Re: Wireless security

Doz

Oct 1, 2005, 9:00:43 PM

What sort of answer is "hit google"?

You need to log in to your router or access point and set up WPA encryption
(if it's supported), WPA-PSK to be exact... then enter a nice long pass
phrase.

You need to configure the PCs for WPA-PSK to be able to connect. Assuming
the PCs' network cards/operating system are able to do this...

As you can see there are lots of variables...

Take a look here for some more info...
http://compnetworking.about.com/cs/winxpnetworking/ht/wpainwindowsxp.htm


"Mr T" <nos...@hotmail.com> wrote in message
news:JCx%e.4598$O%.2043@newsfe1-gui.ntli.net...
>I have recently setup a wireless network with my laptop and 3 desktops. At
> present I have no security on my network. Can someone advise me what
> security I need to setup on my network?
> Thanks
>
> Mr T
>
>
>


Justin Thompson

Oct 1, 2005, 9:11:42 PM

On Sun, 02 Oct 2005 01:00:43 GMT, "Doz" <D...@whatever.com> wrote:

>What sort of answer is "hit google"?
>

<Sigh>
<wonders about the limit of people's imagination>
<wonders if Doz has missed a "y" off the end of his name>
<has better things to do with life, and gets on with it>
<is happy>

Mr T

Oct 1, 2005, 11:07:21 AM

Doz

Oct 1, 2005, 9:28:34 PM

Mr T must be chuffed with all the help you gave...


"Justin Thompson" <Justin....@removethisntlworld.com> wrote in message
news:ercuj1pq372tdr5ug...@4ax.com...

Graham

Oct 1, 2005, 9:33:35 PM

| "Justin Thompson" <Justin....@removethisntlworld.com> wrote in message
| news:ercuj1pq372tdr5ug...@4ax.com...
| > On Sun, 02 Oct 2005 01:00:43 GMT, "Doz" <D...@whatever.com> wrote:
| >
| >>What sort of answer is "hit google"?
| >>
| >
| > <Sigh>
| > <wonders about the limit of people's imagination>
| > <wonders if Doz has missed a "y" off the end of his name>
| > <has better things to do with life, and gets on with it>
| > <is happy>
| >


"Doz" <D...@whatever.com> wrote in message news:6JG%e.5578$4Q....@newsfe4-gui.ntli.net...

> Mr T must be chuffed with all the help you gave...

With a name like "Justin", what else do you expect.....??

--
Regards,
Graham.
ROT13 for email address:-
Rznvy: tenunz....@agyjbeyq.pbz

Mr T

Oct 1, 2005, 2:44:43 PM

"Justin Thompson" <Justin....@removethisntlworld.com> wrote in message
news:dbbtj1lfbimhhtdsj...@4ax.com...
> Apologies all for x-post
>
> Mr T - don't be so f'ing lazy - hit google. This has been done to
> death.
>
> Cheers

Then what??? :)


Justin Thompson

Oct 1, 2005, 11:38:16 AM

On Sat, 01 Oct 2005 15:07:21 GMT, "Mr T" <nos...@hotmail.com> wrote:

Apologies all for x-post

Mark

Oct 1, 2005, 11:27:01 PM

"Mr T" <nos...@hotmail.com> wrote in message
news:JCx%e.4598$O%.2043@newsfe1-gui.ntli.net...

The best thing to do is enable MAC address filtering on the access point.
Add the MAC addresses of the wireless network cards. This will make it much
harder for any random passer to even connect to the AP network.


Doz

Oct 1, 2005, 9:34:46 PM

*snigger*

"Graham" <NOS...@example.com> wrote in message
news:PNG%e.5280$O%.3411@newsfe1-gui.ntli.net...

David Taylor

Oct 2, 2005, 5:54:06 AM

> 2nd that
> best & simplest way

So what security does MAC filtering bring to the table?

It doesn't provide any encryption whatsoever.

The valid MAC addresses are broadcast for anyone to sniff.

If the objective is to prevent casual bypassers from connecting, then
even 40 bit WEP has value here and even gives a slither of security.

MAC filtering brings nothing useful from a security standpoint which was
the original question.

David.

mikeFNB

Oct 2, 2005, 4:28:33 AM

2nd that
best & simplest way

mike

"Mark" <sa...@yourheadntlworld.com> wrote in message
news:9sI%e.4569$0f3...@newsfe1-win.ntli.net...

Mr T

Oct 2, 2005, 5:22:16 AM

"mikeFNB" <mik...@moc.dlrowltn> wrote in message
news:RSM%e.299$rp1...@newsfe4-win.ntli.net...

Thanks to everyone who contributed sensible answers :)

Mr T


Mr T

Oct 2, 2005, 6:52:28 AM

"David Taylor" <djta...@bigfoot.com> wrote in message
news:MPG.1da9bf26e...@news.cable.ntlworld.com...

Have you got any suggestions then please?

Mr T


David Taylor

Oct 2, 2005, 7:20:40 AM

> Have you got any suggestions then please?

WPA with a strong passphrase (strong, non dictionary phrase, greater
than 20 characters, non a-z characters).

You haven't actually said what it is that you'd like to achieve from a
security standpoint.

David.
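
The passphrase advice in the post above, as an added example that is not part of the original thread: WPA-PSK turns the passphrase into the 256-bit key with PBKDF2-HMAC-SHA1, salted with the SSID, and the second function checks a candidate passphrase against the three criteria David lists. The function names and the small wordlist are assumptions made for the example.

```python
import hashlib
import string

# Constructed sample wordlist; a real check would load a large dictionary file.
SAMPLE_WORDLIST = {"password", "letmein", "wireless", "internet", "linksys"}


def wpa_psk(passphrase, ssid):
    """Return the 32-byte WPA/WPA2-Personal key for a passphrase and SSID.

    The mapping is PBKDF2-HMAC-SHA1 with the SSID as salt and 4096
    iterations, so the same passphrase gives a different key on a
    network with a different SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def passphrase_findings(passphrase, wordlist=SAMPLE_WORDLIST):
    """List which of the post's criteria a passphrase fails (empty = none)."""
    findings = []
    if len(passphrase) <= 20:
        findings.append("20 characters or fewer")
    if all(c in string.ascii_lowercase for c in passphrase):
        findings.append("only a-z characters")
    # Strip digits and punctuation so "Wireless1" still matches "wireless".
    letters = "".join(c for c in passphrase.lower() if c.isalpha())
    if letters in wordlist:
        findings.append("dictionary word")
    return findings


if __name__ == "__main__":
    # Constructed candidate passphrases and a constructed SSID.
    for phrase in ("wireless", "Wireless1", "vK7#qm2!Lz9@pX4$wR8^tB6&"):
        problems = passphrase_findings(phrase) or ["meets all three criteria"]
        print(f"{phrase!r}: {', '.join(problems)}")
        print("  PSK for SSID 'homenet':", wpa_psk(phrase, "homenet").hex())
```
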

Mark

Oct 2, 2005, 1:59:09 PM

"David Taylor" <djta...@bigfoot.com> wrote in message
news:MPG.1da9bf26e...@news.cable.ntlworld.com...

Sure it does. If your next door neighbor can't access the AP because the MAC
address isn't on the allowed list, then unless they go out their way to
clone one of your wireless card's MAC address they're not going to get
access by default. Therefore it is useful from a security standpoint.
Not only that, but unless your neighbor knows you have a wireless AP and
have cloned one of the MAC addresses, they won't even see it on the list of
available networks to connect to.
Sure, they can run a lot of tools, a large list can be found at
www.wardrive.net/wardriving/tools. The OP might want to run a few of them on
his network to check how secure it really is. These are the kind of tools
crackers might be using to gain access to the network, but given enough
time, even WEP and any key/pass phrase can be found if you sniff enough
packets on the network.


David Taylor

Oct 2, 2005, 5:44:11 PM

> Sure it does. If your next door neighbor can't access the AP because the MAC
> address isn't on the allowed list, then unless they go out their way to

Again, even WEP, poor and cracked though it is, provides the same
inability to associate with the AP *and* encrypts the payload.

MAC filtering does not encrypt the payload so anyone within range gets
to sniff the content even if they haven't associated so tell me again,
how MAC filtering brings any security to the OP's data?

Don't confuse security with the inability to associate with an AP, it's
not the same thing.

> Not only that, but unless your neighbor knows you have a wireless AP and
> have cloned one of the MAC addresses, they won't even see it on the list of
> available networks to connect to.

Turning on MAC filtering will not prevent the display of the SSID in XP
or netstumbler and turning off SSID broadcasts does not prevent it being
discovered by anyone with a sniffer or even just a copy of kismet or
similar so tell me again, how MAC filtering secures a network because
you did say just MAC filtering.

> crackers might be using to gain access to the network, but given enough
> time, even WEP and any key/pass phrase can be found if you sniff enough
> packets on the network.

Yes, 500,000 packets which can be captured in say 15 minutes. Without
even WEP, no key to crack i.e. NO SECURITY!

David.

Duane Arnold

Oct 3, 2005, 1:27:13 AM

> Have you got any suggestions then please?
>

There is a link below for you Mr. T. You're about to enter the Twilight
Zone with someone's drunken mistake old Dave. <g>

http://netsecurity.about.com/cs/wireless/a/aa112203_2.htm

Duane :)

Richard Tobin

Oct 3, 2005, 12:36:49 PM

In article <MPG.1daa6561...@news.cable.ntlworld.com>,
David Taylor <djta...@bigfoot.com> wrote:

>Don't confuse security with the inability to associate with an AP, it's
>not the same thing.

It's one aspect of security, and MAC filtering gives you that aspect,
which is all many people want.

Just because you want *more* security doesn't mean MAC filtering is
*no* security.

-- Richard

Jeff Liebermann

Oct 3, 2005, 1:12:49 PM

On 3 Oct 2005 16:36:49 GMT, ric...@cogsci.ed.ac.uk (Richard Tobin)
wrote:

>Just because you want *more* security doesn't mean MAC filtering is
>*no* security.
>
>-- Richard

Ah, 5 newsgroups to crosspost. ntl internal groups dropped because my
usenet news server doesn't carry them.

I thought you might be amused to know that the original MAC address
filtering feature was added to solve a problem with multiple access
point systems. There was no way to pre-select which access point one
would connect if all the SSID's were the same. This was a critical
feature for WISP (wireless ISP service) and corporate WLAN's with
fixed wireless desktops. With MAC address filtering one could nail
down a connection to a specific access point and still have roaming
among the other access points for laptops and PDA's. Eventually, this
mutated into a security feature when blocking by MAC addresses was
added. I don't think anyone originally intended it to be much of a
security feature as everyone was counting on encryption to provide
security.

MAC address filtering for security is like locking your door with duct
tape. It does present an obstacle, but is not a replacement for a good
lock.

--
Jeff Liebermann je...@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Geoffrey

Oct 3, 2005, 2:25:25 PM

On Sun, 02 Oct 2005 11:20:40 GMT, David Taylor <djta...@bigfoot.com>
wrote:

Be aware that you will incur a significant overhead by setting up
encryption. IIRC it was about 30% when I last set one up at work.

Personally I don't bother with any security on the wireless component
of my network. If anyone is stealing my bandwidth it hasn't been
noticeable.

Why do you think you need it?

--
Warning: Do not look directly into laser with remaining eye.

Alex Heney

Oct 3, 2005, 8:54:32 PM

On Mon, 03 Oct 2005 18:25:25 GMT, Geoffrey <Gfou...@hotmail.com>
wrote:

>On Sun, 02 Oct 2005 11:20:40 GMT, David Taylor <djta...@bigfoot.com>
>wrote:
>
>>> Have you got any suggestions then please?
>>
>>WPA with a strong passphrase (strong, non dictionary phrase, greater
>>than 20 characters, non a-z characters).
>>
>>You haven't actually said what it is that you'd like to achieve from a
>>security standpoint.
>>
>Be aware that you will incur a significant overhead by setting up
>encryption. IIRC it was about 30% when I last set one up at work.
>

Which for most home networks would be imperceptible, as they will very
rarely use it to anywhere near capacity.

Although it shouldn't be anywhere near that high anyhow.

>Personally I don't bother with any security on the wireless component
>of my network. If anyone is stealing my bandwidth it hasn't been
>noticeable.
>
>Why do you think you need it?

Because only people who never access anything that needs a password,
and never use credit cards on line don't need it.

And even then, they could well find themselves struggling to prove it
wasn't them if the person piggybacking on their account starts using
the connection for illegal activities.

Or if said person starts breaching your ISP's AQUP, you could well lose
your account with no comeback.

There is no reasonable reason NOT to secure your network as much as
you can.
--
Alex Heney, Global Villager
Take my advice, I don't use it anyway.
To reply by email, my address is alexATheneyDOTplusDOTcom

martyn

Oct 3, 2005, 4:03:56 PM

David Taylor wrote:
>>it's one aspect of security, and MAC filtering gives you that aspect,
>>which is all many people want.
>
>
> Well since the original poster hasn't said whether he wants security or
> to just keep accidental stumblers off his network we won't know.

>
>
>>Just because you want *more* security doesn't mean MAC filtering is
>>*no* security.
>
>
> I'd just want some rather than nothing. MAC filtering prevents people
> from associating for the amount of time it takes them to run a sniffer
> and spoof their MAC address. That in my mind is no security from either
> association and certainly no security of the data packets in transit so
> I still call that no security.
>
> If you are happy with the illusion that MAC filtering provides your
> network with some security, I'm happy for you! :) Just let me know
> where you live. ;)
>
> David.

I've been following this thread with some interest as I took my laptop
to work on the train the other day, initially I was looking for an
access point in the station but noticed a number of open wireless
networks which didn't seem to be commercial setups so I kept on scanning
during the journey, I reckon I found 40-50 open & unencrypted networks
during the 1 hour journey. I found this quite shocking really
particularly as the tools are there to make it fairly easy to enable
encryption on wireless kit.

I realise that encryption isn't foolproof but it'll deter the casual hacker.

For the effort involved I would:
1. enable MAC filtering.
2. turn off SSID broadcast
3. choose a different SSID from the default
4. turn on encryption


It should only take a few minutes to set it all up, & once done you can
forget all about it.

David Taylor

Oct 3, 2005, 1:12:28 PM

> it's one aspect of security, and MAC filtering gives you that aspect,
> which is all many people want.

Well since the original poster hasn't said whether he wants security or
to just keep accidental stumblers off his network we won't know.

> Just because you want *more* security doesn't mean MAC filtering is
> *no* security.

I'd just want some rather than nothing. MAC filtering prevents people

David Taylor

Oct 3, 2005, 3:25:57 PM

> Be aware that you will incur a significant overhead by setting up
> encryption. IIRC it was about 30% when I last set one up at work.

There are many variables which determine whether it's an issue. For most
home users, 30% less performance than say a max of 22Mbps leaves me with
15Mbps which is *still* faster than my internet connection.

> Personally I don't bother with any security on the wireless component
> of my network. If anyone is stealing my bandwidth it hasn't been
> noticeable.

If you think that stealing bandwidth is the only concern you should have
then think again.

> Why do you think you need it?

Well for starters, I'd like to collect my email from a client. I don't
have the desire to use a web based email client doing SSL from home. I
quite like being wireless at home and so I think that being able to
collect email via say POP3 is ok for me. However, POP3 is clear text
authentication as is the resultant traffic. What a great way to begin
an identity theft experiment for someone sniffing.

With the wireless portion encrypted, the simple eavesdropping won't
succeed and neither will the kiddie porn get downloaded over my
connection nor will my connection end up being used by a spammer. I
don't consider any of these likely knowing where I live but there's no
reason why not.

Those are just examples.

David.

David Taylor

Oct 3, 2005, 5:23:33 PM

> access point in the station but noticed a number of open wireless
> networks which didn't seem to be commercial setups so I kept on scanning
> during the journey, I reckon I found 40-50 open & unencrypted networks
> during the 1 hour journey. I found this quite shocking really

I'm surprised you found so few. I drove around the city here and in 15
minutes had found 270 of which half were (apparently) unencrypted, some
commercial. This was only with netstumbler although I did the same
route last week and found 277 with kismet so very little difference.

> I realise that encryption isn't foolproof but it'll deter the casual hacker.

Yes but again, if it's just the casual hacker that you're looking to
deter then:-



> For the effort involved I would:
> 1. enable MAC filtering.

Does not deter even a casual hacker who has the intent on spoofing and
if it's to avoid people falling onto your network by accident then (4)
does this already.

> 2. turn off SSID broadcast

Does not in any way hide the SSID, it's in the frames and kismet,
Wellenreiter etc pick it up just fine. Just makes it harder for other
people to avoid your channel and you end up with interference. Also
breaks some client functionality. The only people you're hiding from
here are the XP zero config clients and they're not your worry anyway.

> 3. choose a different SSID from the default

Ok but only so as to not look like a target. Nothing like a ripe
company with an SSID which matches the company name.

> 4. turn on encryption

Which deters the accidental person connecting, provides some security
and hopefully deters the lazy hacker who may seek other low hanging
fruit. This is the only one of the above that is really in the realms
of any security despite what you might read on the web, much of it which
is several years old in principle and has never been updated.

David.

Derek Broughton

Oct 4, 2005, 1:27:16 PM

Dave Dowson wrote:

> 1. disable MAC filtering
> 2. turn on SSID broadcast
> 3. choose a SSID which clearly identifies it as your network [1]
> 4. turn off encryption [1]
> 5. only permit VPN traffic between the WLAN and any other network
> (and only allow VPN authentication through certificates, not
> PSKs).

Maybe I'm just demonstrating my ignorance, but doesn't VPN require a VPN
server on the other end? If I was an authorized user on your WLAN, how
would I browse the Internet?
--
derek

Jeff Liebermann

Oct 4, 2005, 2:05:15 PM

On Mon, 03 Oct 2005 21:23:33 GMT, David Taylor <djta...@bigfoot.com>
wrote:

[ntl newsgroups dropped because Newsguy doesn't carry them]

>I drove around the city here and in 15
>minutes had found 270 of which half were (apparently) unencrypted, some
>commercial.

Don't assume that just because it's not encrypted, it's also insecure.

The local hospital wireless system is a good example. It shows up as
unencrypted. Anyone can connect. However, they're greeted with an
SSL encrypted splash web page that demands a user name and password
(along with some instructions). Once you login, all traffic is SSL
encrypted. It also delivers a magic cookie for temporary
authentication making session hijacking difficult. At first glance,
this would appear to be insecure, but it's really quite secure.

The same thing with VPN over wireless. The wireless connection is
unencrypted. However, all traffic is configured to go to the VPN
server. All ports are blocked except those required for the VPN. The
only way to get anywhere is to fire up the VPN client. All traffic
appears encrypted by the VPN tunnel.

There is an issue with client-to-client security on such systems, but
most access points have a "client isolation" feature that prevents
unencrypted bridging between connected clients.

While I'm ranting on security, I have a really bad attitude about
security by group rather than by individual. Having a common WEP or
WPA key for a system is ridiculous. The chances of social engineering
or simple theft causing the key to leak out is far too risky to even
consider WEP or WPA a useable security mechanism. Would you trust
your co-worker with *YOUR* system passwords? Encryption should be
individualized so that a leak or security breach by one person does
not compromise the rest of the users or the rest of the system.

DevilsPGD

Oct 4, 2005, 3:30:27 PM

In message <lkqa13-...@news.pointerstop.ca> Derek Broughton
<ne...@pointerstop.ca> wrote:

Yes.

Personally, I don't run MAC filtering, WEP, WPA, or anything else...
However, the only services you'll get on my wireless LAN are a DNS
server and a VPN server. Depending on which firewall I'm using, the
only query the DNS server will answer is the VPN server's IP, it doesn't
even resolve on its own, it's just there so that I can use the same VPN
icon on my desktop when I'm on my wireless network or when I'm
traveling.

Anyone with the ability to break my VPN's encryption will have better
things to do than monitor my wireless traffic :)

--
If electricity comes from electrons, where does morality come from?

Taylor

Jan 5, 2006, 6:57:59 AM

"DevilsPGD" <spam...@crazyhat.net> wrote in message
news:1tj5k1lh78boak3u6...@4ax.com...

The fact is, it'll likely only be a script-kiddie hacking your network.
WPA-PSK or WPA2 personal are fine, and won't realistically be hacked. Fact.

Just because you're a fanny running a VPN does not mean other people should
choose this path, you should disable SSID, enable mac filtering, change
default SSID name, enable WPA with AES, or WPA2 with AES+TKIP.

Knob.


David Taylor

Jan 5, 2006, 9:05:57 AM

> Just because you're a fanny running a VPN does not mean other people should
> choose this path, you should disable SSID, enable mac filtering, change
> default SSID name, enable WPA with AES, or WPA2 with AES+TKIP.

You commented on how random comments get thrown in, yet then suggest
disabling SSID broadcast which has no useful security value and only
makes it more difficult to a) troubleshoot connections, b) detect if
someone else is on the same channel (if you've all disabled SSID
broadcast).

In your previous post, you commented that MAC filtering has no security
value, yet bring it up again here?

Random!

BTW, there are other ways to secure WLAN's without using WPA(2) you know
and more secure than those too.

David.

Taylor

Jan 5, 2006, 6:53:54 AM

"Mark" <sa...@yourheadntlworld.com> wrote in message
news:9sI%e.4569$0f3...@newsfe1-win.ntli.net...
>
> "Mr T" <nos...@hotmail.com> wrote in message
> news:JCx%e.4598$O%.2043@newsfe1-gui.ntli.net...
>>I have recently setup a wireless network with my laptop and 3 desktops. At
>> present I have no security on my network. Can someone advise me what
>> security I need to setup on my network?
>> Thanks
>>
>> Mr T
>>
>>
>>
>
> The best thing to do is enable MAC address filtering on the access point.
> Add the MAC addresses of the wireless network cards. This will make it much
> harder for any random passer to even connect to the AP network.

LOL that is *not* at all secure! If I was beside your house and you had MAC
filtering on, I could watch about 10 packets, get the MAC address of the
person using the network, then just change my NIC to match it.

The *ONLY* secure way (NOT WEP!!) is to use WPA with AES (NOT TKIP!!!) -
also using WPA with AES means less bandwidth is used in communication, so
you're not sacrificing speed to such an extent.

Always amuses me how random comments get made about this subject.


David Taylor

Jan 13, 2006, 11:52:35 AM

> You would be as well to enable it if you are going to use encryption, it
> will take up no noticeable router resources, and will make you think about

No need if using something stronger.

> ie: a friend brings a laptop round, aha better put his MAC in...

MAC addresses are too easily spoofed.

Yozzi

Jan 13, 2006, 9:05:17 AM

"David Taylor" <djta...@bigfoot.com> wrote in message
news:MPG.1e2738ffb...@news.cable.ntlworld.com...

> You commented on how random comments get thrown in, yet then suggest
> disabling SSID broadcast which has no useful security value and only
> makes it more difficult to a) troubleshoot connections, b) detect if
> someone else is on the same channel (if you've all disabled SSID
> broadcast).
>
> In your previous post, you commented that MAC filtering has no security
> value, yet bring it up again here?
>
> Random!
>
> BTW, there are other ways to secure WLAN's without using WPA(2) you know
> and more secure than those too.

You would be as well to enable it if you are going to use encryption, it
will take up no noticeable router resources, and will make you think about
who is on your network that little bit more; the normal modern home use will
not normally do that.

ie: a friend brings a laptop round, aha better put his MAC in...

You can use 'net-stumbler' to look at various signal strengths and channels
used in your area. And as a trouble-shooting assistance, it's a good plan,
even if you're a basic home wifi user, to have software that will identify
the above.

Did I suggest using it on your own? Yawn, you're a strange one.

