Jump to content
///M5

Wireless LAN Security

Recommended Posts

<-- Noob

I haven't ever had a wireless connection before as my old house was completely wired, considering this I am not sure of the proper & logical way to secure my wireless network. Amusingly, I can use my neighbors both here and at my old house but considering the price of routers these days wanted to install my own for flexibilty. So, any recommendations or primers on doing this the right way? I figure I am not the only one here not in the know so I thought I start a thread. Any input would be appreciated!

Share this post


Link to post
Share on other sites

This is what i do-

Determine how many pcs will be on your network always. Me, i always have 4 pcs connected.

Now, go to all of these pcs, go to start, run, type in cmd press enter.

Type in - ipconfig/all then press enter.

write down the MAC address of every pc.

Now, you should be set.

In your router's config page, set the maximum number of pcs to allow on the network at any given time.

Now, go to the MAC filter page and type in every MAC address of these pcs AND any other pc that may ever need to get on the network but not necessarily on all the time(pc you would still trust that is).

What this does is ONLY allow those pcs access to your network physically.

Lastly, set your encryption method to WPA or PKIS with AES encryption. Do some research on which you think is the BEST. Then of course set your encryption key.

With this method, someone will also have to know this 56 digit key(i think it's that long) just to logon, and then they could only get on if at least 1 of the pcs on your network is turned off, but then they would also have to have the same MAC address as another pc which means they would have had to be in your house and found your MAC address of another pc and disable it's internet use right before they sign on.

Sounds like something in a movie, hehe.

Hope that helps.

Share this post


Link to post
Share on other sites

normally when you install the wireless router it asks you if you want to set it up as a secure network or a public one...then all you do is just type in a computer name and password...whoever wants to use your internet must have the name ans password. I set up my wireless in 10 minutes

Share this post


Link to post
Share on other sites

but password cracking is so easy now. You can use a PS3 to crack passwords in minutes.

Share this post


Link to post
Share on other sites

Sean, shoot me an email and I can give you all sorts of info on securing wireless. It is my profession after all.. :)

Best,

Mark

Share this post


Link to post
Share on other sites

I'm not network admin savvy but i have heard of some sort of wifi sniffer that can slowly but successfully steal a WEP key, so who knows what other tools are out there for hackers.

Share this post


Link to post
Share on other sites

I hear ya Shizzzon. Precisely why I went the MAC address route...

It's my understanding that the MAC address is unique to each NIC and as such, when you filter on MAC, it's pretty much the end of the security story.

I reckon that begs the question... can MAC addys be spoofed?

Edited by Dave Brooks

Share this post


Link to post
Share on other sites

well, i have heard of this happening but do not know how it's possible but I read a while back that a big con of filtering MAC address is when a hacker got in, he would clone one of the filtered mac addresses to his NIC, gain full access somehow, then remove all other MAC addresses so only he can be on your network.

Do not ask me where or how this is possible, i just know it's "supposedly" possible, but with hacking, anything's possible.

Share this post


Link to post
Share on other sites
well, i have heard of this happening but do not know how it's possible but I read a while back that a big con of filtering MAC address is when a hacker got in, he would clone one of the filtered mac addresses to his NIC, gain full access somehow, then remove all other MAC addresses so only he can be on your network.

Do not ask me where or how this is possible, i just know it's "supposedly" possible, but with hacking, anything's possible.

I'm thinking that's some stout hackin' skillz. Anybody that has that kinda mad skill is welcome to hack my stuff all day long! LOL

Share this post


Link to post
Share on other sites

Spoofing MAC addresses is easier than cracking WEP keys btw.

The most secure thing to do is to use WPA and kill the SSID from being broadcasted. It's still going to show up if someone has a sniffer, but if there are other wireless networks to choose from, yours will be the low priority.

WPA is extremely difficult to crack. Almost impossible for most hackers, and they certainly aren't going to be able to crack it in the time spent in a car outside of your house. It's really not worth their time.

Share this post


Link to post
Share on other sites

I use Shizzon's methond and it helps a lot. Also add in Johnecon's approach to not broadcasting the SSID help s alot. Ultimately if someone really want's to get in... they will find a way to get in, but overall it's pretty secure so long as you limit the router and use the right sort of encryption for the wep key. There are other ways to make it more secure, but they are expensive and require code hopping technology.

Share this post


Link to post
Share on other sites

WPA are very strong....WEP is extremely flimsy. Programs like Aircrack-NG get through that in minutes.

Share this post


Link to post
Share on other sites

Hi Guys,

Shizzon covered a fair bit already and for the most part, sums up what the majority of folks can do to lock things down. There are a couple of more things that can be added (and will once I get into work and look through my notes). Bottom line is to apply best practices when and where you can without going overboard and sacrificing functionality. One thing I always say - there's security and then there's paranoia. :)

Neil hit it with WEP tho. Its old technology and weak from the get-go and it shouldn't be used.

I'll throw up some info tomorrow if I have time to do so.

Best,

Mark

Share this post


Link to post
Share on other sites

Rock on. I really appreciate all your input guys. I hope others find it useful as well :fing34:

Share this post


Link to post
Share on other sites

If i knew how to get ahold of one of my friends, he works for Geek Squad's Main HQ's and is a manager there. He got the job for how smart he is basically.

He has told me some hacking stories he has done to people who have "attempted" to mess with him in the past. He's good company, just someone i know who keeps up with today's technology.

I wish i had studied hacking in the past so i knew more about security before starting my own network.

If you need to check who is connected or who you are connected to-

go to command prompt, type - netstat press enter.

If you need to see who a certain ip address is, go here - www.whois.sc

if you need to see how to get to a certain ip address, like from router to router, go to command prompt, type in - tracert(press space bar)then enter their ip address and press enter.

IF you need to hack someone, don't ask

IF you run a wireless network and people who live around you are very tech savvy and you could be suspicious of their intelligence, do not share files\folders on any pc if you feel they are smart enough to get through your router.

Get a program that can not only monitor(such as a firewall) but log all inbound and outbound ip addresses that come in contact with the router. PeerGuardian is one of these programs that keeps track of what is pinging you and who you are pinging. If something happened, you can read logs saved and find who was on your pc down to the exact minute.

All this stuff i named isn't things you need to do every now and then, just things to know if you ever needed to know.

Share this post


Link to post
Share on other sites

Ok, here are recommendations for securing your wireless router. This is based on industry best practices and other advanced organizations like SANS and CERT. Please note that applying all recommendations may or may not affect overall functionality, so weigh the risk accordingly before moving ahead with it.

1.) Obtain latest firmware upgrade for your router and upgrade the device. Nine times out of ten there is a new firmware revision for your unit. If your router does not support flash upgrades, throw it out and purchase one that does.

2.) Change the administrator password on the web console. You have no idea how many people do NOT do this. Chose a password of at least eight alpha-numeric characters. Include special characters as well.

3.) Change the SSID or 'workgroup' name of the router. All routers have a default name and if left unchanged, will be easy to identify. Do not change it to your address or something easy to identity - make the name unique so only you know it.

4.) Turn off SSID broadcasting. All routers love to broadcast themselves. No one needs to know your router is there but you.

5.) Enable encryption. Do NOT use WEP. If your router only supports WEP, throw it out and buy one that supports WPA, WPA2 or AES.

6.) Turn off DHCP and hard code your IP addresses into the systems that will be using the router. Do NOT use the default address space that the router comes configured with. This is usually 192.168.0.x or 192.168.1.x. You can use any of three non-routable IP address spaces - 10.x.x.x; 172.x.x.x or 192.168.x.x. I usually use 192.168.125.x or something higher in the subnet range.

7.) Enable MAC (media access control) address restrictions. In Windows, open a command prompt (cmd) and type in IPCONFIG /all. Record the 12 character number of the network card and input it into your router. Do this for all systems that will be connecting to the router.

8.) Many wireless routers function much like a firewall. By default, true firewalls operate on a "deny all with exceptions" rule set. If you know what it is you will be using your computers for, apply the 'deny all outbound' rule and set up exceptions for your connecting systems. A good example of this would be allowing only HTTP, FTP, SSH and perhaps a custom game. By doing this you are minimizing the threat of unsolicited outbound communication that may result in "data leakage" (if you pick up a Trojan that wishes to communicate with an outside host for example). This can be a daunting task, and may result in many adjustments, but in the long run it can be worth the hassle.

9.) If you have one or more systems hosting an Internet service (maybe a game server or web server), set up a "DMZ" within your router and place that system in the DMZ. The router will create a logical 'deny all' zone between your server and your other computers so in the event where your server becomes compromised, the attacker would not be able to access your other computers. He/she is limited to only that system in the DMZ.

10.) Make sure you set the time in the router and synchronize it with a time server on the Internet. There are many public time servers you can connect to - just do a Google search. Why am I recommending this? Because you will then enable logging on your router, and set it up to log hacking attempts and other potentially malicious (or unsanctioned) communication. Then, periodically review these logs to see what, if anything is occurring. If you detect something strange on your network, having these logs is a good tool to figure out what is going on.

11.) If your router has the capability of being remotely administered (eg from the Internet), turn that function OFF! There is really no reason why you would require to administer your router from outside your home.

Well, that's about it. Hope this helps people.

Best,

Mark

Share this post


Link to post
Share on other sites

Well, pretty much everything has been covered ... except we still don't know what router you actually have ...

Share this post


Link to post
Share on other sites

Piece of crap trendnet that I paid less than $15 bucks. Using it as an access point only as I have a VPN router from work in the house. If there is a better way, I'd be happy to hear about that as well. I don't have the exact model as I am 1100mi from home but can add if it would help.

Share this post


Link to post
Share on other sites

Well only thing that sucks which has happened to me 3 times in the past hour.

If power goes out the router will reset and u gotta enter all u info back into the router again.

u would think it would have some kinda battery in there to store info until u press the reset button, well, my linkysys, doesn't

boo to that

edit:

Whats the point of bridging ur modem and router together?

It still works the same, so what is the point of doing so?

Share this post


Link to post
Share on other sites
Well only thing that sucks which has happened to me 3 times in the past hour.

If power goes out the router will reset and u gotta enter all u info back into the router again.

u would think it would have some kinda battery in there to store info until u press the reset button, well, my linkysys, doesn't

boo to that

edit:

Whats the point of bridging ur modem and router together?

It still works the same, so what is the point of doing so?

It shouldn't reset anything other than perhaps the IP address, DNS, etc. provided by your ISP. If it does, there's obviously something wrong there, but you can save your settings as a file on your computer and then just upload the file to the router if/when it happens again.

Share this post


Link to post
Share on other sites

its not that bad, it keeps the ip info, but i have to set up a new wireless connection each time, including wpa key...

whats interesting if i unplug it and plug it back up it saves everythig, however, when the power went out, it reset the settings.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×