Jump to content

Wi-Fi Wireless LAN Security


Which wireless security scheme do you use?  

17 members have voted

You do not have permission to vote in this poll, or see the poll results. Please sign in or register to vote in this poll.

Recommended Posts

Peachy

Well, I've been playing around with my new notebook for the past month and quite like it. It has a Centrino configuration (Pentium M 725) and thus, an 802.11g wireless adapter built-in. So, I decided to upgrade my D-Link 614+ (802.11b) router/AP to 802.11g. In the process, I also decided to increase my security from WEP to WPA. I feel more secure, but not everyone has the means to setup a full-blown RADIUS server with certificate infrastructure.George Ou has written some very informative articles about wireless LAN security including: The six dumbest ways to secure a wireless LAN and Wireless LAN Security Guide: Security for any organization large or small.If you're thinking, "I'm not an enterprise business, I can't afford Windows Server 2003", don't sweat it. LucidLink offers a free 3-user Home Office version of their software-based RADIUS server. Failing that, you should use at minimum WPA-PSK (Wi-Fi Protected Access/Pre-Shared Key) which might only entail buying WPA compliant router/access points and LAN cards. But, if you are going to do wireless and are serious about security, then it's a small price to pay. :hysterical:

Link to post
Share on other sites
Temmu

wep with 128 bit key. oops. read the articles!as you say, i've not set up a radius server.good read, thanks peachyps, also read the cited tomshardware article on how to crack wep in 5 - 10 minutes. yikes!

Edited by Temmu
Link to post
Share on other sites

In addition to encryption, I have changed the SSID, changed the LAN IP of the router, restricted the number of IP addresses issued by the router to six times the number of devices on the network and made the range non-standard (i.e. .57-.x instead of .100-.199), employed MAC filtering, turned off SSID broadcast and disabled "ping from WAN side". Even so, I still encourage everyone in the house to do secure work on the LAN network, not the wireless side.

Link to post
Share on other sites
lewmur
In addition to encryption, I have changed the SSID, changed the LAN IP of the router, restricted the number of IP addresses issued by the router to six times the number of devices on the network and made the range non-standard (i.e. .57-.x instead of .100-.199), employed MAC filtering, turned off SSID broadcast and disabled "ping from WAN side".  Even so, I still encourage everyone in the house to do secure work on the LAN network, not the wireless side.

Restricting the number of IP's or changing the .100 .199 range, only affects the DHCP IP's assigned. Won't bother someone setting a static IP. To do that, you need to change the 192.168.0 or 192.168.1 IP of the router to something harder to find. Like 192.168.xxx.x And change the subset mask from the default 255.255.255.0 to 255.255.xxx.xxx. Then, turn off DHCP and set static IP's on your LAN NIC's with matching IP range and subset mask. The only reason for DHCP is to make things easier for the LAN administrator. But it also makes it easier for the cracker.
Link to post
Share on other sites
Peachy

I might add, disable remote management of the router and change the administrator password. Remember, D-Link routers don't even have a password for the Admin account! :hysterical:

Link to post
Share on other sites
zlim

I was going to check None but not because it was too, just never got around to changing it.clueless user still trying to get up to speed...no WEP nor WPA (been meaning to get to it but after reading the article, I'm glad I didn't spend the time). I did change the SSID and pass as soon as I got it working. No MAC filtering but I did restrict the number of users.Guess I'll need to do some reading on what a radius server is before I start asking another round of stupid questions. :hysterical:

Edited by zlim
Link to post
Share on other sites
Peachy
I was going to check None but not because it was too, just never got around to changing it.clueless user still trying to get up to speed...no WEP nor WPA (been meaning to get to it but after reading the article, I'm glad I didn't spend the time). I did change the SSID and pass as soon as I got it working. No MAC filtering but I did restrict the number of users.Guess I'll need to do some reading on what a radius server is before I start asking another round of stupid questions.  :D

Liz, WEP is still better than nothing. RADIUS is an acronym for Remote Authentication Dial-In User Service, an authentication and accounting system used to login users to a network. Every ISP uses some form of RADIUS to let you onto their network. In a Windows network it's very easy to setup: just install Internet Authentication Service (IAS) on a member server. There is an Open Source project called FreeRADIUS for those who don't want to pay the Microsoft tithe. Once the server is setup (including getting a security certificate for it; i.e., a public/private encryption key), it's very easy to set your router/access point to authenticate wireless users with it. But setting up a RADIUS server is not for the faint of heart. Microsoft has published a very good step-by-step guide for doing this (although I did find an error in the document that doesn't make it foolproof! Read their article: Step-by-step Guide for Setting Up Secure Wireless Access in a Test Lab to see what's involved.
Link to post
Share on other sites

When it comes to networking, there are no stupid questions, believe me. :)

D-Link routers don't even have a password for the Admin account
Not by default, but there is the option to set one during the setup wizard (which I wish people would avoid) and you can set one within the configuration as well.lewmur, the reason I do it that way is to keep a pool of IPs that can be dynamically assigned. I prefer having dynamic IPs on the computers. Static IPs can become targets, and a moving target is harder to hit. :D
Link to post
Share on other sites
siebkens

D-Link wireless router set as switchchanged default ssidadded admin passwordI tried to set my wireless network to allow a specific MAC address, but was shut out. <sigh>So, I fell back to 64-bit WEP encryption.

Link to post
Share on other sites
Peachy
D-Link wireless router set as switchchanged default ssidadded admin passwordI tried to set my wireless network to allow a specific MAC address, but was shut out.  <sigh>So, I fell back to 64-bit WEP encryption.

Sieb, you need to at least use 128-bit WEP. Why only 64-bit? When you set the MAC filtering, make sure you add the wired computer that you're doing the configuration with and not just the wireless device.
Link to post
Share on other sites

Did you disable DHCP in the D-Link router? If it's linked to another router, you need to connect them LAN port to LAN port. Disable DHCP, set a static IP on the router/switch and it should work. (However, D-Link will not offer tech support when you use a device in a configuration for which it was not designed. But that's OK, you've got us. ;) )When using MAC filtering, always remember to clone the MAC address of the machine you're using first (I speak from embarrassing experience).

Link to post
Share on other sites

Darn you, Peachy! ;) I've just spent the last hour and a half following link after link in that George Ou blog you pointed to. There's a wealth of really good information there. I'm printing out several of them to take to work tomorrow.

Link to post
Share on other sites
Grasshopper

My Linksys wifi router has WPA TSK but my laptop with Atheros Super G doesn't. I couldn't find a BIOS update, so I've gotta stick with WEP 128.

Link to post
Share on other sites
Guest LilBambi

Excellent information! Thanks Peachy! :thumbsup:Did you run into any gotchas with the radius server besides additional cost for equipment, etc.? Or did you just use some computer you had laying around?

Link to post
Share on other sites
Peachy

Fran,I just copied a VMWare image of a Windows Server I already had, joined it to my domain, and then installed IAS. Added the computer and user accounts and enabled dial-in access for each. Attached a wireless LAN Group Policy and then added and configured the access point in IAS. Set it up for WPA-Enterprise and I was good to go. The nice thing about VMWare is that it pays for itself in hardware savings.It even authenticates Windows Mobile 2003 clients:14844265_42c798d46a_m.jpg :D

Link to post
Share on other sites
Peachy

For anyone interested in having RADIUS WPA without a full-blown RADIUS server, you may be interested in tinyPEAP Win32, a small RADIUS server that runs as a Windows service. Just set up your Access point to the IP address of the computer running tinypeapd as the RADIUS server. For the brave and not faint of heart who have a Linksys WRT54G router/wireless access point, there is a beta firmware from tinyPEAP that you can upload to the WRT54G to add a RADIUS server to the device. This is a beta firmware and is not suppported by Linksys so you risk voiding your warranty. Do not do this if you are running a production WLAN. Build a real RADIUS server instead.Note: This will not work with v2.2 and v3.0 of the router. It will only work with v2.0 or older.

Link to post
Share on other sites
henderrob

I checked WEP and read the article and then pulled the box to my Wireless-G Base Station from MS and found out that it is WPA and admin password necessary.My son and I bought it to share our cable broadband with my PC wired to Base Station and my son's laptop on wireless broadband access. We haven't networked our computers though.

Link to post
Share on other sites
  • 2 weeks later...
  • 1 month later...
John Scott

Peachy, thanks for the link on LucidLink's free RADIUS (3 user) server. I downloaded it, installed it in 10-15 minutes and it worked the first time. This is something that I have been looking to do for some time. This fits my needs just fine as most of my home network is a wired network. For the wireless part, I have a laptop, a work laptop, and my sister-in-law's laptop when she comes to visit. Thanks for the information. - John - :thumbsup:

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...