
2.0 Types of Wireless Network Security

Here are some general steps you can implement to improve the security of your wireless network:
  • Enable WPA Encryption. (Best Bet, at this time.) TKIP, AES, or RADIUS authentication recommended. Be forewarned that all WiFi devices on your network will have to share identical encryption settings. Therefore you might have to find the lowest common denominator; the strongest setting common to all your devices.

  • Use a strong passphrase; 63 characters is best, with non-dictionary words.

  • Authenticate wireless clients with protocols like EAP (including EAP-TLS, EAP-TTLS, PEAP, and EAP-SIM)

  • Encrypt wireless traffic using a VPN (Virtual Private Network)

  • Change the default SSID. Change it periodically.
    Wireless networking products come with a default SSID set by the factory. (The Linksys default SSID is linksys.) Hackers know these defaults and will try them against your network. Change your SSID to something unique and not something related to your company or the networking products you use.

  • Change the default password for the Administrator account.
    With every wireless networking device you use, keep in mind that network settings (SSID, WEP keys, etc.) are stored in its firmware. Your network administrator should be the only person who can change network settings. If a hacker gets hold of the administrator's password, he, too, can change those settings. So make it harder for a hacker to get that information: change the administrator's password regularly.

  • Enable MAC Address Filtering. (This is a weak tool, and should not be considered a "fix" by itself.)
    See: Wireless Security » MAC Address Filtering

  • Check for available firmware updates at the manufacturer's website, usually in the Support area.

Wireless Security involves more than just following "general steps". Make sure that you are aware of the risks involved with using wireless networking.

by KeysCapt
last modified: 2005-12-24 09:20:42

MAC address filtering registers valid MAC (media access control) addresses in use and permits only recognized MAC addresses to establish communication with wireless access points.

Most wireless APs/routers now come with a MAC Filtering feature. This option limits access to ONLY the MAC addresses that you have configured the router to permit. To use this feature, you will need to find the MAC addresses of all the wireless cards that will be using your network.

You can find a wireless card's MAC address in Windows 2000/XP by going to "Start" -> "Run", typing "cmd", then typing "ipconfig /all" and looking for the wireless card in the output. It should say "Physical Address", or something similar, under the card info. Write that MAC address down and copy it into the "MAC Allow" section of the wireless AP/router.
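As an added example (not part of the original FAQ), a short Python script that pulls the "Physical Address" lines out of ipconfig /all output, picks the adapters that look wireless, and normalizes the addresses into the colon-separated form most routers' MAC Allow lists expect. The ipconfig text, adapter names and MAC addresses in it are constructed samples, not captured from a real machine, and the function names are mine.

```python
import re

# Constructed "ipconfig /all" excerpt (not from a real machine; adapter
# names and MAC addresses are made up).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        Description . . . . . . . . . . . : Example Wired NIC
        Physical Address. . . . . . . . . : 00-11-22-AA-BB-01

Ethernet adapter Wireless Network Connection:
        Description . . . . . . . . . . . : Example 802.11g Wireless Adapter
        Physical Address. . . . . . . . . : 00-11-22-AA-BB-02
"""

ADAPTER_RE = re.compile(r"^\S.*?adapter (.+):$")       # section header line
FIELD_RE = re.compile(r"^\s+([^:.]+?)[ .]*:\s*(.*)$")  # "Label . . . : value"
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def normalize_mac(mac):
    """Validate a MAC written with dashes, colons or no separator; return it
    lowercase and colon-separated (what most router allow-lists take)."""
    s = mac.strip()
    if not MAC_RE.match(s):
        return None
    digits = re.sub(r"[-:]", "", s).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_ipconfig(text):
    """One dict (name, description, mac) per adapter section in the output."""
    adapters, current = [], None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = {"name": header.group(1), "description": "", "mac": None}
            adapters.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:  # ignore fields before any adapter
            label, value = field.group(1).strip(), field.group(2).strip()
            if label == "Physical Address":
                current["mac"] = normalize_mac(value)
            elif label == "Description":
                current["description"] = value
    return adapters

def wireless_allow_list(text):
    """MACs of adapters that look wireless: the entries for the MAC filter."""
    return [a["mac"] for a in parse_ipconfig(text)
            if a["mac"] and "wireless" in (a["name"] + a["description"]).lower()]
```

On a real machine, replace SAMPLE_IPCONFIG with the saved output of ipconfig /all and copy the returned addresses into the router's allow list.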

Although this mechanism might sound foolproof, it isn't. Most 802.11 NICs allow you to configure the MAC address of the NIC in software. If you can "sniff" the MAC address of an existing node on the network, you can join the network by spoofing the MAC address of that node. MAC filtering really only keeps somebody from accidentally connecting to your WAP; it won't keep a determined wardriver out. Keep in mind that Windows XP will try to associate automatically. It is quite easy for someone with knowledge to change their MAC to match one that has been allowed on your system and log on in its place. The original system will lose its access to the WAP, and it will be quite confusing to figure out what is actually going on.

However, it is still recommended to have MAC filtering enabled.


Some articles that discuss MAC filtering:

"Enable MAC Address Filtering on Wireless Access Points and Routers"

by Bill, edited by KeysCapt
last modified: 2005-12-23 20:23:56

IPSec (IP Security) protocols provide mechanisms for establishing security associations between pairs of devices. In fact, IPSec may be used to establish private end-to-end communications between pairs of computers, so that an additional layer of security is imposed above and beyond whatever Wi-Fi controls may be in place. This mechanism is quite similar to that used in VPNs (virtual private networks), in which additional security is used to make connections across inherently insecure links.

by KeysCapt

VPN links are special added protocol layers and encryption services that allow traffic between a sender and a receiver to be further secured while in transit across public or other insecure network links (such as the Internet). Most experts recommend the use of VPN or similar technologies any time sensitive data must traverse insecure links or media (such as WLANs).

by KeysCapt

For the most part, Macs are fully compatible. However, there are a couple of things to note.

To connect to a "Closed" network (one that doesn't broadcast its SSID) you select "Other" from the Airport menu.

For use with non-Apple WEP systems you'll need to enter the key in hex. When WEP was designed, there was no pass-phrase system in place, so the different manufacturers have different systems which are (for the most part) incompatible.

With the latest release (10.3.7), the options are:
  • "WEP Password" = Apple Base-station password
  • "WEP 40/128-bit hex" = The password in hex
  • "WEP 40/128-bit ASCII" = Enter a pass-phrase with ASCII->HEX conversion (some brands use this system)
  • LEAP = Use Cisco's LEAP network authentication system
  • WPA Personal = WPA-PSK (TKIP)
  • WPA Enterprise = Centralized WPA server

With some of the older versions, there was only "WEP Password". The workaround was to start the key with 0x, which would clue the computer in that it is a hex password.
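As an added example (not from the original FAQ), here is how a client could classify a WEP key typed in the ways discussed above: a 0x-prefixed hex key, a bare hex key, or a short ASCII key converted byte by byte to hex, with anything else rejected before it silently becomes a different key than the one on the AP. The function names are mine; the 5/13-character and 10/26-digit lengths are the standard WEP 40-bit and 104-bit ("128-bit") key sizes.

```python
import re

# WEP key sizes: 40-bit keys are 5 ASCII characters or 10 hex digits,
# 104-bit ("128-bit" in most menus) keys are 13 characters or 26 hex digits.
HEX_KEY_KINDS = {10: "WEP 40-bit", 26: "WEP 128-bit"}
ASCII_KEY_KINDS = {5: "WEP 40-bit", 13: "WEP 128-bit"}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def normalize_wep_key(entry):
    """Classify a typed WEP key and return (kind, key_as_hex).

    Entry modes mirror the AirPort menu: a "0x" prefix forces hex (the
    old-release workaround), a bare 10/26-digit hex string is hex, and a
    5/13-character string is an ASCII key converted one byte per character.
    Anything else raises ValueError so a mistyped key is caught at the client.
    (Assumed helper for illustration, not any vendor's software.)
    """
    s = entry.strip()
    if s.lower().startswith("0x"):
        body = s[2:]
        if len(body) in HEX_KEY_KINDS and HEX_RE.match(body):
            return HEX_KEY_KINDS[len(body)] + " hex", body.lower()
        raise ValueError("0x prefix but not a 10- or 26-digit hex key")
    if len(s) in HEX_KEY_KINDS and HEX_RE.match(s):
        return HEX_KEY_KINDS[len(s)] + " hex", s.lower()
    if len(s) in ASCII_KEY_KINDS and s.isascii() and s.isprintable():
        # ASCII mode: each character becomes one key byte, e.g. "A" -> "41"
        return ASCII_KEY_KINDS[len(s)] + " ASCII", s.encode("ascii").hex()
    raise ValueError("WEP keys must be 5/13 ASCII characters or 10/26 hex digits")

def is_valid_wep_key(entry):
    """True if normalize_wep_key() would accept the entry."""
    try:
        normalize_wep_key(entry)
        return True
    except ValueError:
        return False
```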

With WPA, however, passphrase handling was included in the technical standard, so it "just works".

Previously, there was no support for WPA-AES encryption with OS X, but Apple has released updates for their operating system and wireless access points that bring full compatibility with WPA2 / WPA-AES.

Conveniently, AirPort (802.11b) cards do support WPA, which is good because most PC 802.11b cards don't.
You must be running OS X with the latest AirPort software loaded.
There is no OS 9 support at this time.

With some (protected) networks you will get an error message that you can't join (instead of a prompt for the password). However, going into "Other" and entering the Network Name (SSID) and password will let you in anyway. Some brands/models work as expected and others don't.

by macmouse, edited by KeysCapt
last modified: 2005-11-21 06:56:30

There are a number of steps that should be taken while on public wireless networks, or wireless networks that you don't administer or control, to secure your network traffic. While these suggestions do not constitute a complete list, they do ensure some level of security. As with any network, a good software firewall (even the Windows SP2 firewall), as well as good AV, anti-malware, and anti-spyware, is critical to guarding your computer against malicious internal network traffic.

VPN: Use a VPN. If you've already got a high-end router, chances are you've got some kind of VPN endpoint already set up. Now you need to make sure it's got NAT-T (other IPsec versions don't work with NAT, which renders VPN useless in coffee shops and little wireless networks), and preconfigure it. If you have to, you can even use PPTP; I do sometimes because my router doesn't do NAT-T. Another alternative is OpenVPN (openvpn.net), which is an SSL-based VPN client that works extremely well. Look for OpenVPN GUI for easy Windows configuration. If you're not using a VPN, SSL, or another kind of encryption low in the OSI model, everything in plaintext can be passively sniffed or compromised on the wireless network.

SSL: When doing anything sensitive, try to make sure you're using SSL. Banking websites are usually OK, as long as they use SSL and there aren't any funny messages about certificates being messed up (which is the man-in-the-middle vulnerability in action). Just be careful: Gmail, for example, has the logon session secured with SSL, but messages are plain old plaintext HTTP unless you force it with some tool. There are some extensions for Firefox that are really handy for this.

Outlook/POP3/SMTP clients: Make sure you're using SSL encryption on these; otherwise you're completely out in the open. The entire authentication/secret exchange with the mail server, messages and all, is wide open. Some ISPs don't even let you connect to their mail server from outside their network without using SSL; Comcast, for example, doesn't. I'd recommend using mail2web and clicking on "secure login" if you're in a hurry or don't know how to configure your client to use SSL.

Windows Firewall/Software Firewall: I've already mentioned my favorite part, using the Windows XP SP2 firewall. Make sure it's set up to not allow exceptions, or else use your favorite software firewall; there are a lot of really good free ones. This won't protect you from eavesdroppers reading plaintext traffic, but it will prevent people from attacking your PC as if it's just another client on the network. You don't have to worry about this on most big, professional hot-spot APs (TrueMobile, for example), because these are set up to isolate each client. Mom-and-Pop Coffee/Java Joe, however, just have a WRT54G plugged into their Cox connection, so you'll need this protection there.


by Nerdtalker, edited by jazzman916
last modified: 2008-11-10 12:01:09