Maximizing wireless security

 
 
Dan

 
      01-26-2008, 05:39 PM
I have a Netgear WGR614 v6 wireless router which I have recently begun to
use wirelessly for my wife's work laptop. There is also a desktop connected
to the router via cat 6. Both machines are running XP SP2 with all updates.
I have the router set as follows & want to be sure I'm doing all I can to
maximize security on the network:

- File sharing is OFF on both PC's
- Router setup password has been changed to 14 random characters
- Router updated with most recent firmware
- SSID set to 13 random characters
- SSID broadcast is OFF
- WPA-PSK activated w/10 random character passphrase (tried a longer
passphrase, but Windows Networking seemed to have trouble with it, kept
defaulting to a shorter phrase). Key lifetime is the default 60 minutes.
- Access control is ON with the MAC addresses for the 2 PC's being the only
ones entered.

We live in a fairly remote suburban area, so I don't think the threat of
"wardriving" is what it might be in a more populated area, but I still want
to be sure I'm doing all I can in terms of security.

TIA

Dan


 
 
 
 
 
msg

 
      01-26-2008, 06:34 PM
Dan wrote:

> I have a Netgear WGR614 v6 wireless router which I have recently begun to
> use wirelessly for my wife's work laptop. There is also a desktop connected
> to the router via cat 6. Both machines are running XP SP2 with all updates.
> I have the router set as follows & want to be sure I'm doing all I can to
> maximize security on the network:
>


Just my preferences: run the network open but with MAC address access
controls and install IPSec VPN software with strong encryption on
your hosts (you can run a port of OpenBSD's ISAKMPD under cygwin
on the desktop if you don't have a border router, and the laptops can
run the free SSH_Sentinel Ver. 1.3.2.2). Even with WPA/WPA2 it is
often better to handle the encryption on your hosts rather than to
expect the appliance AP/router product to do it well.

Regards,

Michael
 
 
dold@96.usenet.us.com

 
      01-26-2008, 07:19 PM
In alt.internet.wireless msg <msg@_cybertheque.org_> wrote:
> controls and install IPSec VPN software with strong encryption on


Where is the other end of the VPN? He doesn't have file sharing turned on
for either PC.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
 
 
msg

 
      01-26-2008, 07:47 PM
(E-Mail Removed) wrote:

> In alt.internet.wireless msg <msg@_cybertheque.org_> wrote:
>
>>controls and install IPSec VPN software with strong encryption on

>
>
> Where is the other end of the VPN? He doesn't have file sharing turned on
> for either PC.
>


If high security is a top priority, I was suggesting that he establish
the desktop as a VPN endpoint. This would also entail a separate segment
for the wireless VPN (separate NIC or perhaps using the USB connection
to the AP/router). I assume the desktop O/S is XP-Pro; my experience
doing this is with Win2k. Filters to pass only AH and ESP and ICMP
would be needed on the wireless i/f. Doing this on a Windows O/S
under cygwin and with ported unix code is possible, but I would
really recommend adding an obsd box as a border router and running
ISAKMPD for the wireless segment. This is just my personal approach.
I assume there are native MS solutions for this as well, (L2TP and
less secure methods?). I am replying as a reader of alt.internet.wireless
and my suggestions come from experience building similar small VPNs
as described. All of this presumes that the O.P. has really serious
security concerns.

Michael
 
 
Adair Winter

 
      01-26-2008, 10:32 PM
"Dan" <(E-Mail Removed)> wrote in message
>I have a Netgear WGR614 v6 wireless router which I have recently begun to
>use wirelessly for my wife's work laptop. There is also a desktop
>connected to the router via cat 6. Both machines are running XP SP2 with
>all updates. I have the router set as follows & want to be sure I'm doing
>all I can to maximize security on the network:
>
> - File sharing is OFF on both PC's


If you trust the PC's, turn file and print sharing back on - unless you
really don't need it.

> - Router setup password has been changed to 14 random characters


Fine, so long as you remember it.

> - Router updated with most recent firmware


Ok

> - SSID set to 13 random characters


This really doesn't matter, whether 1 or 100 it's just an ID

> - SSID broadcast is OFF


Might not be applicable if you don't have neighbors or many nearby wireless
networks; however, I would turn it back on so that it's possible for others to
see your network and not plop down on top of it, making it unusable anyway.

> - WPA-PSK activated w/10 random character passphrase (tried a longer
> passphrase, but Windows Networking seemed to have trouble with it, kept
> defaulting to a shorter phrase). Key lifetime is the default 60 minutes.


Should be fine.

> - Access control is ON with the MAC addresses for the 2 PC's being the
> only ones entered.


Not necessary and makes it a pain if a friend or family member comes over
and wants to use your internet.

>
> We live in a fairly remote suburban area, so I don't think the threat of
> "wardriving" is what it might be in a more populated area, but I still
> want to be sure I'm doing all I can in terms of security.


If you want to do everything install a RADIUS server on your network and use
it to manage encryption keys and do some sort of point to point vpn
encryption between the machines as msg stated. You could even go as far as
encrypting your most important files on the disk of each computer. But I
doubt that's necessary.

Honestly most of what you have done has just made it more difficult to
manage your small network. If you trust the computers on your network then
things like mac filtering and turning off file and print sharing are simply
unnecessary IMHO.
The odds of someone breaking a WPA/WPA2 key that is random characters, case,
numbers and punctuation are VERY slim.
I found a website about a year ago that said it would take like 14 years to
crack a 7 character WPA key. *Shrug* not sure how true that is; regardless,
it would take enough time that you would notice someone sitting outside your
house.

Adair
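
Added example, not part of any post in this thread: how a WPA-PSK key is derived from the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), plus a search-space estimate for a random passphrase such as the 10-character one in the original post. The function names and the guess rate `ASSUMED_RATE` are assumptions made for illustration, not measurements.

```python
import hashlib
import math
import string


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA/WPA2 pre-shared key: PBKDF2-HMAC-SHA1 salted with the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32
    )


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given rate (worst case)."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


# Letters, digits and punctuation: 94 printable characters (space excluded).
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)
ASSUMED_RATE = 1e6  # assumption: candidate passphrases tested per second

if __name__ == "__main__":
    # The SSID is the salt: the same passphrase gives a different key per SSID,
    # so tables precomputed for one network name do not apply to another.
    for ssid in ("IEEE", "ieee"):  # constructed sample SSIDs
        print(ssid, derive_psk("password", ssid).hex())

    for length in (8, 10, 20, 63):
        bits = entropy_bits(length, PRINTABLE)
        years = years_to_exhaust(bits, ASSUMED_RATE)
        print(f"{length:2d} random chars: {bits:6.1f} bits, {years:.3g} years")
```

The estimate only holds for characters picked at random; a dictionary word of the same length has far less entropy than the formula gives.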


 
 
Peter Pan

 
      01-27-2008, 12:25 AM
Adair Winter wrote:
> "Dan" <(E-Mail Removed)> wrote in message
>
>> - SSID broadcast is OFF

>
> Might not be applicable if you don't have neighbors or many nearby
> wireless networks; however, I would turn it back on so that it's
> possible for others to see your network and not plop down on top of
> it, making it unusable anyway.
>
> Adair


Actually, fairly often when people turn the broadcast off, their software
supports profiles to automatically connect when seen... no ssid, no profile,
no auto connect... forces you to re-enter the wep/wpa/etc when turning on
the 'puter.. If your software doesn't support profiles, then never mind....
Just a major annoyance/complaint


 
 
Dan

 
      01-27-2008, 04:12 AM
"Peter Pan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Adair Winter wrote:
>> "Dan" <(E-Mail Removed)> wrote in message
>>
>>> - SSID broadcast is OFF

>>
>> Might not be applicable if you don't have neighbors or many nearby
>> wireless networks; however, I would turn it back on so that it's
>> possible for others to see your network and not plop down on top of
>> it, making it unusable anyway.
>>
>> Adair


Thanks for all the helpful replies. I'm afraid you guys lost me with the
Radius server & VPN bits, I'll have to look those up ;-) If anyone knows of
any especially good sites on this, please pass them along. The laptop in
question does logon to the wireless automatically, without SSID broadcast.
As far as MAC filtering & visiting PC's are concerned, they're few & far
between, it's pretty easy to shut the access control off if/when this might
arise. I was surprised to see the new laptop (a Lenovo) had a sticker on
the bottom with the MAC address, I had gotten it from the router setup when
the PC was wired. On the file sharing part, I do have server service killed
on each pc, along with a ton of other resource wasting & potentially
troublesome background noise, like remote registry, computer browser,
distributed link tracking service, terminal services, and others that for
reasons I've never fully understood are on "automatic" by default.

Thanks again,

Dan


 
 
Eric

 
      01-27-2008, 07:51 PM

"Dan" <(E-Mail Removed)> wrote in message
news:-(E-Mail Removed)...
>I have a Netgear WGR614 v6 wireless router which I have recently begun to
>use wirelessly for my wife's work laptop. There is also a desktop
>connected to the router via cat 6. Both machines are running XP SP2 with
>all updates. I have the router set as follows & want to be sure I'm doing
>all I can to maximize security on the network:
>
> - File sharing is OFF on both PC's
> - Router setup password has been changed to 14 random characters
> - Router updated with most recent firmware
> - SSID set to 13 random characters
> - SSID broadcast is OFF
> - WPA-PSK activated w/10 random character passphrase (tried a longer
> passphrase, but Windows Networking seemed to have trouble with it, kept
> defaulting to a shorter phrase). Key lifetime is the default 60 minutes.
> - Access control is ON with the MAC addresses for the 2 PC's being the
> only ones entered.
>
> We live in a fairly remote suburban area, so I don't think the threat of
> "wardriving" is what it might be in a more populated area, but I still
> want to be sure I'm doing all I can in terms of security.
>
> TIA
>
> Dan


Hi,

VPN and Radius Servers are complete overkill for your environment. Unless
you view setting either up as a learning exercise, it's pretty silly to
consider either.

All the measures that you wrote are fine. I would, however, suggest that
you do broadcast a SSID. Broadcasting an SSID is part of the 802.11
specifications. By not broadcasting an SSID, at best it may cause you
problems, at worst your neighbors will consider it rude RFI.

Even with SSID broadcast disabled, you can still easily be seen. Disabling
SSID broadcast may even make you a more likely target because it looks like
you are trying to hide (which you can't).

As for using MAC filtering, that is your call. If MAC filtering is tied
into being able to dish out two static IP's to your two computers, then use
it. If not, then it doesn't really offer that much extra security. MAC
filtering may be another effective layer for that 80 year old granny across
the street, but not for her 14 year old great grandson.

Again, you sound fine on your LAN side, but are you okay on your WAN
(internet) side?


 
 
S. Pidgorny

 
      01-30-2008, 08:19 AM
Not broadcasting SSID and doing MAC filtering is security theatre and not
real security.
War driving is not a threat.
Your setup looks quite secure.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Dan" <(E-Mail Removed)> wrote in message
news:-(E-Mail Removed)...
>I have a Netgear WGR614 v6 wireless router which I have recently begun to
>use wirelessly for my wife's work laptop. There is also a desktop
>connected to the router via cat 6. Both machines are running XP SP2 with
>all updates. I have the router set as follows & want to be sure I'm doing
>all I can to maximize security on the network:
>
> - File sharing is OFF on both PC's
> - Router setup password has been changed to 14 random characters
> - Router updated with most recent firmware
> - SSID set to 13 random characters
> - SSID broadcast is OFF
> - WPA-PSK activated w/10 random character passphrase (tried a longer
> passphrase, but Windows Networking seemed to have trouble with it, kept
> defaulting to a shorter phrase). Key lifetime is the default 60 minutes.
> - Access control is ON with the MAC addresses for the 2 PC's being the
> only ones entered.
>
> We live in a fairly remote suburban area, so I don't think the threat of
> "wardriving" is what it might be in a more populated area, but I still
> want to be sure I'm doing all I can in terms of security.
>
> TIA
>
> Dan
>



 
 
S. Pidgorny

 
      01-30-2008, 08:21 AM
Another box to secure traffic over a cable in the house? Brilliant!

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"msg" <msg@_cybertheque.org_> wrote in message
news:(E-Mail Removed)...
> (E-Mail Removed) wrote:
>
>> In alt.internet.wireless msg <msg@_cybertheque.org_> wrote:
>>
>>>controls and install IPSec VPN software with strong encryption on

>>
>>
>> Where is the other end of the VPN? He doesn't have file sharing turned
>> on
>> for either PC.
>>

>
> If high security is a top priority, I was suggesting that he establish
> the desktop as a VPN endpoint. This would also entail a separate segment
> for the wireless VPN (separate NIC or perhaps using the USB connection
> to the AP/router). I assume the desktop O/S is XP-Pro; my experience
> doing this is with Win2k. Filters to pass only AH and ESP and ICMP
> would be needed on the wireless i/f. Doing this on a Windows O/S
> under cygwin and with ported unix code is possible, but I would
> really recommend adding an obsd box as a border router and running
> ISAKMPD for the wireless segment. This is just my personal approach.
> I assume there are native MS solutions for this as well, (L2TP and
> less secure methods?). I am replying as a reader of alt.internet.wireless
> and my suggestions come from experience building similar small VPNs
> as described. All of this presumes that the O.P. has really serious
> security concerns.
>
> Michael



 