Peachy Posted May 18, 2005
Well, I've been playing around with my new notebook for the past month and quite like it. It has a Centrino configuration (Pentium M 725) and thus an 802.11g wireless adapter built in. So, I decided to upgrade my D-Link 614+ (802.11b) router/AP to 802.11g. In the process, I also decided to increase my security from WEP to WPA. I feel more secure, but not everyone has the means to set up a full-blown RADIUS server with certificate infrastructure. George Ou has written some very informative articles about wireless LAN security, including: The six dumbest ways to secure a wireless LAN and Wireless LAN Security Guide: Security for any organization large or small. If you're thinking, "I'm not an enterprise business, I can't afford Windows Server 2003", don't sweat it. LucidLink offers a free 3-user Home Office version of their software-based RADIUS server. Failing that, you should use at minimum WPA-PSK (Wi-Fi Protected Access/Pre-Shared Key), which might only entail buying WPA-compliant router/access points and LAN cards. But if you are going to do wireless and are serious about security, then it's a small price to pay.
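An added illustration of what WPA-PSK actually does with the passphrase (this is editor-supplied example code, not part of Peachy's post and not code from any router or RADIUS product named in the thread): the passphrase and the SSID are fed through PBKDF2-HMAC-SHA1 with 4096 iterations to produce the 256-bit Pairwise Master Key. The SSID is the salt, which is why the same passphrase on two networks gives unrelated keys, and why a PSK is only as strong as the passphrase, since anyone holding a captured key can try guesses offline. The "password"/"IEEE" pair is the published IEEE 802.11i Annex H test vector; the "HomeNet" and "linksys" SSIDs, the passphrases and the word list are constructed for the example.

```python
import hashlib
import hmac

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 Pairwise Master Key from a passphrase and SSID.

    IEEE 802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits).
    A passphrase must be 8..63 characters; a 64-hex-digit string is already the raw key.
    """
    if len(passphrase) == 64 and all(c in "0123456789abcdefABCDEF" for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def psk_matches(stored_psk: bytes, candidate: str, ssid: str) -> bool:
    """Constant-time check of a candidate passphrase against a stored PSK."""
    return hmac.compare_digest(stored_psk, wpa_psk(candidate, ssid))

def recover_passphrase(psk: bytes, ssid: str, wordlist):
    """Offline guessing against a known PSK: each guess costs one 4096-round PBKDF2,
    and the result is SSID-specific, so a non-default SSID defeats precomputed tables.
    Returns the matching passphrase or None."""
    for guess in wordlist:
        try:
            if psk_matches(psk, guess, ssid):
                return guess
        except ValueError:          # guess outside the 8..63 length range, skip it
            continue
    return None

# Published test vector from IEEE 802.11i Annex H (passphrase, SSID, expected PSK).
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

if __name__ == "__main__":
    p, s, expect = IEEE_VECTOR
    print("IEEE vector ok:", wpa_psk(p, s).hex() == expect)
    # Constructed example: same passphrase, two SSIDs, two unrelated keys.
    print("HomeNet:", wpa_psk("correct horse battery staple", "HomeNet").hex())
    print("linksys:", wpa_psk("correct horse battery staple", "linksys").hex())
    print("recovered:", recover_passphrase(wpa_psk(p, s), s, ["letmein1", "password"]))
```

The derivation is deterministic, so a router and a client that agree on SSID and passphrase arrive at the same key without ever sending it; what the radio carries afterwards is the four-way handshake keyed from this PSK, not the passphrase itself.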
Jeber Posted May 18, 2005
In addition to encryption, I have changed the SSID, changed the LAN IP of the router, restricted the number of IP addresses issued by the router to six times the number of devices on the network and made the range non-standard (i.e. .57-.x instead of .100-.199), employed MAC filtering, turned off SSID broadcast and disabled "ping from WAN side". Even so, I still encourage everyone in the house to do secure work on the LAN network, not the wireless side.
lewmur Posted May 18, 2005
> In addition to encryption, I have changed the SSID, changed the LAN IP of the router, restricted the number of IP addresses issued by the router to six times the number of devices on the network and made the range non-standard (i.e. .57-.x instead of .100-.199), employed MAC filtering, turned off SSID broadcast and disabled "ping from WAN side". Even so, I still encourage everyone in the house to do secure work on the LAN network, not the wireless side.
Restricting the number of IPs, or changing the .100-.199 range, only affects the DHCP IPs assigned. It won't bother someone setting a static IP. To do that, you need to change the 192.168.0 or 192.168.1 IP of the router to something harder to find, like 192.168.xxx.x, and change the subnet mask from the default 255.255.255.0 to 255.255.xxx.xxx. Then turn off DHCP and set static IPs on your LAN NICs with matching IP range and subnet mask. The only reason for DHCP is to make things easier for the LAN administrator. But it also makes it easier for the cracker.
Peachy Posted May 18, 2005
I might add: disable remote management of the router and change the administrator password. Remember, D-Link routers don't even have a password for the Admin account!
zlim Posted May 18, 2005 (edited May 18, 2005 by zlim)
I was going to check None, but not because it was too, just never got around to changing it. Clueless user still trying to get up to speed... no WEP nor WPA (been meaning to get to it, but after reading the article, I'm glad I didn't spend the time). I did change the SSID and pass as soon as I got it working. No MAC filtering, but I did restrict the number of users. Guess I'll need to do some reading on what a RADIUS server is before I start asking another round of stupid questions.
Peachy Posted May 18, 2005
> I was going to check None, but not because it was too, just never got around to changing it. Clueless user still trying to get up to speed... no WEP nor WPA (been meaning to get to it, but after reading the article, I'm glad I didn't spend the time). I did change the SSID and pass as soon as I got it working. No MAC filtering, but I did restrict the number of users. Guess I'll need to do some reading on what a RADIUS server is before I start asking another round of stupid questions.
Liz, WEP is still better than nothing. RADIUS is an acronym for Remote Authentication Dial-In User Service, an authentication and accounting system used to log users in to a network. Every ISP uses some form of RADIUS to let you onto their network. In a Windows network it's very easy to set up: just install Internet Authentication Service (IAS) on a member server. There is an Open Source project called FreeRADIUS for those who don't want to pay the Microsoft tithe. Once the server is set up (including getting a security certificate for it, i.e., a public/private encryption key), it's very easy to set your router/access point to authenticate wireless users with it. But setting up a RADIUS server is not for the faint of heart. Microsoft has published a very good step-by-step guide for doing this (although I did find an error in the document that doesn't make it foolproof!). Read their article, Step-by-step Guide for Setting Up Secure Wireless Access in a Test Lab, to see what's involved.
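An added worked example of the exchange Peachy describes between the access point and the RADIUS server, boiled down to its RFC 2865 essentials (editor-supplied Python, not code from IAS, FreeRADIUS, LucidLink or tinyPEAP, and not from the original post). The access point acts as the NAS: it sends an Access-Request whose User-Password is hidden with MD5 keyed by the shared secret and a per-request 16-byte authenticator; the server recovers the password, decides, and signs its Access-Accept or Access-Reject with a Response Authenticator that the access point checks with the same secret. WPA-Enterprise actually carries EAP inside RADIUS (EAP-Message attributes) rather than a plain password, but the packet framing, the shared secret and the response check are the same, which is why an access point whose secret does not match the server's never gets an answer it can trust. The secret, user database and NAS address below are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3        # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4            # attribute types used here

def _attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_password; trailing padding nulls are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """What the access point sends. The authenticator must be fresh per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(data: bytes) -> dict:
    """Walk the TLV list, refusing lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def server_respond(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Validate an Access-Request and return the Accept/Reject the server would send.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs.get(USER_NAME, b"")
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(response: bytes, request: bytes, secret: bytes):
    """Access point side: trust the verdict only if the Response Authenticator checks out
    and the identifier matches our request. Returns the code, or None if unverifiable."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response) or length < 20:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None

if __name__ == "__main__":
    secret = b"s3cr3t-shared-with-ap"          # constructed shared secret
    users = {b"peachy": b"hunter2!"}           # constructed user database
    req = build_access_request(7, secret, b"peachy", b"hunter2!", "192.168.1.1")
    print("verdict:", verify_response(server_respond(req, secret, users), req, secret))
```

Two things worth noticing when you wire a real access point to a server: the per-request authenticator is the only thing making the MD5 keystream unique, so it has to be random, and a secret mismatch between the two boxes does not produce an error message, only rejects (or, for EAP, silently discarded requests), which is the first thing to check when "every user is refused".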
Jeber Posted May 18, 2005
When it comes to networking, there are no stupid questions, believe me.
> D-Link routers don't even have a password for the Admin account
Not by default, but there is the option to set one during the setup wizard (which I wish people would avoid), and you can set one within the configuration as well.
lewmur, the reason I do it that way is to keep a pool of IPs that can be dynamically assigned. I prefer having dynamic IPs on the computers. Static IPs can become targets, and a moving target is harder to hit.
siebkens Posted May 19, 2005
D-Link wireless router set as switch
changed default SSID
added admin password
I tried to set my wireless network to allow a specific MAC address, but was shut out. <sigh> So, I fell back to 64-bit WEP encryption.
Peachy Posted May 19, 2005
> D-Link wireless router set as switch
> changed default SSID
> added admin password
> I tried to set my wireless network to allow a specific MAC address, but was shut out. <sigh> So, I fell back to 64-bit WEP encryption.
Sieb, you need to at least use 128-bit WEP. Why only 64-bit? When you set the MAC filtering, make sure you add the wired computer that you're doing the configuration with, and not just the wireless device.
Jeber Posted May 19, 2005
Did you disable DHCP in the D-Link router? If it's linked to another router, you need to connect them LAN port to LAN port. Disable DHCP, set a static IP on the router/switch and it should work. (However, D-Link will not offer tech support when you use a device in a configuration for which it was not designed. But that's OK, you've got us.) When using MAC filtering, always remember to clone the MAC address of the machine you're using first (I speak from embarrassing experience).
Jeber Posted May 19, 2005
Darn you, Peachy! I've just spent the last hour and a half following link after link in that George Ou blog you pointed to. There's a wealth of really good information there. I'm printing out several of them to take to work tomorrow.
Grasshopper Posted May 19, 2005
My Linksys wifi router has WPA TSK but my laptop with Atheros Super G doesn't. I couldn't find a BIOS update, so I've gotta stick with WEP 128.
Peachy Posted May 19, 2005
Jeber, hee, hee!
JackR Posted May 20, 2005
If you really want to protect your wired network: Network Segregation - Adding security to Wireless Network (or to any peer to peer Network).
Guest LilBambi Posted May 20, 2005
Excellent information! Thanks Peachy! Did you run into any gotchas with the RADIUS server besides additional cost for equipment, etc.? Or did you just use some computer you had laying around?
Peachy Posted May 21, 2005
Fran, I just copied a VMWare image of a Windows Server I already had, joined it to my domain, and then installed IAS. Added the computer and user accounts and enabled dial-in access for each. Attached a wireless LAN Group Policy and then added and configured the access point in IAS. Set it up for WPA-Enterprise and I was good to go. The nice thing about VMWare is that it pays for itself in hardware savings. It even authenticates Windows Mobile 2003 clients:
Peachy Posted May 22, 2005
For anyone interested in having RADIUS WPA without a full-blown RADIUS server, you may be interested in tinyPEAP Win32, a small RADIUS server that runs as a Windows service. Just set up your access point with the IP address of the computer running tinypeapd as the RADIUS server. For the brave and not faint of heart who have a Linksys WRT54G router/wireless access point, there is a beta firmware from tinyPEAP that you can upload to the WRT54G to add a RADIUS server to the device. This is a beta firmware and is not supported by Linksys, so you risk voiding your warranty. Do not do this if you are running a production WLAN. Build a real RADIUS server instead.
Note: This will not work with v2.2 and v3.0 of the router. It will only work with v2.0 or older.
henderrob Posted May 22, 2005
I checked WEP and read the article and then pulled the box to my Wireless-G Base Station from MS and found out that it is WPA and an admin password is necessary. My son and I bought it to share our cable broadband, with my PC wired to the Base Station and my son's laptop on wireless broadband access. We haven't networked our computers, though.
Guest LilBambi Posted June 2, 2005
Got that right Temmu! Peachy, that sounds awesome!
John Scott Posted July 29, 2005
Peachy, thanks for the link on LucidLink's free RADIUS (3 user) server. I downloaded it, installed it in 10-15 minutes and it worked the first time. This is something that I have been looking to do for some time. This fits my needs just fine, as most of my home network is a wired network. For the wireless part, I have a laptop, a work laptop, and my sister-in-law's laptop when she comes to visit. Thanks for the information. - John -