Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: How to secure a wireless network.

  1. #1
    Senior Member
    Join Date
    Mar 2003

    How to secure a wireless network.

    As far as I know, this has not been done in the past. PM me if it has.

    It does complement the tutorial that thehorse13 linked off of M$'s site.

    How to secure your wireless set up. As always, anyone with anything to add, especially about an area that I did not cover, is surely welcome. This will not cover anything, but will get those who are just getting started into wireless a little head start. Some security is better than no security.

    1) Your network name (SSID)
    Your wireless network equipment will come with a default SSID (Service Set Identifier) from the manufacturer, usually the manufacturer’s name. (Linksys, DLink, whatever) Change this. Make it something that most people will not be able to easily guess. Using something complicated like “MyL1ttl351573r153V1l” may not be necessary for this part. Just pick something at least eight letters in length that your average farm animal couldn’t guess.

    <Need some examples: if it’s a home network, and your name is steve, name it stevenet. It’ll make you feel powerful “I have my own network, welcome to stevenet” as well as get rid of the silly default SSID>

    2) Change your router’s default password.
    Duh. Most routers will announce themselves if you type in their IP addresses. “Hi! I’m a linksys BEFSR11 WAP. Want to play?” You need to change your default password, because otherwise 31337 hackerboy down the street with a list of default manufacturer’s passwords (which are all conveniently available from the manufacturer’s website) can easily change your AP settings to something that he likes so he can get up on your network.

    3) Use Encryption

    4) When using said encryption, use the highest bit WEP available. You may have to use the utility that came with your wireless card instead of the default windows props box. 128 bit or more is pretty darn secure, but if you have to go with 64 for whatever reason (mismatched equipment, etc.) then 64 bit is better than nothing.

    5) When determining the passphrase for your encryption, do something complicated. The more complicated the better, (in this case, the “mylittlesisterisevil” phrase from above may be nice. If you have high encryption and a weak passphrase, you have weak encryption.

    Even better, make up your own encryption key. Enter in the numbers and letters yourself, to make sure that you don’t do something easy. Yes it’s tedious. But it’s better for you. Also, be sure not to dispose of the notepad you use in the process in a careless way. If someone gets your notes on your wireless network, all of your work is in vain.

    6) Pick a non-default channel.

    7) If possible, use a static set of local IP addresses, and configure your router to allow only those IP addresses. This will cut down the room other people will have to hop in on your network, unless one of your machines is not on.

    8) Research your Wireless Access Point, and see if google or anything else shows up with known problems/exploits for it. Consider a firmware upgrade if you find a bunch of problems with your current set.

    9) <<Disputed Topic>> Use a separate firewall/router to connect to the outside world. Keeping your AP behind a firewall means that it won’t announce itself to anyone who knows your IP address. Yes, this gets a little redundant, but it means that you are less likely to get hacked (easily) Using a linksys, dlink, or belkin wireless AP behind a Watchguard SOHO firewall, or something similar, works quite nicely.

    10) Authentication (I need help on this one) I’m not the most familiar with authentication, but I know that proper manipulation adds yet some more security to your wireless network. TheHorse13’s linked tut (at top of this thread) has some more info on it.

    Once again, additions are welcome. I hope this helps out those entirely unfamiliar with the 802.11 group.

    One more (obvious) thing. Make sure all your hardware is compatible. I’ve seen people buy incompatible hardware, and then make their security weak just so they can get it to work. If you are going to go wireless, at least do it correctly.
    i\'m starting to think that i\'m bound to always be the first guy on the second page of the thread.

  2. #2
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Due to a flaw in the initialization vector in WEP encapsulation both the 64-bit and 128-bit keys are vulnerable to statistical attacks and are considered un-secure at any key size. I reccomned implementing additional measures such as LEAP or PEAP. Also some wireless AP's are vulnerable to layer 2 attacks which manipulate routing tables allowing man in the middle attacks.

    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  3. #3
    Senior Member
    Join Date
    Mar 2003
    that is a good point, as the long encryption key will be a set size in each form of encryption. the point i was trying to make is that any wireless nic driver will generate the encryption key based off of a passphrase. if your passphrase is lame, then the encryption essentially doesn't matter, and any skript kiddiot with a little time can crack it.

    mentioning LEAP is a good point, though.
    i\'m starting to think that i\'m bound to always be the first guy on the second page of the thread.

  4. #4
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    cali forn i a
    Hey sounds like a good tutorial just i'm too lazy to read it...to early in the morning. I've never seen a wireless tut. on here but that doenst matter since i'm just a noob or whatever. Thanks for the tutorial.

  5. #5
    Senior Member
    Join Date
    Mar 2003
    just a few additional links..

    http://csrc.nist.gov/publications/dr...t-sp800-48.pdf (NIST Wireless security booklet)
    http://www.practicallynetworked.com/...ess_secure.htm (another really good tutorial)
    http://www.practicallynetworked.com/...s_security.htm ( set of articles about 802.11* - from the same group as the linked tut)
    http://www.cs.umd.edu/~waa/wireless.html (paper about security problems with wireless, including what Maestr0 mentioned on the keysize issues.)
    http://www.practicallynetworked.com/howto/ (set of tutorials including 802.11 setup, etc.)

    hope this helps some. the practicallynetworked.com tutorial goes a little bit more in depth on some issues than mine, but still doesn't mention everything.

    i\'m starting to think that i\'m bound to always be the first guy on the second page of the thread.

  6. #6
    Senior Member
    Join Date
    Nov 2002
    - WEP and SSID won't give any garanties. Just keep out kids of the block!

    - Doing filtering on IP addys is simply useless. WiFi is a broadcast media, and by sniffing an intruder will easily get IP range info.
    You'd better perform a MAC filtering since it's a lot harder to modify or spoof!

    - Authentication: Every one what get interest into WiFi should be aware of a real good protocol: 802.1x (implemented into XP, and available for *nix on sourceforge)
    It's not 100% intrusion proof but it require a talentued intruder...

    - IEEE is thinking about WiFi next generation. Because for now on 802.11 is not a very good protocol. For the following reason:
    °Topology: an central and unique WAP with clients.
    But what if a client is moving to far from the WAP and in the mean time is in the
    °neighbohood of another WAP (changing NIC config, and using Mobile IP... beurk!!! )
    Security: no needs to tell its unsecure, isn't it?

    So here is the scoop: There is a standard maturating during the last 4 years and that is getting more and more implemented by majors (CISCO is investing huge ressources on it).
    This standard is 802.16 (Tada!!!)

    here comes a PDF for the braves (with radio/waveform bacgound): http://grouper.ieee.org/groups/802/1...0216-02_05.pdf
    [shadow] SHARING KNOWLEDGE[/shadow]

  7. #7
    Senior Member
    Join Date
    Mar 2003
    good point networker...

    i wrote this tut as a "wireless newb's guide on how to not be completely retarded" people working with sensitive info need to put a little more effort into it.

    >>while changing the SSID and WEP won't prevent pros from breaking in, they will keep out your average skript kiddie, as well as trip up netstumbler and similar programs. most people who have information sensitive enough to warrant taking this stuff further should do some serious research on it, and consider using a third party encryption program, etc.

    your average home user who just doesn't want to be 0wn3d by the 13 year old next door should recieve better protection by following the points i mentioned.
    i\'m starting to think that i\'m bound to always be the first guy on the second page of the thread.

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Originally posted here by sickyourIT
    if your passphrase is lame, then the encryption essentially doesn't matter, and any skript kiddiot with a little time can crack it.
    The thing is, if the cipher is lame, it doesn't matter how good the passphrase is; it takes less time to do the statistical attack on WEP than to bruteforce the passphrase/key.

    In the mean time, WPA (WiFi Protected Access) has started being offered an a firmware/driver update to adapters and access points (For linksys: http://www.linksys.com/press/press.a...123&cyear=2003) which is a subset ("stop-gap") of the forthcoming 802.11i wireless security protocol/standard. Unfortunately, upgrading to 802.11i will most likely be impossible to older wireless devices as it will require more power since it will use AES for cipher.

    Of course, one alternative that has been used by many organisations and even home users is to VPN over the WAN and block all non-vpn traffic.

    Credit travels up, blame travels down -- The Boss

  9. #9
    Senior Member
    Join Date
    Apr 2004
    OK. One thing missed about SSIDs.

    As well as changing your SSID, one should also stop a router from "Broadcasting" it.

    This means that the router will not be telling the whole block around your place that your SSID is "SSID" but it'll accept the conections only from the computers telling that they are from "SSID" network.
    Don\'t post if you\'ve got nothing constructive to say. Flooding is annoying

  10. #10
    Senior Member
    Join Date
    Dec 2004
    unfortunatly, just because you turn off broadcasting, it doens't mean the AP is hidden. due to the nature how wireless works, there are ways to make it show itself - eventhough you turned off broadcast. but its a good measure to take.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts