July 3rd, 2004, 12:04 AM
From the Linksys WRT54G
Virtual Private Networking (VPN) is typically used for work-related networking. For VPN tunnels, the Router supports IPSec Pass-Through and PPTP Pass-Through.
* IPSec - Internet Protocol Security (IPSec) is a suite of protocols used to implement secure exchange of packets at the IP layer. To allow IPSec tunnels to pass through the Router, IPSec Pass-Through is enabled by default. To disable IPSec Pass-Through, uncheck the box next to IPSec.
* PPTP - Point-to-Point Tunneling Protocol is the method used to enable VPN sessions to a Windows NT 4.0 or 2000 server. To allow PPTP tunnels to pass through the Router, PPTP Pass-Through is enabled by default. To disable PPTP Pass-Through, uncheck the box next to PPTP.
July 3rd, 2004, 12:13 AM
To me that means that it allows the protocols through to an internal server as opposed to managing the tunnel themselves.
OTOH, I never played with trying to create a tunnel to the router but looking at them they don't seem to be anywhere near sophisticated enough to manage it. When I create the tunnel from inside I think I had to allow the "pass through" to allow it to connect to the outside "provider"..... I could be wrong.... But I don't think so..... Love to be shown how.... It would be nice.....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
July 3rd, 2004, 12:32 AM
I know, Tiger... I was just proving your point - the WRT54G is probably one of the most "sophisticated" wireless routers for home use, and all it supports is IPSEC pass-through.
Linksys' solution that provides actual VPN starts at like $160:
That site also has a nice reference card, btw.
July 3rd, 2004, 12:38 AM
Good tutorial. Unfortunatly, you didn't cover RADIUS servers at all (which is what I hoped to learn about, guess I need to hit google). Also, my router allows for a few different encryption methods. The 2 you talked about (WEP and TKIP) and it also allows AES encryption. Obviously TKIP is better then WEP, but what about a comparison between TKIP and AES. I'm not that well versed in different encryption methods. I guess that would be a topic in the cryptography forum.
You are so bored that you are reading my signature?
July 3rd, 2004, 01:10 AM
I might be a complete retard, but what does a RADIUS server have to do with anything? Are RADIUS servers not what ISP's use to give out their internet connections? How exactly does it all tie in?
It's only for dial up too, PPoE is what broadband uses.
<--Best hardware/gaming news out there--|
<--Gamers will love this one
Light a man a fire and you\'ll keep him warm for a day, Light a man ON fire and you\'ll keep him warm the rest of his life.
July 3rd, 2004, 01:20 AM
Wow - just got back from supper and I didn't expect anywhere near this much discussion, thx!
Yeah, I couldn't find anything to specifically encrypt the SSID but I *think* anything that encrypts everything transmitted over the network would also encrypt the SSID along with everything else. Also, I've heard that when someone does happen to get bits of info through screwups in the encryption (yeah, not a very technical explanation but hey...I'm learning right along with you guys on this one...) - it's not likely to be the SSID that they get (which is what they need). About turning the SSID broadcast off - I read something somewhere that said it would cause some kind of conflicts but I can't find it again. I recall that it's just a small drop in effeciency though so preventing the SSID from being broadcast can be a very effective preventative measure although there may be some slight cost to it.
The way I understand it is that if you use any encryption then the SSID will be encrypted anyway when the connections take place.... and SSID broadcast is off.... I think.... - Tiger Shark
I did some research on VPN's but didn't include them into this tutorial because I never gained a good understanding of exactly what it is that they do. There will be a part 2 to this though to cover things more indepth - this was meant to be an introduction. Oh, and thx for the compliment!
Nice article, btw, very well put together. In addition, I'd like to add that you can also secure wireless networks with the implementation of a VPN. Using a VPN for one, will encrypt all of the data passing through it, even if you don't use wep, which is weak anyways. The VPN could be used as a gateway, forcing users to authenticate before being allowed access to network resources. VPN over wi-fi is a great way to secure a not so secure your wireless network. - PuReExcTacy
Lol, I like kudos....
I think you're actually asking 2 different questions. Any key can be weak if it can be guessed or maybe brute forced somehow? Having four different ones is better than just one only in that once you have one of them, you can only access a fourth of things transmitted...unless it's configured somehow so someone would need *all four* keys to read anything...there's a thought. Haven't heard of anything like that tho. Of course - with any information you get from cracking one it becomes easier to crack the others... The problem isn't not having enough keys - it's the fact that the key(s) stay the same for an indefinite period of time and it only takes about a day (or less) to crack one. TKIP fixes this problem by automatically changing the keys after every 10,000 packets of information sent over the network. How long that takes of course depends on the volume of traffic flowing across the network... Somebody said something like 40 minutes? No clue if that's accurate. Also the newer protocol 802.1X is supposed to dynamically assign encryption keys to all LAN devices. More on 802.1X and related protocols will be in the next tutorial.
Ok, so question: given that WEP is a wee bit weak, how much of a difference does it make to use more than one key? Our USR can use up to four WEP keys, but I'm thinking, is it pointless, since you'd just have four weak keys, or does it make a significant difference? - AngelicKnight
Crap, t'would seem I completely missed something that should have gone in this tutorial....I'm really sorry. I promise to put a decent section on AES (and comparisons) in the next tutorial. That may not be for another month tho... I'll be researching the latest developments in WLAN and WAN security and I'll probably go into detail about the difference between the two networks next time too. Thx a lot to PhishPhr33k for giving me ideas about what to research next! Also thx to everyone for your responses!
Good tutorial. Unfortunatly, you didn't cover RADIUS servers at all (which is what I hoped to learn about, guess I need to hit google). Also, my router allows for a few different encryption methods. The 2 you talked about (WEP and TKIP) and it also allows AES encryption. Obviously TKIP is better then WEP, but what about a comparison between TKIP and AES. I'm not that well versed in different encryption methods. I guess that would be a topic in the cryptography forum. - annihilator_god
July 3rd, 2004, 01:39 AM
Grunt, I literally have no idea what RADIUS servers are. All I know is that my router has multiple security modes for wireless networking. These include WEP, WPA pre shared key, WPA RADIUS, and RADIUS. It looks to be a method of authentication, so that would be a way to log in, right? Obviously i need to do more research since I have no idea. Which is exactly what I'm doing right now.
You are so bored that you are reading my signature?
July 3rd, 2004, 01:53 AM
WPA is short for wifi protected access. Here is an exhaustive tutorial on WPA. Works with TKIP and uses authentication. I can't believe I missed this - it fits perfectly into this tutorial. It uses EAP which is short for Extensible Authentication Protocol... Unfortunately I'm short on time right now but I'll try and edit the tutorial to include a section on WPA as it certainly seems to fit. *slaps self in forehead*
It should be noted that WPA is an interim standard that will be replaced with the IEEE’s 802.11i standard upon its completion.
Added a part about WPA. Next will be on AES.
July 3rd, 2004, 03:53 AM
Last I checked using IPSec encryption for Wi-Fi networks only allowed the ip header to be encrypted.
Addressing WEP, yeah, it's weak even @ 128-Bit. It uses the RC4 stream and isn't implemented very well in WEP. WEP keys are static.
TKIP is the new WPA default standard. It also uses RC4 stream only as was mentioned earlier it uses a long IV (initialization vector) and the keys are changed much sooner on a xxx packet basis. Thanks to a nice implementation, weak RC4 or not, this type isn't easily crackable.
AES is the strongest WPA type of encryption for Wi-Fi LANS currently available. It uses the Rijndael encryption algorithm. Yes, this is "better" than TKIP but also adds much more cpu overhead to the equation. Using 256-Bit AES here hits performance noticably on my machine but it's very strong encryption.
Disabling SSID broadcasting and applying Mac-Filtering are good ideas... even though they still can be worked around. This has already been mentioned in detail. I won't bother.
If you don't need to access your internal LAN from the outside WAN (internet) then disable remote administration. There's no need for it. By default all of the routers I've played with have this off with their factory settings.
If you don't need DHCP disable it.
Port-Forwarding -don't use it unless you need it (running services to be accessed by WAN).
WPA (Radius Server) is only needed if you have a server that's dedicated to distributing keys to all of the hosts on your network. Since many soho environments don't have a dedicated server for this they use WPA-PSK (PreShared Key). Radius Servers are normally found in corporate enviroments and larger networks with many hosts. This is not saying you couldn't have a small soho network utilize this.
July 3rd, 2004, 04:26 AM
Thx Mark_Anderson. I also heard that AES is primarily used by the military....it's supposed to be incredibly strong and I also read that it is a resource hog (like you said) and is expensive. I've been afk for a few hours but I intend to add something on AES to this tutorial too...I think that's it for this one though after that...unless I've missed something else that needs to be in this one too. Any suggestions? Seriously though, thanks Mark, you really seem to know your stuff.
Done. I believe everything is accurate but I'd very much like to get a second opinion. I tried to check everything with sources but sources aren't always accurate... Anyway, I think that this is now a well-rounded introduction to Wi-Fi security. More to come later! Stay tuned!