wireless security

Status
Not open for further replies.

paulhol

For reasons known only to the router and offending computers, putting a password on the router is causing it to drop connection regularly, so what I have now done is left the router password off for open access and set it to only allow computers with a specified MAC address to access it. I have tried it with a non-specified computer and it couldn't connect, so is this method as safe as having a password?
 
What type of encryption were you using for the passphrase/password? WEP or WPA? WPA is stronger, and highly recommended, however WEP is better than nothing. Limiting access to MAC addresses specified only by you is good, and better than nothing. I would use both if possible, but maybe in this case it isn't. I'm not sure why you would lose connection because you enabled encryption. There are ways around both, so I'm not sure if either single one is better than the other. If you can though, disable the broadcasting of your SSID, and change it from the factory default. That will help a lot in your security. Just make sure you specify the SSID on the computers that you are connecting to the router with.
 
Is the problem occurring because you change the SSID on the router? Because there's no reason for it to drop if you just change the login configuration. You probably might have to update the firmware.

There are ways to get around MAC filtering; if the attacker is very determined he would go to great lengths just to crack through your network. You can make it tougher for the hacker by changing many of the default configurations that came with the router. Changing username and password of the configuration page, use a different SSID than the default, disable SSID Broadcast, change the channel number, change default IP, disable wireless configuration, disable DHCP, enable WEP/WPA, try to put your wireless router in the center of your house to prevent it from leaking too much to the outside, if you have more than 1 router you can isolate the wireless router by putting it on a different segment. You probably won't use all these features depending on your brand of router.
 
The passphrase is used to encrypt the data as it travels through the airwaves. Without it anyone in close proximity can listen to everything traveling on your network such as the username and password for your router, and your MAC addresses. A simple MAC clone would give them full access to your network and your router and anything else they managed to pick up while sniffing.

This passphrase you are entering also needs to be input in the computers that need to use the wireless connection. Or in some cases one of the keys generated from the phrase - I'm guessing you are using WEP, although I would recommend using WPA if possible.
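The limit of MAC filtering described in the posts above can be watched for from the defender's side. The following is an added example, not code from any poster: it audits a router's client table against the MAC allowlist and flags unknown addresses and allowlisted addresses that appear on more than one client at once. The three-column table format, the addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$")

def norm_mac(mac):
    """Normalise a MAC to lower-case, colon-separated form."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":")

def audit_clients(table_text, allowlist):
    """Return findings for a client table with 'ip mac hostname' rows.

    'unknown'   : MAC is connected but not on the allowlist.
    'duplicate' : an allowlisted MAC shows up on more than one client
                  (possible cloned address, or a stale table entry).
    """
    allowed = {norm_mac(m) for m in allowlist}
    seen = defaultdict(set)
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, host = line.split()[:3]
        seen[norm_mac(mac)].add((ip, host))
    findings = []
    for mac, entries in sorted(seen.items()):
        if mac not in allowed:
            findings.append(("unknown", mac, sorted(entries)))
        elif len(entries) > 1:
            findings.append(("duplicate", mac, sorted(entries)))
    return findings

# Constructed sample: what a router's "attached devices" page might list.
SAMPLE_TABLE = """
# ip          mac                hostname
192.168.0.2   02:00:00:aa:00:01  desktop
192.168.0.3   02-00-00-AA-00-02  laptop
192.168.0.4   02:00:00:aa:00:02  unknown-host
192.168.0.5   02:00:00:bb:00:09  phone
"""
ALLOWLIST = ["02:00:00:aa:00:01", "02:00:00:aa:00:02"]

if __name__ == "__main__":
    for kind, mac, entries in audit_clients(SAMPLE_TABLE, ALLOWLIST):
        print(kind, mac, entries)
```

A cloned address used while the real device is switched off produces no duplicate row, so this check complements encryption rather than replacing it.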
 
If you are using WPA2-PSK with TKIP and/or AES on the wireless router, you have to make sure the client supports WPA2 because this is an 802.11i standard. You are probably experiencing a loss of connection because the clients don't fully support whatever type of encryption you are using on the router. For compatibility I suggest trying WEP out first, if that works then move to WPA. Make sure you go into the wireless NIC properties on the wireless network tab, then double click on the preferred network and ensure the right encryption is selected on the client side and that it matches with the router, both the type and network key (passphrase or whatever you want to call it).
 
Yeah, I have to second everything Law said in his last post. Some NICs won't support anything stronger than WEP, which is the main reason for its wide use - not because it is actually secure!

Basically use the strongest encryption you can even if it happens to be WEP. If you have no encryption then not only is most data being transmitted on your network insecure but also anyone that fancies it can probably connect to it relatively easily. By default a wireless NIC under Windows will connect to whatever network it can - which if your network is insecure may well be yours.
 
I don't mean to jack the thread, but is there any how-to's available so you can have a more detailed walkthrough of how to secure your wireless internet?
 
Jayce said:
I don't mean to jack the thread, but is there any how-to's available so you can have a more detailed walkthrough of how to secure your wireless internet?
The tricky thing here is that it is relatively easy to explain it all but when it comes to the implementation different manufacturers set up their routers differently, different routers have different features and are missing others and different manufacturers refer to some features in a slightly odd way which makes it all a tad confusing for your average user.

This is generally how I would do it. If you look at your router you will probably find similar options somewhere, but perhaps with different names:

Before you start it is often a good idea to get the network together and computers talking to each other - just so you know it did work at some point - even if it was insecure. I'm going to assume you don't have any servers (e.g. DHCP, DNS etc.) other than those in your router - if you do then you should know how to do this yourself.

---

1) Your router probably has a DHCP server, this is what allocates IP addresses to the computers on the network. If you are only ever going to have a maximum of 5 machines on your network then only let it allocate 5 IP addresses. If the router is at 192.168.0.1 then this would probably be the range 192.168.0.2 - 192.168.0.6. This means that if a sixth machine tries to connect it will be unable to obtain an IP address.

2) If not all of your computers are on all the time then even if you have done as in part 1 there may well be some IP addresses not in use. If you set the lease time of the IP addresses to the maximum you can then even if computer 192.168.0.3 is turned off the router won't lease out its IP address until this time expires. Even better some routers will allow you to assign an IP address to a MAC address - this way only the computer with the specified MAC addresses can get an IP address.

A MAC address is a unique address assigned to network cards. They are unique and no two have the same - although it is possible to clone a MAC address. Also it is worth mentioning that a MAC address is specific to a network card not a computer, so if you have two network cards in a machine each will have a different MAC address.

3) Now it is often possible to filter computers on your network by only allowing those with certain MAC addresses (Belkin routers do this). This is an effective way of choosing who can and can't get on your network - but remember you have done it when you want to add another machine to the network!!

4) Change the password on your router - should be 8 characters at least, with letters, digits and special characters - and should not be a dictionary word. Also if possible change the admin username to something else. Admin and administrator are easy to guess! The worst thing you can do is leave the default username and password - a quick google for your router's manual and I'm in.

5) Turn off remote administration. This allows someone to configure your router from outside your network. The only reason you might want to configure your router from outside your network is if you are running a server. In which case you should ssh into the server and then access your router from that.

6) Most routers are configured via a web interface. Often via http. This is insecure as everything (including usernames and passwords) is sent via plain text. If you have the option turn on https (Linksys routers will let you do this - but don't forget to enter the https:// before the IP address when accessing the router from now on). https means everything is encrypted. (This is only protection from people inside your network - you are still safe from people outside if you use http because any traffic when configuring your router does not reach the internet.)

-> The above apply to both wired and wireless networks, but obviously a wireless network is easier for a stranger to connect to so the above are a tad more important on a wireless network.

[wireless specific stuff]
On a wireless network data is floating through the air. To listen to it you just need something that listens on that frequency - such as a wireless network card... so right now if I wanted I could listen to my neighbours' traffic!...

That is kind of bad... what if they are sending sensitive data? That is where encryption comes in... Now WEP and WPA are the two most commonly used encryption methods for home wireless networks. Now if your computer encrypts data before it sends it even if someone intercepts it during transmission it is no use to them since they cannot decrypt it back to useful data. In order to decrypt it you need a key...

Most routers will ask for a passphrase. This generates a key which the sender and receiver both need to know in order to encrypt/decrypt data and communicate effectively. If they don't know the key then they cannot communicate, so it also has the advantage of password protecting your network (although that is not its main goal).

The key generated is hex, which is a number system, although rather than going from 0-9 it goes from 0-F. Generally you will be using a shared key in which case every computer needs this key entered in it to communicate.

Now as a general rule you want to use WPA if you can, if not then use WEP. WEP sends out weak keys every now and then so someone sniffing your network traffic can probably break it if they want to. Use 128bit encryption rather than 64bit (it is more secure).

WPA is more secure, although off the top of my head I can't tell you why, but I believe it is something to do with changing keys.

So...

7) Make sure you use the best encryption available to you.

8) Turn off your SSID broadcast. This basically tells everyone that your network is there. Turning it off makes it harder (but not impossible) for people to spot your network.


I think that is about it. I know someone will point out that all of that is overkill, perhaps it is? But how much monitoring do you do of your network? Would you know if someone hacked it in a couple of minutes? What I am saying is that if someone tries to break into a bank there are alarms, sounds etc... you know it is happening. With a network it is not, especially a wireless one. Think what data could be captured on your network - your computers are no longer secure behind that NAT firewall if someone is on your network. Also all it takes is one upload of dodgy firmware and your router is dead...

...anyway I'm done, hope it is of some use to someone.
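The passphrase-to-hex-key step mentioned in the post above, as an added example that is not part of the thread: for WPA/WPA2-Personal the 64-hex-digit key is PBKDF2-HMAC-SHA1 of the passphrase, salted with the SSID, with 4096 iterations and a 32-byte output. It does not cover WEP, whose passphrase generators are not standardised; the function names and client entries are constructed for illustration.

```python
import hashlib

def wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA/WPA2-Personal pre-shared key as 64 hex digits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # 802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, salt=SSID, 4096, 32 bytes)
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid_bytes, 4096, 32)
    return key.hex()

def clients_match_router(passphrase, ssid, client_hex_keys):
    """Map each client name to whether its stored hex key equals the router's.

    A mismatch (wrong passphrase, or key generated for a different SSID)
    is one cause of clients failing to stay connected.
    """
    expected = wpa_psk(passphrase, ssid)
    return {name: key.strip().lower() == expected
            for name, key in client_hex_keys.items()}

if __name__ == "__main__":
    # Published 802.11i test values: passphrase "password", SSID "IEEE".
    router_key = wpa_psk("password", "IEEE")
    print("router key:", router_key)

    # Constructed client entries: the desktop key was generated with the
    # SSID typed in lower case, so it does not match the router.
    clients = {
        "laptop": router_key.upper(),
        "desktop": wpa_psk("password", "ieee"),
    }
    print(clients_match_router("password", "IEEE", clients))
```

Because the SSID is the salt, a network left on a common factory-default name gets the same key as every other network using that name and passphrase, which is one practical reason for the advice in this thread to change the SSID.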
 