Newbie - Setup Wireless network [Archive] - Glock Talk


pascal
10-05-2008, 06:54
Howdy,
I previously purchased a wireless router to play with to a second non-important computer. At the time I could only get wep encryption running, finally hooked it to cable and turned off wireless transmission.
Recently my wife was issued a laptop and wanted to get online. Setup the wireless which was turned off, using WPA Personal Enhanced with about a 25 character decipher key. Broadcast SSID off and MAC filtering enabling use of only the two computers. I have Comodo Pro and Avast & AVG on the main computer. Haven't figured how to configure Comodo Pro for network protection so just using default modes.
Does this sound fairly secure? Is there anything I missed that might increase security?
For some reason I can't get WPA2 enhanced or WPA2 Auto working. Actually don't know the difference or benefits.
Thanks for any help.
pascal
BTW she's forced to use IE7, Outlook and Microsoft Word Office. I use Firefox, Thunderbird and openoffice.

IndyGunFreak
10-05-2008, 07:19
Howdy,
I previously purchased a wireless router to play with to a second non-important computer. At the time I could only get wep encryption running, finally hooked it to cable and turned off wireless transmission.
Recently my wife was issued a laptop and wanted to get online. Setup the wireless which was turned off, using WPA Personal Enhanced with about a 25 character decipher key. Broadcast SSID off and MAC filtering enabling use of only the two computers. I have Comodo Pro and Avast & AVG on the main computer. Haven't figured how to configure Comodo Pro for network protection so just using default modes.
Does this sound fairly secure? Is there anything I missed that might increase security?
For some reason I can't get WPA2 enhanced or WPA2 Auto working. Actually don't know the difference or benefits.
Thanks for any help.
pascal
BTW she's forced to use IE7, Outlook and Microsoft Word Office. I use Firefox, Thunderbird and openoffice.

Disabled ESSID Broadcast--- Check-- I also make a fairly ambiguous ESSID rather than leaving it Linksys or Netgear, etc.. The one I have now is HomeNetwork####### (random numbers)
WPA--- Check
Mac Filtering... Check, this should probably be more like Check +2.. Most people never bother locking down a network with Mac filtering.
AV/Spyware software -- Check
IE7-- Ugh.. :)

I think you did fine... I generally always keep my firmware up to date also. I've had people say not to do that, because if it doesn't work or screws up, then you have a pretty plastic box w/ antennas on it.

Edit: Only other thing I might add(and I'm betting you've done this), is making sure you change the default log in username/password for the router. For instance, many of them come with "username=username" and "password=passwd" or something like that. That way some enterprising fellow can't try logging in to your router and make a mess of things.

IGF

pascal
10-05-2008, 07:37
Thank you for the evaluation. I did upgrade the router to the latest firmware and changed the username and password to various numbers, letters, characters and Case.
pascal

IndyGunFreak
10-05-2008, 07:47
Thank you for the evaluation. I did upgrade the router to the latest firmware and changed the username and password to various numbers, letters, characters and Case.
pascal

Then honestly, like I said, I think you'll be fine... A lot of people don't even bother disabling their SSID... I'm certainly no expert, but you seem to have taken more steps than 99% of the people out there.

Just as an example, Thur I was on break, and pulled into a dept. store parking lot to eat lunch. There's a big complex of condos across the street. When I started searching for a network to get on, I bet I had probably 15 visible choices, only 2 or 3 had WPA enabled, 3 or 4 had WEP, and the remaining had nothing at all and most hadn't even bothered changing the SSID, which means I probably could have logged in to their router had I felt like it.

pascal
10-05-2008, 07:58
Great!!! I find it amazing though that I get 2 bars from my upstairs bedroom to the downstairs kitchen. Older router without the newer features I guess. Whoever is the administrator for my wife's computer made it impossible for me to add spyware/firewall and most disturbingly connecting to my home printer.
Oh well it is a dell.
rhtwist

noway
10-05-2008, 12:08
FWIW:

disabling SSID does help but a cracker will find it, the typical script kiddie might not.


Also you can reduce your power output which will help you to limit the signal within a more moderate range. If you have a notebook or wifi cell phone, drive around your domicile and see just how far your signal is thrown and then go back and make adjustments to the power output if you have this option.


It's surprising to see a home WIFI WAP shooting a 70% signal strength 2 blocks over outside of the originating home ;)

betyourlife
10-05-2008, 12:17
FWIW:

disabling SSID does help but a cracker will find it, the typical script kiddie might not.


Also you can reduce your power output which will help you to limit the signal within a more moderate range. If you have a notebook or wifi cell phone, drive around your domicile and see just how far your signal is thrown and then go back and make adjustments to the power output if you have this option.


It's surprising to see a home WIFI WAP shooting a 70% signal strength 2 blocks over outside of the originating home ;)

Good point, rule #1 don't give them access to the signal to begin with. NO reason for the signal to go three blocks over outside your house.

dotsun
10-05-2008, 13:09
If there's a client connected, hiding your essid and mac filtering are a waste of time. Just use wpa with a long and strong passphrase and change your essid to something unique. That's enough to keep all but the most determined people off of your network.

IndyGunFreak
10-05-2008, 13:56
If there's a client connected, hiding your essid and mac filtering are a waste of time. Just use wpa with a long and strong passphrase and change your essid to something unique. That's enough to keep all but the most determined people off of your network.

While hiding your ESSID may not be foolproof, as someone said above, it's gonna keep the average script kiddie off your network. It's just the first, most basic step in securing your network, in my opinion.

I don't think I'd consider mac filtering a waste of time(although I personally don't do it, I just use WPA)

IGF

d3athp3nguin
10-05-2008, 15:06
Wifi signal strength is funny in homes- the strength you get room-to-room depends on the antenna on the router, your own wifi card, and what obstacles are between you and the router. Most routers have one omni-directional antenna. Put a kitchen between you and your router and I will bet your signal strength will drop, due to stoves, ovens, fridges etc.

Once you get good with the router, you can do all of that fun home networking stuff- set up Network Attached Storage for the whole family, get a media center PC... or if you're really nerdy like me you can get your own domain name for free at dyndns.org and link it to your router, then run a web server/ftp server on a home PC so you can access your stuff from anywhere. Why? BECAUSE YOU CAN! :supergrin:

If you like to download things from the web a lot, most bittorrent programs have a plugin that runs a little web interface. You just forward a certain port to the router (usually 8080) and using the method above, you can go to anyone's web browser and type your.domainname.com:8080 and presto, you can add torrents to your computer from anywhere.

dotsun
10-05-2008, 15:16
While hiding your ESSID may not be foolproof, as someone said above, it's gonna keep the average script kiddie off your network. It's just the first, most basic step in securing your network, in my opinion.

I don't think I'd consider mac filtering a waste of time(although I personally don't do it, I just use WPA)

IGF

Trust me on this, if your wpa passphrase is weak no other steps are going to prevent me from accessing your wireless network. Nothing except turning it off that is. :) Everything else is just fluff, and MAC filtering is fluff that requires more administration.

Big Al 24
10-05-2008, 18:46
Trust me on this, if your wpa passphrase is weak no other steps are going to prevent me from accessing your wireless network. Nothing except turning it off that is. :) Everything else is just fluff, and MAC filtering is fluff that requires more administration.

Yeah passphrases should be as long and unintelligible as allowed by the router or software. Both the one to log onto the router and any others. I locked down two routers belonging to neighbors in my building. Both had NETGEAR broadcasting and only needed ADMIN to log on. Since we all feed off of the Comcast teat, I figured this would protect them as well as me. Two years later the passwords are still the ones I set, and I think it's time to change them. I personally have tried to avoid wireless except on the many free connections that are out there.

pascal
10-06-2008, 06:37
Thanks Gentlemen for the ideas and experience. WPA will take 63 characters or 64 Hex numbers, is that correct? Also another simpleton question, is there a way to see who's connected to your network. I thought with the Mac filtering no other computers would be able to get on. Please correct me.
pascal

jilverthor
10-06-2008, 09:35
Thanks Gentlemen for the ideas and experience. WPA will take 63 characters or 64 Hex numbers, is that correct? Also another simpleton question, is there a way to see who's connected to your network. I thought with the Mac filtering no other computers would be able to get on. Please correct me.
pascal

With Mac filtering, only a computer with one of the listed Mac addresses (real or spoofed) should be able to use your network.

pascal
10-06-2008, 09:51
Another simple (dumb?) question. Is there a way to tell how many computers are accessing your network?
pascal

dotsun
10-06-2008, 17:52
Thanks Gentlemen for the ideas and experience. WPA will take 63 characters or 64 Hex numbers, is that correct? Also another simpleton question, is there a way to see who's connected to your network. I thought with the Mac filtering no other computers would be able to get on. Please correct me.
pascal

Yeah I think you're correct about the possible length of the passphrase, but you really don't need it to be that long.

If you use a truly random password with 10 or more characters with numbers, letters, and symbols AND changed your ESSID to a unique one you've made your AP virtually unhackable. You're talking at least weeks, probably months to brute force that password using a top of the line home computer. Trust me, if that doesn't stop them (and it will) the MAC filtering is a total waste of time.

Another simple (dumb?) question. Is there a way to tell how many computers are accessing your network?
pascal

Most routers have a status page that shows what computers are on the network. If you're really paranoid you can run a network mapper (ie. nmap) to find all devices, but that's way overkill in a home network.
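The passphrase format pascal asks about and the "unique ESSID" advice above both follow from how WPA/WPA2-Personal turns a passphrase into its 256-bit key: the ESSID is the salt, so the same passphrase yields a different key on every network name. The following is an added example, not part of the original thread; the sample passphrase and ESSIDs in the demo are constructed.

```python
import hashlib
import math
import string


def classify_wpa_key(key: str) -> str:
    """'hex-psk' for 64 hex digits, 'passphrase' for 8-63 printable ASCII."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return "hex-psk"
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"
    raise ValueError("need 8-63 printable ASCII characters or 64 hex digits")


def derive_psk(passphrase: str, essid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes)."""
    if classify_wpa_key(passphrase) != "passphrase":
        raise ValueError("64 hex digits are used directly as the PSK")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), essid.encode("utf-8"), 4096, 32
    )


def random_passphrase_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a truly random passphrase; 94 = printable ASCII minus space."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    passphrase = "k7#Qv!2mZp"
    for essid in ("linksys", "HomeNetwork4821973"):
        print(f"{essid:20s} {derive_psk(passphrase, essid).hex()}")
    print(f"10 random chars: {random_passphrase_bits(10):.1f} bits")
    print(f" 8 lowercase:    {random_passphrase_bits(8, 26):.1f} bits")
```

Because the ESSID salts the derivation, key tables precomputed for a factory-default network name do not carry over to a unique one.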

DragonRider
10-06-2008, 22:14
Check your logs, right after you set up the network, once a week for the first month, then at least once a month there after. Helps you remember your configs and password. Checks to see if someone is spoofing your mac, unlikely, but.....

John

pascal
10-07-2008, 04:35
I am now getting officially over my head. Spoofing my MAC. What does that look like in the logs.
Reference to signal strength reduction sounds like a wise move but I currently can barely reach downstairs where the laptop is. I'll tinker around using the advice I've received. Feel pretty secure. But then again I'm paranoid. :supergrin:
pascal

adroc
10-07-2008, 14:31
I would highly suggest disabling SSID broadcast and setup WPA as a minimum configuration from a security standpoint.

dotsun
10-07-2008, 16:13
I would highly suggest disabling SSID broadcast and setup WPA as a minimum configuration from a security standpoint.

Why disable essid broadcasting when it's sent in plaintext when a client authenticates?

noway
10-07-2008, 16:19
Why disable essid broadcasting when it's sent in plaintext when a client authenticates?

because it would keep it invisible to the normal person. If he/she doesn't know it exists then he/she won't do anything against.

A few devices exist to snoop wifi traffic but that's out of the range of a typical ordinary person.

btw, I just hack my neighbor netgear, This thread got me looking at WAP in my hood ;)

dotsun
10-07-2008, 17:34
because it would keep it invisible to the normal person. If he/she doesn't know it exists then he/she won't do anything against.

A few devices exist to snoop wifi traffic but that's out of the range of a typical ordinary person.

btw, I just hack my neighbor netgear, This thread got me looking at WAP in my hood ;)

Simple wep encryption accomplishes that goal. My contention is that hiding your essid adds absolutely no value to your wireless security that wpa with a good passphrase doesn't accomplish.

jilverthor
10-07-2008, 20:11
I am now getting officially over my head. Spoofing my MAC. What does that look like in the logs.
Reference to signal strength reduction sounds like a wise move but I currently can barely reach downstairs where the laptop is. I'll tinker around using the advice I've received. Feel pretty secure. But then again I'm paranoid. :supergrin:
pascal

Spoofing your MAC address would look just like you using the computer, which is one reason it is an effective method of hacking. To determine if someone had spoofed your MAC address, you would have to know when you were using the network, and then search for access at a time you were not connected to the network.
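The check described in this reply (and the periodic log review DragonRider suggests) can be scripted: list every association by an allowed MAC that falls outside the times its owner was actually online. This is an added example, not part of the original thread; the log format, MAC addresses and usage windows are all constructed, since router log formats differ by vendor.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log: "<date> <time> <event> <mac>".
SAMPLE_LOG = """\
2008-10-06 08:15:02 ASSOC 00:1a:2b:3c:4d:5e
2008-10-06 09:40:10 DISASSOC 00:1a:2b:3c:4d:5e
2008-10-06 19:05:44 ASSOC 00:1f:aa:bb:cc:01
2008-10-06 22:30:00 DISASSOC 00:1f:aa:bb:cc:01
2008-10-07 03:12:37 ASSOC 00:1f:aa:bb:cc:01
2008-10-07 03:48:09 DISASSOC 00:1f:aa:bb:cc:01
"""

# Hypothetical hand-kept record of when each allowed machine was really in use.
KNOWN_USE = {
    "00:1a:2b:3c:4d:5e": [("2008-10-06 08:00:00", "2008-10-06 10:00:00")],
    "00:1f:aa:bb:cc:01": [("2008-10-06 19:00:00", "2008-10-06 23:00:00")],
}


def parse(log):
    """Yield (timestamp, event, mac) for each well-formed log line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        date, clock, event, mac = parts
        yield datetime.strptime(f"{date} {clock}", FMT), event, mac.lower()


def suspicious_associations(log, known_use):
    """Return (time, mac, reason) for associations nobody can account for."""
    findings = []
    for ts, event, mac in parse(log):
        if event != "ASSOC":
            continue
        if mac not in known_use:
            findings.append((ts.strftime(FMT), mac, "not on allow list"))
            continue
        windows = [(datetime.strptime(a, FMT), datetime.strptime(b, FMT))
                   for a, b in known_use[mac]]
        if not any(start <= ts <= end for start, end in windows):
            findings.append((ts.strftime(FMT), mac, "outside known use"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_associations(SAMPLE_LOG, KNOWN_USE):
        print(*finding)
```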

noway
10-08-2008, 22:27
One other thing you could do, I have a firewall with WiFi and authentication for access before a packet gets out on another interface or internet. All of this takes place thru a simple HTTPS page, a la similar to what Panera does.

Big Al 24
10-09-2008, 22:15
One other thing you could do, I have a firewall with WiFi and authentication for access before a packet gets out on another interface or internet. All of this takes place thru a simple HTTPS page, a la similar to what Panera does.

Are you saying that Panera provides safe wireless connections along with tasty sandwiches, soup, and salads? :wow:

IndyGunFreak
10-10-2008, 04:58
Are you saying that Panera provides safe wireless connections along with tasty sandwiches, soup, and salads? :wow:

I use Panera's wireless all the time... I've generally found every one of their stores to have very solid wireless connections. Although admittedly, I've never eaten there, but have thought about it once or twice.. I tend to pack my lunch, and just eat in their parking lot.. :)

IGF

noway
10-10-2008, 16:14
Are you saying that Panera provides safe wireless connections along with tasty sandwiches, soup, and salads? :wow:


Yeap no more safe or safer being at the library, park, school, your home,etc...

just make sure you locked down your computer, use common sense,etc....

pascal
10-12-2008, 20:09
Thanks, it's the common sense I might be shy on. Take care.
pascal

JMC
10-16-2008, 21:50
It's generally accepted among wireless security experts today that suppressing the SSID broadcast can actually make you *more* vulnerable. The problem is in the way the wireless client deals with a suppressed SSID.

When you broadcast your SSID, and you configure your wireless in your preferred network list, your computer can monitor for that wireless network and connect when you are in range. However, when you suppress your SSID, your computer must continually call out for it to determine if it is in range so that it knows to connect. Thus, if you set your SSID to any complex range of characters, then suppress it, while you're sitting in a Starbucks with your radio switched on (how many of us switch it off?), your computer will continually broadcast for that SSID looking for it. While your network won't be in range, someone else sniffing the air can see you looking for it and throw an evil AP up to masquerade as your SSID. At that point, your computer will attempt to connect to it and authenticate, allowing them to capture the traffic to begin cracking the password.

Another issue with suppressing your SSID is Windows will often prefer a broadcast SSID over a suppressed SSID. Thus, even if you're sitting in your living room connected to your wireless, if someone nearby puts up another AP with the same SSID being broadcast (in an attack attempt), your computer may choose to disconnect from your wireless to connect to theirs instead.

Broadcast your SSID. Then set your computer to not broadcast for it when not detected. Yes, the script kiddie will be able to see your wireless when they are in range. But, if they are advanced enough to crack your long, difficult passkey, then they would not have been slowed down by suppressing your SSID.

As for MAC filtering, again, anyone advanced enough to crack your long, difficult passkey would find your MAC filtering deters them for the 5 seconds it takes to clone your MAC address.