GlockTalk.com
Old 06-04-2004, 12:51   #1
hapuna
Trusted Member
 
hapuna's Avatar
 
Join Date: Apr 2002
Location: Washington
Posts: 3,917
Tell me about wireless security please?

OK I have not been able to actually see the programs on TV but I have seen a lot of the teasers for the shows discussing the risk of working in a wireless environment. One of the teasers had someone sitting in an internet cafe saying that they could see everything that was being done on another person's computer.
What should I be doing to sensibly secure my stuff??? I also have a wireless router at home. Is there something I should be doing here also to make sure that the casual hacker can't get in?
All ideas greatly appreciated.
hapuna is offline   Reply With Quote
Old 06-04-2004, 15:11   #2
whizz
Senior Member
 
whizz's Avatar
 
Join Date: Feb 2002
Location: sweden
Posts: 240
wireless security
Oxymoron?
__________________
- Caput Draconis -
"buy powder and bullets and get some serious training instead..."
whizz is offline   Reply With Quote
Old 06-04-2004, 15:25   #3
physicsdevil
Member
 
Join Date: Jan 2000
Location: California
Posts: 75
Here are the basics:

- Change your default WAP login/password and make your password sufficiently complex.
- Change your SSID periodically.
- Disable SSID broadcast.
- Use some semblance of encryption (WEP/EAP).
- Limit the number of DHCP addresses that your WAP assigns, or better yet, disable DHCP entirely.
- Limit the size of your internal network to just what you need.
- Limit connectivity by MAC address.

Obviously, I can't give you specifics without knowing what kind of WAP you have.

Hope this helps...
physicsdevil is offline   Reply With Quote
Old 06-04-2004, 19:25   #4
David_G17
/\/\/\/\/\/\/\/
 
David_G17's Avatar
 
Join Date: Oct 2002
Posts: 7,678
google "airsnort"

__________________
"One handgun a month is too much."
"If you ask me, 12 handguns/year is too much."
"I'd be OK with one gun a year."
"We need the strong gun regs and enforcement Europe has."
-DU debates America's future 10/23/2005
David_G17 is offline   Reply With Quote
Old 06-04-2004, 19:55   #5
HerrGlock
CLM Number 2
Scouts Out
 
HerrGlock's Avatar
 
Join Date: Dec 2000
Posts: 64,439


What physicsdevil said plus change your WEP key about every month or every other month. It takes about a month to get enough packets to break the encryption from a normal household.

Look for the highest WEP possible, 128 Bit +. There will be another encryption technique but it'll be a while before it's as well used as WEP.

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
HerrGlock is offline   Reply With Quote
Old 06-05-2004, 09:49   #6
gudel
Senior Member
 
gudel's Avatar
 
Join Date: Jun 2001
Posts: 4,047
some wireless clients would not connect if the access point's ssid is turned off. there's no point turning dhcp off since i can just connect to your router anyway if i stick in static ip.

in addition to what physicsdevil already said, if you do turn off dhcp and your router has client filtering, block tcp/udp port from 1 to 65535 of the ip range that you don't use.

even if the guy can associate with your wireless router, he wouldn't be able to do much. if he does use the ip that's already in use, that'll pretty much give you the warning on screen

i have four APs, great signal throughout the house. i see this all the time in my router log, people try to logon to my router, and people try to join. they all got denied.

but if i see some guy hanging out across the street looking suspicious, specially with a laptop or some antenna in it, they just might meet Mr. 12GA ;f

you can also use 255.255.255.248 subnet, that should make only 6 usable IP addresses.

Last edited by gudel; 06-05-2004 at 10:00..
gudel is offline   Reply With Quote
Old 06-05-2004, 10:03   #7
BikerGoddess
Got hairspray?
 
BikerGoddess's Avatar
 
Join Date: Mar 2002
Location: Dallas, TX
Posts: 3,900
Hmm, but what if you're at one of those hotspot thingies?

Laura
__________________
"You know what separates the winners from the losers, kid?" - Coach McGinty
"The score." - Shane Falco

http://www.bikergoddess.com
BikerGoddess is offline   Reply With Quote
Old 06-05-2004, 12:23   #8
hapuna
Trusted Member
 
hapuna's Avatar
 
Join Date: Apr 2002
Location: Washington
Posts: 3,917
Yes it looks like a lot of good advice for my home wireless network which is great (and none of which I am using). I will get on that.
But back to Laura's question re the hotspot type scenario?
Thanks for all the advice so far.
hapuna is offline   Reply With Quote
Old 06-05-2004, 13:58   #9
gudel
Senior Member
 
gudel's Avatar
 
Join Date: Jun 2001
Posts: 4,047
Quote:
Originally posted by BikerGoddess
Hmm, but what if you're at one of those hotspot thingies?

Laura
what about it?
gudel is offline   Reply With Quote
Old 06-05-2004, 14:08   #10
HerrGlock
CLM Number 2
Scouts Out
 
HerrGlock's Avatar
 
Join Date: Dec 2000
Posts: 64,439


Quote:
Originally posted by BikerGoddess
Hmm, but what if you're at one of those hotspot thingies?

Laura
If you're talking about Starbucks or some other place with wireless as a feature, don't do anything personal, don't type in your password to anything, don't put any financial information at ALL.

Treat it as if you are in the middle of grand central station and writing on a large chalk board. What would you write up there? Not much.

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
HerrGlock is offline   Reply With Quote
Old 06-06-2004, 10:29   #11
gudel
Senior Member
 
gudel's Avatar
 
Join Date: Jun 2001
Posts: 4,047
anyone here use RADIUS?
gudel is offline   Reply With Quote
Old 06-06-2004, 17:25   #12
HerrGlock
CLM Number 2
Scouts Out
 
HerrGlock's Avatar
 
Join Date: Dec 2000
Posts: 64,439


Quote:
Originally posted by gudel
anyone here use RADIUS?
Yes. But not with wireless.

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
HerrGlock is offline   Reply With Quote
Old 06-07-2004, 10:04   #13
grantglock
/dev/null
 
grantglock's Avatar
 
Join Date: Feb 2004
Location: Iowa
Posts: 932
Send a message via Yahoo to grantglock
I intentionally leave my access point wide open to anyone who wants to use it. That said I do know how to encrypt my important things if i need to.
grantglock is offline   Reply With Quote
Old 06-07-2004, 10:24   #14
HerrGlock
CLM Number 2
Scouts Out
 
HerrGlock's Avatar
 
Join Date: Dec 2000
Posts: 64,439


Quote:
Originally posted by grantglock
I intentionally leave my access point wide open to anyone who wants to use it. That said I do know how to encrypt my important things if i need to.
and I intentionally leave an access point wide open for anyone who wants to use it...

Of course, it doesn't go anywhere but an enclosed network and a packet sniffer...

;j

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
HerrGlock is offline   Reply With Quote
Old 06-07-2004, 11:52   #15
physicsdevil
Member
 
Join Date: Jan 2000
Location: California
Posts: 75
Quote:
Originally posted by gudel
some wireless clients would not connect if the access point's ssid is turned off.
I'd say that's the point if you're trying to protect your internal network. Actually, even though the SSID can still be seen if you're sniffing, this is a commonly accepted method to eliminate low-hanging-fruit by making it more difficult to connect to your network for those who are unfamiliar with it.

Quote:
there's no point turning dhcp off since i can just connect to your router anyway if i stick in static ip.
Except for the fact that a potential attacker wouldn't likely know your internal network range. This is especially true if you limit the size of your network (unfortunately most WAPs default to a /24). Besides, I don't want anyone within range of my WAP to be able to pull an IP address. At the very least, they can take up IPs that would otherwise go to legitimate clients. It's also a lot easier to limit the activity of legitimate clients if they're assigned static IPs.

Quote:
in addition to what physicsdevil already said, if you do turn off dhcp and your router has client filtering, block tcp/udp port from 1 to 65535 of the ip range that you don't use.
This is a possibility, but it's easier to resize your network and enable MAC filtering.

Quote:
you can also use 255.255.255.248 subnet, that should make only 6 usable IP addresses.
Assuming that he only *needs* 6 IP addresses.
physicsdevil is offline   Reply With Quote
Old 06-07-2004, 14:32   #16
BikerGoddess
Got hairspray?
 
BikerGoddess's Avatar
 
Join Date: Mar 2002
Location: Dallas, TX
Posts: 3,900
Quote:
Originally posted by gudel
what about it?
I've not used one, but I'm assuming that they don't let you set up the AP for them... ;Q Any security tips for those situations?

Laura
__________________
"You know what separates the winners from the losers, kid?" - Coach McGinty
"The score." - Shane Falco

http://www.bikergoddess.com
BikerGoddess is offline   Reply With Quote
Old 06-07-2004, 14:49   #17
HerrGlock
CLM Number 2
Scouts Out
 
HerrGlock's Avatar
 
Join Date: Dec 2000
Posts: 64,439


Quote:
Originally posted by BikerGoddess
I've not used one, but I'm assuming that they don't let you set up the AP for them... ;Q Any security tips for those situations?
Yeah. Only go to https websites and/or set yourself up a proxy at home that uses https and use it exclusively.

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
HerrGlock is offline   Reply With Quote
Old 06-08-2004, 09:19   #18
gudel
Senior Member
 
gudel's Avatar
 
Join Date: Jun 2001
Posts: 4,047
Quote:
Originally posted by physicsdevil
I'd say that's the point if you're trying to protect your internal network. Actually, even though the SSID can still be seen if you're sniffing, this is a commonly accepted method to eliminate low-hanging-fruit by making it more difficult to connect to your network for those who are unfamiliar with it.

Except for the fact that a potential attacker wouldn't likely know your internal network range. This is especially true if you limit the size of your network (unfortunately most WAPs default to a /24). Besides, I don't want anyone within range of my WAP to be able to pull an IP address. At the very least, they can take up IPs that would otherwise go to legitimate clients. It's also a lot easier to limit the activity of legitimate clients if they're assigned static IPs.

This is a possibility, but it's easier to resize your network and enable MAC filtering.

Assuming that he only *needs* 6 IP addresses.
you seem to argue everything i say.
try this, if you're actually setting up other people's computer, and their wlan can't connect because you turn off the ssid, you can't say, "oh, my wifi card's kungfu is better than yours, which is why you can't connect; therefore i want you to buy the $80 card". it just doesn't work like that.
i invite you to come on down my house and try to break in the wlan.
gudel is offline   Reply With Quote
Old 06-08-2004, 09:25   #19
gudel
Senior Member
 
gudel's Avatar
 
Join Date: Jun 2001
Posts: 4,047
Quote:
Originally posted by grantglock
I intentionally leave my access point wide open to anyone who wants to use it. That said I do know how to encrypt my important things if i need to.
i have a commie worker from poland, he believes internet access should be free and everything should be shared and free (just as about anything else, free books, free software) but he hates guns (just like a lefty/commie he is! ;f). he set up a rogue AP at work, which i quickly took down.
gudel is offline   Reply With Quote
Old 06-08-2004, 10:20   #20
physicsdevil
Member
 
Join Date: Jan 2000
Location: California
Posts: 75
Quote:
Originally posted by gudel
you seem to argue everything i say.
try this, if you're actually setting up other people's computer, and their wlan can't connect because you turn off the ssid, you can't say, "oh, my wifi card's kungfu is better than yours, which is why you can't connect; therefore i want you to buy the $80 card". it just doesn't work like that.
i invite you to come on down my house and try to break in the wlan.
Please don't take my replies as being adversarial. I'm simply trying to offer up help based on my knowledge and experiences.

As a matter of fact, in my experience, I have *never* had trouble connecting to a WAP with SSID broadcast disabled. I don't broadcast on my home AP, and none of my laptops have any problem connecting via Windows (perhaps due to WinXP's excellent wireless management) or Linux. I'm just using a plain ol' Linksys 802.11b WAP/router and generic Orinoco gold WiFi cards. At work, we're using an even more generic WAP that one of the other security guys brought from home...everyone there seems to be able to connect with no problem.

It seems that our experiences are just different, as you appear to work more on the PC side of things, and I work more on the server/network side.
physicsdevil is offline   Reply With Quote
Old 06-10-2004, 19:18   #21
lomfs24
Senior Member
 
lomfs24's Avatar
 
Join Date: Apr 2003
Location: Kansas
Posts: 4,813
Send a message via AIM to lomfs24 Send a message via Yahoo to lomfs24
Quote:
Originally posted by HerrGlock
and I intentionally leave an access point wide open for anyone who wants to use it...

Of course, it doesn't go anywhere but an enclosed network and a packet sniffer...

;j

DanH
Come on Dan, you can do better than an enclosed network with a packet sniffer. How about a closed network, packet sniffer and a webserver and you control where the clients get directed. Let your imagination run on that one for a while. I have a pretty good plan that I just have to build now.
__________________
The simple believeth every word: but the prudent man looketh well to his going. ~Proverbs 14:15
lomfs24 is offline   Reply With Quote
Old 06-10-2004, 19:27   #22
lomfs24
Senior Member
 
lomfs24's Avatar
 
Join Date: Apr 2003
Location: Kansas
Posts: 4,813
Send a message via AIM to lomfs24 Send a message via Yahoo to lomfs24
Quote:
Originally posted by physicsdevil
I'd say that's the point if you're trying to protect your internal network. Actually, even though the SSID can still be seen if you're sniffing, this is a commonly accepted method to eliminate low-hanging-fruit by making it more difficult to connect to your network for those who are unfamiliar with it.

Except for the fact that a potential attacker wouldn't likely know your internal network range. This is especially true if you limit the size of your network (unfortunately most WAPs default to a /24). Besides, I don't want anyone within range of my WAP to be able to pull an IP address. At the very least, they can take up IPs that would otherwise go to legitimate clients. It's also a lot easier to limit the activity of legitimate clients if they're assigned static IPs.

This is a possibility, but it's easier to resize your network and enable MAC filtering.

Assuming that he only *needs* 6 IP addresses.
Several problems. You say that a stealthed network name can be found by sniffing. This is true. But you say that someone wouldn't be able to tell the range of your network. This is not true. If you are sniffing you can find network names, IP addresses, ranges, MAC addresses, number of clients, their MACs, their IP, router maker, client hardware makers and a whole host of other "useful" info.

If I can find MAC addresses that kind of shoots MAC filtering out of the water too. I just have to spoof my MAC address and "Viola" I am on.

Simple truth, if there is a wireless network, there is a way to break it. WEP probably takes the longest to break but even that is not foolproof.
__________________
The simple believeth every word: but the prudent man looketh well to his going. ~Proverbs 14:15
lomfs24 is offline   Reply With Quote
Old 06-11-2004, 03:23   #23
HerrGlock
CLM Number 2
Scouts Out
 
HerrGlock's Avatar
 
Join Date: Dec 2000
Posts: 64,439


Quote:
Originally posted by lomfs24
Come on Dan, you can do better than an enclosed network with a packet sniffer. How about a closed network, packet sniffer and a webserver and you control where the clients get directed. Let your imagination run on that one for a while. I have a pretty good plan that I just have to build now.
Oh I've got all kinds of goodies in there. Remember, if someone gets into a network, they will expect a mail server, a couple of desktops, some file servers, and a handful of other servers. If they aren't there, it's not worth trying to crack ;j

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
HerrGlock is offline   Reply With Quote
Old 06-14-2004, 07:14   #24
Nigel_C
Senior Member
 
Nigel_C's Avatar
 
Join Date: Jan 1999
Location: North Florida
Posts: 1,168
I worked with Cisco when the Aironet product was first released.
The chipset is made by Radiata (now Cisco).

When the first big furor came out about wireless security, the White Paper that came from Cisco, distributed to SEs, basically said that in order to crack WEP you needed at least 15 minutes of data.

Simple fix: set your WEP key to renew every 5 minutes...or every minute if you like.

Manage your address space. I think the Cisco stuff will work with a Radius or Tacacs box now but I'm not sure.

I hate Wireless...
__________________
Big Dawg # 128
NRA Member
http://www.fdcc.us
Nigel_C is offline   Reply With Quote
Old 07-17-2004, 09:26   #25
physicsdevil
Member
 
Join Date: Jan 2000
Location: California
Posts: 75
Quote:
Originally posted by lomfs24
Several problems. You say that a stealthed network name can be found by sniffing. This is true. But you say that someone wouldn't be able to tell the range of your network. This is not true. If you are sniffing you can find network names, IP addresses, ranges, MAC addresses, number of clients, their MACs, their IP, router maker, client hardware makers and a whole host of other "useful" info.

If I can find MAC addresses that kind of shoots MAC filtering out of the water too. I just have to spoof my MAC address and "Viola" I am on.

Simple truth, if there is a wireless network, there is a way to break it. WEP probably takes the longest to break but even that is not foolproof.
Sniffing the bulk of the information you've suggested requires that you've already penetrated the network in some manner. I was proceeding under the assumption that the aforementioned basic security measures were already taken (i.e. WEP/WPA).

Sniffing some of that information also assumes a certain network config. Network addressing for example (used for determining an IP range) is an *optional* field in an IP packet header. Also, you can't accurately determine the number of clients on a network by passive sniffing. That's like saying you can determine the number of cars in your town by counting them as they pass by on main street. It doesn't account for systems wired to the network, passive (IDS?) systems connected via a span port, or a number of other scenarios.

"spoofing" a mac address doesn't get you on to a network. *changing* your mac address to match a valid one does...but it's not that easy if you want to be able to access network resources. You also have to be able to remove the system with the "real" mac address from the network, and keep it off (possibly via DoS or some similar attack). Of course, this is all easily detected by an IDS via sequence number analysis.
physicsdevil is offline   Reply With Quote
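
The sequence-number analysis mentioned in the post above, sketched as an added example that is not part of the thread or any poster's code. It assumes a wireless sensor already yields (source MAC, 802.11 sequence number) pairs in arrival order; the function names, the `MAX_GAP` and `MIN_FRAMES` thresholds and the sample capture are all constructed for illustration.

```python
from collections import defaultdict

SEQ_MOD = 4096    # 802.11 sequence numbers are 12 bits and wrap at 4096
MAX_GAP = 64      # assumed tolerance for frames the sensor failed to capture
MIN_FRAMES = 3    # frames a counter must produce before it counts as a radio


def forward_gap(prev, cur):
    """Distance from prev to cur going forward, accounting for wrap-around."""
    return (cur - prev) % SEQ_MOD


def count_transmitters(seqs):
    """Estimate how many independent sequence counters produced this series.

    Each frame is attached to the counter it most plausibly continues
    (smallest forward gap within MAX_GAP); otherwise it starts a new counter.
    """
    tracks = []  # each track is [last_seq, frames_seen]
    for seq in seqs:
        best = None
        for track in tracks:
            gap = forward_gap(track[0], seq)
            if gap <= MAX_GAP and (best is None or gap < forward_gap(best[0], seq)):
                best = track
        if best is None:
            tracks.append([seq, 1])
        else:
            best[0] = seq
            best[1] += 1
    return sum(1 for _, frames in tracks if frames >= MIN_FRAMES)


def find_shared_macs(frames):
    """Return {mac: counter_count} for MACs driven by more than one counter.

    Note: QoS stations keep a separate counter per traffic class, so a real
    sensor would group by (MAC, TID) rather than by MAC alone.
    """
    by_mac = defaultdict(list)
    for mac, seq in frames:
        by_mac[mac].append(seq)
    counts = {mac: count_transmitters(seqs) for mac, seqs in by_mac.items()}
    return {mac: n for mac, n in counts.items() if n > 1}


# Constructed sample capture: (source MAC, sequence number) in arrival order.
SAMPLE_FRAMES = [
    # One laptop, counter wrapping normally from 4095 back to 0.
    ("00:11:22:33:44:55", 4094), ("00:11:22:33:44:55", 4095),
    ("00:11:22:33:44:55", 0), ("00:11:22:33:44:55", 1),
    # Two radios using one MAC: counters near 100 and near 2900 interleave.
    ("66:77:88:99:aa:bb", 100), ("66:77:88:99:aa:bb", 2900),
    ("66:77:88:99:aa:bb", 101), ("66:77:88:99:aa:bb", 2901),
    ("66:77:88:99:aa:bb", 103), ("66:77:88:99:aa:bb", 2902),
]

if __name__ == "__main__":
    for mac, n in find_shared_macs(SAMPLE_FRAMES).items():
        print(f"{mac}: {n} independent sequence counters, possible cloned MAC")
```
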
All times are GMT -6.