wireless security ideas
Results 1 to 10 of 10

Thread: wireless security ideas

  1. #1
    Member
    Join Date
    May 2005
    Posts
    92

    wireless security ideas

    Hi all,


    I have been asked to appear on our local cable channel for our schools to explain some of the security considerations for home users setting up wireless APs (see my charm and good looks are good for something). I am pretty experienced with wireless so I don't need technical info, but I'm not sure what topics would be useful to my end users and what I should avoid due to complexity levels.

    The driving idea behind me going on there is the powers that be believe a lot of people will be getting wireless networking devices for Christmas and they want those people to be relatively safe. (hell just for the open ones that are already out there) Remember we're not trying to stop the person that wants to get in... obviously everyone here can crack wireless, we just need "reasonable" security.

    I guess I'm asking if anyone has done anything like this or if you guys have ideas on what I should cover. My ideas so far include:

    Changing default IP range and making it as small as possible
    creating a SSID then not broadcasting it
    MAC filtering
    WEP or WPA (depends on some of their wireless adapters on their laptops, and driver updates are out of the question we're talking about users that are incapable of those concepts)


    My ideas that are not wireless related but will still come into play with a lot of all in one devices are:

    changing the default administration port on the device connected to the internet
    disabling the remote administration feature
    changing the default password on the access point
    only sharing folders to machines that you specify on your network
    only sharing printers to machines that you specify on your network


    I also plan on having a technical document up on the intranet so they can see some of what I say and some examples.

    I would have thought this was an easy topic, but when you think about explaining it there are a lot of considerations because we all know that if the end user can't understand it they just won't do it. In this case it's their own systems and in their best interest so I want to make it understandable for their sakes.


    Thanks in advance for the help everyone,

    The_Captain
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Show a map of the local neighborhood with all the unprotected wifi networks with huge blinking red dots..

    Hey! That's my street! WTF? There's a blinking red dot on my house?!?!

    That'll get their attention..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Member
    Join Date
    May 2005
    Posts
    92
    Ha ha,

    I think that would be great... only problem is.. in one drive down half a mile stretch i came across 38 open access points. This school district is many many miles of city my whole map would be red.
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Oeps.... I think you need to get on the air a.s.a.p.!
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Aug 2001
    Location
    Calgary, AB Canada
    Posts
    140
    Something I'd warn them about is to use a STRONG password, even with WPA. I've seen a video (not sure how creadible it is, and I can't remember where it was) that WPA could be cracked in about 10 minutes if the password is smaller from a dictionary. WEP is easy either way, using Auditor Linux
    Alcohol & calculus don't mix. Never drink & derive.

  6. #6
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    I'd warn them about listening to the sales-droids in the stores. Make sure the droid matches the equipment they want (802.11b-g, USB adapters, laptop PCMCIA, etc.), but take most of what they say with a grain of salt. Most of the droids I've encountered, even in the "good" tech stores, know next to nothing.

    I think you have the bases covered. And, yeah, you've got your hands full. Trying to bring this to the masses is difficult. That's why you see all the open wireless when you drive around.

    One of the good points to bring up is that many of the manufacturers have very good support staff for when you set up the wireless routers and such for the first time. They will walk you through the "good practices" for security and configuration, if you know the questions to ask.

    Maybe that would be a good thing to provide at the end of the session, a list of specific questions the users can ask the vendor support folks when they call for help in setting up their equipment.

    1. How do I set the administrator password?
    2. How do I change the administrator user name?
    3. How do I limit the wireless connections to specific systems?
    4. How do I prevent someone from finding my wireless network?
    ...

    Eh?

  7. #7
    Senior Member
    Join Date
    Aug 2001
    Location
    Calgary, AB Canada
    Posts
    140
    Also, you might want to cover the basics of 'channels' If all their neighbors bought cheap 802.11b AP's and are all running channel 1, 4, and 6, perhaps they should try channel 11? Something like that, it will help educate people that channels are important, and can hopefully avoid conjestion and interference.
    Alcohol & calculus don't mix. Never drink & derive.

  8. #8
    When using wireless it's very important to use WPA. This is because WEP is totally insecure and easily crackable, and has been for some time. Those people buying wireless access points this year for christmas really should look for a solution like WPA with strong authentication measures like PKI. It's also very important (and I cant stress this enough) to use strong complex alphanumberic passwords. Because really at the most basic level, this is all the person is going to have protecting their wireless access point.

    Psssstttt! Let me tell you a secret...

    All this no SSID broadcast and MAC address filtering is nothing more then snake oil. These solutions really are not offering any security at all, they are just increasing the degree of complexity needed by an attacker. Sure they will definatly deter kiddy's and this is good, but will do nothing to deter a meticulous, and knowledgable attacker. SSID's and valid MAC addresses can all be sniffed. This is why it is very important to use strong passwords and reliable authentication methods. Also it's would probally be a good idea to try to reduce all unnecassary traffic on your wireless access point, this reduces the footprint thus making it harder to attack.
    We are a generation without a middle. We have no great war or depression. Our war is a spiritual one, our depression is our lives. We were all raised to believe that we\'ll all be millionaires and rockstars - But we won\'t.
    And we are slowly learning this fact...And we are VERY pissed off about it!

  9. #9
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Something I'd warn them about is to use a STRONG password, even with WPA. I've seen a video (not sure how creadible it is, and I can't remember where it was) that WPA could be cracked in about 10 minutes if the password is smaller from a dictionary
    dstevens is absolutely correct.
    All this no SSID broadcast and MAC address filtering is nothing more then snake oil.
    Neptune is also very correct.
    Now, I don't want to seem like I'm about to pet my ego (which I am anyway ) but, you can read this old thread I started about this subject matter. Once you understand the basics of the the "4 way handshake", you'll be amazed that, just about the only thing stopping a skilled cracker from entering your WPA-PSK protected network is a solid passphrase.
    hope this helps you a bit.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  10. #10
    Banned
    Join Date
    Jun 2005
    Posts
    445
    I would go for more than just "securing" the wireless... Make them aware of what wireless really means. Let them know their private information is more vulnerable.

    Teach them safe surfing habits too.

    The main thing I would reinforce as far as security goes is MAC filtering and WEP/WPA. Disable remote administration, universal plug and play, etc. is also good.

    And teach them to keep and check logs. This will usually involve configuring a logging server with most smaller routers. Show them what all the bullshit in the log means. They don't need everyhting, but they need the basics.

    Last thing... Routers need security updates too. Don't forget to teach them how to intall updated firmware.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •