GlockTalk.com
Old 06-04-2004, 12:51   #1
hapuna
Trusted Member
Join Date: Apr 2002
Location: Washington
Posts: 3,917
Tell me about wireless security please?

OK I have not been able to actually see the programs on TV but I have seen a lot of the teasers for the shows discussing the risk of working in a wireless environment. One of the teasers had someone sitting in an internet cafe saying that they could see everything that was being done on another person's computer.
What should I be doing to sensibly secure my stuff??? I also have a wireless router at home. Is there something I should be doing here also to make sure that the casual hacker can't get in?
All ideas greatly appreciated.
Old 06-04-2004, 15:11   #2
whizz
Senior Member
Join Date: Feb 2002
Location: sweden
Posts: 240
wireless security
Oxymoron?
__________________
- Caput Draconis -
"buy powder and bullets and get some serious training instead..."
Old 06-04-2004, 15:25   #3
physicsdevil
Member
 
Join Date: Jan 2000
Location: California
Posts: 75
Here are the basics:

- Change your default WAP login/password and make your password sufficiently complex.
- Change your SSID periodically.
- Disable SSID broadcast.
- Use some semblance of encryption (WEP/EAP).
- Limit the number of DHCP addresses that your WAP assigns, or better yet, disable DHCP entirely.
- Limit the size of your internal network to just what you need.
- Limit connectivity by MAC address.

Obviously, I can't give you specifics without knowing what kind of WAP you have.

Hope this helps...
Old 06-04-2004, 19:25   #4
David_G17
/\/\/\/\/\/\/\/
Join Date: Oct 2002
Posts: 7,678
google "airsnort"

__________________
"One handgun a month is too much."
"If you ask me, 12 handguns/year is too much."
"I'd be OK with one gun a year."
"We need the strong gun regs and enforcement Europe has."
-DU debates America's future 10/23/2005
Old 06-04-2004, 19:55   #5
HerrGlock
CLM Number 2
Scouts Out
Join Date: Dec 2000
Posts: 64,496


What physicsdevil said plus change your WEP key about every month or every other month. It takes about a month to get enough packets to break the encryption from a normal household.

Look for the highest WEP possible, 128 Bit +. There will be another encryption technique but it'll be a while before it's as well used as WEP.

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
Old 06-05-2004, 09:49   #6
gudel
Senior Member
Join Date: Jun 2001
Posts: 4,047
some wireless clients would not connect if the access point's ssid is turned off. there's no point turning dhcp off since i can just connect to your router anyway if i stick in static ip.

in addition to what physicsdevil already said, if you do turn off dhcp and your router has client filtering, block tcp/udp port from 1 to 65535 of the ip range that you don't use.

even if the guy can associate with your wireless router, he wouldn't be able to do much. if he does use the ip that's already in use, that'll pretty much give you the warning on screen

i have four APs, great signal throughout the house. i see this all the time in my router log, people try to logon to my router, and people try to join. they all got denied.

but if i see some guy hanging out across the street looking suspicious, especially with a laptop or some antenna in it, they just might meet Mr. 12GA ;f

you can also use 255.255.255.248 subnet, that should make only 6 usable IP addresses.

Last edited by gudel; 06-05-2004 at 10:00..
Old 06-05-2004, 10:03   #7
BikerGoddess
Got hairspray?
Join Date: Mar 2002
Location: Dallas, TX
Posts: 3,900
Hmm, but what if you're at one of those hotspot thingies?

Laura
__________________
"You know what separates the winners from the losers, kid?" - Coach McGinty
"The score." - Shane Falco


Old 06-05-2004, 12:23   #8
hapuna
Trusted Member
Join Date: Apr 2002
Location: Washington
Posts: 3,917
Yes it looks like a lot of good advice for my home wireless network which is great (and none of which I am using). I will get on that.
But back to Laura's question re the hotspot type scenario?
Thanks for all the advice so far.
Old 06-05-2004, 13:58   #9
gudel
Senior Member
Join Date: Jun 2001
Posts: 4,047
Quote:
Originally posted by BikerGoddess
Hmm, but what if you're at one of those hotspot thingies?

Laura
what about it?
Old 06-05-2004, 14:08   #10
HerrGlock
CLM Number 2
Scouts Out
Join Date: Dec 2000
Posts: 64,496


Quote:
Originally posted by BikerGoddess
Hmm, but what if you're at one of those hotspot thingies?

Laura
If you're talking about Starbucks or some other place with wireless as a feature, don't do anything personal, don't type in your password to anything, don't put any financial information at ALL.

Treat it as if you are in the middle of grand central station and writing on a large chalk board. What would you write up there? Not much.

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
Old 06-06-2004, 10:29   #11
gudel
Senior Member
Join Date: Jun 2001
Posts: 4,047
anyone here use RADIUS?
Old 06-06-2004, 17:25   #12
HerrGlock
CLM Number 2
Scouts Out
Join Date: Dec 2000
Posts: 64,496


Quote:
Originally posted by gudel
anyone here use RADIUS?
Yes. But not with wireless.

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
Old 06-07-2004, 10:04   #13
grantglock
/dev/null
Join Date: Feb 2004
Location: Iowa
Posts: 932
I intentionally leave my access point wide open to anyone who wants to use it. That said I do know how to encrypt my important things if i need to.
Old 06-07-2004, 10:24   #14
HerrGlock
CLM Number 2
Scouts Out
Join Date: Dec 2000
Posts: 64,496


Quote:
Originally posted by grantglock
I intentionally leave my access point wide open to anyone who wants to use it. That said I do know how to encrypt my important things if i need to.
and I intentionally leave an access point wide open for anyone who wants to use it...

Of course, it doesn't go anywhere but an enclosed network and a packet sniffer...

;j

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
Old 06-07-2004, 11:52   #15
physicsdevil
Member
 
Join Date: Jan 2000
Location: California
Posts: 75
Quote:
Originally posted by gudel
some wireless clients would not connect if the access point's ssid is turned off.
I'd say that's the point if you're trying to protect your internal network. Actually, even though the SSID can still be seen if you're sniffing, this is a commonly accepted method to eliminate low-hanging-fruit by making it more difficult to connect to your network for those who are unfamiliar with it.

Quote:
there's no point turning dhcp off since i can just connect to your router anyway if i stick in static ip.
Except for the fact that a potential attacker wouldn't likely know your internal network range. This is especially true if you limit the size of your network (unfortunately most WAPs default to a /24). Besides, I don't want anyone within range of my WAP to be able to pull an IP address. At the very least, they can take up IPs that would otherwise go to legitimate clients. It's also a lot easier to limit the activity of legitimate clients if they're assigned static IPs.

Quote:
in addition to what physicsdevil already said, if you do turn off dhcp and your router has client filtering, block tcp/udp port from 1 to 65535 of the ip range that you don't use.
This is a possibility, but it's easier to resize your network and enable MAC filtering.

Quote:
you can also use 255.255.255.248 subnet, that should make only 6 usable IP addresses.
Assuming that he only *needs* 6 IP addresses.
Old 06-07-2004, 14:32   #16
BikerGoddess
Got hairspray?
Join Date: Mar 2002
Location: Dallas, TX
Posts: 3,900
Quote:
Originally posted by gudel
what about it?
I've not used one, but I'm assuming that they don't let you set up the AP for them... ;Q Any security tips for those situations?

Laura
__________________
"You know what separates the winners from the losers, kid?" - Coach McGinty
"The score." - Shane Falco


Old 06-07-2004, 14:49   #17
HerrGlock
CLM Number 2
Scouts Out
Join Date: Dec 2000
Posts: 64,496


Quote:
Originally posted by BikerGoddess
I've not used one, but I'm assuming that they don't let you set up the AP for them... ;Q Any security tips for those situations?
Yeah. Only go to https websites and/or set yourself up a proxy at home that uses https and use it exclusively.

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
Old 06-08-2004, 09:19   #18
gudel
Senior Member
Join Date: Jun 2001
Posts: 4,047
Quote:
Originally posted by physicsdevil
I'd say that's the point if you're trying to protect your internal network. Actually, even though the SSID can still be seen if you're sniffing, this is a commonly accepted method to eliminate low-hanging-fruit by making it more difficult to connect to your network for those who are unfamiliar with it.

Except for the fact that a potential attacker wouldn't likely know your internal network range. This is especially true if you limit the size of your network (unfortunately most WAPs default to a /24). Besides, I don't want anyone within range of my WAP to be able to pull an IP address. At the very least, they can take up IPs that would otherwise go to legitimate clients. It's also a lot easier to limit the activity of legitimate clients if they're assigned static IPs.

This is a possibility, but it's easier to resize your network and enable MAC filtering.

Assuming that he only *needs* 6 IP addresses.
you seem to argue everything i say.
try this, if you're actually setting up other people's computer, and their wlan can't connect because you turn off the ssid, you can't say, "oh, my wifi card's kungfu is better than yours, which is why you can't connect; therefore i want you to buy the $80 card". it just doesn't work like that.
i invite you to come on down my house and try to break in the wlan.
Old 06-08-2004, 09:25   #19
gudel
Senior Member
Join Date: Jun 2001
Posts: 4,047
Quote:
Originally posted by grantglock
I intentionally leave my access point wide open to anyone who wants to use it. That said I do know how to encrypt my important things if i need to.
i have a commie worker from poland, he believes internet access should be free and everything should be shared and free (just as about anything else, free books, free software) but he hates guns (just like a lefty/commie he is! ;f). he set up a rogue AP at work, which i quickly took down.
Old 06-08-2004, 10:20   #20
physicsdevil
Member
 
Join Date: Jan 2000
Location: California
Posts: 75
Quote:
Originally posted by gudel
you seem to argue everything i say.
try this, if you're actually setting up other people's computer, and their wlan can't connect because you turn off the ssid, you can't say, "oh, my wifi card's kungfu is better than yours, which is why you can't connect; therefore i want you to buy the $80 card". it just doesn't work like that.
i invite you to come on down my house and try to break in the wlan.
Please don't take my replies as being adversarial. I'm simply trying to offer up help based on my knowledge and experiences.

As a matter of fact, in my experience, I have *never* had trouble connecting to a WAP with SSID broadcast disabled. I don't broadcast on my home AP, and none of my laptops have any problem connecting via Windows (perhaps due to WinXP's excellent wireless management) or Linux. I'm just using a plain ol' Linksys 802.11b WAP/router and generic Orinoco gold WiFi cards. At work, we're using an even more generic WAP that one of the other security guys brought from home...everyone there seems to be able to connect with no problem.

It seems that our experiences are just different, as you appear to work more on the PC side of things, and I work more on the server/network side.
All times are GMT -6. The time now is 00:01.



