Securing APs

Ok, how many of you have run into this:

Your at a friends or a business and you find a AP that is completely unprotected? I have found a bunch of sites where people have installed "dumb" APs, just a standard wifi Access Point so they could use their notebook or whatever. These APs have no security features AT all built in. No challenge, no password, nadda.

One site I went to recently, I was helping rebuild a failed BDC, and I turned on my notebook to download some files, when I realized I had a wifi connection. Sure enough the owner had put a cheap no name brand AP into a workgroup hub so he could use his notebook during meetings. I couldn't actually hit the LAN without challenge, but I was able to hit the gateway out to the net. I could browse the resources without a problem and got into a number of user shares that were open.

I guess I am wondering how many people are using APs and how they secure these dumb boxes down.

I ALWAYS encrypt mine...

And welcome anything more I can learn on how to better secure them...

But I have run into quite a few wide open ones myself.

I have one. Generally it's fairly simple:

• 1. Change the default admin pass.
  
  2. Change the name of the AP from something less identifying (best name I've seen yet: BigPimpinConsulting)
  
  3. Remove the ability to alter the AP remotely (don't know why but many of the home/SOHO ones have this feature)
  
  4. Turn off DHCP
  
  5. Turn off SSID broadcasting
  
  6. Turn on WEP-128bit (at minimum) but ideally WPA
  
  7. Turn on, if possible, MAC address filtering
  
  8. Firewall attached to AP limiting what can come in and go out (if need be, put host based firewalls to help with this). The land line can connect to the firewall if there isn't one included with the AP.
  
  9. Log, log, log. And check them! (what a concept). Gives an idea of what's being used and such.

Other standard practises also apply like changing passwords and such but this should be a good enough start.

MsMittens your need to sticky that post and throw it in the wireless forum. That would save some people a serious amoutn of typing.

I've only ran into two or three completely unsecured WAPs in a workplace. Small business that has a block of time with a local consulting company and a user that has physical access to a switch.

-a little off topic, but I run into this a lot. One neighborhood I pass through on the way to work has (it seems) 70+ Linksys WAPs. So I started "looking about" and noticed that some were channel 10, 2, 11, most were 6.

After a few minutes (staying in one palce) I would loose a connection to an unsecured access point and my card would attempt to connect to either a secured point or just re connect to another access point on a different channel.

Make me wonder how anyone in that neighborhood connects to the net for any given amount of time. Most appartment complex I visit have the same issue. (Thin Walls)

I found that it's not the issue of other APs conflicting but rather wireless phones. I know at my place there's about half a dozen or so various APs, all on the same channel with little interference. However, when I use our phone (one of those 2.4Ghz gizmos) *poof* goes the connection.

I've posted this before, but here it goes...

Your neighbor has a 1 in 3 chance of choosing a channel that conflicts with your channel choice, since there are only 3 truly non-overlapping channel choices (see below).

The IEEE 802.11 standard defines a total of 14 frequency channels.

The US uses channels 1 - 11
Most of Europe uses channels 1 – 13
France uses 10 – 13, Spain uses 10 – 11
Japan uses 1 - 14

The channel represents the center frequency that the transceiver within the access point uses. There is 5 MHz separation between the centre frequencies. (for example 2.412 GHz for channel 1 and 2.417 GHz for channel 2). The signal falls within 11 MHz of each side of the center frequency.

This means that an 802.11b/g signal overlaps with several adjacent channel frequencies. This leaves only three channels that can be used without causing interference between access points. These are channels 1, 6, and 11 in the US. (they are 1, 7, 13 in Europe).

In short, in the US, there are only 3 non-overlapping channels (1, 6 and 11). Depending on the signal level recieved from your neighbor's network, it could be having a significant impact on the performance of your network (and yours on his too). If your neighbor is using channel 2, then you should choose a channel at least 5 away. 7 would work, but if another neighbor chooses 6 (default on most APs), it will conflict. The safest choice for you, would be channel 11.

Peace always,
<jdenny>

Quote:

---

Originally posted here by MsMittens
I found that it's not the issue of other APs conflicting but rather wireless phones. I know at my place there's about half a dozen or so various APs, all on the same channel with little interference. However, when I use our phone (one of those 2.4Ghz gizmos) *poof* goes the connection.

---

Thats why I refuse to buy a 2.4Ghz phone. Someone wasn't thinking when they assigned that spectrum out.

Quote:

---

1. Change the default admin pass.

2. Change the name of the AP from something less identifying (best name I've seen yet: BigPimpinConsulting)

3. Remove the ability to alter the AP remotely (don't know why but many of the home/SOHO ones have this feature)

4. Turn off DHCP

5. Turn off SSID broadcasting

6. Turn on WEP-128bit (at minimum) but ideally WPA

7. Turn on, if possible, MAC address filtering

8. Firewall attached to AP limiting what can come in and go out (if need be, put host based firewalls to help with this). The land line can connect to the firewall if there isn't one included with the AP.

9. Log, log, log. And check them! (what a concept). Gives an idea of what's being used and such.



Other standard practises also apply like changing passwords and such but this should be a good enough start.

---

Hi Ms M.
Yes, all the above makes prefect sense, and as a rule I set the APs up this way. But the boxs I am talking about are even dumber then this. They tend to be older no name brand 802.11b (I will try and grab the brand name off the one at the site I was refering too) but they have NO admin configuration internally at all, other then a "web" based set up page that allows you to put in the units IP and the DHCP/DNS servers IP.If you dont put in an IP it will grab one dynamically. These units are NOT routers/APs but just APs all by them selves. They have no WEP, no SSID, no MAC filtering, no admin password, nothing like that. It is almost like they were designed to be part of a "Master/slave system" and when they don't find a master, they just refer to DHCP. But in general when I have run into these units, they have been hung off one hub or switch and they are wide open. The one that comes right to mind at the moment happens to be running on a NT4.0 based network and doesnt even have a wireless connection tools that Win2K server has. While I was there I did play a bit and I have to admit, it gave a good solid connection to my Thinkpad, my Powerbook, and my RH9 notebook without issue. The owner said that he liked that his customers could hit the network wirelessly to transfer files over. So I am not going to be able to do much to lock this down or get him to replace it with a different unit.

I am sorry I wasn't clearer in my first post.

Quote:

---

But in general when I have run into these units, they have been hung off one hub or switch and they are wide open. The one that comes right to mind at the moment happens to be running on a NT4.0 based network and doesnt even have a wireless connection tools that Win2K server has.

---

Wow. I haven't seen APs like that but given this statement I would suggest getting a SOHO router/firewall and attaching the devices to them. Then put a RADIUS or some other authentication behind it.