Request help to Secure Wireless Network

[ramesees]

I've just finished setting up a wireless LAN at home, as we're getting ADSL in the next couple of weeks and we didn't want wires all over the house.

The router is sitting with a 128bit WEP encryption, has a built in firewall (of course), and each PC in the network has ZoneAlarm on it as well.

Anyone got any other suggestions on how to secure this little network?

[markwolfe Veteran]

* split from Back Page News *

In addition to what you mentioned, I would also recommend setting up MAC filtering on your router. This will disallow any non-listed wireless MAC address from connecting.

[+BudMan MVC]

If possible use WPA vs WEP, and has markjensen already suggest use MAC filtering to limit your router to only talk to your devices. I would also not broadcast your SSID (make sure its NOT default one)... Your pretty secure with that type of setup, anyone would just move on to the next "less secure" access point.

[ramesees]

Well I've changed the SSID from the default, and its not being broadcast anyway

I'll look into MAC filtering later, thanks for the advice guys :)

[Pete Zaria]

Probably a stupid question, but does your router have the latest firmware?

A few random tips and tricks to secure wireless networks:

Put your router as far away from the nearest street as possible. That way, if someone was war driving, they'd pick up a very weak signal. You can also put a few layers of tin foil on a peice of cardboard and put it behind the router to act as a "reflector" to keep the signal from going that direction.

With 128+ bit encryption (can your router/machines handle 256? Or maybe WPA?), SSID broadcast off, and MAC authentication on... you're pretty secure for a home user. Test and see how far away you can get the signal from. Obviously you don't want your neighbors to have great signal strength.

Peace,

Pete Zaria.

Edit: PS:

No wireless network (actually, no network period) is 100% secure.

It's just a matter of how hard people want to try to get in.

Theoretically, even with 256 bit WEP, SSID broadcast off, and MAC authentication, with a Linux laptop and a good wireless card, I could get into that network in a few hours.

AirSnort is a Linux program (they might have a Windows port for it by now... google it) that "catches" packets out of a wireless network. After its collected enough, it can quickly crack the encryption key. Of course by the time it's caught two packets it already has the SSID.

Getting around MAC authentication is easy enough, just get a legitimate MAC out of the packets going through the air and then spoof yours to match.

The point is, this security setup is enough for a home user, because a hacker probably wouldn't want to go through all that trouble just for one home network. But please don't think of it as bullet proof.

Edited March 22, 2005 by Pete Zaria

[+BudMan MVC]

Dude I will agree with you on the part about no network being 100% secure... But the part about you getting into a network with 256 bit Wep, SSID broadcast off and MAC filtering within a "few hours" might be a bit of an exaggeration.. Not saying it can not be done.. But why would you go through all the time and effort for some home network - when the house 2 doors down is wide open with the default SSID being broadcasted up and down the block

Yes it is possible to crack WEP if you have collected enough packets -- Or if you know how to match up the clear text packets dhcp, arp, etc... Along with doing an active attack to gen traffic , etc... But most next generation 802.11 products do not create weak IVs packets any more - so yes it is getting harder... they may be using dynamic WEP, so the key is changing on you... Or better yet use WPA - almost any new hardware will support WPA, etc.. Or if your in a tinhat type of mood - make all of your wireless connections VPN - so now all your encrypted traffic is encrypted again..

The real problem with wireless security - or the LACK of it, is most people never bother doing anything about it -- they turn on the AP from the store, leaving the default ssid and even the default admin password, etc.. ;)

[Pete Zaria]

You're absolutely right that if there was a wide open default SSID two doors down, a hacker would go for that one instead. I'm just saying, don't think you're bullet proof because of 256 wep, mac auth, and no SSID broadcast.

I've cracked 256 bit WEP networks with mac authentication in under 2.5 hours before, but you're right, with a lot of the newer routers (or newer firmwares, anyway) it's getting a lot harder.

One trick I've used for wireless security is to set up an old 233 mhz comp with 2 or 3 wireless cards and have it broadcast 25+ fake networks (they broadcast SSIDs and will give you an IP address, but no network or internet connection). By the time someone's gone through 3 or 4 of these and noticed that none of them work, they move on. It's a bit of a "n00b" trick, but you'd be surprised how well it works aginst script kiddies and war drivers.

Peace,

Pete Zaria.

[Gowcra]

I use MAC filtering, 32bit wep, n i broadcast my ssid, keep my ssid the same AND ive never HAD ANY problems with intruders1

[Pete Zaria]

I use MAC filtering, 32bit wep, n i broadcast my ssid, keep my ssid the same AND ive never HAD ANY problems with intruders1

585654981[/snapback]

That you know of ;) a good hacker could completely own your system and not leave a single trace. But you're probably right.

Most hackers don't even bother to hit home networks if they have any security whatsoever, because odds are, a few blocks away, there's a completely default, unsecured, out-of-the-box AP.

Peace,

Pete Zaria.

[+BudMan MVC]

One trick I've used for wireless security is to set up an old 233 mhz comp with 2 or 3 wireless cards and have it broadcast 25+ fake networks (they broadcast SSIDs and will give you an IP address, but no network or internet connection).

585654956[/snapback]

Why only do 25+? Do 1000's ;)

http://www.blackalchemy.to/project/fakeap/

[Gowcra]

:rofl: ^^

[crazihouse]

53,000 do be exact :D:D