Is my network secure?

......just a quick one. I've got a wireless router on my b/band
connection, which I've secured(?) using WPA-PSK with an ASCII passphrase 9
alphanumeric characters long, and I use MAC filtering to only allow a laptop
and a
wireless IP camera to connect. When checking the log today, I've got the
following in it:

Mon Aug 28 22:51:48 2006 Unallowed access from 00-A0-F8-CC-96-A7
Mon Aug 28 22:51:49 2006 Unallowed access from 00-A0-F8-CC-96-A7
Mon Aug 28 22:51:50 2006 Unallowed access from 00-A0-F8-CC-96-A7
Mon Aug 28 22:51:50 2006 Unallowed access from 00-A0-F8-CC-96-A7
Mon Aug 28 22:51:51 2006 Unallowed access from 00-A0-F8-CC-96-A7
Mon Aug 28 22:51:52 2006 Unallowed access from 00-A0-F8-CC-96-A7

and

Tue Aug 29 02:42:39 2006 Associated: 00-14-A5-49-04-0A st=0
Tue Aug 29 02:42:44 2006 Disassociated: 00-14-A5-49-04-0A
Tue Aug 29 02:42:48 2006 Associated: 00-14-A5-49-04-0A st=0

Apart from having the time set wrong(!), is my network secure?

> Mon Aug 28 22:51:48 2006 Unallowed access from 00-A0-F8-CC-96-A7
> Tue Aug 29 02:42:39 2006 Associated: 00-14-A5-49-04-0A st=0

What devices are using those MAC addresses? Your own PCs or something else?

You can see your own device MAC addresses, on windows, using 'ipconfig /all'
from the cmd line. Look for the line labelled 'Physical Address'. If
you're on a linux or Macintosh you could use 'ifconfig' and look for
'HWaddr'. For other stuff like printers and such you may have to look on
their labels to find the address (presuming they're networkable, of course!)

If it's not a MAC address of one of your own devices than it's something
else trying to get connected. There's not much you can do to "stop" them
from trying. But if you're got your WPA setup then they just won't make the
connection.

But if you're really concerned about being 'secure' then using wireless
isn't the way to get it. Sure, it can be made pretty resistant to casual
attempts, and WPA is currently as good as it's going to get for fending off
unwanted connections. But it wouldn't prevent someone from staging denial
of service or other attacks bent on slowing the network down so much as to
become useless. For that you ought to be using an actual wired connection.

So it all depends on just how 'secure' your situation requires.

>> Mon Aug 28 22:51:48 2006 Unallowed access from 00-A0-F8-CC-96-A7
>> Tue Aug 29 02:42:39 2006 Associated: 00-14-A5-49-04-0A st=0
>
> What devices are using those MAC addresses? Your own PCs or something
> else?
>
> You can see your own device MAC addresses, on windows, using 'ipconfig
> /all'
> from the cmd line. Look for the line labelled 'Physical Address'. If
> you're on a linux or Macintosh you could use 'ifconfig' and look for
> 'HWaddr'. For other stuff like printers and such you may have to look on
> their labels to find the address (presuming they're networkable, of
> course!)
>
> If it's not a MAC address of one of your own devices than it's something
> else trying to get connected. There's not much you can do to "stop" them
> from trying. But if you're got your WPA setup then they just won't make
> the
> connection.
>
> But if you're really concerned about being 'secure' then using wireless
> isn't the way to get it. Sure, it can be made pretty resistant to casual
> attempts, and WPA is currently as good as it's going to get for fending
> off
> unwanted connections. But it wouldn't prevent someone from staging denial
> of service or other attacks bent on slowing the network down so much as to
> become useless. For that you ought to be using an actual wired
> connection.
>
> So it all depends on just how 'secure' your situation requires.
>

Thanks for that - none of the MAC address are the laptop of the wireless IP
camera, so assume they must be somebody trying to hack into the network. On
the basis that the log says: 'Unallowed access from....', does that mean the
attempt to connect has failed? The wording isn't particularly clear - it
could mean that they have had access but it was unallowed. Get my drift?

Gus,

It could be that what you saw was no more than a neighbor trying to
connect and was refused because the security or encryption was not
right as it should be. The fact of the connection was attempted does
not neccessarily mean that there was a problem. the device trying to
connect may simply have been using a broadcast SSID, or if you have not
changed your SSID from the default of your router or access point.

I do have a question do you have Broadcastt SSID turned off. This will
prevent a device from trying to connect if it is using a broadcast SSID
such as ANY or a blank SSID. It does not stop beacons with your SSID
from being sent out over the air as many people think.

> It could be that what you saw was no more than a neighbor trying to
> connect and was refused because the security or encryption was not
> right as it should be. The fact of the connection was attempted does
> not neccessarily mean that there was a problem. the device trying to
> connect may simply have been using a broadcast SSID, or if you have not
> changed your SSID from the default of your router or access point.
>
> I do have a question do you have Broadcastt SSID turned off. This will
> prevent a device from trying to connect if it is using a broadcast SSID
> such as ANY or a blank SSID. It does not stop beacons with your SSID
> from being sent out over the air as many people think.
>

Yes - I've got my broadcast SSID off, which I remembered I did some time
ago, when I tried to reconnect the laptop after a problem with the network
and then couldn't quite work out why the laptop couldn't see the network on
a wireless scan. When I connected the laptop on a cable and went into the
router settings, I enabled broadcast SSID so I could connect wirelessly, and
then disabled it again once connected.

Thanks for all your help, by the way.

> I do have a question do you have Broadcastt SSID turned off. This will
> prevent a device from trying to connect if it is using a broadcast SSID
> such as ANY or a blank SSID. It does not stop beacons with your SSID
> from being sent out over the air as many people think.

Eh, using no SSID broadcast is almost useless. Anything that listens
passively to the airwaves will quickly be able to determine it. That and if
anyone else is setting up their own network they may not see your equipment
already on the channel. So then you'll have the potential for someone else
to innocently setup their equipment on the same channel and ruin bandwidth
for the both of you. And this helps you, how?

It's better to leave the SSID being broadcast and just go with WPA.

-Bill Kearney

On Tue, 29 Aug 2006 15:34:38 -0400, "Bill Kearney"
<(E-Mail Removed)> wrote in
<(E-Mail Removed)> :

>> I do have a question do you have Broadcastt SSID turned off. This will
>> prevent a device from trying to connect if it is using a broadcast SSID
>> such as ANY or a blank SSID. It does not stop beacons with your SSID
>> from being sent out over the air as many people think.
>
>Eh, using no SSID broadcast is almost useless. Anything that listens
>passively to the airwaves will quickly be able to determine it. That and if
>anyone else is setting up their own network they may not see your equipment
>already on the channel. So then you'll have the potential for someone else
>to innocently setup their equipment on the same channel and ruin bandwidth
>for the both of you. And this helps you, how?
>
>It's better to leave the SSID being broadcast and just go with WPA.

Agreed. But make sure the SSID is unique to you (e.g., GusUltonNet) --
lots of connection attempts are nothing more than using a common default
SSID (e.g., "linksys").

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

>>> I do have a question do you have Broadcastt SSID turned off. This will
>>> prevent a device from trying to connect if it is using a broadcast SSID
>>> such as ANY or a blank SSID. It does not stop beacons with your SSID
>>> from being sent out over the air as many people think.
>>
>>Eh, using no SSID broadcast is almost useless. Anything that listens
>>passively to the airwaves will quickly be able to determine it. That and
>>if
>>anyone else is setting up their own network they may not see your
>>equipment
>>already on the channel. So then you'll have the potential for someone
>>else
>>to innocently setup their equipment on the same channel and ruin bandwidth
>>for the both of you. And this helps you, how?
>>
>>It's better to leave the SSID being broadcast and just go with WPA.
>
> Agreed. But make sure the SSID is unique to you (e.g., GusUltonNet) --
> lots of connection attempts are nothing more than using a common default
> SSID (e.g., "linksys").
>

I've changed my SSID to something unique (I think, because I can't see any
other wireless networks in my local area transmitting).

> I've changed my SSID to something unique (I think, because I can't see any
> other wireless networks in my local area transmitting).

Just be sure to check the nearby airwaves now and then. At some point
someone else may be likely to setup another network. Since clients don't
generally care which channel they'll use it's often better to switch your
channel to something else to avoid the interference. It's impossible to
completely avoid interference or overlap if there's a lot of access points.
But when there's only a few, especially if they're all crowded on a default
channel, it's possible to move to a different channel and possibly avoid the
performance hits.

-Bill Kearney