General discussion

  • #2258484

    Is there such a thing as a secure wireless network for a home LAN?

    Locked

    by poordirtfarmer ·

    I keep reading comments criticizing inadequately protected Access Points as though they are common. This seems to presume the need for some technical understanding for a properly configured Wi-Fi setup and that naturally gives me concern that my home wireless setup is vulnerable.

    I simply opened the manual & followed the instructions to a Tee. All I did to set up my D Link DI-624 was make up a silly SSID name and assign a 26 character HEX value for a PASSWORD. I did not enable Peer-to-Peer. I don't recall that there was anything else I could do. Did I overlook something? Seems too simple? Is my setup as secure as can be?

    Is there some homeowner-priced software (or freeware) that could alert me if someone is trying to break in, or is actually using my home internet connection? Since they would be behind my firewall, what about an intruder's access to the internet printers, and the shared scanner?

    The DI-624 is my only firewall since the D Link DWL-520G PCI cards I have wouldn't communicate with the Access Point with a firewall running on the machine. So couldn't anyone that gets in see the computers too? Could they take control? Wow! Just what I don't need is my banking info stolen and all the hard drives reformatted.

    A related thought – I read an article a while back that named a piece of freeware that allegedly could allow a laptop to break 64 bit Wi-Fi protection in less than 30 minutes. If this is true, just how good is the 128 bit protection (26 Hex characters) I'm using with my DI-624? It's up 24/7.

All Comments

    • #3284233

      I'm glad you asked these questions

      by danlm ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      I have held off creating a wireless network just because I was unsure how to secure it.
      I heard you can stop people getting access to your network by setting allowed MAC addresses. Ok, I can do that. But, I do online banking and things and I want a secure connection.

      Thanks for posting these questions.

      Dan

      • #3200304

        Banking and bill paying…

        by Anonymous ·

        In reply to I'm glad you asked these questions

        Is no more at risk over wi-fi, than it is over copper. Either way it is traversing the public internet, where pretty much anyone that wants to can see it. The important thing here is that the bank or online site is using an encrypted session (SSL) to transact with you.

        • #3203631

          Hmmmm. “do you feel lucky, punk”?

          by greeboid ·

          In reply to Banking and bill paying…

          Wireless IS less secure than copper. Take a look at this: http://tomshardware.co.uk/2006/08/30/defcon2006_janus_project/
          Now you might think this is paranoid, and you might ask yourself, “but what are the chances of it happening to me”?
          but that is NOT the question you should ask. You should ask yourself this:
          Should I give them the opportunity?
          When it boils down to it you can use WEP, WPA, WPA2, MAC Address filtering and choose not to advertise your network, but there’s not yet a wi-fi that is as secure as copper sitting behind a stateful hardware firewall and even then there are risks.
          The internet is inherently insecure. Getting on it is a lottery. If you make yourself REALLY secure with the strongest firewall imaginable you might even be inviting interest from the pesky hackers with their port-scanning tools and their… “wonder what they’ve got to hide behind all that security” ethos.
          You just have to balance your need for visiting cyberspace with the potential risk and ask yet another question:
          “do you feel lucky, punk”?

      • #3228298

        STOP!!

        by aj-ubuntu-user ·

        In reply to I'm glad you asked these questions

        [quote]
        Quote:

        I heard you can stop people getting access to your network by setting allowed MAC addresses.
        [/quote]

        Yes you can, but it is easy to spoof MAC Addresses under linux/unix!

        For banking, I at the moment would stay wired and make sure you have a well configured hardware firewall, software firewall and scan your machine regularly for spyware/malware/trojans/keyloggers and other virus like software

        • #3227137

          Re: STOP!!

          by volleyguy4 ·

          In reply to STOP!!

          Easy to spoof MAC addresses under Windows too.

    • #3284192

      I use a Belkin-64

      by mjd420nova ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      The software varies from manufacturer to manufacturer but is all pretty much the same. I am able to capture the MAC address of anyone who uses the WIFI to access the broadband connection I have. Capture the address and then block it. This address is unique to each internet WIFI card and wired card. I monitor the client list daily and add those unwanted to the list. They can never get in again unless they change the card, in which case I’ll capture a new address and add it to the blocked list. The unit also has a firewall, to keep out others who try to hack in. Each unit in house has a McAfee firewall besides the Windows firewall in XP Home. I don’t think anyone will get in unless they have a new un-discovered hack. I feel pretty safe. However, I do not use it for ordering anything or do banking on line, that’s just asking for trouble.

      • #3201524

        “I am able to capture the MAC address of anyone who uses the WIFI”

        by tonythetiger ·

        In reply to I use a Belkin-64

        So can any hacker….

        If someone wants to get into a home router badly enough, they’re probably going to. But first they have to be able to see it. You can buy directional antennas so that the signal only covers what you want it to cover, but ultimately you're doing the best thing… protecting the computers that are hooked to the router.

        I do all of my banking, most of my bill paying, and about a third of my purchases online. Never had a problem.

        [added: Many routers also have an option to reduce the power output. This will also reduce the likelihood of it being found.]

        • #3201397

          I’ve really backed off wireless till now

          by danlm ·

          In reply to “I am able to capture the MAC address of anyone who uses the WIFI”

          I’ve been pricing it out, and researching it out. But I knew I didn’t have the knowledge to do it securely, so I just didn’t jump. That’s why when I saw this post I bookmarked it.
          Now that I at least know what to look for in a router, and the procedures that should be done, I think I’ll finally go wireless.
          Thanks everyone, very much appreciate this set of posts even if I didn’t start it.

          Dan

        • #3201384

          placement is key too

          by jdclyde ·

          In reply to “I am able to capture the MAC address of anyone who uses the WIFI”

          decide where you want to have signal and where you DON’T want signal. The further back in the house away from the road, the better. Sometimes even moving it into the basement is a good idea as the signal will come up to the next floor, but will have a hard time reaching the road.

          Take your laptop out and walk around with it to see how strong of a signal you are sending out by the road and around your house. If the signal is still too strong, try taking the antenna off and test it again.

          Passwords are a must.

          You can also usually restrict to only certain MAC addresses. Remember MACs can be spoofed easily though so don’t rely on that.

          Isn’t it recommended to turn SSID right off?

          Your best bet is to get a router with a DMZ port and a wireless access point and plug it into the DMZ. This is more secure than getting a wireless router as it will segment off all of your PCs behind a firewall. As you know the IP range and where to find it, you can open holes based on your MAC address if you need to connect to any of your PCs.

        • #3201268

          Active management

          by tonythetiger ·

          In reply to placement is key too

          is also a must. Don’t just ‘set it and forget it’. Check the router’s logs frequently. That way you can see if anyone’s getting in that you don’t want to.
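The original question asked for software that could alert the homeowner when someone unknown is using the connection, mjd420nova checks the router's client list by hand every day, and tonythetiger says to check the router's logs frequently. The script below, an added example and not a tool anyone in this thread posted, automates that daily check: it assumes the router can export a dnsmasq-style DHCP lease file (one lease per line: expiry, MAC, IP, hostname, client-id), compares each lease against a household allowlist, and emits an alert line for every MAC it does not recognise. The lease lines and the allowlist are constructed sample data. As several replies point out, a MAC can be spoofed, so treat an alert as a reason to look at the router logs, not as the only line of defence.

```python
"""Flag DHCP clients whose MAC address is not on a home allowlist.

Added example, not a tool from the thread.  It assumes the router can
export a dnsmasq-style lease file, one lease per line:
    <expiry-epoch> <mac> <ip> <hostname> <client-id>
The lease lines and the allowlist below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Lease:
    expiry: int
    mac: str
    ip: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Canonical form: lower-case, colon-separated.

    Accepts the '-' and '.' separators some vendor UIs use, so an entry
    typed as 00-11-22-33-44-55 matches the router's 00:11:22:33:44:55.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_leases(text: str) -> List[Lease]:
    """Parse dnsmasq-style lease lines; blank or malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(int(parts[0]), normalize_mac(parts[1]), parts[2], parts[3]))
    return leases


def unknown_clients(leases: Iterable[Lease], allowlist: Iterable[str]) -> List[Lease]:
    """Return the leases held by MACs that are not on the allowlist."""
    allowed = {normalize_mac(m) for m in allowlist}
    return [lease for lease in leases if lease.mac not in allowed]


def report(leases: Iterable[Lease], allowlist: Iterable[str]) -> List[str]:
    """One human-readable alert line per unknown client (empty list if none)."""
    return [
        f"ALERT unknown client {lease.mac} holds {lease.ip} (hostname {lease.hostname})"
        for lease in unknown_clients(leases, allowlist)
    ]


# Constructed sample data: two household machines and one stranger.
SAMPLE_LEASES = """\
1158000000 00:11:22:33:44:55 192.168.0.10 den-desktop 01:00:11:22:33:44:55
1158000100 00:11:22:33:44:66 192.168.0.11 kitchen-laptop *
1158000200 de:ad:be:ef:00:01 192.168.0.12 * *
"""
# Allowlist as a homeowner might type it into the router UI (mixed separators).
ALLOWLIST = ["00-11-22-33-44-55", "00:11:22:33:44:66"]

if __name__ == "__main__":
    for line in report(parse_leases(SAMPLE_LEASES), ALLOWLIST):
        print(line)
```

Run it from a scheduled task (cron, or a Windows scheduled task) against a fresh copy of the lease file and have it mail or log the alert lines; an empty report means every current lease belongs to a known device.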

    • #3284178

      Wireless LAN Security

      by techexec2 ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      Yes. You CAN use a wireless LAN safely. Some quick points:

      1. Turning on the wireless router’s “security” means the data that travels in the air is always encrypted.

      2. If you use WEP (Wired Equivalent Privacy) security, you should change your key every month or so because this is easier to crack than WPA (although it is NOT easy and someone will have to work on your wireless LAN for a month or two continuously to do it). If you use WPA (Wi-Fi Protected Access), this is not an issue.

      3. When you connect to your bank, the HTTP data sent by your browser to the bank is encrypted by SSL (HTTPS). If you’re sending it across a wireless LAN, the HTTPS data is encrypted again as it travels through the air, and decrypted by the router before it is sent across the wired Internet.

      4. Most wireless LAN routers allow you to specify a list of MAC addresses that can use the LAN. Each LAN adapter has a unique MAC address. Entering your MAC addresses into the table in the router further limits access to your LAN (but not the packet sniffing).

      5. Most wireless LAN routers allow you to turn off the SSID broadcast. That is, anybody looking for LANs to hack will not see your wireless LAN. This is “security through obscurity”, but it helps someone who is wardriving to keep on driving.

      6. It’s true that packet sniffers could intercept your WEP encrypted wireless LAN traffic, record it, analyze it, and eventually determine the key. But, it takes a very large amount of data to do that. For you on your own wireless LAN, it might take months of sucking up your traffic. The solution to that is to simply change the key every month or so.

      7. When articles talk about unsecured wireless LANs, they are usually talking about people who do not change the SSID (leave it as LINKSYS or whatever), do not change the default password (that every hacker knows), do not turn off the SSID broadcast (so the LAN is visible to all), and do not turn on WLAN security (WEP or WPA). If you do these things, and specify your MAC addresses in the router, you will be fine.

      • #3284175

        and use pre shared keys (PSK)

        by stress junkie ·

        In reply to Wireless LAN Security

        Use the pre shared key version of authentication. (PSK) This means that the client computer and the access point have a more secure authentication process.

      • #3284174

        Excellent, and a few more

        by w2ktechman ·

        In reply to Wireless LAN Security

        I was going to mention most of what you had listed. But here are a few more things
        Instead of setting up the DHCP router, set static IPs. Create a few others for friends who come over.
        Only allow connections from those IP addresses.

        turn off sharing on the Internet. This is a feature for gamers, but once a connection is established, a hole is open. If you are not gaming on the Internet through the wireless, turn it off (only allow outgoing traffic unless you request it).

        • #3284160

          Good points

          by techexec2 ·

          In reply to Excellent, and a few more

          I think we’ve secured this guy's WLAN pretty well! And, we didn’t even charge a consultation fee! 🙂

        • #3284158

          Lol — maybe we should

          by w2ktechman ·

          In reply to Good points

          The Wireless helpers — $10 a sentence for advice.

        • #3200314

          Before you collect

          by paul w. ·

          In reply to Lol — maybe we should

          you may want to check out George Ou’s blog from March 18, 2005 at http://blogs.zdnet.com/Ou/index.php?p=43 entitled “The six dumbest ways to secure a wireless LAN” I believe at least a couple of your ideas made the list.

        • #3226926

          I wonder if George is as handsome as he is smart!

          by dumbterminal ·

          In reply to Before you collect

          I love when someone like him gets his panties bunched on this subject. Although he is correct, the above posters aren’t securing the Pentagon. It's a home wireless network in Pooptown USA. Do you really think Bobby Joe Buckman is going to sit out on the road in his F-150 and jump through all of those hoops so he can look at porn on someone else’s dime? Not gonna happen. For the average home users, the above suggestions are FINE.
          Really.

      • #3201594

        Actually

        by sostermann ·

        In reply to Wireless LAN Security

        Actually, it is possible to crack WEP in 10 minutes. There are plenty of tutorials on the web to easily show anyone how to do it.

        If you are truly concerned about WI-FI security, do not use WEP. Upgrade your access point to one that supports WPA-2.

        When choosing the WPA-2 pass-phrase, it is best to use a totally random 63 character phrase. There is a great generator at http://www.grc.com/passwords – you can combine several parts of the generated phrases, or use the entire one.

        MAC addressing provides no real security. MAC addresses can be spoofed very easily and should only be used with the intent of preventing accidental access – it will not deter a hacker at all.

        Same with broadcasting the SSID – a hacker can easily find your access point, even with the broadcast turned off.

        Simply put, the best security you can have when using a wireless connection is to use WPA-2, with a 63 character pass-phrase. And if you're really concerned with security, change this pass-phrase periodically.
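Why a random 63-character pass-phrase is the right advice can be made concrete. WPA and WPA2-Personal do not use the pass-phrase directly: the access point and the client both turn it into the 256-bit pre-shared key with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations, 32 bytes of output (this derivation is specified in IEEE 802.11i). Everything in that computation except the pass-phrase is public, so the strength of the link rests entirely on how hard the pass-phrase is to guess. The script below is an added example, not code from the thread or from the GRC generator sostermann links: it generates a pass-phrase from a cryptographic random source, reports its guessing entropy, and performs the standard derivation (checked against the published "password" / "IEEE" test vector). The SSID used in the demonstration run is constructed.

```python
"""Generate a 63-character WPA2-Personal pass-phrase and derive the PSK from it.

Added example, not from the thread.  WPA/WPA2-Personal derives the 256-bit
pre-shared key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations,
32 bytes).  Only the pass-phrase is secret, so its entropy is what a guesser
has to overcome.  The SSID in the demo run is constructed.
"""
import hashlib
import math
import secrets

# WPA pass-phrases are 8..63 printable ASCII characters.  Space is permitted
# by the standard but is left out of the generator because some router UIs
# trim leading or trailing spaces.
ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F))  # 94 characters
MIN_LEN, MAX_LEN = 8, 63


def is_valid_passphrase(passphrase: str) -> bool:
    """Length 8..63 and every character printable ASCII (0x20..0x7E)."""
    return MIN_LEN <= len(passphrase) <= MAX_LEN and all(
        0x20 <= ord(c) <= 0x7E for c in passphrase
    )


def generate_passphrase(length: int = MAX_LEN) -> str:
    """Uniformly random pass-phrase drawn from a CSPRNG (the secrets module)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("WPA pass-phrase length must be 8..63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random pass-phrase of this length."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), as the AP computes it."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("invalid WPA pass-phrase")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    # Known-answer check against the published 802.11i test vector.
    assert derive_psk("password", "IEEE").hex().startswith("f42c6fc52df0ebef")
    phrase = generate_passphrase()
    print("pass-phrase:", phrase)
    print(f"{entropy_bits(len(phrase)):.0f} bits of entropy at 63 chars, "
          f"versus {entropy_bits(8):.0f} bits at the 8-char minimum")
    print("PSK:", derive_psk(phrase, "constructed-home-ssid").hex())
```

The numbers are the point: a random 63-character pass-phrase carries roughly 413 bits of guessing entropy, an 8-character one about 52, and a dictionary word far less than that, while the 4096-iteration PBKDF2 only slows each guess by a constant factor. That is why the thread's advice to use the maximum length, and to record it somewhere safe rather than pick something memorable, holds up.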

        • #3201587

          Good points…

          by drew17 ·

          In reply to Actually

          For the sake of discussion, let’s pretend I’m wardriving and looking for an access point to ‘borrow’. Do you think I’m going to stop to mess with a system that is encryption enabled or will I latch on to an open network?

          Unless you’re specifically being targeted by a determined ‘hacker’ for some reason, following the suggestions listed in the other replies will greatly reduce your chances of being ‘hacked’.

        • #3201567

          True

          by sostermann ·

          In reply to Good points…

          Those are all true points, that's why it’s relevant if you are ‘concerned’ about security.

          Now, if you live in an apartment complex, condos or dense neighborhood of houses, there is a chance a script-kiddie, or hacker lives close enough to you that they would not have to wardrive. Then they would have plenty of time to hack into your system.

          Once they are in, they could potentially sniff your traffic to gain information and passwords and perform illegal activities through your Internet connection. Or, if your computer is not locked down, gain access to your PC or network.

        • #3201367

          apartments

          by jdclyde ·

          In reply to True

          you make sure you have an access point that you can back down the strength of the signal or try taking the antennas off.

          if you're really worried about it, line the inside of your apartment with aluminum foil! B-) Just make sure you leave enough to make your hat. ;\

        • #3201368

          home vs work

          by jdclyde ·

          In reply to Actually

          I doubt anyone would go to that great of length to find and then break into your home wireless system. If you had put that much into your home wireless, it is safe to assume that you would have put equal time into your PCs sitting on the lan.

          There are plenty of other targets just around the corner that will be easy pickings.

          I am not saying NOT to secure things as much as you can, but it is just security hype and FUD to get people all worked up if you have gone to this length and are still worked up.

          Why not add another phase of security? turn your access point off when you're not using it or have it on a timer so it is off when you are at work. Then you're not leaving any wifi footprint to be found.

      • #3226916

        Use a WiFi locator as well

        by rsimanski ·

        In reply to Wireless LAN Security

        These are all excellent suggestions. If you want to go a bit farther, buy or borrow a WiFi locator. I picked up a good one from cyberguys.com for about $50.

        As a computer consultant and troubleshooter, I use it to test the security of my clients’ wireless networks. After I set up a network, I walk around the outside of the house to see whether or not the locator can pick up the network. It will give me an idea of the signal strength and whether the network is properly cloaked.

        If you follow TechExec2’s recommendations, you probably don’t need to do this, but it’s a useful way of double-checking the security of your wireless network.

    • #3284131

      You know what they say.

      by stress junkie ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      They say that the only secure computer is one that is powered off and locked in a safe. There is no true security. There is only risk management.

      • #3284061

        An important point everyone should always remember

        by techexec2 ·

        In reply to You know what they say.

        stress junkie is right. This is an important point we all need to remember. Our systems are never “secure”, they are only “more secure”.

        • #3201366

          more secure

          by jdclyde ·

          In reply to An important point everyone should always remember

          or less vulnerable?

          just get to a level you can live with. Also keep in mind the more you have to protect the higher the security need, the less you have to protect, …….

    • #3284035

      a simple step

      by dbernor ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      The Unique SSID and a strong wep key are a must, but you should also select the option on the AP to NOT Broadcast the SSID.

      • #3201565

        Neighbor, VPN

        by gralfus ·

        In reply to a simple step

        My wife was complaining to me about the speed of our wireless connection, so I did a bit of troubleshooting. She had inadvertently connected to the neighbor’s unsecured AP. His broadcasts, ours doesn’t. His is not secured, ours uses WPA and a hefty pre-shared key.

        Her laptop is configured correctly now… It wasn’t really a threat to us since she uses a VPN to her workplace. I’ve used Ettercap on our network to see what happens when she does this, and she basically disappears from sight, or the traffic is unintelligible. Pretty nice. I use Hamachi myself with similar results.

    • #3201557

      Never the same

      by sostermann ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      I once heard somebody say:

      “WI-FI will never be as secure, reliable or fast as wired access”

      I believe this is true. At home, mainly because of the reliability issue, I had cat5E wired to every room in the house. It was very cheap to do and worth every penny! My wireless on my router is disabled now.

      • #3201540

        I never went to wireless for home

        by w2ktechman ·

        In reply to Never the same

        because of security concerns. I live near 2 apartment complexes and 2 mobile home parks (all around me). I never decided that I needed wireless that bad.
        But, I am studying to become a wireless admin/security admin.

        • #3201354

          the best time to learn

          by jdclyde ·

          In reply to I never went to wireless for home

          is on your own when there is little at risk. Just don’t go with the home models if you want to play with the corporate features.

      • #3201365

        speed, or lack of it

        by jdclyde ·

        In reply to Never the same

        A few reasons wireless is slower.

        More network overhead is required to get to the same location.

        If you have encryption on, more overhead at each end to crypt and decrypt (latency)

        RAM as you have another program running on your laptop to control the wireless connection.

        That is before you even consider fiber or gigabit. 😀

    • #3201420

      Wireless LAN Security, Part 2

      by techexec2 ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      OK. I need to keep up on my reading better. The last time I read about this, 128-bit WEP was safe for a month or more on a WLAN with a small amount of traffic like a home WLAN. But, sostermann is apparently correct. WEP attacks have improved since then.

      Thanks, sostermann.

      WEP: Dead Again, Part 1
      http://www.securityfocus.com/infocus/1814

      WEP: Dead Again, Part 2
      http://www.securityfocus.com/infocus/1824

    • #3201373

      Like locking your car

      by mdhealy ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      Wireless security is like locking your car — if somebody *really* wants to break in, they probably will. But if one third of the cars on the street were left unlocked with the keys in the ignition, then how many locked cars would get stolen?

      From here in my living room at the moment I can see six wireless networks, of which two do not have any security configured. So if somebody in the parking lots wants to steal bandwidth, why would they *bother* to crack passwords on the four networks (including mine) that have security set?

      Also, as another poster pointed out, when you access most e-commerce sites the webserver has encryption turned on; this layer of encryption is independent of whatever encryption is done at the wireless network level.

      Finally, if you telecommute your workplace should have a “VPN” or “Virtual Private Network” connection. These also have their own encryption, just as secure web servers do.

      • #3200389

        Ethical Hacking?

        by red_wolf9 ·

        In reply to Like locking your car

        It would be tragic if someone were to access those unsecured APs (most likely still using the default admin password) and disable the antenna.

        Not that I would advocate doing such a thing… that COULD get you in trouble with local law enforcement. And I wouldn’t go telling them they are unsecured either, because when/if they are ever penetrated, guess who they will remember.

    • #3201330

      Hacks… Hacks… Hacks…

      by ingwar ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      Hi, all. I have had my own concerns about the Wi-Fi security as I have my home network of three laptops. Because of some online banking and my work and some simple privacy concerns I have researched this website:
      http://www.remote-exploit.org/index.php/BackTrack
      They have a Live bootable Linux CD download that lets one do all kinds of hacks with Wi-Fi, Bluetooth, etc., etc.
      It took me about a month of nonconsecutive tries to learn how to use some of those things and when I was ready I set up my own (I repeat – my OWN) Wi-Fi network. There was just one WIRED LAN Laptop connection to the Router with Wi-Fi on but NO Wi-Fi connections at all and SSID broadcast OFF. All I needed was a SPARKLE of the wired LAN traffic, it didn’t have to be consistent traffic at all. Are you ready for this? I was able to crack my 128 WEP key fully recovering it in about an hour. I repeat, there was absolutely NO wireless traffic with my Router from any other laptops except the one I was using to hack it. And it did not know any WEP keys until it hacked it. My conclusions?
      1) Anybody who has a general good knowledge of PCs can learn how to use that Live CD even if they are unfamiliar with Linux at all. There are many forums available.
      2) I do not use Wi-Fi unless I really have to and only with WPA-PSK or higher security.
      3) I very rarely check my e-mail (leave alone any banking etc.) through a public Wi-Fi and then when I get home I immediately change all of my passwords that I used on that network.
      4) I use Norton Antivirus and ZoneAlarm as a firewall on all of my PCs as a rule of thumb.
      For those of you who suspect your neighbours hacking your Wi-Fi – there’s a tool on that CD called Kismet that will produce a sound and a visual alarm when it spots suspicious Wi-Fi activity. You will know for sure if somebody is trying to use your connection. And the best thing is you do not have to install anything on your Hard Drive. It all runs from a CD.
      So, I hope it helps some people from having their banking or other info or their identity stolen. And lastly to those reading this who do have their Wi-Fi routers open and unsecured… Just driving in a car around the town I was able to pick up zillions of those Hotspots around people’s houses. Never used it but could if I wanted to. It is so ridiculous. People are ASKING somebody to get into their home computers. My advice – always secure your Wi-Fi if you have to use it. Then get yourself some VPN and use the SSH connections to your e-mail only. Your bank uses it as a default connection anyways.
      God bless you guys. Keep it safe.

      • #3201299

        Good link. Thanks.

        by stress junkie ·

        In reply to Hacks… Hacks… Hacks…

        As an IT consultant I expect that the Backtrack Linux distribution that you referenced in your post will be a useful tool for me. I’ve used Whax Linux up to now. I’ll see if Backtrack is better.

    • #3201318

      I use a belkin as well

      by mjwx ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      And it is a POS. I just had to say that.

      I am 5 metres from the DSL modem but its over 20 metres to cable it (it's an old house) so I use wireless to maintain on good terms with my housemate (he wouldn't appreciate a cable snaking through the kitchen).

      1. Change the default admin password (“admin”) and we should all be familiar with complex passwords.

      2. Change the SSID and disable SSID broadcast. Although the default wireless client that comes standard with a new Dell laptop can detect the existence of wireless networks even with no SSID broadcast.

      3. Set up WPA-PSK and use a 63 character randomly generated complex key (you can find a web based generator easily enough).

      4. Restrict the number of DHCP addresses to the number of clients on the network. In my case it will only dole out 2 addresses. Or you can use static addresses.

      5. Use MAC filtering. You don't want those damn Macs getting onto the network 🙂

      6. Create a backup of your configuration.

      7. Make a record of the entire configuration in a .txt file and copy it to CD/flash drive/floppy. Even a txt file of your entire wireless config on your desktop is safer than using a simple password because who can remember a 63 character randomly generated complex password.

      Now the belkin is a complete POS, sometimes I can't even get a signal from the bloody thing. I think I will have to buy a separate AP (it's a combined DSL/wireless/VOIP router) from Linksys or someone else reliable.
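techexec2's seven points earlier in the thread and mjwx's seven steps above are the same checklist from two angles: default admin password, default SSID, encryption mode, pass-phrase length, SSID broadcast, MAC filtering and the size of the DHCP pool. The script below is an added example, not something posted in the thread, that turns that checklist into an audit you can run against a router's settings. It assumes the settings have been copied into a plain dictionary (the key names are assumptions, not any vendor's export format); the two sample configurations, one factory-fresh and one hardened, are constructed. Findings are graded so that the items later replies describe as obscurity only (hidden SSID, MAC filtering) rank below the ones that actually protect the traffic (WPA2 with a long pass-phrase, a changed admin password).

```python
"""Audit a home access point's settings against the thread's checklist.

Added example, not from the thread.  The settings dictionary and its key
names are assumptions (not a real router's export format); both sample
configurations are constructed.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Factory SSIDs named in the thread plus a generic one; extend for your vendor.
DEFAULT_SSIDS = {"linksys", "default", "dlink"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password"}


def audit(cfg: Dict[str, object]) -> List[Finding]:
    findings: List[Finding] = []

    # 1. Admin password: the factory default is printed in every manual.
    if str(cfg.get("admin_password", "")).lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append(("high", "router admin password is a factory default"))

    # 2. SSID: a default SSID advertises an unconfigured router.
    if str(cfg.get("ssid", "")).lower() in DEFAULT_SSIDS:
        findings.append(("medium", "SSID is a factory default"))

    # 3. Encryption: WEP keys are recoverable from captured traffic; WPA2 is the goal.
    mode = str(cfg.get("security", "none")).lower()
    if mode in ("none", "open"):
        findings.append(("high", "wireless security is off: traffic is sent in the clear"))
    elif mode == "wep":
        findings.append(("high", "WEP in use: key recoverable from captured traffic; move to WPA2"))
    elif mode == "wpa":
        findings.append(("medium", "WPA in use; prefer WPA2 if the hardware supports it"))

    # 4. Pre-shared key length (the thread recommends the 63-character maximum).
    psk = str(cfg.get("psk", ""))
    if mode in ("wpa", "wpa2"):
        if len(psk) < 20:
            findings.append(("high", f"pre-shared key is only {len(psk)} characters"))
        elif len(psk) < 63:
            findings.append(("low", f"pre-shared key is {len(psk)} characters; 63 is the maximum"))

    # 5/6. SSID broadcast and MAC filtering are obscurity only, as later replies note.
    if cfg.get("ssid_broadcast", True):
        findings.append(("low", "SSID broadcast on (hiding it only deters casual scanning)"))
    if not cfg.get("mac_filter", False):
        findings.append(("low", "MAC filtering off (MACs are easily spoofed; minor layer only)"))

    # 7. DHCP pool no larger than the number of devices you actually own.
    pool = int(cfg.get("dhcp_pool_size", 0))
    clients = int(cfg.get("known_clients", 0))
    if pool > clients:
        findings.append(("low", f"DHCP pool ({pool}) larger than known clients ({clients})"))

    return findings


def count_high(findings: List[Finding]) -> int:
    """Number of findings that leave traffic or the router itself exposed."""
    return sum(1 for severity, _ in findings if severity == "high")


# Constructed sample settings: a router straight out of the box ...
FACTORY = {
    "admin_password": "admin", "ssid": "linksys", "security": "none", "psk": "",
    "ssid_broadcast": True, "mac_filter": False, "dhcp_pool_size": 50, "known_clients": 2,
}
# ... and the same router after working through the thread's checklist.
HARDENED = {
    "admin_password": "constructed-admin-password-9f3", "ssid": "hayloft",
    "security": "wpa2", "psk": "A" * 63, "ssid_broadcast": False, "mac_filter": True,
    "dhcp_pool_size": 2, "known_clients": 2,
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} findings, {count_high(findings)} high")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Re-run the audit after every firmware update or settings change; a firmware update can reset options to their defaults, which is exactly the state the "factory" sample describes.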

      • #3200667

        Perfect advice

        by jfowler ·

        In reply to I use a belkin as well

        All perfect advice. Personally, since I already had a wired LAN going for multiple desktop machines, I simply added a Wireless Access Point to the existing LAN. I only use wireless with my laptop, and then only for convenience (it can also be connected via Cat5). When I’m not using the notebook, the Access Point is disabled by simply unplugging it.
        My experience is that there are an awful lot of UNSECURED wireless networks out there (one of my own neighbors, who should know better, maintains one) for the hackers to use. They aren’t going to be wasting time trying to crack one that is properly set up, when there are others that are ripe for the picking.

    • #3201298

      Good as it gets—at home—

      by startle1234 ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      Sounds to me like you did everything just about right. The only thing you might add is to turn off the SSID broadcast and if you are using WEP for encryption, I would change it to WPA. In reality, what you have will keep out anyone who wants to get to your data. Why, because the people who could break your setup don’t want your data.
      I do this kind of work for law enforcement every day and there are much more elaborate schemes that you can configure for more security, however, you just don’t need them at home.

      The level of security you have in place is sufficient.

    • #3230575

      Try these basic approaches for more security

      by qreus1 ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      You have already covered using a strong password and you turned off P2P, but here are a few things you can try. (keep in mind not all devices offer the same options).

      Disable Broadcast of your SSID
      Change the default IP address to something else
      Enable WPA2 if available for encryption

      Enter access rules, by entering the MAC addresses of the PCs you want to allow to access your Access Point.

      In today's world there is really no fool-proof system; however, this will make it very, very hard for someone to access your system.

      • #3230467

        Thanks everyone for all your thoughts!

        by poordirtfarmer ·

        In reply to Try these basic approaches for more security

        Thanks everyone for all your thoughts!

        I went out and bought a 15 dB gain corner antenna, and installed it upstairs tilted downward such that the strongest signal is where it's useful (Downstairs, furthest bedroom) and beyond that I'm hoping mostly just my front yard. I trust that signal strength in other directions is much reduced. I haven't done a walk around the house / block with a laptop checking for signal strength, but think it's a good idea & plan to do that.

        I can turn off SSID broadcasting (Assuming I can find that DLink setup screen again). When I buy another laptop, I assume I just turn on broadcasting long enough to find my SSID, and then back off again once set up?

        My DI-624 is at least a couple of years old and I don't remember anything about a WPA2 or a WPA-PSK when I set it up back then. I'll look tonight and check my options. I wouldn't object to purchasing a new Access Point if that's all I need to do to keep the family's network security up-to-date, but I would really resist going into all the desktops and laptops to change out the wireless H/W. Actually, two units have wireless G built onto the MB, so for me the compatibility of the existing machines with any new AP is a prerequisite.

        I'll need to investigate jdclyde's DMZ port suggestion. Sounds like this is a different concept than my DLink DI-624 which plugs directly into Brighthouse's little box & has built-in 4 hard-line ports plus wireless? Do I buy a DMZ Router and then plug the DI-624 into its DMZ port, and also move the hard-lines from the DI-624 and plug them into other ports on this new DMZ Router? But, would this isolate the hard-lined computers from the wireless ones such that they won't all be able to see the internet printers and shared scanner? That would be a heavy penalty … unless the ports to the printers could be forced open so that both the wireless computers and the wired ones see them? A bad guy then couldn't do anything worse to the wired equipment than waste toner & paper – right?

        Thanks again.

        • #3230425

          Here are some small but helpful articles

          by stress junkie ·

          In reply to Thanks everyone for all your thoughts!

          It turns out that Tom’s Networking web site has been doing a lot of product testing in this area. Here is a page that has a lot of very good information. It may help you to make a good decision about whether to purchase anything new and if so then what to purchase.

          http://www.tomsnetworking.com/lans_routers/

        • #3200530

          802.1x / WPA-2

          by stubby ·

          In reply to Thanks everyone for all your thoughts!

          Here’s what I do now ….

          Use an “authentication server” and combine that with the longest PSK your access point will support.

          If you have an OS that doesn't support such a server for free, then using someone like Witopia.net for (IIRC) $30 for the first year and then $10 thereafter, you could have up to 5 radius based accounts.

          Names and passwords could be changed whenever you felt paranoid enough and the PSK could be changed daily if the situation required it.

        • #3200414

          RADIUS for free

          by red_wolf9 ·

          In reply to 802.1x / WPA-2

          Free solutions are available

          Linux users have:
          http://www.freeradius.org/

          Windows Users have:
          http://www.itconsult2000.com/en/product/WinRadius.html

        • #3226865

          Answer and suggestion

          by trav62 ·

          In reply to Thanks everyone for all your thoughts!

          When you buy another laptop, you won't have to turn on SSID broadcasting to find it; you enter your SSID into the configuration page of your new device and it will search for that specific SSID.

          Be sure to go to dlink’s website and download the latest firmware for the DI-624. I have a Revision C model and found they have a new version for it that came out just this month! The newest versions might have some security features your current version of software doesn’t. I also noticed that the new software has much better “help” files.

          In my new version (2.76), you navigate to the HOME tab, then the WIRELESS section to set WEP or WPA. Don’t be alarmed if at first glance you don’t see a particular setting; the interface is set up to change the screen depending on what feature you choose. (For instance, the screen’s selection of choices will change dramatically if you choose WPA instead of WEP.)

        • #3226692

          A word of caution

          by red_wolf9 ·

          In reply to Answer and suggestion

          There are known issues with Windows XP’s ability to connect to an AP that does not broadcast its SSID, especially when using the Wireless Zero Configuration utility. There is also the issue of XP preferring to connect to an AP broadcasting SSID’s over ones that do not. So if your neighbor broadcasts and you do not, its not uncommon to notice XP trying to connect to your neighbors AP before your own.

          It’s not uncommon for me to have to enable the SSID broadcast until the laptop “sees” the AP, at which point I can turn SSID broadcast off and everything works fine.

    • #3200516

      Yes.

      by james_knott ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      I have my WiFi outside of my Linux based firewall. The only way into my network is via SSH or OpenVPN. I also use WEP for what it’s worth.

      • #3200398

        Ahh… great and not so great

        by red_wolf9 ·

        In reply to Yes.

        While you should be commended for segregating your Wi-Fi access from your (I assume wired) other machines, you do realize that WEP is easily crackable (easy as in minutes).

        If your neighbor were to “hack” your WEP secured access point, and then commit a felony under your IP, I wish you luck in explaining that one to the authorities. Your use of WEP could actually hurt your defense, because the police will claim your network was “secured” so the perpetrator must be you.

        • #3226832

          Yes, great

          by james_knott ·

          In reply to Ahh… great and not so great

          If you reread my original message, you’ll find that I said WEP is in addition to requiring SSH or VPN to access my network via WiFi. Even if someone managed to break WEP, they’d still be up against the firewall and both the SSH and VPN require the use of an encryption key, not a password.

        • #3226677

          I see… said the blind man

          by red_wolf9 ·

          In reply to Yes, great

          It wasn’t clear to me that you were using SSH/VPN to authenticate the AP to the firewall; I thought you were protecting your internal hosts with SSH/VPN. Well done, certainly puts you a cut above the average TechRepublic reader.

    • #3200488

      Looking good

      by moriah.greenwood ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      If you followed the instructions then you're off to a good start. Looks like you set up basic WEP. If you want to further secure through the router, check for WPA in TKIP or AES, AES being a stronger random changing encryption. Also check if your router can restrict MAC IDs; then only put in the IDs of your computers.

    • #3200440

      Mac Filtering

      by blu97ram ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      I have not taken the time to read all of the posts here, so I may be restating a comment already made. MAC filtering is one of the best ways to keep your home network secure. If you filter all but the approved list of MAC addresses, then it is going to be tough for the bad guys to get access to your network. They will then move on and look for one of the “Geek Squad” installed wireless networks that are not running any encryption or other protection and are wide open to anyone who would like to get online.

      • #3200406

        Man in the middle

        by red_wolf9 ·

        In reply to Mac Filtering

        While I won't disagree that MAC filtering is good (if you have it, you should turn it on), keep in mind that it only adds an additional layer of protection; it is still possible for a MAC to be spoofed and a Man-in-the-middle attack launched.

        Security is a layers game. The more layers you make an intruder go through, the more likely they will go somewhere else. The big challenge is finding that appropriate balance between security and usability.

    • #3200287

      IPCOP, Smoothwall, Mikrotik…

      by Anonymous ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      There are a number of free and cheap firewall solutions which include VPN capability, and at least basic Intrusion detection. That would be my personal recommendation. Separate your private network from the public network. And realize that wireless IS public. No more or less than if you have a copper line running to the exterior of your house for, say, a webcam at your front door for surveillance purposes.

      WPA-2, safe to say it is better than WEP, but don’t assume it will protect you. Someone is bound to find a flaw. Just do your due-diligence:
      Identify your important secrets, isolate them from the public network, and keep a close eye on your borders.

    • #3226948

      GRC (Gibson Research Corporation)

      by drinkmetoo ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      Try this site, it will give you some great information on security. (note the https in the url)

      Perfect Passwords: GRC's Ultra High Security Password Generator

      https://www.grc.com/passwords.htm

      • #3226929

        grain of salt

        by red_wolf9 ·

        In reply to GRC (Gibson Research Corporation)

        Mr. Gibson is more self promoting PR man than security professional IMHO, be sure to temper his information with other security resources. When is the last time Steve spoke at Defcon or BlackHat, and when was the last time he posted to Bugtraq or Security Focus?

        Just today I was remembering the great “Raw Sockets” DDoS Armageddon he predicted back when XP came out.

        Fear mongering at its finest…
        http://www.grc.com/dos/winxp.htm

    • #3226850

      Be sure to use WPA

      by techietim ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      WEP encryption can be broken with the right tools in about 10 minutes.
      WPA encryption with a long passphrase that’s also complex is currently unbreakable.
      This is your biggest concern. Hiding the SSID and MAC filtering keep casual intruders at bay but with the proliferation of “net stumbling” software, SSIDs can be found easily and MAC addresses spoofed. If they crack your WEP encryption they can get a valid MAC address easily.
      Keep it simple and just be sure to use WPA; 128 bit hexadecimal WEP is just plain too easy to crack.

    • #3226816

      Make it from paper cups & string!

      by absolutely ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      😀

      • #3228557

        SSID, MAC filters, ugly scenario

        by beerhound ·

        In reply to Make it from paper cups & string!

        There are 5 ways that an access point broadcasts its SSID. Turning off “broadcast SSID” is really only turning off SSID beaconing. The other 4 ways your access point broadcasts your SSID are: association requests, reassociation requests, probe requests and probe responses. The other 4 methods will continue to transmit your SSID even if you set the “broadcast SSID” option of your access point to “off”.

        As to MAC filters, they are a good network management tool, but as a security measure, all they really do is prevent accidental connections to your network. For example, a friend called me because he was having trouble sharing a printer connected to his desktop machine so that his wife's laptop could use it. I'm embarrassed to admit that it took this long to figure out, but after about 45 minutes of head scratching, I discovered that his next door neighbor had the identical wireless router that he had and both networks were still using default settings. I couldn't see the machines on his network because he wasn't associated to his network! Also “management packets” such as MAC addresses, IP addresses and SSID are broadcast in the clear. Even if you had WEP, WPA, etc. enabled, those packets are still transmitted unencrypted and can be captured using a simple packet sniffer. Airsnort is one of the favored wireless packet sniffers; Google to get a better idea what it can do. Which brings me to my next point: WEP encryption. If you accept that MAC filters and turning off broadcast SSID are only a small speed bump at best, then the only reasonably effective protection is the encryption scheme. There is a video that was released last year **demonstrating** WEP encryption being broken in about 10 minutes using freely available tools that anyone can download and use without any special experience. Using Google again you can find plenty of websites that have tutorials on how to use these tools to compromise WEP encrypted wireless networks. Yes, WEP is better than nothing, but if your equipment is capable of using WPA or newer encryption, then why not use it? With either option you have to enter the encryption key on the access point and the clients; if the setup is so similar, why not use the more secure option?

        As to the argument that war drivers are likely to skip over a WEP encrypted network when there is a wide open one just across the street, I agree, but that argument only works for war drivers. Have you pissed anyone off lately? What if that person holds a grudge and specifically wants to target your network? Or since the little terrors are finally back in school now, how about we go back a few weeks to summer vacation when that bored neighborhood teenager could detect 6 or 7 access points without even leaving his own bedroom? You really think he hasn't discovered Google? That's the only thing he needs to find all the tools for cracking into a WEP encrypted network. 10 minutes to crack WEP. Then crack Windows, which is pretty easy if the target machine's users are set up with administrator access. All users are admins by default in WinXP; you have to specifically change their accounts to give them less access. Once he cracks Windows, it is easy to install a keystroke logger or other software that will log everything you type and report back every hour/day/week/whatever. I used a keystroke logger on my own machine (didn't hack anyone) to capture my ex's hotmail password and prove that she was cheating on me (insert do you want naked pictures of your wife joke here). Would you like someone to capture your credit card #s, user IDs and passwords?

        Free advice (110% refund guaranteed)

        Use WPA encryption, the very small extra effort is worth it.
        Use a software firewall like Zone Alarm (others work well too)
        Use virus protection and update the definitions at least once a week.
        Use Firefox or Opera to websurf. If I didn’t need Internet Explorer to use windows update, I would have uninstalled it.
        Be wary of the advice you get on the internet (including what I just typed) do a little research of your own before following that advice.
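An added illustration of beerhound's point above that turning off SSID broadcast only blanks the beacon (this is example code written for this page, not from the thread or from any vendor named in it): it builds five 802.11 management frames for a made-up network and walks the information elements of each to pull out the SSID. The network name, MAC addresses and frame contents are constructed sample values; fixed fields are zeroed because only the SSID element matters here.

```python
HDR_LEN = 24  # 802.11 management header: FC(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2)
SSID_IE = 0   # element ID of the SSID information element

# Management subtypes that carry an SSID IE, with the length of the fixed
# fields that sit between the header and the first IE (802.11 frame bodies).
SUBTYPES = {
    0x0: ("association request", 4),     # capability(2) + listen interval(2)
    0x2: ("reassociation request", 12),  # ... + current AP address(6)
    0x4: ("probe request", 0),
    0x5: ("probe response", 12),         # timestamp(8) + interval(2) + capability(2)
    0x8: ("beacon", 12),
}

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_mgmt_frame(subtype, ssid, src, dst="ff:ff:ff:ff:ff:ff", bssid=None, hidden=False):
    """Constructed minimal management frame of `subtype` carrying one SSID IE.
    hidden=True emits a zero-length SSID IE, which is all that 'disable SSID
    broadcast' does to the beacon; fixed fields are zeroed (irrelevant here)."""
    _, fixed_len = SUBTYPES[subtype]
    fc = bytes([(subtype << 4) | 0x0, 0x00])  # type bits 00 = management
    header = fc + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid or src) + b"\x00\x00"
    body = b"" if hidden else ssid.encode()
    return header + bytes(fixed_len) + bytes([SSID_IE, len(body)]) + body

def parse_ssid(frame):
    """Return (subtype name, SSID) for a management frame, walking its IEs.
    A zero-length or all-NUL SSID IE (the hidden form) yields ''."""
    fc0 = frame[0]
    subtype = fc0 >> 4
    if (fc0 >> 2) & 0x3 != 0 or subtype not in SUBTYPES:
        return None, None  # not a management frame we care about
    name, fixed_len = SUBTYPES[subtype]
    pos = HDR_LEN + fixed_len
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + elen]
        if eid == SSID_IE:
            return name, (data.decode(errors="replace") if data.strip(b"\x00") else "")
        pos += 2 + elen
    return name, None

def ssids_seen(frames):
    """Map each management subtype seen in a capture to the SSID it disclosed."""
    seen = {}
    for frame in frames:
        name, ssid = parse_ssid(frame)
        if name is not None:
            seen[name] = ssid
    return seen

# Constructed capture: an AP with SSID broadcast turned off, and one client joining.
AP, STA = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE = [
    build_mgmt_frame(0x8, "farmhouse", AP, hidden=True),                  # beacon: SSID blanked
    build_mgmt_frame(0x4, "farmhouse", STA, bssid="ff:ff:ff:ff:ff:ff"),  # client probes by name
    build_mgmt_frame(0x5, "farmhouse", AP, dst=STA),                      # AP answers with the real SSID
    build_mgmt_frame(0x0, "farmhouse", STA, dst=AP, bssid=AP),            # association request names it again
    build_mgmt_frame(0x2, "farmhouse", STA, dst=AP, bssid=AP),            # so does reassociation
]

if __name__ == "__main__":
    for name, ssid in ssids_seen(SAMPLE).items():
        print(f"{name:22s} -> {ssid!r}")
```

Running it prints an empty SSID for the beacon and "farmhouse" for the other four subtypes, which is why a hidden SSID is recovered the moment any legitimate client joins.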

        • #3228466

          How many houses are as protected

          by lstone ·

          In reply to SSID, MAC filters, ugly scenario

          I have read all these posts and some go to far limits. I would like to know how many of their houses have a safe inside and a complete alarm system to stop break-ins. It would be easier to break into the house and use or steal the computer to get the info. You make your system so it is not “cost effective” to get in for what they want and they will go somewhere else. If you want it so no one will get by then turn off the wireless and don't connect to the internet; that is the best security. Any computer connected to wireless or the internet can be hacked, but is it “cost effective”? 🙂 Just a note :-) have a nice day.

        • #3140498

          Agreed …

          by errk’d guy ·

          In reply to How many houses are as protected

          With as complex as home hardware, software, network appliances, digital media centers and the like have become, I often wonder how the average person (non-techie) manages.

          Personally I do all of the above with a hardware firewall, secure login, encryption, MAC address restriction. I even restrict the number of available IP addresses my DHCP will lease at any one time. Ironically I do broadcast my SSID since it is fairly easy for any hack, or wardriver to detect anyway and causes issues with one of my devices.

          … and yes I turn my router off during the day when I am not home. (Something I am still trying to get the other half to do.) Soon I will be adding a NAS server device and will either need to move to static IP addresses or leave the router on to avoid network folder/path and printer connection issues.

          BTW .. yes I do have an alarm system and a safe (hidden).

    • #3141036

      options

      by sctang73 ·

      In reply to Is there such a thing as a secure wireless network for a home LAN?

      Your options explained:

      1. The only way to fully secure your home network from wireless attacks is to NOT have a wireless network to begin with.

      2. MAC address filtering is a very basic form of protection. Think of this as the equivalent of a “VIP” list with the router acting as the doorman/ bouncer. The problem with this is that it is NOT an intelligent bouncer, as it will never ask for proof of ID. Should anyone clone your wireless adapter's MAC address (and it is possible), they can get in w/ your WLAN no questions asked.

      To make matters worse, MAC addresses are sent via the WLAN w/ o any encryption. A patient hacker just needs to be able to sniff out enough packets before obtaining & using the information they need to attempt a “break-in”.

      3. WEP keys are weak to moderate strength passwords. WEP 128-bit is obviously stronger than WEP 64-bit, but hardly foolproof. Using hexadecimal keys over ASCII will increase protection slightly.

      Some routers offer the option to use 152-bit (DLink) and 256-bit (NetGear) WEP keys. I have used these options successfully, but would assume that they are PROPRIETARY options and may not work w/ competing brands of hardware (wireless adapters).

      Also, use a SHARED WEP key over an OPEN WEP key. Shared WEP keys force wireless clients to provide the WEP key to communicate with the router/ access point as well as to other computers on the same WLAN. Open WEP keys allow for computer to computer traffic as long as both computers are authenticated w/ the router/ access point.

      * Periodically changing your WEP keys can help make you a moving target.

      4. WPA is a more advanced form of WEP. It gives users the ability to generate encrypted passphrases or to use encrypted security keys. I would recommend this option over WEP wherever and whenever possible. The only drawback w/ this option is that not all wireless devices support this technology. Also, anything older than WinXP (Win98SE, Win2k, etc) does not offer native support for this technology. You will need to rely on the software that came w/ your wireless adapters, which from my experience has given me many grey hairs & bald spots.

      WPA2 is a more recent release of WPA, and offers better encryption/ protection.

      * Periodically changing your WPA/ WPA2 keys can help make you a moving target.

      5. SSID broadcast – this is your “homing beacon”. If you don't advertise your router's presence, then hackers won't know who they're hacking into until they get in. If you have everything properly documented, you can safely turn this option OFF.

      6. Limit your DHCP scope. If your DHCP scope is limited to exactly the number of expected clients, then the hacker has to work harder to get into your WLAN. The hacker would not get an auto-assigned IP address and would have to figure out what network addressing scheme you are using and assign himself a static WLAN IP before they can begin snooping for relevant data.

      7. Change the default IP address & admin password for your router & access points. Increase the level of difficulty/ inconvenience wherever and whenever possible against hackers.

      8. Check your router’s/ access point’s logs from time to time. See if there are any attempts to connect from unfamiliar MAC addresses.

      ** Hackers are unwanted pests in your home’s WLAN and should be treated as such at all times.

      I recommend that home users should use Shared WEP 128-bit keys and MAC filtering as the minimum level of protection for their home WLANs. If possible, WPA or WPA2 should be implemented w/ MAC filtering. Disabling the SSID broadcast will also help. However, people must remember that this will only make things more challenging for the hacker. If the hacker is determined enough, and has enough time, the hacker WILL eventually get through.
