
OT: Setting up secure wireless in your house.


Clark F Morris

Nov 5, 2012, 9:31:45 PM11/5/12
Pete mentioned a while back that he had set up his wireless such that
no passwords were required to connect but that the access was still
secure. I am looking at doing something similar if I can find some
reference material so that I can do the same. Note that I don't want
to get information that would compromise anyone's security.

Clark Morris

Pete Dashwood

Nov 6, 2012, 5:50:37 AM11/6/12
Clark, when they talk about a "secure network" what they really mean is that
data is encrypted before being sent over it.

So the "content" is secure, inasmuch as anyone listening in on a wireless
scanner will just see garbage. It has nothing to do with security of access
in terms of a login.

As encrypting and decrypting each message incurs a slight overhead, I chose
not to install it. (besides, there is no traffic on my network that I
wouldn't want anyone to see, so I really don't care if someone has nothing
better to do than watch my network traffic...)

What I did was get the MAC address of the wireless card in the machine that
wanted to connect over WiFi.

(You run the "ipconfig /all" command from a DOS Box on it and note the IP
MAC Address of the card. These addresses are unique to each device.)

You then connect to the Wireless router as administrator and check the menus
provided. One of these will say something like..."Wireless Settings". Open
this and check for an entry or button that says "Wireless Station Access
List" or something similar.

This is a list of "Trusted wireless stations" with a device name and a MAC
address for each.

(You must have the Access Control feature of the wireless router firmware
turned ON for this to work).

Add the new device and it will be able to connect without a login. Any
machine that is NOT in the list can't connect.

This has worked exactly as intended for a couple of years and friends can
switch on their notebooks in my house and get immediate connection and
Internet.

All good until recently when I decided to upgrade my home entertainment
system and wanted wireless access for all devices on the LAN, to my large
flat screen TV. I'm using a Blu-Ray recorder as the hub and it has built in
WiFi which gives Internet access to the social sites and movie streaming,
and it SHOULD allow me to access and share other devices on my LAN, so I can
play photos, movies and music on any of my computers through the home
surround system and view them on the flat screen. When I came to configure
the recorder it detected my WiFi network and allowed Internet access but NOT
the LAN. It said the LAN HAD to be secure. (It's Panasophic, and although it
has proven to be excellent in most areas this is one where it isn't.)

I HAD to encode my network but I didn't use WPA2, just standard WPA. The
very first time a device logs on to the LAN it has to provide a password.
(It is a LAN Network password, not an individual Log In. And it isn't one of
those insane hex login strings you sometimes encounter when being given
access to someone's LAN) After that the Access Control described above kicks
in and if it is not an authorised trusted device, it won't be connected. I
have only ever had to do this once for each device even if it is switched on
and off or connected and disconnected, so I guess the credentials are stored
somewhere in each machine.

On the whole I'm pretty happy with it but it rankles a bit that a
manufacturer can MAKE me do something I'd prefer not to.

Pete.
--
"I used to write COBOL...now I can do anything."


Richard

Nov 6, 2012, 7:11:09 PM11/6/12
On 6 Nov, 23:50, "Pete Dashwood" <dashw...@removethis.enternet.co.nz>
wrote:

> MAC Address of the card. These addresses are unique to each device.)

While devices are manufactured with supposedly unique MAC addresses
most NICs can have this changed to whatever you would like it to be.
In particular anyone can see your network traffic, including the MAC,
and can easily make their machines fake this and connect.

It is _not_ a security feature.

> And it isn't one of those insane hex login strings

Most equipment caters for specifying whether it is hex or text.
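An added example, not code from anyone in this thread, of what Richard means by "anyone can see your network traffic, including the MAC": in an 802.11 data frame the three address fields sit in the unencrypted header in front of the body, so a passive listener collects station MACs whether or not the body is WPA-encrypted. The parser below decodes a constructed station-to-AP data frame with the Protected Frame bit set and a CCMP header, and lists the source addresses it saw. All MAC addresses and the "ciphertext" bytes are made up for the demo; they are not real devices or a real capture.

```python
import struct

# 802.11 frame-control constants (IEEE 802.11-2012, clause 8.2.4.1)
TYPE_DATA = 2
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40   # "Protected Frame" bit: body is WEP/TKIP/CCMP-encrypted

# Constructed addresses for the demo; these are not real devices.
AP_MAC = bytes.fromhex("001122334455")   # the wireless router (BSSID)
STA_MAC = bytes.fromhex("66778899aabb")  # a notebook on the WiFi
GW_MAC = bytes.fromhex("ccddeeff0011")   # wired host the notebook is talking to
# Stand-in for CCMP ciphertext plus 8-byte MIC: arbitrary bytes, no real key involved.
SAMPLE_CIPHERTEXT = bytes(range(0x9C, 0x9C + 32))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_protected_data_frame(sa: bytes, bssid: bytes, da: bytes, pn: int, ciphertext: bytes) -> bytes:
    """Station -> AP data frame (ToDS=1) with a CCMP header, as a sniffer would see it."""
    fc0 = TYPE_DATA << 2                       # protocol version 0, type Data, subtype 0
    fc1 = FLAG_TO_DS | FLAG_PROTECTED
    header = struct.pack("<BBH", fc0, fc1, 0)  # frame control, duration
    header += bssid + sa + da                  # Addr1, Addr2, Addr3 for ToDS=1 / FromDS=0
    header += struct.pack("<H", 1 << 4)        # sequence number 1, fragment 0
    # CCMP header: PN0 PN1 rsvd KeyID|ExtIV PN2 PN3 PN4 PN5 (48-bit packet number, split)
    ccmp = bytes([pn & 0xFF, (pn >> 8) & 0xFF, 0x00, 0x20,
                  (pn >> 16) & 0xFF, (pn >> 24) & 0xFF, (pn >> 32) & 0xFF, (pn >> 40) & 0xFF])
    return header + ccmp + ciphertext


def parse_data_frame(frame: bytes) -> dict:
    """Return everything a passive listener learns from one data frame without any key."""
    if len(frame) < 24:
        raise ValueError("too short for an 802.11 data header")
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != TYPE_DATA:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    protected = bool(fc1 & FLAG_PROTECTED)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    body_start = 24
    # Which address is SA/DA/BSSID depends on the DS bits (802.11-2012 Table 8-19).
    if not to_ds and not from_ds:      # ad-hoc / IBSS
        da, sa, bssid = addr1, addr2, addr3
    elif to_ds and not from_ds:        # station -> AP
        bssid, sa, da = addr1, addr2, addr3
    elif from_ds and not to_ds:        # AP -> station
        da, bssid, sa = addr1, addr2, addr3
    else:                              # WDS: Addr4 (SA) follows the sequence control
        if len(frame) < 30:
            raise ValueError("WDS frame too short for Addr4")
        da, sa, bssid = addr3, frame[24:30], None
        body_start = 30
    info = {"sa": mac_str(sa), "da": mac_str(da),
            "bssid": mac_str(bssid) if bssid else None, "protected": protected}
    body = frame[body_start:]
    if not protected:
        info["plaintext"] = body           # open network: the payload is readable too
        return info
    if len(body) < 8 + 8:                  # CCMP header plus MIC at minimum
        raise ValueError("protected frame without a full CCMP header and MIC")
    if not body[3] & 0x20:
        raise ValueError("ExtIV bit clear: not a CCMP/TKIP body")
    info["key_id"] = body[3] >> 6
    info["pn"] = int.from_bytes(bytes([body[7], body[6], body[5], body[4], body[1], body[0]]), "big")
    info["ciphertext"] = body[8:]          # opaque without the pairwise key
    return info


def observed_stations(frames) -> list:
    """Source MACs a passive sniffer collects; exactly the list a MAC filter trusts."""
    return sorted({parse_data_frame(f)["sa"] for f in frames})


if __name__ == "__main__":
    frame = build_protected_data_frame(STA_MAC, AP_MAC, GW_MAC, 7, SAMPLE_CIPHERTEXT)
    info = parse_data_frame(frame)
    print("protected:", info["protected"], "| sa:", info["sa"], "| bssid:", info["bssid"])
    print("stations seen:", observed_stations([frame]))
```

The header fields are just bytes the sending card writes, so once a listener has a trusted station's address it only has to configure its own adapter with it (on Linux, `ip link set dev wlan0 address <mac>` while the interface is down) to look identical to the access list. With WPA/WPA2 the encrypted body and its MIC still need the network key, but a MAC list on its own has nothing behind it.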

Pete Dashwood

Nov 7, 2012, 8:16:27 AM11/7/12
Richard wrote:
> On 6 Nov, 23:50, "Pete Dashwood" <dashw...@removethis.enternet.co.nz>
> wrote:
>
>> MAC Address of the card. These addresses are unique to each device.)
>
> While devices are manufactured with supposedly unique MAC addresses
> most NICs can have this changed to whatever you would like it to be.

Yes, I am aware of that but considered it was simply muddying the water
because nobody DOES ever change it...

What would be the point?

> In particular anyone can see your network traffic, including the MAC,
> and can easily make their machines fake this and connect.

Easily, huh?

They can see all the traffic they like but it is encrypted.

And, after spending considerable time on packet programming using various
protocols (just for the experience) I don't think it is for the faint
hearted. "Easy" is relative, and not a word that immediately comes to mind
in this context.

I also have certain other measures in place which I don't intend to divulge
here, but I still think that what was described is adequate for a home
system.
>
> It is _not_ a security feature.

That's arguable, and I think it is.

>
>> And it isn't one of those insane hex login strings
>
> Most equipment caters for specifying whether it a hex or text.

I know at least 3 networks that require a hex login for new connectors.

Richard

Nov 7, 2012, 2:04:33 PM11/7/12
On Nov 8, 2:16 am, "Pete Dashwood"
<dashw...@removethis.enternet.co.nz> wrote:
> Richard wrote:
>
> Yes, I am aware of that but considered it was simply muddying the water
> because nobody DOES ever change it...

Actually I _do_ change MAC addresses, one machine has it changed on
reboot (every year or so). This is because I have software that is
locked to a MAC address and the original NIC failed.

> What would be the point?

By using your network they can do their bulk emailing, DOS attacks and
copyright downloads without fear of being caught - it will be you
taking the blame.

> Easily, huh?
> They can see all the traffic they like but it is encrypted.

>> As encrypting and decrypting each message incurs a slight overhead, I chose
>> not to install it.

So it is _not_ encrypted at all !!! Easily - yes.


> I also have certain other measures in place which I don't intend to divulge
> here, but I still think that what was described is adequate for a home
> system.

> > It is _not_ a security feature.
>
> That's arguable, and I think it is.

http://www.esecurityplanet.com/views/article.php/3891716/7-Things-Hackers-Hope-You-Dont-Know.htm

Richard

Nov 7, 2012, 2:11:31 PM11/7/12
On Nov 8, 2:16 am, "Pete Dashwood"
<dashw...@removethis.enternet.co.nz> wrote:
> Richard wrote:
>
> > In particular anyone can see your network traffic, including the MAC,
> > and can easily make their machines fake this and connect.
>
> Easily, huh?
>
> They can see all the traffic they like but it is encrypted.

From elsewhere:

>>> The question is as per the title : can anyone tell me whether the WPA/
>>> PSK Wifi data protection scheme encrypts the MAC addresses of
>>> participating controllers, or are these addresses still visible to a
>>> snooper who doesn't have the key ?

>> The MAC addresses are sent in the clear.

This is required because the MAC address is checked before the network
login and it is only after the login with WEP, WPA or WPA2 the
encryption can be done.


> >> And it isn't one of those insane hex login strings
>
> > Most equipment caters for specifying whether it a hex or text.
>
> I know at least 3 networks that require a hex login for new connectors.

Exactly. If the admin of the WAP specifies hex then the clients must
use that. However, they could have specified that ASCII be used as
long as they restricted the string to one represented by ASCII
characters.

It is not a limitation of the equipment but a choice by the admin.
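An added example, not code from anyone in this thread, of why the "hex or text" question is the admin's choice rather than the equipment's: under WPA/WPA2-PSK the 64-digit hex string is the raw 256-bit pre-shared key, and a text passphrase (8 to 63 printable ASCII characters) is turned into that same key by PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, as specified in IEEE 802.11i. A supplicant decides which form it was given by length and character set. The functions below do that mapping with the Python standard library; the "IEEE"/"password" pair is the published 802.11i test vector, and the function names are mine.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID salt, 4096 rounds, 256 bits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("a WPA passphrase is printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, dklen=32)


def psk_from_hex(hex_key: str) -> bytes:
    """The raw key form: exactly 64 hex digits, no derivation, SSID not involved."""
    if len(hex_key) != 64 or not set(hex_key) <= HEX_DIGITS:
        raise ValueError("a raw PSK is exactly 64 hex digits (256 bits)")
    return bytes.fromhex(hex_key)


def psk_from_user_input(entered: str, ssid: str) -> bytes:
    """What a supplicant does with whatever string was typed into the WiFi dialog.

    64 hex digits cannot be a passphrase (max 63 chars), so the two forms never collide.
    """
    if len(entered) == 64 and set(entered) <= HEX_DIGITS:
        return psk_from_hex(entered)
    return psk_from_passphrase(entered, ssid)


def hex_form(passphrase: str, ssid: str) -> str:
    """The 64-digit string an admin could hand out instead of the text passphrase."""
    return psk_from_passphrase(passphrase, ssid).hex()


if __name__ == "__main__":
    # 802.11i Annex test vector (constructed network, not a real one)
    ssid, passphrase = "IEEE", "password"
    key_hex = hex_form(passphrase, ssid)
    print(f"SSID {ssid!r}, passphrase {passphrase!r} -> PSK {key_hex}")
    print("same key either way:", psk_from_user_input(key_hex, ssid) == psk_from_user_input(passphrase, ssid))
```

Two practical consequences follow from the derivation. Because the SSID is the salt, the same passphrase gives a different key on a network with a different name, so the hex form handed to a guest works only on that SSID. And because the mapping is public and unkeyed, anyone who captures a WPA 4-way handshake can run this same function over a word list offline, which is why a short or dictionary passphrase is weak even though the 64-digit hex it produces looks random.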