WIFI Security

It is said that Wireless Security is an oxymoron. In other words, you can never be 100% secure with wireless.

However, you can tighten things down enough that the chance of you getting hacked is virtually nil. I'm sure that the FBI could find a way, if it was important to them, but I doubt you are that suspected.

So do what you can. Block all MAC addresses not in your whitelist, use WPA2 encryption, don't broadcast your SSID, but most importantly, if you see a black van by the side of the road near your house, shut down your internet connection. :D

I like the black van part. lol :)

I also limited my IP address range to the two devices in the network.

Range 192.168.1.64 (being the PS3) to 192.168.1.65 (being my PC). Some people might rip on this suggestion, but in my case, with use on the LAN limited to pretty much myself, it works well for me, no probs. I will be adding an X-Box 360 soon, and just have to allow one more IP allocation, i.e. 192.168.1.64 to 192.168.1.66.

I have DHCP enabled, but have port forwarding set up for a sharing program on the PC and ports forwarded for voice chat and various PS3 required functions, with no worries of IP wandering, AS LONG as I turn the devices on in the proper order; but seeing my PC stays on nearly 24/7 it never loses its assigned IP, and the PS3 automatically takes the only other one available. It has been a few months now and I have not had to mess with my router or other settings due to IPs not matching and ports getting screwed up.

This is in a wired setup, but this might be another way to tighten up your security on the wifi as well. If you have many people logging in and out, and need a wider IP range to allow more IPs to be dished out, this might not be for you.

Just a thought, something that is working for me.

Tell me to butt out if I missed the mark here.....lol:p

No. I'm open to all ideas, but I will have to consider if I can apply them to my situation. I don't have anything that needs to access the network, except two computers, and the router is set to identify them via their MACs. I think that would be equal to their IPs. However, in my first configuration attempt, I did enable DHCP, and it lists IP and MAC for both computers. Perhaps I should disable DHCP...I'm not sure.

My theory on this is that they can spoof this or that, but if only 2 device IPs are available for assignment, and as usual my devices are nearly always on, there's nowhere for an intruder to go, just another roadblock. They can only assign one of the two IPs, and seeing they are already taken...dead end. It may not suit your style of setup, but it's just something I kind of tried after doing various experiments with media servers and port forwarding, etc. etc.

It is working for me now but you know how sometimes things can change quickly.....:doh:

EDIT: I also just thought, you can also limit the broadcast power of your router, in theory, shrinking the radius of your signal. Apartments, this works to a little effect, but in a home on decent sized land you'd maybe see the benefit more, people would have to park under your front window to get a strong signal. Most wireless routers have some kind of power adjustment.

Watch out for camouflaged painted Accords in the bushes!!!!!!!!!!!!!!!!!!!!!!!
seekermeister, as said earlier... there is no "absolute" security in a computer network. Well... there is: disconnect the computer, then turn it off... Anyways...

If you are paranoid about your wifi network connection, I have several suggestions:

1. Don't use DHCP; disable it and use manual static IP addressing. Use weird IP addresses; there are a lot of private IP subnets you can use that don't start with 192, 10, or 172... And use a classless subnet mask (anything other than 8/16/24 bits).
2. Use obscure wifi standards, preferably 802.11a; though slow, it will most of the time "save" you. The analogy is this: if the thief can't see the house, he can't break into it... If you need speed, then all you can do is use g/n plus WPA2 encryption (preferably AES). Stay away from MAC address access control; if the "hacker" knows how to break into your wifi AP, spoofing a MAC address is child's play.
3. If you're comfy, use a pre-shared key. This is the "key" so that you can log in to your wifi AP. If you're paranoid, use 32 random characters or more as a key, and don't forget to use special characters (like *, (, ), -, _, +, =, etc.). If you don't feel comfy with it, use a RADIUS server to store the key(s) (but you'd need a somewhat better access point for this kind of security). By using RADIUS, you can make many keys and rotate those keys (this depends on the RADIUS server).
4. If you're REALLY paranoid, then put your wifi network on the outside of your LAN, then use a router to connect the two, then put a traffic filter between the two. By this I mean once you're connected, you can't just put in an IP address and all is well; you need to configure gateway(s), custom DNS servers, etc. Much harder to break into.
5. If you are BEYOND PARANOID, put the wifi network outside the LAN and isolate it, and put a VPN server in there. So if you want to connect to your LAN, you need to authenticate at least twice (first will be the wifi connection, then set a static IP address, then authenticate to the VPN server), and put in traffic filtering plus a SNORT server; make it automatically shut down the network interface if it detects ANY SUSPICIOUS activity. If you're beyond all this, stack the VPN server configuration as I mentioned earlier several layers deep... that ought to drive the hacker away simply because it's too tedious to break into...

zzz2496
There is no 100%, but a strong password, not using real words and adding other characters as well, will get you a fairly safe system. For WPA2 cracking they must run your packets through a dictionary, and if the password used is not within it, it will not pick it up... To find more info on this visit Back-Track and read a little... GL :)
It appears that Back Track is simply a distro of Linux, which may be quite good...I don't know. However, my concern is WIFI security in general, regardless of the OS being used. So this is something that I will bookmark for future use, but it doesn't seem to fit what I'm looking for now.

Be wary of programs such as Back-Track, as they can be used to gather most passwords used by wifi... It's one that I have tested, and it can get through many WPA passwords... There are ways you can protect yourself, and I suggested a few and posted their site to help you protect yourself the best that you can... GL :)
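As an added Python example (mine, not from any poster in this thread) for zzz2496's point 3 and the dictionary-attack remark just above: it generates a 32-character random key with symbols, checks a key against those criteria, and derives the WPA2-Personal pairwise master key the way IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds). The derivation is the same work a dictionary attack has to repeat per candidate, which is why a passphrase that is not in the wordlist is simply never found. The symbol set is my own choice.

```python
import hashlib
import math
import secrets
import string

# Passphrase alphabet: letters, digits and the symbols the post suggests
# (* ( ) - _ + = plus a few more). 85 characters in total.
ALPHABET = string.ascii_letters + string.digits + "*()-_+=!@#$%^&[]{}:;,.?"


def check_psk(passphrase):
    """Return the list of problems with a WPA2 passphrase; [] means it passes the
    thread's criteria (32+ characters, symbols, digits, not a plain word)."""
    problems = []
    if len(passphrase) < 32:
        problems.append("shorter than 32 characters")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("no special characters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digits")
    if passphrase.isalpha():
        problems.append("letters only, looks like a dictionary word")
    return problems


def generate_psk(length=32):
    """Draw a passphrase from ALPHABET with the OS CSPRNG (secrets, never random).
    WPA2-Personal accepts 8 to 63 printable ASCII characters. The rare draw that
    happens to contain no digit or no symbol is retried."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not [p for p in check_psk(candidate) if "shorter" not in p]:
            return candidate


def entropy_bits(passphrase, alphabet=ALPHABET):
    """Guessing resistance in bits if every character was drawn uniformly from
    alphabet: about 205 bits for 32 characters of this alphabet, versus the
    handful of bits a dictionary word carries."""
    return len(passphrase) * math.log2(len(alphabet))


def wpa2_pmk(passphrase, ssid):
    """WPA2-Personal pairwise master key per IEEE 802.11i: PBKDF2-HMAC-SHA1 with
    the SSID as salt, 4096 iterations, 256-bit output. The SSID is mixed in, so
    the same passphrase yields a different key on every network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


if __name__ == "__main__":
    psk = generate_psk()
    print("generated key:", psk, f"({entropy_bits(psk):.0f} bits)")
    print("problems with 'password':", check_psk("password"))
    # Published 802.11i test vector: passphrase "password", SSID "IEEE"
    print("PMK:", wpa2_pmk("password", "IEEE").hex())
```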
I sort of fit into item 5, but I have to balance that with what I think that I'm capable of managing. I'll start at item 1 and progress as I can.
Ahh, originally I thought that you linked to it as something to use, rather than something to guard against. I will look it over again with that in mind.
By the way, have a look at my favorite router, Mikrotik RB-450G router board, google it...

zzz2496
That looks like a good one, but it appears not to have WIFI. Doesn't make any difference though, because my router is barely out of the box, and the adapter for the remote computer is still on its way. So far, I'm happy with it.
If you read carefully, each of the RB-450G's ports is an independent interface, meaning you can assign an IP address to EACH and route between interfaces. Plus I haven't seen ANY consumer grade router that has at least one fourth of what Mikrotik's software can do... (by the way, fire up VirtualBox or Virtual PC, download Mikrotik RouterOS for x86, and try it to find out).

zzz2496

edit: forgot to add, there are other routerboards that have mini PCI slots, so you can add a wifi card in the router if need be; some come with one slot, others have more than one...
Disable DHCP

Switching DHCP off and using static IP addressing is no defense against hacking. Anyone snooping the network can usually figure out the pattern that has been used to assign the IP addresses in question and then make a specific request accordingly.
The ABCs of securing your wireless network
The article referenced, seekermeister, is talking about connecting to public hotspots. You are setting up a home network so will not be accessing "Phony access points (APs) that use spoofed service set identifiers."

Although a couple years old, you may want to read The ABCs of securing your wireless network. Also be sure to use a strong password for your wireless network. Set up a security key for a wireless network. Then, as Jonathan said, any hacker still has to get past the Windows logon. In Network and Sharing, limit any files being shared to public and require a password for access.

Curiously, your first link seems to discount the benefit of most settings, other than encryption method. Perhaps I'm making this harder than need be...don't know.

The ABC's link is a couple years old. I provided it for information.

In Network and Sharing, limit any files being shared to public and require a password for access.
This idea throws me somewhat, because I wanted to be able to access any file from either computer. Unless I misunderstand, sharing with the "public" includes other computers on the network...yes/no? I was hoping that within my network access would be simple, but with a hard shell to outside access.

No, not other computers on the network. I meant public folders -- placing music and videos in public folders, and making them accessible but not documents, thereby further protecting any confidential materials.

In fact, if you are only going to use the wireless connection "just for the purpose of giving my secondary computer access to streaming media from the internet," then you don't even need to provide access to the other files.
As I said earlier, we can't really make a network 100% secure...

Here's a thought. Here you're a wifi snooper, sniffing for wifi APs in a neighborhood. You found one, unsecured, connect to it... then you're connected. But when you check your IP, Windows (or whatever your OS) used APIPA addressing (the one that starts with 169.x.y.z), indicating no DHCP server. The first thing to try is the 192.x.y.z network; see if it works, do a scan in the subnet. If nothing shows up, use 10.x.y.z, do another scan, etc... What I propose was for our TS to use, let's say, the 180.99.99.x network, with a 27-bit subnet mask (that is 255.255.255.224). This will hinder the hacker's attempt to connect to the network.

My more advanced suggestion (point 5) is like this:
LAN = 180.99.99.x/255.255.255.224, gateway at 180.99.99.29, and use another DNS server; let's say we use 180.99.99.27 and 180.99.99.28 as DNS servers. That alone will slow the so-called hacker down... Unless the hacker uses a packet sniffer and tries to look for packets that are running around... But then again, if the WPA2 key is at least 32 characters long with random chars + symbols, it'll be A LOT harder to "crack". If you use a dictionary attack, that attack will only work for words in the "dictionary"; 32 random gibberish characters don't count as a "dictionary" word... After the hacker succeeds, he then needs to scan the network for another host to connect to... This will be the VPN server; the only open port is the VPN server's listening port... connecting to this will engage another authentication dialog. Set the VPN server to blacklist hosts that fail on the 3rd try... Once he can connect to the first VPN server, the hacker needs to do the process all over again to connect to the next VPN server... urgh... here's the simple "map":

Internet
|
[public IP]Router[180.99.99.29]-->LAN(180.99.99.x/255.255.255.224)
|
Wifi Network honeypot 1, VPN server + Traffic filtering + SNORT server
[15.1.1.x/255.0.0.0]
|
Wifi Network honeypot 2, VPN server + Traffic filtering + SNORT server
[18.25.4.x/255.224.0.0]
|
Wifi Network honeypot 3, VPN server + Traffic filtering + SNORT server
[12.81.3.x/255.255.128.0]
|
Wifi Access point [12.81.3.8/255.255.128.0 Static assigned IP address]
|
[The hacker starts here...]

There...

zzz2496
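As an added Python example (mine, not zzz2496's or the thread's) of the static /27 plan in this post: it checks that the gateway, DNS servers and client addresses all fit the subnet without collisions, that the mask is classless as point 1 asks, and it reports how many addresses the "obscure" range actually contains, which is the substance of the "no defense" reply quoted earlier. It also flags that 180.99.99.0/27 is public address space, so borrowing it internally makes those real internet hosts unreachable from your own machines. The two client addresses are assumed.

```python
import ipaddress

# Constructed plan following the post above: a /27 (255.255.255.224) with the
# gateway and DNS servers near the top of the range, using the post's addresses.
LAN = "180.99.99.0/27"
GATEWAY = "180.99.99.29"
DNS_SERVERS = ["180.99.99.27", "180.99.99.28"]
# Hypothetical static addresses for the thread starter's two computers.
CLIENTS = {"pc": "180.99.99.2", "laptop": "180.99.99.3"}


def usable_hosts(cidr):
    """Addresses a client could be given, excluding network and broadcast."""
    net = ipaddress.ip_network(cidr)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def plan_summary(cidr):
    """Facts to know before relying on an 'obscure' range: the mask, how many
    addresses an intruder would have to try (30 for a /27), and whether the
    range is actually private."""
    net = ipaddress.ip_network(cidr)
    return {"netmask": str(net.netmask),
            "usable_hosts": usable_hosts(cidr),
            "private": net.is_private}


def validate_static_plan(cidr, gateway, dns_servers, clients):
    """Return the problems with a static-IP plan; [] means it is consistent.
    Checks what the post asks for (classless mask, everything inside the subnet,
    no collisions) plus the caveat that a non-private range borrows someone
    else's public addresses."""
    net = ipaddress.ip_network(cidr)
    problems = []
    if net.prefixlen in (8, 16, 24):
        problems.append(f"/{net.prefixlen} is a classful mask")
    assigned = {"gateway": gateway}
    assigned.update({f"dns{i + 1}": d for i, d in enumerate(dns_servers)})
    assigned.update(clients)
    seen = set()
    for name, raw in assigned.items():
        addr = ipaddress.ip_address(raw)
        if addr not in net:
            problems.append(f"{name} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {addr} is the network or broadcast address")
        if addr in seen:
            problems.append(f"{addr} is assigned more than once")
        seen.add(addr)
    if not net.is_private:
        problems.append(f"{net} is public address space, not a private range")
    return problems


if __name__ == "__main__":
    print(plan_summary(LAN))
    print(validate_static_plan(LAN, GATEWAY, DNS_SERVERS, CLIENTS))
```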