Limiting AP Range for Security Purposes
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Limiting AP Range for Security Purposes

  1. #1
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718

    Limiting AP Range for Security Purposes

    Within the wireless realm, there exists many devices to boost the AP signal (repeaters, bridges etc.) Now, this may sound like an odd question, but are there devices that can limit the AP's signal strength? I'll explain why I'm asking.
    Let's assume the average wireless router can transmit give or take 300 feet. Obviously there are physical ways to limit the AP range (walls, obstacles etc). Now let's say I have a small, open studio type (no walls etc) office space, that doesn't need the full 300 foot range the router provides. Let's add to that that my office is located on a main street in the downtown area situated about 20-30 feet from the main road (with windows of course)...a.k.a the perfect place for rogue sniffers driving by to try and connect to my network. Also assume I currently have all the proper security measures in place that are available for my wireless network.
    Now, here's my question. Does a device exist that can actually weaken the signal around the perimeter of my office space, so that my signal won't stretch beyond the exterior of the office?
    A sort of wireless 'wall' if you will. Maybe something that actually recieves the signal of my wireless router and blocks any further transmission of it to the exterior. I'm not sure how you could actually 'direct' the signal itself so that you don't loose connectivity within the perimeter. I googled around using key words like "limiting AP range" but found mostly articles relating to placing the AP around physical obstacles to prevent the full range but nothing on actual devices that can limit the AP range. Does such a device exist?
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  2. #2
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    Exclamation

    Ever try Wireless reflecting paint?

    Hawked here: http://www.forcefieldwireless.com/defendair.html

    Hey, you could even use alternating layers of insulating paint to get real big capacitors and shock the heck out of unsuspecting people who grab the door knob.

    ZT3000
    Beta tester of "0"s and "1"s"

  3. #3
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    You could also check the settings in your access point. I know the access point I'm running (Dlink, forgot specific model) has settings to change the signal strength in percentage. Just connect to your AP with a web browser and check around. Probably there somewhere.

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  4. #4
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Sure... reduce its power. Any number of ways to do this, including just looking on ebay for an old UPS that is on permanent brown out mode.

    cheers,

    catch

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    REduce Transmitter Power (as mentioned) in the AP settings
    Connect extra cable between the AP and the Aerial (this will reduce the reciever sensitivity)
    Place a metal sheet in the direction you DONT NEED Coverage..(basic if you want details..pse ask) this is similar to ZT3000's reflective paint
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #6
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Shag, these are all good suggestions; I'm gonna rock the boat.

    Why reduce the signal? Are you using WPA with AES encryption? If not, range doesn't matter. Seriously...you can reduce the signal...I'll just get a bigger antenna to point at your studio.

    It's not a bad idea, to go along with using the right encryption, mac filtering, etc. You may have already considered these things...I just wanted to make sure you ARE considering them.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  7. #7
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    I appreciate all the suggestions. thanks again.
    Reducing the transmitting power is a good idea. I also use a D-Link (DI-784) to be precise. What I'm concerned about with the transmitting power is that two particular PC's connected to the LAN seem to have connectivity issues when I decrease the transmitting power to 75%. I checked all the electronic devices in my office...none operate on the 5ghz range (we use 802.11a only). Once I put the transmitting power back up 100%, the problem disappears.

    Why reduce the signal? Are you using WPA with AES encryption?
    Current Settings:
    WPA-PSK with TKIP encryption (37 character passphrase - combo of letters/numbers/symbols)
    MAC Filtering
    Limited IP Range to number of computers in office
    Static IP's
    Changed the default SSID
    Changed all default passwords to maximum length more complicated passwords
    Disabled any/all options that offer an avenue for remote attacks (such as remote management, etc.)
    Disabled the ping responses to the WAN side
    Modified the default firewall settings to limit outbound traffic (generally to ports 80, 443, 25, 110) etc. your typical outbound ports
    Modified log options to allow me to see all traffic (by default my D-Link logging didn't show all the traffic I was looking for)

    I think that's it. As it stands now, this reflecting paint may be the way to go. I just have to talk with the guys at work to make sure it's ok to paint the walls with this reflective paint...maybe a nice hot pink and purple zebra striped look?
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  8. #8
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Originally posted here by ShagDevil
    Current Settings:
    WPA-PSK with TKIP encryption (37 character passphrase - combo of letters/numbers/symbols)
    MAC Filtering
    Limited IP Range to number of computers in office
    Static IP's
    Changed the default SSID
    Changed all default passwords to maximum length more complicated passwords
    Disabled any/all options that offer an avenue for remote attacks (such as remote management, etc.)
    Disabled the ping responses to the WAN side
    Modified the default firewall settings to limit outbound traffic (generally to ports 80, 443, 25, 110) etc. your typical outbound ports
    Modified log options to allow me to see all traffic (by default my D-Link logging didn't show all the traffic I was looking for)
    What about turning off the SSID broadcast?

    - X
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  9. #9
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    xierox,
    I'm not a huge fan of security through obscurity. IMO, disabling the SSID can be likened to the Children's Psych concept of "If I don't see it, It doesn't exist". Also, I don't want to chance any confusion by disabling the broadcast. As it stands now, I feel that the security mechanisms in place should suffice. I'm not saying disabling the SSID is stupid, it's just not something I feel is worth the effort.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  10. #10
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    WPA-PSK with TKIP encryption with a 37-character password like the one you have is as close as you can get to a secure network - apart from AES. Did you check to see if your router and wireless cards support it?
    Even without AES, I wouldn't loose one second of sleep over the security of my wireless

    Get rid of the MAC filtering - it'll only give your attacker more info, and it's worthless. And I fully agree with your point on turning off SSID broadcast, Shag

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •