0 Votes
If in an Active Directory environment, I'm a fan of PEAP+Encryption. Kind of a two-factor authentication that can be seamless to the user, and keeps non-AD machines off your WLAN.
0 Votes
Is it just PEAP wrapped in an encrypted connection or is there "what you have" or "what you are" providing the second factor alongside the "what you know" password hash value?
0 Votes
AP's near metal
Simon_T 24th May 2011
LOL, I wish I could do that, but since I work on a cruise ship, all our APs are near metal. PoE is a lifesaver.
0 Votes
We had great reception on the Zuiderdam Rotterdam deck - NEPTUNE LOUNGE area! The 10 day Caribbean cruise was awesome.
The 128k was a little painful but it was flawless.
Jeff
United Health Care - IT Security
0 Votes
In business
jck 24th May 2011
I don't know anyone who would put in an access point and not turn on encryption. And in a small office environment, most (if not all) would maintain the MAC address list so that only specific machines can access the router.

I've never run a wireless router unencrypted. It's bad enough WEP can be cracked faster than a walnut under an elephant's foot.
0 Votes
You're lucky
Neon Samurai 25th May 2011
Most folks I've seen buy a wifi access point, plug it in and think they're done. "What? You mean the factory defaults are wide open?"
0 Votes
I set up my old neighbors in FL on wireless, and made sure the laptop that we got them had a card which could do everything it needed. They were going to do some limited shopping on the internet, and I didn't want them getting their info stolen.

I helped their friends out too, but the husband was tech savvy to an extent and had read up and figured out how to set up encryption.

I guess I got kinda spoiled that I didn't deal with the worst of the end-users.
With ISPs issuing access points that are insecure by default, I see a lot of network SSIDs that scream "five minutes of your time or less". I am happy to report an increase in the use of WPA for non-default SSIDs around home though.
0 Votes
Corollary to #5
TBone2k 24th May 2011
Get a good access point that does 802.11x authentication. That makes it as secure as plugging in to the network since all users must authenticate on the network (not the wireless encryption).

The beauty of it is that you can also meet management's need to provide "guest access" by routing unauthenticated users directly to the internet.
0 Votes
Channel Selection
psutsos@... Updated - 24th May 2011
I've heard this before and wanted a professional opinion: When selecting channels for your AP, put it not one, but two channels away from other nearby access points. For example: If another access point is on channel 3, you want to use 1 or 5, not 2 or 4. The radio signal for a channel can overlap into the one before and after, causing radio interference and thus, performance issues. I think I've seen this on cruise ships before, where they use channels 1, 3, 5, 7, etc. Can anybody confirm this?
0 Votes
I'm curious if I have multiple APs and all of them are on the same channels?
1 Vote
Channel frequencies cross over due to being an analog signal versus a digital. They don't have a hard set on or off but rather ranges where signal is stronger or weaker.

If you think of a half circle, the peak may be channel 6 but you're also getting decreasing signal strength bleeding into channels 4, 5, 7, 8. This type of wifi scanner display shows the peak plus the range of channel cross-over:

http://maemo.org/downloads/product/Maemo5/wifieye/

Ideally, you want to pick channel 1, 6, or 11 since those provide the greatest separation from each other.

For the question attached to yours regarding multiple access points on the same channel:

In short, it depends on if you're getting interference from other routers on the same channel or not.

I'm not sure about devices set up to extend a wireless coverage area; they may provide config to broadcast the same SSID on the same channel. In general though, you can have multiple different SSIDs broadcasting on the same channel up to the point when you start to sense interference.

In a previous place I lived, I'd start to get slow and dropped wifi connections every three to six months as more folks around me bought wifi routers for home. My network would be fine up to a point until there was just too much radio noise (often newer 802.11n routers overpowering my humble 802.11g radio at the time). I'd pop open my wifi scanner, see what channels are least populated and change my router over to that one; poof.. rock solid and fast network connections again.
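
The channel question above can be checked with arithmetic. This is an added example, not code posted by anyone in the thread: it models each 2.4 GHz channel as a 22 MHz band (the 802.11b/g mask width, an assumption of this simple model) centred 5 MHz apart, and picks the quietest of 1, 6 and 11 from a constructed scan list.

```python
# Added example: 2.4 GHz channel overlap and channel choice from a site survey.
CHANNEL_WIDTH_MHZ = 22  # assumed signal width (802.11b/g); centres are 5 MHz apart


def center_mhz(channel):
    """Centre frequency of 2.4 GHz channels 1-13."""
    if not 1 <= channel <= 13:
        raise ValueError(f"unsupported channel: {channel}")
    return 2407 + 5 * channel


def overlap(a, b):
    """Fraction (0.0-1.0) of channel a's band that channel b also occupies."""
    separation = abs(center_mhz(a) - center_mhz(b))
    return max(0.0, (CHANNEL_WIDTH_MHZ - separation) / CHANNEL_WIDTH_MHZ)


def dbm_to_mw(dbm):
    """Convert received signal strength from dBm to milliwatts."""
    return 10 ** (dbm / 10)


def interference(channel, scan):
    """Sum of neighbour power (mW), weighted by how much each overlaps `channel`."""
    return sum(overlap(channel, ch) * dbm_to_mw(rssi) for _ssid, ch, rssi in scan)


def best_channel(scan, candidates=(1, 6, 11)):
    """Candidate channel with the least overlapping neighbour power."""
    return min(candidates, key=lambda ch: interference(ch, scan))


# Constructed scan results: (SSID, channel, RSSI in dBm). Not real networks.
SCAN = [
    ("neighbour-a", 3, -55),
    ("neighbour-b", 6, -70),
    ("neighbour-c", 6, -72),
    ("neighbour-d", 11, -80),
]

if __name__ == "__main__":
    for other in (2, 3, 5, 6):
        print(f"channel 1 vs {other}: {overlap(1, other):.0%} shared")
    print("least congested of 1/6/11:", best_channel(SCAN))
```

In this model channels 1 and 3 still share more than half their band, and the overlap only reaches zero at five channels apart, which is where the 1, 6, 11 spacing comes from.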
Not that it was suggested by the article:

"Many IT Pros recommend not broadcasting one's SSID".. gah.. is that fallacy of obscurity still floating around?

When the access point does not broadcast its SSID, the client device must constantly call out for it hoping to discover that it's within range. This means that the network SSID is being announced all over town when the device is turned on.

- One can have a bit of fun and do some information gathering by grabbing any handy wifi sniffer and watching what SSID names devices call out for. Watch the list of names that the same device requests and you'll get the home network, the work network, the hotels one's been at and so on.

- Worse still, one can set up an access point that listens for any device calling out SSIDs and answers "yeah, that SSID is me.. send your password".. and the client device does just that.

When the access point broadcasts the SSID, the client device knows to listen for it rather than constantly calling out. You can also set the client device to not try and connect to an access point which is not broadcasting the correct SSID, reducing the risk of Mr Rogue AP in the second bullet above. (Windows has this option, not sure how other device software manages it. My Debian simply doesn't try to connect unless I tell it to do so.)

You may even benefit from someone setting up their own access point, seeing your SSID and then knowing to use a different channel. "hm.. lots of wifi networks on channel 6, I better use channel 11 or 1 then".. and everybody is happy with less radio interference.

And point 7; Yes! Use the security features provided by your access point. If it's a consumer device that doesn't do at least WPA or WPA2; return or replace it for/with one that does. Client devices that only do 802.11b? You're better off replacing them rather than decreasing the entire network's security because of them.

Change the network password as soon as you can. Use a maximum length complex code and keep it in a password manager if you need to. Yeah, it sucks to type it into your new iPhone but two minutes of typing versus a crappy short password easily broken by packet analysis (.11b at under five minutes) or dictionary (WPA/WPA2 in a day or so with some services).

As for MAC filtering; this is not a security feature. Don't think for a second that a MAC filter stops people from connecting to your network if they want to. Any OS besides Windows is going to easily allow one to set the MAC address to whatever they like including MAC listed in the wifi scanner. Windows allows it also with special drivers so anyone who wants to do this is going to be able to.

What MAC filtering can do for you is tell the access point if it should even care about the network packet. If the packet is not from a recognized MAC address, the access point will ignore it. This reduces resource load on your access point and the radio noise it responds to. That's not a security feature but it is a beneficial outcome.

Point 9; be warned. Reducing signal strength may be of interest to reduce the range that clients can connect from (say, like the empty parking lot across the road.. probably not a lot of folks who need to connect from there). Be careful when increasing signal strength beyond the factory defaults though. An overpowered radio may get you a few extra meters of range but it can burn out your access point a lot sooner than expected.
0 Votes
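
The comment above mentions the Windows option that controls whether a client connects to a network that is not broadcasting. As an added example (not part of the thread), this script audits saved Wi-Fi profiles for that setting and for open or WEP networks. It assumes the XML layout written by `netsh wlan export profile`; the sample profiles and SSIDs are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the Windows WLAN profile schema used in exported profiles.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}


def _text(root, path):
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def audit_profile(xml_text):
    """Return (profile name, list of findings) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    hidden = _text(root, "w:SSIDConfig/w:nonBroadcast").lower() == "true"
    auto = _text(root, "w:connectionMode").lower() == "auto"
    auth = _text(root, "w:MSM/w:security/w:authEncryption/w:authentication")
    enc = _text(root, "w:MSM/w:security/w:authEncryption/w:encryption")
    findings = []
    if hidden and auto:
        # The client calls out for this SSID by name wherever it is switched on.
        findings.append("auto-connects to non-broadcast SSID")
    if auth.lower() in ("open", "shared") or enc.upper() in ("NONE", "WEP"):
        findings.append("open or WEP network")
    elif enc.upper() == "TKIP":
        findings.append("TKIP only")
    return _text(root, "w:name"), findings


def audit_all(profiles):
    """Map each profile name to its findings."""
    return dict(audit_profile(p) for p in profiles)


def _sample(name, non_broadcast, mode, auth, enc):
    """Build a constructed profile document for the demonstration below."""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID>
    <nonBroadcast>{non_broadcast}</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication><encryption>{enc}</encryption>
  </authEncryption></security></MSM>
</WLANProfile>"""


SAMPLES = [_sample("office-hidden", "true", "auto", "WPA2PSK", "AES"),
           _sample("cafe-open", "false", "manual", "open", "none"),
           _sample("home-wpa2", "false", "auto", "WPA2PSK", "AES")]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```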
Ouchie...
AnsuGisalas 25th May 2011
"- Worse still, one can set up an access point that listens for any device calling out SSIDs and answers "yeah, that SSID is me.. send your password".. and the client device does just that."

That's bad!
0 Votes
Ah yes...
jck 25th May 2011
Gotta love promiscuous mode...
0 Votes
Another one is simply setting up an access point broadcasting "Free Internet" then watch who jumps on.

[AP] [Silent Proxy sniffing traffic] {Internet}

And technically, they connected to your network so you may have some legal argument against wire-tap charges for that silent sniffer in the middle. I still wouldn't recommend it without an initial "welcome to Free Internet, all your traffic will be monitored while here" or similar method of assumed permission. Still, it's a possible attack criminals can easily make use of.
0 Votes
You are...
jck 26th May 2011
giving me really evil ideas... the likes I haven't since I worked for that company where I did really cool projects... cool
You could still charge them with illegally connecting to an AP that they don't own... wink
Just sayin'

Smart people KISS it when setting up wireless access...

That means keeping a log and updating a building's blueprints...
Very important - do a site survey and find out what channels are already out there, and be cautious of slapping it out there right out of the box.
5 Votes
My SSIDs at home are HAL and DAVE for obvious reasons.

My favorite ones I've seen are:

Network Connection Error
FBI Surveillance Van #2

I would think a SSID for a restaurant would be:
Try_the_99cent_Taco_Meal_at_El_Toro
Filling out or not filling out a warranty card in no way affirms or negates your warranty rights. Laws regarding warranties are pretty clear in that regard.

However, filling out the warranty card isn't a bad idea to register to receive product bulletins.
0 Votes
Help - Win 7 Wireless/PEAP,MSCHAP
ef5150 Updated - 11th Dec 2011
Hi - If this isn't the correct forum for this, please let me know where I can post this. Thanks everyone:

I need to successfully wirelessly prelogon connect to an enterprise RADIUS (Certificate Based) domain. It always asks for the password and user account at boot up. Although this is pre-logging on, I want to store the certificate and credentials so that it automatically connects to the wireless without prompting for domain credentials. How can I do that? I tried using intel pro set but that didn't help either.

I want to reiterate that I am pre-logon connecting although just like you set up Windows with AUTO-LOGON, I'd like to do the same with the prelogon wireless connection (no user intervention). I have several tablet computers we need to deploy in a medical center network and we can't have any user interaction. The reason why we need the prelogon connect is because we do not cache the domain credentials since they save patient info to the C drive; if the laptop gets stolen, it would Windows auto-logon and they would access the data. Again, without caching the DOMAIN credentials, it allows us a secure configuration since the logon would fail if not on our network. I wanted to explain this better...

So, the deal is, with Windows XP and intel pro set, it allowed me to prelogon connect or should I say AUTO wireless prelogon-connect, meaning, no user interaction was needed. I have over 1300 of these on the network or more... Windows 7 seems to not have this capability (I think); of course you can pre-logon connect but you ALWAYS have to enter your domain\useraccount and password at the logon screen. I have pulled several PDFs and I don't think it's possible; they also mention that Win7 will not save the user's wireless credentials for use at pre-logon. This will be a HUGE show stopper for this medical center to move to Windows 7 if this is not resolved. We need to have no user interaction at log on and a secure NON-CACHED domain logon configuration.

MS - please help.



Ed , Roch NY -