Answers - 2

By TG Publishing Team, published on June 30, 2006
Source: Tom's Guide US

• How do I keep wireless clients from using my wireless router?

It depends on what you mean by "using". Most routers can prevent groups of users from accessing Internet-based programs and services. This feature goes by different names, including Port Filtering, Access Control, Outbound Firewall Access rules, and others. But they all allow you to block Internet access to things like Web browsing, file transfers, mail, newsgroups, etc. by blocking the port used by the application for particular IP addresses that you program. The Port Filtering feature, however, does not prevent users from connecting to each other through the router's switch for File and Print sharing services. All it does is block access to the Internet-based services that you specify.

Many Wireless Access Points, which are technically bridges and not routers, have a feature called MAC Address Filtering or Association Control. The basic form of this feature allows you to enter a list of MAC addresses for clients that will be blocked from accessing the wired LAN that the AP is connected to. Sometimes you get two lists, one for blocked users and one for allowed users. Note that this feature controls LAN access, leaving decisions about Internet access up to whatever is providing your LAN's connection to the Internet, i.e. your router.

So what happens on a Wireless Router, which is conceptually the combination of a router and wireless Access Point? Well, it all depends on how the router's designed. As we described above, the router's Port Filtering feature is primarily focused on Internet access control and probably doesn't prevent wireless clients from accessing your wired LAN.

So what's a wireless router buyer to do? The best advice we have is to look for a feature in the wireless section of the router's administration screens that lets you enter MAC addresses of wanted or unwanted clients. Chances are, you'll have found the ability to control wireless client AP association. If your wireless router only provides IP address-based Port Filters or Access controls located in the router's firewall or other non-wireless admin sections, your product probably does not have wireless Association controls, and will let wireless clients access wired LAN clients unless you enable WEP encryption to block wireless client access.

Note that MAC Address filtering doesn't guarantee that blocked clients won't connect. Knowledgeable users can watch wireless traffic, grab the MAC address of an authorized user and change the MAC address on their own wireless card to match it. This is known as MAC address "spoofing".
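
Because a MAC filter alone cannot tell the authorized card from a copy, a monitoring check is the practical complement. The following is an added example, not part of the original article, and it goes beyond the text: it flags a MAC address whose 802.11 sequence numbers jump implausibly, which is what two radios sharing one address look like to a sensor. The frame records, MAC addresses and both thresholds are constructed assumptions, and it assumes one sequence counter per station.

```python
from collections import defaultdict

SEQ_MODULO = 4096      # 802.11 sequence numbers are 12 bits wide
MAX_FORWARD_GAP = 64   # assumed tolerance for frames the sensor missed
MIN_ANOMALIES = 3      # assumed: require repeated jumps before flagging


def sequence_anomalies(frames):
    """Count implausible sequence-number jumps per source MAC.

    frames: iterable of (timestamp, source_mac, sequence_number).
    A single radio increments its counter by one per frame (modulo 4096),
    so a gap of 0 is a retransmission and a small gap is frame loss.
    """
    last_seq = {}
    anomalies = defaultdict(int)
    for _ts, mac, seq in sorted(frames):
        mac = mac.lower()
        if mac in last_seq:
            gap = (seq - last_seq[mac]) % SEQ_MODULO
            if gap > MAX_FORWARD_GAP:
                anomalies[mac] += 1
        last_seq[mac] = seq
    return dict(anomalies)


def suspected_clones(frames):
    """MAC addresses with enough jumps to suggest two transmitters."""
    counts = sequence_anomalies(frames)
    return sorted(mac for mac, n in counts.items() if n >= MIN_ANOMALIES)


def constructed_capture():
    """Constructed sample data: one shared MAC and one ordinary client."""
    frames = []
    for i in range(6):
        # Authorized laptop, counter running from 100.
        frames.append((i + 0.0, "00:11:22:33:44:55", 100 + i))
        # Second radio using the same MAC, its own counter from 3000.
        frames.append((i + 0.5, "00:11:22:33:44:55", 3000 + i))
    # Ordinary client whose counter wraps from 4095 to 0 (must not be flagged).
    for i, seq in enumerate([4094, 4095, 0, 1, 2]):
        frames.append((i + 0.2, "00:aa:bb:cc:dd:ee", seq))
    return frames


if __name__ == "__main__":
    print(suspected_clones(constructed_capture()))
```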

• Does WEP impact the ability to hold a wireless connection?

It shouldn't. It may, however, slow down the connection, sometimes by as much as 40 to 50%. This effect has been virtually eliminated in most, but not all, current wireless product designs.

• If I disable SSID (or ESSID) Broadcast on my Access Point or wireless router, is it true that only users who I've given my SSID to will be able to connect?

No. Disabling an AP's SSID Broadcast function just prevents it from transmitting the SSID. The AP will still respond to any client that wants to associate with it and that sends a matching SSID.

For example, WinXP's built-in "Zero Config" wireless utility automatically stores every SSID that it receives. If your AP is using the same SSID as one that the client previously stored, the client will be able to connect to your AP, even if you have SSID Broadcast disabled.

Since the SSID is always sent "in the clear", i.e. unencrypted, it's also possible for anyone using freely available "sniffing" tools to monitor traffic near an AP and grab the SSID from clients that already know it.

In spite of all this, it's still good security practice to disable SSID broadcast, change the default SSID for your wireless LAN and use the same techniques used for choosing a strong password to keep your WLAN secure from casual snoopers.
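
To see why a hidden SSID is not a secret, the added example below (not part of the original article) parses the SSID element out of 802.11 management frames and reports which frame kinds disclose the name. The frames are constructed inline with zeroed addresses, and the SSID `example-home-lan` and all function names are assumptions made for illustration.

```python
HDR_LEN = 24  # 802.11 management header, frame control through sequence control
# Fixed (non-tagged) bytes that precede the tagged elements, by frame subtype.
FIXED_LEN = {0x0: 4, 0x4: 0, 0x5: 12, 0x8: 12}
NAMES = {0x0: "assoc-req", 0x4: "probe-req", 0x5: "probe-resp", 0x8: "beacon"}


def ssid_from_frame(frame):
    """Return (frame kind, SSID) for a management frame. SSID is None when
    the element is empty or null-padded, i.e. the frame discloses nothing."""
    frame_type, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if frame_type != 0 or subtype not in FIXED_LEN:
        return None                      # not a frame kind modelled here
    pos = HDR_LEN + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elem_len]
        if len(body) < elem_len:
            break                        # truncated element, stop parsing
        if elem_id == 0:                 # element 0 carries the SSID
            hidden = elem_len == 0 or not any(body)
            return NAMES[subtype], None if hidden else body.decode("utf-8", "replace")
        pos += 2 + elem_len
    return NAMES[subtype], None


def build_frame(subtype, ssid):
    """Constructed sample frame: zeroed header, SSID element, rates element."""
    header = bytes([subtype << 4, 0]) + bytes(HDR_LEN - 2)
    ssid_elem = bytes([0, len(ssid)]) + ssid
    rates_elem = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + bytes(FIXED_LEN[subtype]) + ssid_elem + rates_elem


def constructed_capture():
    name = b"example-home-lan"               # constructed SSID
    return [
        build_frame(0x8, bytes(len(name))),  # beacon, SSID broadcast disabled
        build_frame(0x8, b""),               # beacon, zero-length variant
        build_frame(0x4, name),              # client probing for the network
        build_frame(0x5, name),              # AP's reply to the matching probe
        build_frame(0x0, name),              # client's association request
    ]


def disclosure_report(frames):
    return [ssid_from_frame(f) for f in frames]


if __name__ == "__main__":
    for kind, ssid in disclosure_report(constructed_capture()):
        print(f"{kind:10} {ssid!r}")
```

Only the beacons come back empty; every frame exchanged with a client that already knows the network carries the name unencrypted.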

• How do I let someone access my wireless network, but only when I want them to?

Once someone is given (or finds) your wireless LAN's ESSID, and if you are not running WEP encryption, that person can use your WLAN whenever they want. You can block them, however, by enabling WEP, using a non-obvious WEP key, and not giving out the WEP key information. You can also use your AP or wireless router's MAC Address filtering controls and allow access only to desired clients.

Unfortunately, these capabilities have no time-of-day controls in presently available equipment. So you'll have to manually enable and disable them when you want to control access.

However, a very low-tech solution is to shut off your router and Access Point when you're not around, or simply put it on a timer (yup, just like the ones you buy to turn lamps on and off).

• What are WPA and WPA2?

WPA stands for Wi-Fi Protected Access and is a subset of the IEEE 802.11i draft standard intended to replace WEP (Wired Equivalent Privacy) as the primary means of securing 802.11-based wireless networks.

WPA consists of methods to strengthen data encryption (Temporal Key Integrity Protocol [TKIP], message integrity check [MIC], extended initialization vector [IV] with sequencing rules, and a re-keying mechanism) and to provide user authentication. There are actually two authentication mechanisms, one for "enterprise" users using 802.1x and Extensible Authentication Protocol (EAP), and another for home users using a Pre-Shared Key (PSK) method.

WPA2 is the implementation of the full 802.11i standard and adds stronger AES (Advanced Encryption Standard) encryption and a few other improvements to WPA. Both WPA and WPA2 are much more secure than WEP.

To use WPA or WPA2, you may need a firmware update for your older Access Point or wireless router, and a new driver (and maybe firmware) for each wireless adapter on your network. Note that manufacturers may not offer WPA upgrades for all their existing products, especially older 802.11b-only products. You also won't be able to get upgrades for 802.11a-only products. You may also experience a loss of throughput when WPA is enabled on some older products.

See the TomsNetworking "Wireless Security for the Rest of Us" article and the Wi-Fi Alliance's WPA website for more information.
