Best wireless router - Wireless Networking
 




 Thread : Best wireless router
 

Archived from groups: alt.internet.wireless (More info?)

 

Perhaps it's paranoia, but I'm concerned about the security offered by my
802.11b Network Everywhere wireless router and would like to upgrade to
something more secure.

Although nothing is foolproof, is there a router that would offer a very
high level of security and not allow other wireless devices onto my network?

In my current setup, I have the following.

1. SSID is set to not broadcast.
2. WEP password enabled.
3. Restrict the number of DHCP ip addresses to 5 (one for each device on
the network).
4. MAC filtering never worked with this router otherwise that would be
enabled as well.

Thank you

Anna


Archived from groups: alt.internet.wireless (More info?)

 

with so many open or free access portals
the only thief most have to worry about is the kid next door having all the
time he needs cracking wep or WPA, and then pounding away on the ap for
login/pass eventually joining your LAN group just so he can snoop your
online bank account info, Right ?
What other harm can any overly determined access hacker possibly do ? I'd
run no ap security at all if it weren't for a couple of neighborhood kids
jumping onboard slowing me down. City here is trialing now free access in
our downtown area and provided everybody's happy plans on covering the whole
city. Imagine that.. anybody can use it, no security !

New wpa2 is going to outdate anything you buy unless you find one currently
doing AES

"Anna" <no@spam.com> wrote in message
news:gzqcd.739329$M95.717177@pd7tw1no...
> Perhaps it's paranoia, but I'm concerned about the security offered by my
> 802.11b Network Everywhere wireless router and would like to upgrade to
> something more secure.
>
> Although nothing is foolproof, is there a router that would offer a very
> high level of security and not allow other wireless devices onto my
> network?
>
> In my current setup, I have the following.
>
> 1. SSID is set to not broadcast.
> 2. WEP password enabled.
> 3. Restrict the number of DHCP ip addresses to 5 (one for each device on
> the network).
> 4. MAC filtering never worked with this router otherwise that would be
> enabled as well.
>
> Thank you
>
> Anna
>
>


Archived from groups: alt.internet.wireless (More info?)

 

You're already ahead of the game. What you've provided to us is a good
level of security for your network. I'll just add the following:
1. Not broadcasting the SSID is simply a minor hurdle. There's no
real advantage to it, but every hurdle counts.
2. If your wireless router has WPA encryption available, enable it.
It is more secure than basic WEP. If you only have WEP, change the
WEP keys once a week or so.
3. I prefer not to use DHCP. Using DHCP allows war drivers to see
your IP address. Therefore, I manually configure my NICs and notebook
cards. Also, don't use the router's default settings. For instance,
if you have a D-Link wireless router, the SSID might appear as DLINK.
Change the default IP address from 192.168.0.1 or whatever it is to
something totally different. For instance, 10.78.1.100. Beware that
some routers will only allow you to change the last six digits of an IP
address.
4. MAC filtering is a good security measure, however, MAC addresses
can be spoofed. Still, every hurdle counts.
5. Change the default password of your router.
6. Use TCP/IP for internet use only. Use NETBEUI for file and print
sharing.

Take care.

On Sun, 17 Oct 2004 09:03:08 GMT, "Anna" <no@spam.com> wrote:

>Perhaps it's paranoia, but I'm concerned about the security offered by my
>802.11b Network Everywhere wireless router and would like to upgrade to
>something more secure.
>
>Although nothing is foolproof, is there a router that would offer a very
>high level of security and not allow other wireless devices onto my
>network?
>
>In my current setup, I have the following.
>
>1. SSID is set to not broadcast.
>2. WEP password enabled.
>3. Restrict the number of DHCP ip addresses to 5 (one for each device on
>the network).
>4. MAC filtering never worked with this router otherwise that would be
>enabled as well.
>
>Thank you
>
>Anna


Archived from groups: alt.internet.wireless (More info?)

 

On Sun, 17 Oct 2004 14:53:30 GMT, Doug Jamal
<bishiv6ERASETHISPORTION@yahoo.com> wrote:

Sounds good, but I have some additions:

>You're already ahead of the game. What you've provided to us is good
>level of security for your network. I'll just add the following:
>1. Not broadcasting the SSID is simply a minor hurdle. There's no
>real advantage to it, but every hurdle counts.
>2. If your wireless router has WPA encryption available, enable it.
>It is more secure than basic WEP. If you only have WEP, change the
>WEP keys once a week or so.

2a. If your wireless router only supports WEP, make sure that you're
using 128bit WEP and that the WEP key is random rubbish that cannot be
decoded by a brute force keyword reassembler.

2b. Select "Open System" instead of "Shared Key" for authentication.
Shared Key sends the WEP key for authentication and is actually less
secure than no authentication.

>3. I prefer not to use DHCP. Using DHCP allows war drivers to see
>your IP address. Therefore, I manually configure my NICs and notebook
>cards. Also, don't use the router's default settings. For instance,
>if you have a D-Link wireless router, the SSID might appear as DLINK.
>Change the default IP address from 192.168.0.1 or whatever it is to
>something totally different. For instance, 10.78.1.100. Beware that
>some routers will only allow you to change the last six digits of an IP
>address.
>4. MAC filtering is a good security measure, however, MAC addresses
>can be spoofed. Still, every hurdle counts.
>5. Change the default password of your router.
>6. Use TCP/IP for internet use only. Use NETBEUI for file and print
>sharing.

7. If possible, purchase a separate ethernet router and wireless
access point. With the wireless access point separate from the
router, it can be turned off when not in use.

8. If possible, purchase a router that will terminate a VPN
connection. (Note that I said "terminate", not "pass thru" ). Linksys
BEFVP41, Dlink DI-808HV, and DLink DFL-300 are examples. Setup your
clients with VPN IPSec client software and build a VPN tunnel to your
VPN router. This will also be handy at hot spots as some ISPs offer
VPN termination service for secure email.

9. Use a directional antenna. If you're going to only use your
network inside your house, put a small (8dBi) patch antenna on one end
of the house and use it to illuminate the rest of the house. Don't
aim it out the window or your attackers will have a better signal than
you're getting inside.

10. Nail down your local security. Shared folders should be password
protected. Important documents and directories should be encrypted.
If you're running a business by email, look into PGP encrypted email.
Anything that can be used for identity theft should be either secured
or removed from the network. Run virus, worm, spyware, and trojan
horse detectors regularly. Use a personal firewall to detect outgoing
security issues. Be careful with Windoze registry backups as some
wireless cards store their WEP keys in the plain text in the registry.

11. Be careful with physical access. It only takes a few seconds to
create an account on your machine. It takes a bit longer for me to
tap your ethernet cable if it's accessible. I broke into one
company's system by sitting in the lobby with my laptop, and just
plugging into a convenient RJ45 ethernet connection. I don't need
wireless to be insecure.

12. Practice sane password selection and management. Using the same
password for everything is a guaranteed disaster. I broke into one
system by tricking the owner into creating an account on my "secure"
server. Of course, he used the same password as he used everywhere
else. I made a good guess that he also used it as his WEP key and
router password. Yep. Anyway, don't use the same password for
everything. Change the important passwords (banking, WEP, email)
regularly...(which nobody actually does) or invest in an S-Key type
password system.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558


Archived from groups: alt.internet.wireless (More info?)

 

On Sun, 17 Oct 2004 14:53:30 GMT, in alt.internet.wireless , Doug Jamal
<bishiv6ERASETHISPORTION@yahoo.com> wrote:
>3. I prefer not to use DHCP. Using DHCP allows war drivers to see
>your IP address. Therefore, I manually configure my NICs and notebook
>cards.

Eh? If you're using TCP/IP, then your IP is visible to wardrivers. Using or
not using DHCP isn't going to change that.

>Also, don't use the router's default settings. For instance,
>if you have a D-Link wireless router, the SSID might appear as DLINK.
>Change the default IP address from 192.168.0.1 or whatever it is to
>something totally different. For instance, 10.78.1.100. Beware that
>some routers will only allow you to change the last six digits of an IP
>address.

Agree with all this, tho.

--
Mark McIntyre
CLC FAQ <http://www.eskimo.com/~scs/C-faq/top.html>
CLC readme: <http://www.ungerhu.com/jxh/clc.welcome.txt>



Archived from groups: alt.internet.wireless (More info?)

 

Jeff L:
>7. If possible, purchase a separate ethernet router and wireless
>access point. With the wireless access point separate from the
>router, it can be turned off when not in use.

Some combined router / wifi units can turn off the wifi through the webpage
interface.
Draytek for one.
Regards,
Martin


Archived from groups: alt.internet.wireless (More info?)

 

I stand corrected. Thanks.


On Mon, 18 Oct 2004 00:08:23 +0100, Mark McIntyre
<markmcintyre@spamcop.net> wrote:

>On Sun, 17 Oct 2004 14:53:30 GMT, in alt.internet.wireless , Doug Jamal
><bishiv6ERASETHISPORTION@yahoo.com> wrote:
>>3. I prefer not to use DHCP. Using DHCP allows war drivers to see
>>your IP address. Therefore, I manually configure my NICs and notebook
>>cards.
>
>Eh? If you're using TCP/IP, then your IP is visible to wardrivers. Using or
>not using DHCP isn't going to change that.


Archived from groups: alt.internet.wireless (More info?)

 

"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
news:es85n0hnu77a0a6r5k0i75i59brpbcf4t2@4ax.com...
> On Sun, 17 Oct 2004 14:53:30 GMT, Doug Jamal
> <bishiv6ERASETHISPORTION@yahoo.com> wrote:
<snip>
> 2b. Select "Open System" instead of "Shared Key" for authentication.
> Shared Key sends the WEP key for authentication and is actually less
> secure than no authentication.
<snip>

Hmmmm... this is news to me, Jeff. I'm no wireless expert by any stretch of
the imagination, but Linksys' own built-in WRT54G router help for WEP says:

"Shared Key authentication is more secure [than Open], but all devices on
your network must also support Shared Key authentication."

I have shared key enabled on my wireless AP and on each client as Linksys
recommends, but I'm no expert and would like to know more. Can you go into
slightly more detail as to why Shared is not as secure as Open?


Archived from groups: alt.internet.wireless (More info?)

 

On Sun, 17 Oct 2004 23:33:24 -0400, "Hackworth"
<NoSpam4Me@spamless.net> wrote:

>
>"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
>news:es85n0hnu77a0a6r5k0i75i59brpbcf4t2@4ax.com...
>> On Sun, 17 Oct 2004 14:53:30 GMT, Doug Jamal
>> <bishiv6ERASETHISPORTION@yahoo.com> wrote:
><snip>
>> 2b. Select "Open System" instead of "Shared Key" for authentication.
>> Shared Key sends the WEP key for authentication and is actually less
>> secure than no authentication.
><snip>

>Hmmmm... this is news to me, Jeff. I'm no wireless expert by any stretch of
>the imagination, but Linksys' own built-in WRT54G router help for WEP says:
>"Shared Key authentication is more secure [than Open], but all devices on
>your network must also support Shared Key authentication."
>I have shared key enabled on my wireless AP and on each client as Linksys
>recommends, but I'm no expert and would like to know more. Can you go into
>slightly more detail as to why Shared is not as secure as Open?

That was probably written by Linksys before the "shared key"
authentication exploit was discovered. If it worked as originally
designed, that would be correct. As usual, the problem is the key
exchange mechanism.

The topic was covered this week in alt.internet.wireless:
http://www.google.com/groups?selm= [...] com&output
http://www.google.com/groups?selm= [...] -berlin.de

Some notes on the topic.
http://user.it.uu.se/~carle/Notes/ [...] urity.html
Note the absurdity of Orinoco using the SSID as the shared key, or of
most vendors using the WEP key as the shared key.
http://openthought.org/blosxom.cgi [...] s/Security
see Feb 10, 2004 article.

Some heavy reading on 802.11 security:
http://www.drizzle.com/~aboba/IEEE/


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558


Archived from groups: alt.internet.wireless (More info?)

 

On Mon, 18 Oct 2004 02:25:48 GMT, Doug Jamal
<bishiv6ERASETHISPORTION@yahoo.com> wrote:

>>Eh? If you're using TCP/IP, then your IP is visible to wardrivers.
>>Using or
>>not using DHCP isn't going to change that.

>I stand corrected. Thanks.

Eh? Methinks you were right the first time.
Let's play encapsulation:
1. Wireless uses bridging, not routeing. Bridges don't know anything
about IP addresses and TCP/IP functions.
2. 802.11 encapsulates 802.3 ethernet packets.
3. Encryption encapsulated the 802.3 headers and payload.
4. The only thing visible (i.e. not encrypted) are MAC addresses. All
the TCP/IP addresses are in the 802.3 ethernet headers (which are
encrypted).
5. NetStumbler shows MAC addresses, not IP addresses. If it could see
IP addresses, it would probably have shown them.

That being said, methinks obscuring the IP address is a waste of time.
Many routers support RARP (reverse address resolution protocol) which
allows one to query a device by MAC address and return the
corresponding IP address. I have a few other tricky ways to extract
the IP address block from some packets. For example, if someone left
RIP2 (router information protocol) broadcast enabled (the default on
many routers), it would broadcast the router table, complete with IP
addresses and routes to connected networks, in the clear.

I don't think that obscuring the IP addresses is much of a security
measure. However, it does slow down the casual hacker. I use
non-default Class C IP blocks for a very different reason. If you're
building a VPN tunnel between two routers, you cannot use the same
Class C IP block on both ends. (Actually it does work with a few
routers, but it's not kosher). So, every one of my customers ends up
with a different Class C IP block, or I can't play VPN tunnel to them.

Also, please stay within RFC-1918 guidelines for private LAN IP
addressing.
192.168.0.1 -> 192.168.255.254
10.0.0.1 -> 10.255.255.254
172.16.0.1 -> 172.31.255.254


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
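
The split between cleartext header and encrypted body described in the encapsulation list above, as an added Python example (not part of the original posts): it parses a constructed 802.11 data frame and reports which fields can be read without the key, once with WEP on and once with encryption off. The MAC addresses, IP addresses and frame bytes are constructed, the "ciphertext" is a placeholder, and the 4-byte IV/key-ID prefix is WEP's layout.

```python
import ipaddress
import struct

LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header, EtherType IPv4

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def visible_fields(frame):
    """Return what is readable in one 802.11 data frame without any key."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 data header")
    (fc,) = struct.unpack_from("<H", frame, 0)          # frame control
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled here")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds:                                           # station -> AP
        bssid, src, dst = a1, a2, a3
    elif from_ds:                                       # AP -> station
        dst, bssid, src = a1, a2, a3
    else:                                               # ad hoc
        dst, src, bssid = a1, a2, a3
    qos = 2 if (fc >> 4) & 0x8 else 0                   # QoS subtypes add 2 bytes
    body = frame[24 + qos:]
    seen = {"bssid": _mac(bssid), "src_mac": _mac(src), "dst_mac": _mac(dst),
            "encrypted": bool(fc & 0x4000),             # Protected Frame bit
            "wep_iv": None, "ip_src": None, "ip_dst": None}
    if seen["encrypted"]:
        if len(body) >= 4:
            seen["wep_iv"] = body[:3].hex()             # the IV travels in the clear
    elif body[:8] == LLC_SNAP_IPV4 and len(body) >= 28:
        ip_header = body[8:28]
        seen["ip_src"] = str(ipaddress.IPv4Address(ip_header[12:16]))
        seen["ip_dst"] = str(ipaddress.IPv4Address(ip_header[16:20]))
    return seen

# --- constructed sample frames (not captured traffic) ---
BSSID = bytes.fromhex("020000000001")
STATION = bytes.fromhex("020000000002")
GATEWAY = bytes.fromhex("020000000003")

def _build(protected, body):
    fc = 0x0008 | 0x0100 | (0x4000 if protected else 0)  # data frame, ToDS
    header = struct.pack("<HH", fc, 0) + BSSID + STATION + GATEWAY
    return header + struct.pack("<H", 0) + body

_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                  ipaddress.IPv4Address("192.168.0.101").packed,
                  ipaddress.IPv4Address("192.168.0.1").packed)
OPEN_FRAME = _build(False, LLC_SNAP_IPV4 + _IP)
# IV a1b2c3, key ID 0, then 32 placeholder bytes standing in for ciphertext
WEP_FRAME = _build(True, bytes.fromhex("a1b2c300") + bytes(range(32)))

if __name__ == "__main__":
    for label, frame in (("open", OPEN_FRAME), ("wep", WEP_FRAME)):
        print(label, visible_fields(frame))
```
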


Archived from groups: alt.internet.wireless (More info?)

 

Thanks everyone! There's some good tips in here I will look at.

"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
news:79h6n0d847t6eu66louhcafp7q5mmageou@4ax.com...
> On Mon, 18 Oct 2004 02:25:48 GMT, Doug Jamal
> <bishiv6ERASETHISPORTION@yahoo.com> wrote:
>
>>>Eh? If you're using TCP/IP, then your IP is visible to wardrivers.
>>>Using or
>>>not using DHCP isn't going to change that.
>
>>I stand corrected. Thanks.
>
> Eh? Methinks you were right the first time.
> Let's play encapsulation:
> 1. Wireless uses bridging, not routeing. Bridges don't know anything
> about IP addresses and TCP/IP functions.
> 2. 802.11 encapsulates 802.3 ethernet packets.
> 3. Encryption encapsulated the 802.3 headers and payload.
> 4. The only thing visible (i.e. not encrypted) are MAC addresses. All
> the TCP/IP addresses are in the 802.3 ethernet headers (which are
> encrypted).
> 5. NetStumbler shows MAC addresses, not IP addresses. If it could see
> IP addresses, it would probably have shown them.
>
> That being said, methinks obscuring the IP address is a waste of time.
> Many routers support RARP (reverse address resolution protocol) which
> allows one to query a device by MAC address and return the
> corresponding IP address. I have a few other tricky ways to extract
> the IP address block from some packets. For example, if someone left
> RIP2 (router information protocol) broadcast enabled (the default on
> many routers), it would broadcast the router table, complete with IP
> addresses and routes to connected networks, in the clear.
>
> I don't think that obscuring the IP addresses is much of a security
> measure. However, it does slow down the casual hacker. I use
> non-default Class C IP blocks for a very different reason. If you're
> building a VPN tunnel between two routers, you cannot use the same
> Class C IP block on both ends. (Actually it does work with a few
> routers, but it's not kosher). So, every one of my customers ends up
> with a different Class C IP block, or I can't play VPN tunnel to them.
>
> Also, please stay within RFC-1918 guidelines for private LAN IP
> addressing.
> 192.168.0.1 -> 192.168.255.254
> 10.0.0.1 -> 10.255.255.254
> 172.16.0.1 -> 172.31.255.254
>
>
> --
> Jeff Liebermann jeffl@comix.santa-cruz.ca.us
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 AE6KS 831-336-2558
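
For the RFC 1918 ranges and the one-block-per-site VPN constraint quoted above, an added Python example (not from any poster in this thread) that audits a list of site LAN blocks before tunnels are built between them. The site names and blocks are constructed, and treating 192.168.1.0/24 as a factory default alongside the 192.168.0.x block mentioned in the thread is an assumption.

```python
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 192.168.0.0/24 is the default named in the thread; 192.168.1.0/24 is an
# assumed second common default.
FACTORY_DEFAULTS = [ipaddress.IPv4Network(n)
                    for n in ("192.168.0.0/24", "192.168.1.0/24")]

def audit_plan(sites):
    """sites: {name: 'a.b.c.d/len'} -> list of (subject, finding) tuples."""
    findings, nets = [], {}
    for name, cidr in sites.items():
        try:
            # strict=True rejects a host address written as a network
            net = ipaddress.IPv4Network(cidr, strict=True)
        except ValueError as exc:
            findings.append((name, f"invalid block: {exc}"))
            continue
        nets[name] = net
        if not any(net.subnet_of(private) for private in RFC1918):
            findings.append((name, "outside RFC 1918 private space"))
        if any(net.overlaps(default) for default in FACTORY_DEFAULTS):
            findings.append((name, "overlaps a factory-default LAN block"))
    # Two tunnel endpoints with overlapping blocks cannot route to each other.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            findings.append((f"{a}+{b}", "blocks overlap across the tunnel"))
    return findings

# Constructed plan: one clean site, one left on a default, one that swallows
# another site's block, and one just past the end of 172.16.0.0/12.
SAMPLE_PLAN = {
    "office": "10.78.1.0/24",
    "home": "192.168.0.0/24",
    "branch": "10.78.0.0/16",
    "lab": "172.32.5.0/24",
}

if __name__ == "__main__":
    for subject, finding in audit_plan(SAMPLE_PLAN):
        print(f"{subject}: {finding}")
```
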


Archived from groups: alt.internet.wireless (More info?)

 

On Sun, 17 Oct 2004 14:53:30 GMT, Doug Jamal
<bishiv6ERASETHISPORTION@yahoo.com> wrote:

>3. I prefer not to use DHCP. Using DHCP allows war drivers to see
>your IP address. Therefore, I manually configure my NICs and notebook
>cards.

Notwithstanding the whole debate already posted which follows this
post, I run my system in a similar way to the OP. She has reduced her
DHCP pool to match the number of devices she attaches. To me that's
good thinking, but then I would say that because I've done it myself.
In my case that's four IP addresses. But I've gone one stage further
as each of those four is reserved for allocation to a particular MAC
address. Therefore if someone does manage to crack the encryption the
router still will not issue an IP address. Surely this particular
"hurdle" would be lost completely by using static IP on each of the
WLAN computers?

Additionally, the software firewall on the server is configured to
accept connection from only those four addresses and reject everything
else so if someone did manage to connect outside of this range they'd
be denied access to anything except the internet.

As an aside, there are only four shares, all of which are accessible
by only two usernames and one of those has read only access to three
of them. Directories that contain sensitive files, such as they are,
are restricted to only my username, encrypted and password protected
by the software to which they belong, not that there's anything on my
system to make it even worth cracking the WEP let alone trying to hack
through ZoneAlarm, then hack the username and password needed to get
access to the shares and then hack the passwords on individual
spreadsheets! Besides, with four other wireless networks "visible"
from my house, three of which have no encryption enabled, I like to
think they'd be targeted first!


Archived from groups: alt.internet.wireless (More info?)

 

Why not just disable DHCP altogether? If you only have a few
workstations to configure, just configure 'em manually.

- Steve

On Fri, 22 Oct 2004 10:28:26 +0100, Simon Pleasants
<plesbit@hotmail.com> wrote:

>On Sun, 17 Oct 2004 14:53:30 GMT, Doug Jamal
><bishiv6ERASETHISPORTION@yahoo.com> wrote:
>
>>3. I prefer not to use DHCP. Using DHCP allows war drivers to see
>>your IP address. Therefore, I manually configure my NICs and notebook
>>cards.
>
>Notwithstanding the whole debate already posted which follows this
>post, I run my system in a similar way to the OP. She has reduced her
>DHCP pool to match the number of devices she attaches. To me that's
>good thinking, but then I would say that because I've done it myself.
>In my case that's four IP addresses. But I've gone one stage further
>as each of those four is reserved for allocation to a particular MAC
>address. Therefore if someone does manage to crack the encryption the
>router still will not issue an IP address. Surely this particular
>"hurdle" would be lost completely by using static IP on each of the
>WLAN computers?
>
>Additionally, the software firewall on the server is configured to
>accept connection from only those four addresses and reject everything
>else so if someone did manage to connect outside of this range they'd
>be denied access to anything except the internet.
>
>As an aside, there are only four shares, all of which are accessible
>by only two usernames and one of those has read only access to three
>of them. Directories that contain sensitive files, such as they are,
>are restricted to only my username, encrypted and password protected
>by the software to which they belong, not that there's anything on my
>system to make it even worth cracking the WEP let alone trying to hack
>through ZoneAlarm, then hack the username and password needed to get
>access to the shares and then hack the passwords on individual
>spreadsheets! Besides, with four other wireless networks "visible"
>from my house, three of which have no encryption enabled, I like to
>think they'd be targeted first!

Dan