Networking Forums


Do I need additional security?

 
 
Bill

 
      07-13-2003, 05:23 AM
I'm on the end unit of an apartment building, in an area where it's unlikely
that anyone within 500 feet (the operating range of my wireless network) is
going to have another wireless device. Do I really need to worry about
others possibly tapping into my network?

--
-Bill
------


 
jacco@wardrive.net

 
      07-13-2003, 07:05 AM
On 13 Jul 2003 05:51:32 GMT, (E-Mail Removed) (Walter
Roberson) wrote:

>Bill <(E-Mail Removed)> wrote:


>Do I really need to worry about others possibly tapping into my network?


>In other words, if you plan to be undertaking a $$$$$$ lucrative
>business in your apartment, you should pretty much count on someone
>going through the bother of putting a detection device within range.
>Ditto if you intend to make a nuisance of yourself to any of the
>three-letter-agencies or the Secret Service, or The Lumber Cartel
>(tinlc).
>
>If all you intend to do is play Solitaire from one end of your unit
>to the other, probably no-one will be bothered. But don't expect
>to be able to get away with running Fluffy Bunny Net in your unit
>without encountering some well-organized intelligence efforts.


I'd suggest to *always* secure it. Otherwise third parties will be
able to access the Internet through your wireless network; some
spammers use this new technique already to do massive spamruns. They
really don't care if this access is provided by a major company or by
a private person with a xDSL connection at home.

Jacco Tunnissen
--
http://www.wardrive.net/
Wireless Networking Security
and Wardriving Resources
 
Rôgêr

 
      07-13-2003, 08:54 AM
Yes, and maybe more importantly, filter by MAC address. The two combined
will give you the equivalent of a padlock on a door. No determined thief
will be kept out, no casual thief will get in easily.

You wouldn't want to secure the Hope diamond with this level of
security, you don't need to secure your copy of Solitaire with this
level of security.

Bill wrote:

> Thanks. And the best way is by enabling WEP?
>
> --
> -Bill
> ------
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>On 13 Jul 2003 05:51:32 GMT, (E-Mail Removed) (Walter
>>Roberson) wrote:
>>
>>
>>>Bill <(E-Mail Removed)> wrote:

>>
>>>Do I really need to worry about others possibly tapping into my network?

>>
>>>In other words, if you plan to be undertaking a $$$$$$ lucrative
>>>business in your apartment, you should pretty much count on someone
>>>going through the bother of putting a detection device within range.
>>>Ditto if you intend to make a nuisance of yourself to any of the
>>>three-letter-agencies or the Secret Service, or The Lumber Cartel
>>>(tinlc).
>>>
>>>If all you intend to do is play Solitaire from one end of your unit
>>>to the other, probably no-one will be bothered. But don't expect
>>>to be able to get away with running Fluffy Bunny Net in your unit
>>>without encountering some well-organized intelligence efforts.

>>
>>I'd suggest to *always* secure it. Otherwise third parties will be
>>able to access the Internet through your wireless network; some
>>spammers use this new technique already to do massive spamruns. They
>>really don't care if this access is provided by a major company or by
>>a private person with a xDSL connection at home.
>>
>>Jacco Tunnissen
>>--
>>http://www.wardrive.net/
>>Wireless Networking Security
>>and Wardriving Resources

>
>
>


 
Captain Dondo

 
      07-13-2003, 10:21 AM
On Sun, 13 Jul 2003 04:54:38 +0000, Rôgêr wrote:

> Yes, and maybe more importantly, filter by MAC address. The two combined
> will give you the equivalent of a padlock on a door. No determined thief
> will be kept out, no casual thief will get in easily.
>


"filter by MAC address" - I've heard that several times on this NG. OK,
how do you do that? I already have DHCP set up to only give out IP
addresses to known MAC addresses. But that won't stop someone from using
a random IP on that subnet to access my network.

So do you set up a firewall to filter on MAC addresses? I don't want to
get too OS specific - I use linux, and many use windows, so the
implementation will be radically different. Unfortunately, linux doesn't
have an interface between DHCP and iptables, so you can't easily punch
holes in the firewall for assigned IPs.

If you filter on MAC addresses, how do DHCP requests get through? Do you
allow broadcasts from anywhere?

Any HOWTOs or docs out there?

-Dondo
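
On a Linux gateway, the firewall-side MAC filter asked about above can be written with the iptables `mac` match. This is an added example, not part of the original thread: the interface name `wlan0`, the chain name `WLAN_MAC` and the MAC addresses are constructed, and the script prints the rules instead of applying them. A DHCP request from an allowlisted card carries that card's source MAC, so the same rule admits it.

```shell
#!/bin/sh
# Added example (not from the thread). Prints iptables rules that let only
# allowlisted source MACs in through the wireless-facing interface.
# Assumed/constructed: interface wlan0, chain WLAN_MAC, the MACs below.

# Print the MAC in lowercase if it is well formed, otherwise fail.
valid_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' |
        grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_rules IFACE MAC...  -> rule set on stdout, non-zero status on a bad MAC.
# Every MAC is validated before anything is printed, so a typo in the list
# never yields a partial rule set.
mac_rules() {
    iface=$1; shift
    rules="iptables -N WLAN_MAC"
    for raw in "$@"; do
        mac=$(valid_mac "$raw") || { echo "bad MAC: $raw" >&2; return 1; }
        # RETURN hands a known card back to the normal INPUT/FORWARD rules.
        rules="$rules
iptables -A WLAN_MAC -m mac --mac-source $mac -j RETURN"
    done
    printf '%s\n' "$rules"
    # Anything that reached this point came from an unlisted MAC.
    echo "iptables -A WLAN_MAC -j DROP"
    # Inserted first so no earlier ACCEPT rule lets wireless traffic skip it.
    echo "iptables -I INPUT 1 -i $iface -j WLAN_MAC"
    echo "iptables -I FORWARD 1 -i $iface -j WLAN_MAC"
}

mac_rules wlan0 02:00:00:00:00:01 02:00:00:00:00:0A
```
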
 
Rôgêr

 
      07-13-2003, 05:07 PM
Captain Dondo wrote:

> On Sun, 13 Jul 2003 04:54:38 +0000, Rôgêr wrote:
>
>
>>Yes, and maybe more importantly, filter by MAC address. The two combined
>>will give you the equivalent of a padlock on a door. No determined thief
>>will be kept out, no casual thief will get in easily.
>>

>
>
> "filter by MAC address" - I've heard that several times on this NG. OK,
> how do you do that? I already have DHCP set up to only give out IP
> addresses to known MAC addresses. But that won't stop someone from using
> a random IP on that subnet to access my network.
>
> So do you set up a firewall to filter on MAC addresses? I don't want to
> get too OS specific - I use linux, and many use windows, so the
> implementation will be radically different. Unfortunately, linux doesn't
> have an interface between DHCP and iptables, so you can't easily punch
> holes in the firewall for assigned IPs.
>
> If you filter on MAC addresses, how do DHCP requests get through? Do you
> allow broadcasts from anywhere?
>
> Any HOWTOs or docs out there?
>
> -Dondo


There are settings in the access point, or at least most of them, to allow
MAC addresses. That's where you filter by MAC. If you have that enabled
and someone with a MAC address other than the ones you specifically
allow tries to get on the network, they find a dead AP.

 
jacco@wardrive.net

 
      07-13-2003, 05:21 PM
On Sun, 13 Jul 2003 01:42:54 -0700, "Bill" <(E-Mail Removed)>
wrote:

>Thanks. And the best way is by enabling WEP?


It's a combination of things, really.

You should at least *pay attention* to the following:

a) Change your default SSID (network name)
b) Disable the SSID broadcast option
c) Change the default username/password of your wireless AP
d) Enable MAC address filtering
e) Turn off DHCP
f) Refrain from using the default subnet
g) Use WEP for encryption of packets

Here's some more about this at O'Reilly's Wireless DevCenter:

http://www.oreillynet.com/pub/a/wire...fi.html?page=2

And there are lots of documents -both beginner and advanced- in the
"802.11 Security Links & Docs" section of www.wardrive.net

Jacco Tunnissen
--
http://www.wardrive.net/
Wireless Networking Security
and Wardriving Resources
 
jacco@wardrive.net

 
      07-13-2003, 05:26 PM
On Sun, 13 Jul 2003 06:21:06 -0400, "Captain Dondo"
<(E-Mail Removed)> wrote:

>"filter by MAC address" - I've heard that several times on this NG. OK,
>how do you do that? [...] So do you set up a firewall to filter on MAC addresses?


This can be done by entering the (known) MAC Addresses of your own
wireless cards, into your Wireless Access Point. How you can do this
should be outlined in more detail in the documentation of your AP.

Jacco Tunnissen
--
http://www.wardrive.net/
Wireless Networking Security
and Wardriving Resources
 
Captain Dondo

 
      07-13-2003, 09:56 PM
On Sun, 13 Jul 2003 13:07:50 +0000, Rôgêr wrote:

> There are settings in the access point, or at least most of them, to allow
> MAC addresses. That's where you filter by MAC. If you have that enabled
> and someone with a MAC address other than the ones you specifically
> allow tries to get on the network, they find a dead AP.


Well, I have a brainless AP - an SMC 2652W - which doesn't provide any
sort of filtering. I finally got WEP going, and like I said, I assign
addresses only to known MACs, so I guess I should be OK.

Any other ways of tightening down a wireless network, assuming I don't
have MAC filtering at the AP?

-Dondo
 
John Doe

 
      07-14-2003, 01:12 PM
On Sun, 13 Jul 2003 05:51:32 +0000, Walter Roberson wrote:

> If all you intend to do is play Solitaire from one end of your unit to
> the other, probably no-one will be bothered. But don't expect to be able
> to get away with running Fluffy Bunny Net in your unit without
> encountering some well-organized intelligence efforts.


You forgot the same issue that everyone seems to forget when talking
about wireless security.. liability.

If your wireless network is compromised, and someone piggybacks your
connection, through your provider, to the internet, and decides to
download some copyrighted material (such as certain kinds of mp3s), or
"bomb-making plans", or child pornography, your provider will see that
coming through YOUR connection. Who do you think they'll be asking
questions of, when the local police, FBI, CIA, etc. come knocking?
Certainly not the guy across the street with a laptop in the back of his
van, riding on your connection.

Secure your network, always:

1.) Disable DHCP entirely. Use static addressing, always.

2.) Put your machine('s) MAC address(es) in the WAP's ACL

3.) Use (and regularly rotate) strong 128-bit WEP keys on both ends

4.) Disable SSID broadcasting (if your WAP doesn't support this,
get a new WAP)

5.) Use SSL whenever possible, VPN/ipsec/ssh for ALL outbound traffic

6.) Enable "closed-wireless network" for your WAP

7.) Lock down all incoming, unused ports through your firewall (What?
Your WAP IS your firewall? Tsk tsk!)

These steps should help, and be used at a bare minimum, even if you're
playing Solitaire on your computer.
 
David Taylor

 
      07-14-2003, 01:34 PM
> You forgot the same issue that everyone seems to forget when talking
> about wireless security.. liability.


Just to play devil's advocate though, who says I'm required to secure my
network any more than I'm required to secure my car to stop it being
taken and used in a bank raid?

I take your point but it's also up to the authorities (certain is here)
to provide evidence and simply saying "well his ISP shows it being
logged as from that connection" probably wouldn't be enough.

I'd counter with, "well prove that beyond all reasonable doubt that it
couldn't have been someone within a certain radius around my property
looking to mask their illegal activities!" I am not required to encrypt
my WLAN any more than I am required to carry ANY documentation as to who
I am, nor do I have to have any documents relating to my vehicle or my
ability to drive it when in the process of doing so, likewise, just
because I might have a can of beer open on the seat next to me, that's
not enough to get a conviction for anything!

Encryption is for *MY* benefit for the security of my data, not merely
as a purpose of excluding my liability.

Besides, how about if it is encrypted and the traffic comes from your
location. It's much easier to say well that's because for my
convenience I don't encrypt so it could well have been someone nearby,
instead of saying "well I guess that Mr Porno sat around catching
packets to break my WEP key before being able to download his fix!"

> 7.) Lock down all incoming, unused ports through your firewall (What?
> Your WAP IS your firewall? Tsk tsk!)


And outbound ones for that matter

> These steps should help, and be used at a bare minimum, even if you're
> playing Solitaire on your computer.


Remove games!


 