Wi-Fi Wireless LAN Security

[Peachy]

Well, I've been playing around with my new notebook for the past month and quite like it. It has a Centrino configuration (Pentium M 725) and thus, an 802.11g wireless adapter built-in. So, I decided to upgrade my D-Link 614+ (802.11b) router/AP to 802.11g. In the process, I also decided to increase my security from WEP to WPA. I feel more secure, but not everyone has the means to setup a full-blown RADIUS server with certificate infrastructure.George Ou has written some very informative articles about wireless LAN security including: The six dumbest ways to secure a wireless LAN and Wireless LAN Security Guide: Security for any organization large or small.If you're thinking, "I'm not an enterprise business, I can't afford Windows Server 2003", don't sweat it. LucidLink offers a free 3-user Home Office version of their software-based RADIUS server. Failing that, you should use at minimum WPA-PSK (Wi-Fi Protected Access/Pre-Shared Key) which might only entail buying WPA compliant router/access points and LAN cards. But, if you are going to do wireless and are serious about security, then it's a small price to pay.

[Jeber]

In addition to encryption, I have changed the SSID, changed the LAN IP of the router, restricted the number of IP addresses issued by the router to six times the number of devices on the network and made the range non-standard (i.e. .57-.x instead of .100-.199), employed MAC filtering, turned off SSID broadcast and disabled "ping from WAN side". Even so, I still encourage everyone in the house to do secure work on the LAN network, not the wireless side.

[lewmur]

In addition to encryption, I have changed the SSID, changed the LAN IP of the router, restricted the number of IP addresses issued by the router to six times the number of devices on the network and made the range non-standard (i.e. .57-.x instead of .100-.199), employed MAC filtering, turned off SSID broadcast and disabled "ping from WAN side".  Even so, I still encourage everyone in the house to do secure work on the LAN network, not the wireless side.

<{POST_SNAPBACK}>

Restricting the number of IP's or changing the .100 .199 range, only affects the DHCP IP's assigned. Won't bother someone setting a static IP. To do that, you need to change the 192.168.0 or 192.168.1 IP of the router to something harder to find. Like 192.168.xxx.x And change the subset mask from the default 255.255.255.0 to 255.255.xxx.xxx. Then, turn off DHCP and set static IP's on your LAN NIC's with matching IP range and subset mask. The only reason for DHCP is to make things easier for the LAN administrator. But it also makes it easier for the cracker.

[Peachy]

I might add, disable remote management of the router and change the administrator password. Remember, D-Link routers don't even have a password for the Admin account!

[zlim]

I was going to check None but not because it was too, just never got around to changing it.clueless user still trying to get up to speed...no WEP nor WPA (been meaning to get to it but after reading the article, I'm glad I didn't spend the time). I did change the SSID and pass as soon as I got it working. No MAC filtering but I did restrict the number of users.Guess I'll need to do some reading on what a radius server is before I start asking another round of stupid questions.

Edited May 18, 2005 by zlim

[Peachy]

I was going to check None but not because it was too, just never got around to changing it.clueless user still trying to get up to speed...no WEP nor WPA (been meaning to get to it but after reading the article, I'm glad I didn't spend the time). I did change the SSID and pass as soon as I got it working. No MAC filtering but I did restrict the number of users.Guess I'll need to do some reading on what a radius server is before I start asking another round of stupid questions. 

<{POST_SNAPBACK}>

Liz, WEP is still better than nothing. RADIUS is an acronym for Remote Authentication Dial-In User Service, an authentication and accounting system used to login users to a network. Every ISP uses some form of RADIUS to let you onto their network. In a Windows network it's very easy to setup: just install Internet Authentication Service (IAS) on a member server. There is an Open Source project called FreeRADIUS for those who don't want to pay the Microsoft tithe. Once the server is setup (including getting a security certificate for it; i.e., a public/private encryption key), it's very easy to set your router/access point to authenticate wireless users with it. But setting up a RADIUS server is not for the faint of heart. Microsoft has published a very good step-by-step guide for doing this (although I did find an error in the document that doesn't make it foolproof! Read their article: Step-by-step Guide for Setting Up Secure Wireless Access in a Test Lab to see what's involved.

[Jeber]

When it comes to networking, there are no stupid questions, believe me.

D-Link routers don't even have a password for the Admin account

Not by default, but there is the option to set one during the setup wizard (which I wish people would avoid) and you can set one within the configuration as well.lewmur, the reason I do it that way is to keep a pool of IPs that can be dynamically assigned. I prefer having dynamic IPs on the computers. Static IPs can become targets, and a moving target is harder to hit.

[siebkens]

D-Link wireless router set as switchchanged default ssidadded admin passwordI tried to set my wireless network to allow a specific MAC address, but was shut out. <sigh>So, I fell back to 64-bit WEP encryption.

[Peachy]

D-Link wireless router set as switchchanged default ssidadded admin passwordI tried to set my wireless network to allow a specific MAC address, but was shut out.  <sigh>So, I fell back to 64-bit WEP encryption.

<{POST_SNAPBACK}>

Sieb, you need to at least use 128-bit WEP. Why only 64-bit? When you set the MAC filtering, make sure you add the wired computer that you're doing the configuration with and not just the wireless device.

[Jeber]

Did you disable DHCP in the D-Link router? If it's linked to another router, you need to connect them LAN port to LAN port. Disable DHCP, set a static IP on the router/switch and it should work. (However, D-Link will not offer tech support when you use a device in a configuration for which it was not designed. But that's OK, you've got us. )When using MAC filtering, always remember to clone the MAC address of the machine you're using first (I speak from embarrassing experience).

[Jeber]

Darn you, Peachy! I've just spent the last hour and a half following link after link in that George Ou blog you pointed to. There's a wealth of really good information there. I'm printing out several of them to take to work tomorrow.

[Grasshopper]

My Linksys wifi router has WPA TSK but my laptop with Atheros Super G doesn't. I couldn't find a BIOS update, so I've gotta stick with WEP 128.

[Peachy]

Jeber, hee, hee!

[JackR]

If you really want to protect your Wired Network: Network Segregation - Adding security to Wireless Network (or to any peer to peer Network).:sun;

[Guest LilBambi]

Excellent information! Thanks Peachy! :thumbsup:Did you run into any gotchas with the radius server besides additional cost for equipment, etc.? Or did you just use some computer you had laying around?

[Peachy]

Fran,I just copied a VMWare image of a Windows Server I already had, joined it to my domain, and then installed IAS. Added the computer and user accounts and enabled dial-in access for each. Attached a wireless LAN Group Policy and then added and configured the access point in IAS. Set it up for WPA-Enterprise and I was good to go. The nice thing about VMWare is that it pays for itself in hardware savings.It even authenticates Windows Mobile 2003 clients:

[Peachy]

For anyone interested in having RADIUS WPA without a full-blown RADIUS server, you may be interested in tinyPEAP Win32, a small RADIUS server that runs as a Windows service. Just set up your Access point to the IP address of the computer running tinypeapd as the RADIUS server. For the brave and not faint of heart who have a Linksys WRT54G router/wireless access point, there is a beta firmware from tinyPEAP that you can upload to the WRT54G to add a RADIUS server to the device. This is a beta firmware and is not suppported by Linksys so you risk voiding your warranty. Do not do this if you are running a production WLAN. Build a real RADIUS server instead.Note: This will not work with v2.2 and v3.0 of the router. It will only work with v2.0 or older.

[henderrob]

I checked WEP and read the article and then pulled the box to my Wireless-G Base Station from MS and found out that it is WPA and admin password necessary.My son and I bought it to share our cable broadband with my PC wired to Base Station and my son's laptop on wireless broadband access. We haven't networked our computers though.

[Guest LilBambi]

Got that right Temmu!Peachy, that sounds awesome!

[John Scott]

Peachy, thanks for the link on LucidLink's free RADIUS (3 user) server. I downloaded it, installed it in 10-15 minutes and it worked the first time. This is something that I have been looking to do for some time. This fits my needs just fine as most of my home network is a wired network. For the wireless part, I have a laptop, a work laptop, and my sister-in-law's laptop when she comes to visit. Thanks for the information. - John -