Wireless Networking Security Question

 
 
Patrick

 
      01-02-2004, 06:54 PM
Hi all,

I am going to set up a wireless network and I am looking at how to set up
the security. I am new to setting up networks having only had a standalone PC
up to now.

I have read that WEP can be cracked and that MAC addresses can be spoofed to
gain access. Does that mean it's not worthwhile to use them at all or is a
poor defence better than no defence?

What I am wondering is, if someone does crack my WEP encryption key, what
can they then do - can they access the files on my PC and/or use my internet
connection without any further action or will they also need to crack
another password before they can do that?

Also how long does it take to crack a WEP key? I will probably only have 2
or 3 devices on the network so changing the key regularly is an option.

If there's a site that answers these kind of questions please let me know
and I'll take a look.

cheers
Patrick.


 
Jay

 
      01-02-2004, 08:22 PM
On Fri, 2 Jan 2004 19:54:32 +0000 (UTC), "Patrick"
<(E-Mail Removed)> wrote:

>I am going to set up a wireless network and I am looking at how to set up
>the security. I am new to setting up networks having only had standalone PC
>up to now.
>
>I have read that WEP can be cracked and that MAC addresses can be spoofed to
>gain access. Does that mean it's not worthwhile to use them at all or is a
>poor defence better than no defence?


It is always better to have a weak defence than no defence at all.
Don't overlook changing the default settings for user/password which
would let someone else change your settings. Also enable the options
which hide the name of the WAP to make it a tad harder.

>What I am wondering is, if someone does crack my WEP encryption key, what
>can they then do - can they access the files on my PC and/or use my internet
>connection without any further action or will they also need to crack
>another password before they can do that?


Depends how you have your network set up. If you have a switch with a
wired network and wireless network then, in theory, an attacker can
access all of your machines and all traffic. If you have a router
with a DMZ for the wireless part of the network then you restrict the
access to that part. But then you also cease to be able to use
Internet connection sharing or file/printer sharing.

Putting a firewall on every machine helps, but if you put the LAN into
the "trusted zone" you may as well not have the firewall (for this
purpose).

Remember careful siting of the WAP so that you limit the range outside
of your property - put it central to your house and only as high up as
you need for coverage. Signal goes through windows and floors better
than walls.

>Also how long does it take to crack a WEP key? I will probably only have 2
>or 3 devices on the network so changing the key regularly is an option.


There's 64, 128 and (some brands) 256 bit keys...and information is
sent in every packet so an attacker could sniff packets for a while
and then go away and work out the key. How long to do? How fast is
their PC and how efficient is their cracking software?

Regular key changes are fine when you can bother to do it.

>If there's a site that answers these kind of questions please let me know
>and I'll take a look.


There are tons - google for WEP and words like vulnerability, hacking
etc.

I would urge you to think whether you *really* need wireless - would a
cable do the job you need?

BUT don't think I'm anti wireless - it is a very useful tool in the
right situations. It is just the fashion of the moment to avoid
cables and most home users would be better with cable imho.

jay
 
 
Trust No One®

 
      01-03-2004, 08:28 PM

Patrick wrote:
> Hi all,
>
> I am going to set up a wireless network and I am looking at how to
> set up the security. I am new to setting up networks having only had
> standalone PC up to now.
>
> I have read that WEP can be cracked and that MAC addresses can be
> spoofed to gain access. Does that mean it's not worthwhile to use
> them at all or is a poor defence better than no defence?
>


Hi,

A short beginners guide to wireless security can be found at:

http://www.overclockers.com/tips1105/index.asp

There is a huge wealth of info to be found by searching on "Wireless
Security" using any major search engine.

In addition to the advice given by Jay, one of the security configurations
you could investigate is using a VPN tunnel through the wireless into your
wired network.

Windows XP has a built-in VPN server capacity but is limited to one client
connection at a time. An article that describes a setup can be found at:

http://www.extremetech.com/article2/...,840939,00.asp

The idea here is that if an intruder cracks your WEP key then they will be
unable to gain access to your wired home network without first acquiring the
password to the VPN connection; a daunting prospect as they will be unable
to monitor your communications through the VPN tunnel due to the heavy
encryption. Access through the tunnel will be somewhat slower due to the
encryption but is much more secure.

If you are a power user you can also try setting up a dual-homed machine
running Windows 2000 or Windows 2003 server running RAS configured as a VPN
server. One of the NICs connects to the Wireless access point and the other
NIC to your wired home network. This setup will support multiple (up to 256
I think) VPN connections and allows better control and monitoring. I tried
this with an evaluation copy of Windows 2003 and it worked brilliantly :)

For most people the XP VPN setup described in the link above should suffice.



--
Peter <X-Files Fan>
Please Note: Emailed replies cc'd / bcc'd , containing HTML or attachments
auto-binned as spam




 
 
Jay

 
      01-04-2004, 04:36 AM
On Sat, 3 Jan 2004 21:28:44 -0000, "Trust No One®"
<(E-Mail Removed)> wrote:

>Windows XP has a built-in VPN server capacity but is limited to one client
>connection at a time. An article that describes a setup can be found at:
>
>http://www.extremetech.com/article2/...,840939,00.asp
>
>The idea here is that if an intruder cracks your WEP key then they will be
>unable to gain access to your wired home network without first acquiring the
>password to the VPN connection; a daunting prospect as they will be unable
>to monitor your communications through the VPN tunnel due to the heavy
>encryption. Access through the tunnel will be somewhat slower due to the
>encryption but is much more secure.
>
>If you are a power user you can also try setting up a dual-homed machine
>running Windows 2000 or Windows 2003 server running RAS configured as a VPN
>server. One of the NICs connects to the Wireless access point and the other
>NIC to your wired home network. This setup will support multiple (up to 256
>I think) VPN connections and allows better control and monitoring. I tried
>this with an evaluation copy of Windows 2003 and it worked brilliantly :)
>
>For most people the XP VPN setup described in the link above should suffice.
>


Great advice and very useful link - thx for that, I'll add this to my
repertoire!

jay
 
 
Patrick

 
      01-04-2004, 11:10 AM
"Trust No One®" <(E-Mail Removed)> wrote in message
news:bt7c6r$45la4$(E-Mail Removed)...
>
> Hi,
>
> A short beginners guide to wireless security can be found at:
>
> http://www.overclockers.com/tips1105/index.asp
>
> Windows XP has a built-in VPN server capacity but is limited to one client
> connection at a time. An article that describes a setup can be found at:
>
> http://www.extremetech.com/article2/...,840939,00.asp
>
> --
> Peter <X-Files Fan>
> Please Note: Emailed replies cc'd / bcc'd , containing HTML or attachments
> auto-binned as spam
>


Many thanks, both of you, this is very useful.

Using your advice I have set up a network and done most of the things you
recommend - I have enabled WEP 128 bit encryption and MAC filtering, and
changed the SSID to a random code, and also changed the admin password on
the router. I have a few follow up questions which you might also be able
to help with.

What I can't seem to do is what is suggested in your article about assigning
specific IP addresses to specific MAC numbers in the router. I have a
USRobotics combined router/modem/access point, and I can't see the same
option anywhere.

I have the option to disable the DHCP server, and I have a security option
called MAC Filtering but that looks to be for denying traffic to/from
certain MAC numbers across combinations of source and target addresses.

I'm guessing that I need to assign the IP addresses manually to each machine
in the Windows network configuration under "Internet Protocol" - if that's
correct, do I just need to assign the IP address or do I also need to assign
manually the subnet mask and gateway settings?

Also, do I need to mess with the settings for automatic assignment of the
DNS server address?

Next - what is the significance of the 4 different encryption keys? I set
up my desktop and my router with 4 different keys and found that if I
changed the key number on the router, the desktop would freeze up for a
while, but eventually automatically select the new key. However, on my
laptop it is not clear whether you can set up all 4 keys. There is a thing
called "Index Number" that you can type in, but I couldn't find any way to
get it to save all 4 keys - I had to manually type in the key each time I
changed the key on the router. Is it supposed to cycle automatically on all
connected machines each time I change the key number on the router?

Last question - I had wanted to enable WPA authentication. My router
supports it, in the menus. My network card supports it on the box but in
the manual it says "WPA will be provided when ratified". What does it mean
by "when ratified" do you know?

thanks again for all your help this has been extremely useful.
Patrick.


 
 
Patrick

 
      01-04-2004, 11:26 AM
>>Windows XP has a built-in VPN server capacity but is limited to one client
>>connection at a time. An article that describes a setup can be found at:
>>http://www.extremetech.com/article2/...,840939,00.asp
>>The idea here is that if an intruder cracks your WEP key then they will be
>>unable to gain access to your wired home network without first acquiring the
>>password to the VPN connection; a daunting prospect as they will be unable
>>to monitor your communications through the VPN tunnel due to the heavy
>>encryption. Access through the tunnel will be somewhat slower due to the
>>encryption but is much more secure.


One more follow up - I'm not sure what you mean by "one client connection at
a time", and the article you've put up here is somewhat beyond my technical
ability to understand easily. However from scanning through it I got the
impression that I need to set up one of my computers as a VPN server with a
firewall, and the rest of my computers to connect to that VPN server using a
secure VPN. I would then have a firewall between the internet and my doubly
encrypted internal network. Is that correct?

How would internet traffic on the non-server machines work in that
situation - would that also go through the VPN connection?

I may have misunderstood this totally and I don't know if it makes a
difference that my connection to the internet is on the router and not
directly connected to what would be the server?

Lastly, at the moment I don't have an XP Professional PC so I gather I would
need to upgrade to do this, so short term at least it's not an option.
However, I will certainly keep it in mind and would appreciate any further
comments on my questions above.

thanks
Patrick.


 
 
Jay

 
      01-04-2004, 12:24 PM
On Sun, 4 Jan 2004 12:10:39 +0000 (UTC), "Patrick"
<(E-Mail Removed)> wrote:

>Last question - I had wanted to enable WPA authentication. My router
>supports it, in the menus. My network card supports it on the box but in
>the manual it says "WPA will be provided when ratified". What does it mean
>by "when ratified" do you know?


"We haven't yet implemented this feature because there isn't an agreed
standard for it yet. We'll make it available as a download at some
point in the future."

I guess

jay
 
 
Trust No One®

 
      01-04-2004, 09:22 PM
Patrick wrote:
>
> What I can't seem to do is what is suggested in your article about
> assigning specific IP addresses to specific MAC numbers in the
> router. I have a USRobotics combined router/modem/access point, and
> I can't see the same option anywhere.


The static DHCP option appears to be specific to the particular D-Link
router that the article's author has. It is not present in my D-Link access
point. The option allows the DHCP server to hand out leases only to
specified IP addresses. Your router does not appear to have the option
either.

>
> I have the option to disable the DHCP server, and I have a security
> option called MAC Filtering but that looks to be for denying traffic
> to/from certain MAC numbers across combinations of source and target
> addresses.


The MAC address filtering is useful and you should use it to restrict
connections to the MAC addresses of the NICs in your laptop and desktop. You
should also check the logs on your access point regularly.

>
> I'm guessing that I need to assign the IP addresses manually to each
> machine in the Windows network configuration under "Internet
> Protocol" - if that's correct, do I just need to assign the IP
> address or do I also need to assign manually the subnet mask and
> gateway settings?
>

Disabling the DHCP server will throw another hurdle in the path of a
would-be hacker. You can also change the subnet and IP address used by your
router/ap from the default but you should not attempt this until you're
comfortable with tcp/ip concepts.

You will need to assign an ip address, subnet mask and gateway to your
desktop and laptop. The gateway address will of course be the address
assigned to your router/ap. The subnet mask (usually 255.255.255.0) should
be the same on all the devices.


> Also, do I need to mess with the settings for automatic assignment of
> the DNS server address?
>

Just about every router/ap supports DNS relay so all you'll need to do is to
specify the ip address of the router/ap as the DNS server for your desktop
and laptop.

> Next - what is the significance of the 4 different encryption keys?
> I set up my desktop and my router with 4 different keys and found
> that if I changed the key number on the router, the desktop would
> freeze up for a while, but eventually automatically select the new
> key. However, on my laptop it is not clear whether you can set up
> all 4 keys. There is a thing called "Index Number" that you can type
> in, but I couldn't find any way to get it to save all 4 keys - I had
> to manually type in the key each time I changed the key on the
> router. Is it supposed to cycle automatically on all connected
> machines each time I change the key number on the router?
>

Is the NIC in your laptop made by the same manufacturer (USR) as your
router/AP? If not the configuration may be slightly different. All I can
suggest is that you consult the documentation or the manufacturer's website
for the NIC in your laptop. If you give the model of the NIC perhaps someone
on the group can help here.


> Last question - I had wanted to enable WPA authentication. My router
> supports it, in the menus. My network card supports it on the box
> but in the manual it says "WPA will be provided when ratified". What
> does it mean by "when ratified" do you know?
>

I think Jay has already answered this one. The WPA standard(s) is still
going through the process of ratification. When it becomes official, firmware
and software updates will most likely be released for both the AP and the
NICs.

hth

--
Peter <X-Files Fan>
Please Note: Emailed replies cc'd / bcc'd , containing HTML or attachments
auto-binned as spam
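
Added example, not part of the thread or of any poster's reply: one way to do the regular log check recommended above once MAC filtering is on and each machine has a hand-assigned IP. The log format, MAC addresses, IP addresses and the names `INVENTORY`, `norm_mac` and `audit` are all constructed for illustration; real access points each use their own log layout.

```python
"""Audit access-point log lines against a home device inventory (added example)."""
import re

# Constructed inventory: MACs on the filter's allow list and the static IP
# given to each machine by hand (all values are made up).
INVENTORY = {
    "02:00:00:aa:bb:01": ("desktop", "192.168.1.10"),
    "02:00:00:aa:bb:02": ("laptop", "192.168.1.11"),
}

# Constructed log format; every access point has its own, so adapt the regex.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>ASSOC|DENY) "
    r"mac=(?P<mac>[0-9A-Fa-f:.-]{12,17})(?: ip=(?P<ip>\S+))?$"
)

# Constructed sample lines, including three different ways of writing a MAC.
SAMPLE_LOG = [
    "2004-01-04 21:30:02 ASSOC mac=02:00:00:AA:BB:01 ip=192.168.1.10",
    "2004-01-04 21:31:40 ASSOC mac=02-00-00-aa-bb-02 ip=192.168.1.11",
    "2004-01-04 23:02:17 DENY mac=02:00:00:12:34:56",
    "2004-01-05 02:14:09 ASSOC mac=0200.00aa.bb02 ip=192.168.1.57",
    "2004-01-05 02:20:00 ASSOC mac=02:00:00:12:34:56 ip=192.168.1.60",
    "link up",
]


def norm_mac(raw):
    """Normalise dash, dot or colon notation to lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(lines, inventory=INVENTORY):
    """Return (line_no, finding, detail) for every line that needs a look."""
    findings = []
    for n, line in enumerate(lines, 1):
        text = line.strip()
        m = LINE.match(text)
        try:
            mac = norm_mac(m["mac"]) if m else None
        except ValueError:
            mac = None
        if mac is None:
            findings.append((n, "unparsed", text))       # never skip silently
        elif m["event"] == "DENY":
            findings.append((n, "filter-denied", mac))   # someone tried to join
        elif mac not in inventory:
            findings.append((n, "unknown-mac-associated", mac))
        elif m["ip"] and m["ip"] != inventory[mac][1]:
            # A listed MAC on an address you did not assign: misconfiguration,
            # or another device presenting that MAC.
            findings.append((n, "known-mac-unexpected-ip", f"{mac} {m['ip']}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

A clean report does not prove the allow list was never bypassed, since a spoofed MAC that also uses the expected IP looks identical to the real machine in these logs.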


 
 
Jay

 
      01-05-2004, 08:43 AM
On Sun, 4 Jan 2004 12:26:23 +0000 (UTC), "Patrick"
<(E-Mail Removed)> wrote:

>One more follow up - I'm not sure what you mean by "one client connection at
>a time", and the article you've put up here is somewhat beyond my technical
>ability to understand easily. However from scanning through it I got the
>impression that I need to set up one of my computers as a VPN server with a
>firewall, and the rest of my computers to connect to that VPN server using a
>secure VPN. I would then have a firewall between the internet and my doubly
>encrypted internal network. Is that correct?


Correct. It also means that people accessing your WLan are unable to
"simply" connect to your non-WLan machines.

Most home setups would be a desktop PC hardwired to the router, and
one or more laptops connecting via the WAP to the router.

Without VPN you could allow windows file/print sharing between wired
and wireless machines - and make your desktop PC vulnerable to attack
across the wireless network.

With the VPN you encrypt traffic across certain ports and connect that
way. This presents another (quite big) hurdle for an attacker to
jump.

The "one client" bit means only one (say) laptop can be connected to
your desktop machine at a time. Again, for most home use, this is not
a problem. You need to file share? Connect. Finished? Disconnect -
next person's go. File sharing between wireless machines is
unaffected in this scenario.

>How would internet traffic on the non-server machines work in that
>situation - would that also go through the VPN connection?
>
>I may have misunderstood this totally and I don't know if it makes a
>difference that my connection to the internet is on the router and not
>directly connected to what would be the server?


Your Internet access would be via the Router as before - it is only
access between wired and wireless parts of your network that is
affected.

>Lastly, at the moment I don't have an XP Professional PC so I gather I would
>need to upgrade to do this, so short term at least it's not an option.


Look out for OEM versions of XP Pro - you can get it for a little over
£100 new. There are always trials of VPN software on cover disks -
from memory the latest Computer Shopper has a trial version of Secure
Planet VPN.

Have fun,

jay


 
 
Trust No One®

 
      01-05-2004, 04:19 PM

"Trust No One®" <(E-Mail Removed)> wrote in message
news:bta4kv$53e9g$(E-Mail Removed)...
> Patrick wrote:
>
> The static DHCP option appears to be specific to the particular D-Link
> router that the article's author has. It is not present in my D-Link access
> point. The option allows the DHCP server to hand out leases only to
> specified IP addresses. Your router does not appear to have the option
> either.
>

Sorry, I meant to say:

This option allows the DHCP server to hand out leases only to specified MAC
addresses...

Most full blown DHCP implementations support this, but the DHCP
implementations tend to be limited in most routers/APs.

--
Peter <X-Files Fan>
Please Note: Emailed replies cc'd / bcc'd , containing HTML or attachments
auto-binned as spam
