The Old Joel on Software Forum: Part 3 (of 5) - Securing the Wireless Network

Securing the Wireless Network

Thank you to all the posters for their help in answering my queries on setting up a wireless home network.

Based on the feedback, I purchased a http://www.linksys.com/products/product.asp?grid=33&scid=35&prid=544

It took me three hours to set up - I am not sure whether it was my lack of technical knowledge or the instructions were really bad. I am now sitting in the living room, happily typing this post in on my Notebook.

What puzzles me is that when I switched on my Notebook, it immediately recognized the wireless network - it did not ask for any passwords and I had a warning, during the connection, that the network was not secure.

When I set-up the Linksys router to my PC, I did change the default password.

Is there anything I can do to make this network secure? I live in a densely populated neigborhood, I am sure my neighbors will be able to access the network as it stands.

WiFi
Thursday, September 25, 2003

I have the same model -- it's a very good one. As you've discovered though, it (like most home routers) has encryption turned off by default.

To turn it on, do the following:

1. Go to the router's administration pages. (By default, http://192.168.1.1) You may have to enter a password to get to the admin screen -- this password is only for being able to access the router's administration pages, not for wireless security. (You should change this password to something unique, by selecting the Password tab.)

2. On the main admin page, select "WEP: Mandatory." (WEP = Wireless Equivalent Privacy.)

3. Select 128-bit encryption (the strongest.)

4. Click "WEP Key Setting." Create a password by choosing a hard-to-guess phrase, and enter it into the Passphrase box. Hit "Generate." It will convert that into a numeric password. Hit Apply.

5. The router should restart. When it does, Windows will prompt you to enter a "network key" (the numeric password) before you can log onto the wireless connection. Then, you'll know that your connection is secure.

If you're the paranoid type, you can also turn off file sharing and printer sharing, and/or install a personal firewall (like ZoneAlarm), on each PC for extra security. However, using the router's default firewall settings, along with with WEP, provides reasonably good security.

(If you've been using your broadband connection without any firewall protection until now, though, you'll definitely want to run a virus scan on your system to make sure it hasn't already been compromised. )

Robert Jacobson
Thursday, September 25, 2003

Note WEP is NOT SECURE. It can quite easily be cracked with a packet sniffer. However if your area is anything like mine I have at least one open WiFi network (note the owners of this network are "public access" types so this is on purpose) within reach so I can't see why anyone would bother.
If you want to do this securely you will need a VPN on top as well.
In practice to my mind WEP is good enough, any intruder to gain access must have have "cracked" the password and is therefore a criminal in most countries, to my mind that makes it just as likely they would have broken down your door to gain physical access to your machine.
I always think of WEP as being like locking your front door, whereas VPN stuff is like putting your valuables in a bank vault.
Since for most hackers to gain access to your WiFi network they'll need physical proximity this shouldn't be a problem.

Allowing access only to specified network cards isn't a bad idea, however spoofing MAC addresses is relatively trivial.

Peter Ibbotson
Thursday, September 25, 2003

You might also wish to upgrade the firmware on your hardware. All my wireless devices have WPA now, which is much better than WEP.

Brad Wilson (dotnetguy.techieswithcats.com)
Thursday, September 25, 2003

You can disable SSID broadcasting (that's what let your notebook know that there was a network available). Also, change the default name (which is invariably Default or Linksys). Security through obscurity.

Lou
Thursday, September 25, 2003

WEP is resonably secure for hiome use. It takes well over 1 million MAC packets for WEP to be cracked when 128 bit keys are used. (That would be around 1Gig of data).

I've used airsnort against my own home network and never been able to crack the keys, even when downloading large abounts of data. For home use, you're unlikely to crack WEP merely because the amounts of data transfered is not large enough.

On linux, you can generate keys using

hexdump /dev/random

Its a good idea to change your keys once/month.

nat ersoz
Thursday, September 25, 2003

You trying to break into your own network, nat? You're a weird one alright :-)

Thursday, September 25, 2003

Also check to see if you can limit access to the wireless network based on the connecting computers MAC address. This way only PCs you own can connect. MACs can be cloned but it helps in making your network more obscure.

Jeff
Thursday, September 25, 2003

Brad, which ones have WPA? I know SMC don't offer it yet so who does?

Peter Ibbotson
Thursday, September 25, 2003

I use all Linksys wireless gear.

I have a Linksys WRT54G which I'm using as my gateway router and my 802.11b/g service.

I have three WAP54Gs in bridge mode, distributed wired access among disconnected sections of the house (for example, to the living room, for the Xbox, PS2, and Audiotron).

I have a PCMCIA 802.11g card, and two PCI 802.11g cards.

In all cases, newest firmware and/or drivers give you access to WPA.

Brad Wilson (dotnetguy.techieswithcats.com)
Thursday, September 25, 2003

Actually, the BEFW11S4 only supports WEP encryption, not WAP. (At least not yet.)

However, this is generally sufficient for home users. Yes, WEP can theoretically be cracked. As Nat says, though, it would take a long time to crack a home user's connection since it requires analyzing > 1 GB of packets. It's highly unlikely that any of your immediate neighbors (within wireless range) are going to go to that trouble, or that someone's going to sit in a car with his laptop outside of your house for days waiting to crack your key.

Robert Jacobson
Thursday, September 25, 2003

Filtering by MAC has no effect:

ifconfig eth1 hw ether xx:xx:xx:xx:xx:xx

Sets a linux MAC address. Tested on my Cisco Aironet and it works. Nothing is sacred... (damn linux users).

And yup, I'm a little paranoid about security.

nat ersoz
Thursday, September 25, 2003

And yes, you can snoop the user's mac address.

nat ersoz
Thursday, September 25, 2003

WOW,,,no,, not GREAT,, but WOW,, I just learned a ton from reading these postings. I am a novice to wireless so am educating myself on the security aspects. Just bought a laptop and WRT54g. Have it up and running but had to disable the WEP to do it. Got to go back and secure things up a bit. Thanx to y'all for the info..

Jim J.
Monday, August 23, 2004