheid
Also, switch off the SSID broadcasting
This can cause problems with some devices, particularly mobile devices like Palms & Pocket PCs. Personally I've never been a fan of 'security through obscurity' and I leave mine on.

Quote:
and limit the list of MACs that can connect.
That's an excellent recommendation, just remember that you have it set, so that you never spend a couple of hours swearing at various boxes trying to get them talking to each other.

cheers,
Paul
  #13 (permalink)  
Old 20-12-07, 06:38 PM
String
Quote:
Originally Posted by PBrown
That's an excellent recommendation, just remember that you have it set, so that you never spend a couple of hours swearing at various boxes trying to get them talking to each other.

cheers,
Paul
Or just get the 20k MAC spoofing Windows applet that bypasses this protection neatly and in seconds.

I agree disabling SSID broadcast is pointless; anyone with any wireless sniffing tools will see it just as quickly as they would if it's on, so it just inconveniences older legit devices that may want to use it.
__________________
404 - Witty signature not found
  #14 (permalink)  
Old 20-12-07, 08:51 PM
mark w
Also being interested and cautious about the use of wireless networks, I read the original question with interest, and also the responses, however personally a lot of the terms and responses were somewhat lost on me. Would it be possible for someone to give the definitive idiot's guide to making a wireless network secure, preferably in a manner that even us heating engineers will be able to easily understand? While I do appreciate there are many of you who have an excellent understanding of computers and networks etc., I for one have a more limited understanding of the subject. I tried to alter the setting last night on my BT home hub after reading this post, something like the broadcasting setting and the requests for new connections, and the damn thing locked me out completely; I could not even reconnect to it myself, using my own laptop. The only way back on I could find was to reset it back to its factory settings using the button on the back...
So please my request:
A simple idiot's guide to securing a wireless network.
__________________
I drink only to make my friends seem interesting.

Regards
Mark
  #15 (permalink)  
Old 21-12-07, 08:31 AM
JAG
Quote:
Originally Posted by mark w
Also being interested and cautious about the use of wireless networks, I read the original question with interest, and also the responses, however personally a lot of the terms and responses were somewhat lost on me. Would it be possible for someone to give the definitive idiot's guide to making a wireless network secure, preferably in a manner that even us heating engineers will be able to easily understand? While I do appreciate there are many of you who have an excellent understanding of computers and networks etc., I for one have a more limited understanding of the subject. I tried to alter the setting last night on my BT home hub after reading this post, something like the broadcasting setting and the requests for new connections, and the damn thing locked me out completely; I could not even reconnect to it myself, using my own laptop. The only way back on I could find was to reset it back to its factory settings using the button on the back...
So please my request:
A simple idiot's guide to securing a wireless network.
Any of the links I mentioned in post #3 should give you an idea.
__________________
Photo Galleries

"Even when you reach a higher plane of consciousness you're still a fucking idiot!"
  #16 (permalink)  
Old 21-12-07, 09:19 AM
Jay_Benson
What we do, in addition to running WPA, is to decouple the 50 Hz alternating current power supply module during periods of minimal data traffic. In layman's terms this is switching off when we don't need it. Pretty well foolproof and when it is switched off I defy any hacker to get it going.
  #17 (permalink)  
Old 21-12-07, 02:41 PM
PBrown
Quote:
Originally Posted by String
Or just get the 20k MAC spoofing Windows applet that bypasses this protection neatly and in seconds.
a. that assumes I was trying to connect a Windows PC
b. it doesn't help when you forget that the protection is on in the first place!

Quote:
Originally Posted by mark w
So please my request:
A simple idiot's guide to securing a wireless network.
Unfortunately every device is slightly different, so it is almost impossible to produce a simple 'click here', 'type this', 'click here' type of guide; apart from anything else, different manufacturers use slightly different terminology for the same thing. My general recommendations would be:

1. Set up the wireless router first.
2. Make changes to the wireless router using an ethernet cable (bit of wire), not the wireless connection.
3. Make one change at a time, check each device is ok before making the next.

More specific recommendations on setting up the wireless router:
  1. Visit the manufacturer's website and download the latest firmware. If it is newer than your existing firmware, upgrade the box.
  2. Change the default administrator password
  3. Change the default channel that wireless is broadcasting on (doesn't affect security, but should stop interference with any neighbours)
  4. Change the default SSID to one which is meaningful to you; as already discussed this isn't so much about security, but it helps to make sure you are trying to connect to your network and not a neighbour's
  5. Set up a MAC (device) access list
  6. Enable encryption, using WPA-PSK. Use a long key (the maximum your device will support), make it random, use numbers and a mix of upper & lower case letters
  7. If you are only going to use one PC, or you will never want to share data between PCs, turn on wireless isolation (I don't think this will apply to many people).
  8. If you are using your router as a DHCP server (probably most people) limit the number of available addresses to the number of devices you expect to attach.
  9. Disable remote (from the internet) management.
  10. Turn on logging & set it up to send you an email with the log daily.
  11. Write down & store in a safe place the default admin password (in case you need to do a factory reset), your new password, and the WPA-PSK.
  12. Reduce the modes being supported to just those required by your specific devices (a/b/g/n)
  13. Do a backup of the settings, or write them down.

Anybody else got any more? Or want to clarify/expand on these?

cheers,
Paul

Last edited by PBrown : 21-12-07 at 02:45 PM. Reason: forgot the backup
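
An added example, not part of PBrown's post or any router vendor's code: one way to produce the long random WPA-PSK key from step 6, and to see how WPA-PSK turns that passphrase into the actual 256-bit key (PBKDF2-HMAC-SHA1, 4096 iterations, with the SSID from step 4 as the salt). The function names and the two SSIDs are constructed for illustration.

```python
import hashlib
import math
import secrets
import string

# WPA-PSK passphrases are 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63
# Letters and digits only, matching step 6 of the checklist.
ALPHABET = string.ascii_letters + string.digits


def generate_passphrase(length=MAX_LEN):
    """Return a random passphrase drawn from the OS CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("WPA-PSK passphrase must be 8..63 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Keep only candidates with digits plus both letter cases.
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on the entropy of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


def derive_pmk(passphrase, ssid):
    """256-bit pairwise master key as WPA-PSK derives it:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode(), 4096, 32)


if __name__ == "__main__":
    key = generate_passphrase()
    print("passphrase:", key)
    print("entropy (bits): %.0f" % entropy_bits(len(key)))
    # Constructed SSIDs: same passphrase, different network name.
    for ssid in ("default", "attic-net-7"):
        print(ssid, derive_pmk(key, ssid).hex())
```

Because the SSID is the salt, the same passphrase gives a different key under a different network name, so the SSID choice in step 4 and the key in step 6 are linked.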
  #18 (permalink)  
Old 21-12-07, 04:50 PM
String
Quote:
Originally Posted by PBrown
a. that assumes I was trying to connect a Windows PC
Well it's even easier under a *nix based OS.



Quote:
Change the default administrator password
Make the password not easily identifiable, i.e. don't use surname, car registration number, pet's name and so on. Put some numbers in there as well as a mix of upper and lower case letters.

Quote:
Change the default SSID to one which is meaningful to you; as already discussed this isn't so much about security, but it helps to make sure you are trying to connect to your network and not a neighbour's
Make sure you don't do what a lot of people do and put your name and/or address in - you want it so you know which to connect to but someone else couldn't read and immediately identify as you or your property.
__________________
404 - Witty signature not found
  #19 (permalink)  
Old 21-12-07, 05:50 PM
Bantam
As a CCSP I'll point out the obvious stuff so it helps a little;

Looking at this from a hacker's point of view (i.e. someone sat outside your house trying to look at the contents of your PC / email and so forth).

It doesn't matter if you do or don't broadcast the SSID. It's easily obtainable in seconds using a wireless packet sniffer, as is your MAC address.

It doesn't matter if you do or don't use MAC authentication - again, as String rightly points out, it doesn't take more than a few seconds to change my MAC address to be the same as yours.

WEP encryption code retrieval using the German tool takes a very short time to run and with the above will give me full access to your network.

So you've set static IPs without DHCP. Again, no problem. I can sniff that information again so I can work out your IP address range.

Your best minimum defence is all of the above, except use WPA-PSK instead of WEP as it has no known crack, yet...

So why would someone want to do it? Well, if I can get onto your WLAN, I'm behind your firewall, which means if you don't have a software firewall running on your machines, essentially I can use exploitation tools to force my way into your machine, and plant a keylogger or trojan, allowing me to groom all your passwords, usernames, bank details etc.. etc.. etc..

Worse than that, if I know your WEP key, I can decrypt all your wireless conversations on the fly using a wireless packet sniffer, and assuming you're sending plain text information I can see details you probably don't want to see. Even if you're just copying it between machines locally.

So the best form of defence is to make sure *everything* is turned on and encrypted, using a strong encryption such as WPA-PSK , and make sure the ineffective but better than nothing Windows Firewall is turned on.


And hope your neighbours' internet connection is less secure than yours so the scrotes target them!

Oh - a good tip for passwords - pick your favourite book, and use the first letters from each word from a random paragraph, including punctuation if possible, and add some numbers in (such as page number or something). Change the capitalisation too. So 18IfUR,arbU is a good password, for example.
Last edited by Bantam : 21-12-07 at 05:54 PM.
  #20 (permalink)  
Old 22-12-07, 08:15 AM
ianfirmin
Lots of good advice here (I'm in the business too). A couple of things to add. Choosing a clear channel can be very helpful. Do a survey of nearby wireless APs (access points) and pick a channel as far away from them as possible.

Consider signal strength.
Most APs transmit at maximum strength but many can be adjusted. Why broadcast to the whole street when you just need your lounge covered?

Finally, simply don't use wireless unless you have to. It's crap technology for all the reasons mentioned. Is your broadband connection in the same room? Then run a cat5 cable around the skirting board. Or, consider using ethernet over the power lines. The latest kit for doing this is greatly improved and your ring main can become your secured wired network.

Atb
Ian