2.0 Types of Wireless Network Security
Most wireless APs/routers now come with a MAC Filtering feature. This option limits access to ONLY the MAC addresses that you have configured your router to permit. If you would like to use this feature, you will need to find the MAC addresses of all the wireless cards that will be using your network.
You can find a wireless card's MAC address in Windows 2000/XP by going to "Start" -> "Run", typing "cmd", then typing "ipconfig /all" and looking for the wireless card in the output. It should say "Physical Address", or something similar, under the card info. Write that MAC address down and copy it into the "MAC Allow" section of the wireless AP/router.
Although this mechanism might sound foolproof, it isn't. Most 802.11 NICs allow you to configure the MAC address of the NIC in software. If you can "sniff" the MAC address of an existing node on the network, you can join the network by spoofing the MAC address of that node. MAC filtering really only keeps somebody from accidentally connecting to your WAP; it won't keep a determined wardriver out. Keep in mind that Windows XP will try to associate automatically. It is quite easy for someone with the knowledge to change their MAC to match one that has been allowed on your system and log on in its place. The original system will lose its access to the WAP, and it will be quite confusing to figure out what is actually going on.
However, it is still recommended to have MAC filtering enabled.
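The two halves of the MAC filtering section above, the allow list itself and the "two stations with one address" symptom it warns about, as an added Python example that is not part of the original page. The `ipconfig /all` excerpt and the DHCP-style association records are constructed for the example; `normalize_mac`, `MacFilter` and `duplicate_mac_clients` are names chosen here, not router or Windows APIs.

```python
"""Added example: a MAC allow list like an AP's "MAC Allow" page, plus a check
for the symptom the text describes (one MAC presented by two clients).
All input below is constructed for this example."""
import re
from collections import defaultdict

# Constructed excerpt in the style of Windows XP `ipconfig /all` output.
IPCONFIG_OUTPUT = """
Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example 802.11g Wireless Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        IP Address. . . . . . . . . . . . : 192.168.1.20

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-AA-BB-CC-DD-EE
"""

# Constructed (mac, client hint) pairs, e.g. hostnames seen in DHCP requests.
ASSOCIATIONS = [
    ("00-11-22-33-44-55", "family-laptop"),
    ("00:11:22:33:44:55", "family-laptop"),
    ("00:11:22:33:44:55", "unknown-host"),   # same MAC, different client
    ("00-66-77-88-99-AA", "kitchen-pc"),
]

# Six hex octets, separated by '-', ':' or nothing at all.
MAC_RE = re.compile(r"([0-9A-Fa-f]{2})[-:]?" * 5 + r"([0-9A-Fa-f]{2})")


def normalize_mac(raw):
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455 and
    return the lower-case colon form; reject anything else."""
    m = MAC_RE.fullmatch(raw.strip())
    if not m:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(octet.lower() for octet in m.groups())


def wireless_macs(ipconfig_text):
    """Pull the Physical Address of every adapter whose heading says
    'Wireless', the step the text does by hand."""
    found = []
    current_is_wireless = False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace():        # adapter heading line
            current_is_wireless = "wireless" in line.lower()
        elif current_is_wireless and "Physical Address" in line:
            found.append(normalize_mac(line.split(":", 1)[1]))
    return found


class MacFilter:
    """Allow-list filter in the spirit of an AP's MAC filtering option."""

    def __init__(self, allowed):
        self.allowed = {normalize_mac(m) for m in allowed}

    def permits(self, mac):
        return normalize_mac(mac) in self.allowed


def duplicate_mac_clients(associations):
    """Return MACs presented by more than one distinct client. A legitimate
    station and a second machine using its copied address both land here,
    which is the 'original system loses access' situation in the text."""
    seen = defaultdict(set)
    for mac, hint in associations:
        seen[normalize_mac(mac)].add(hint)
    return sorted(mac for mac, hints in seen.items() if len(hints) > 1)


if __name__ == "__main__":
    allowed = wireless_macs(IPCONFIG_OUTPUT)
    print("allow list:", allowed)
    flt = MacFilter(allowed)
    print("permits wired card?", flt.permits("00-AA-BB-CC-DD-EE"))
    print("MACs seen from two clients:", duplicate_mac_clients(ASSOCIATIONS))
```

The duplicate check is only a heuristic: a reinstalled OS or a renamed machine also changes the client hint, so treat a hit as something to look into, not proof of spoofing.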
Some articles that discuss MAC filtering:
"Enable MAC Address Filtering on Wireless Access Points and Routers"
To connect to a "Closed" network (one that doesn't broadcast its SSID) you select "Other" from the Airport menu.
For use with non-Apple WEP systems you'll need to enter the key in hex. When WEP was designed, there was no pass-phrase system in place, so the different manufacturers have different systems which are (for the most part) incompatible.
With the latest release (10.3.7), there are options of
"WEP Password" = Apple Base-station password
With some of the older versions, there was only "WEP Password". The workaround was to start the code with a 0x which would clue the computer in that it is a hex password.
With WPA however, it was included in the technical standard so it "just works".
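What "enter the key in hex" and the "0x" workaround mean in practice, and why WPA does not have the problem, as an added Python example that is not part of the original page. `wep_key_to_hex` and `wpa_psk` are names chosen here; the keys and SSID are constructed, except the WPA passphrase/SSID pair "password"/"IEEE", which is the standard's own test vector.

```python
"""Added example: normalising a typed WEP key to the hex form a non-Apple AP
expects, and the standardised WPA passphrase-to-PSK mapping for contrast.
Key values are constructed for this example."""
import binascii
import hashlib

WEP_KEY_LENGTHS = {5: "WEP-40", 13: "WEP-104"}   # key bytes -> common name


def wep_key_to_hex(entered):
    """Turn what a user types into the hex string the AP expects.
    A value prefixed with 0x (the workaround the text mentions) or made of
    10/26 hex digits is taken as hex; a 5 or 13 character string is treated
    as ASCII and mapped byte-for-byte. Anything else is rejected, because
    vendor passphrase generators disagree and guessing would be wrong."""
    s = entered.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    if len(s) in (10, 26):
        try:
            raw = binascii.unhexlify(s)
        except binascii.Error:
            raise ValueError("looks like a hex key but is not: %r" % entered)
        return raw.hex()
    if len(s) in WEP_KEY_LENGTHS:
        return s.encode("ascii").hex()
    raise ValueError("WEP keys are 5/13 ASCII characters or 10/26 hex digits")


def wep_key_kind(hex_key):
    """Name the key size from its hex form (40-bit or 104-bit)."""
    return WEP_KEY_LENGTHS[len(hex_key) // 2]


def wpa_psk(passphrase, ssid):
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations, 256-bit output. Every vendor does exactly this,
    which is why a WPA passphrase 'just works' across brands."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    ).hex()


if __name__ == "__main__":
    for typed in ("0x0123456789", "hello", "abcdefghijklm"):
        hexkey = wep_key_to_hex(typed)
        print("%-16s -> %s (%s)" % (typed, hexkey, wep_key_kind(hexkey)))
    print("WPA PSK for 'password'/'IEEE':", wpa_psk("password", "IEEE"))
```

Typing the hex form with a 0x prefix and typing the same ASCII characters give the same key bytes here, which is the only mapping the two ends of a WEP link can be sure to agree on; WPA removes the guesswork by fixing the derivation in the standard.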
Previously, there was no support for WPA-AES encryption with OS X, but Apple has released updates for their operating system and wireless access points that bring full compatibility with WPA2 / WPA-AES.
Conveniently, Airport (802.11b) cards do support WPA, which is good because most PC 802.11b cards don't.
You must be running OS X with the latest AirPort software loaded.
There is no OS 9 support at this time.
With some (protected) networks you will get an error message that you can't join (instead of being prompted for the password). However, going into "Other" and punching in the Network Name (SSID) and password will let you in anyway. Some brands/models work as expected and others don't.
• VPN: Use a VPN. If you've already got a high-end router, chances are you've got some kind of VPN endpoint already set up. Now, you need to make sure it's got NAT-T (other IPsec versions don't work with NAT, which renders VPN useless in coffee shops and little wireless networks), and preconfigure it. If you have to, you can even use PPTP; I do sometimes because my router doesn't do NAT-T. Another alternative is OpenVPN (openvpn.net), which is an SSL-based VPN client that works extremely well. Look for OpenVPN GUI for easy Windows configuration. If you're not using a VPN, SSL, or another kind of encryption low in the OSI model, everything plaintext can be passively sniffed, or compromised on the wireless network.
• SSL: When doing anything sensitive, try to make sure you're using SSL. Banking websites are usually OK, as long as they use SSL and there aren't any funny messages about certificates being messed up (which is the man-in-the-middle vulnerability in action). Just be careful: Gmail, for example, has the logon session secured with SSL, but messages are plain old plaintext HTTP unless you force it with some tool. There are some extensions for Firefox that are really handy for this.
• Outlook/POP3/SMTP clients: Make sure you're using SSL encryption on these, otherwise you're completely out in the open. The entire authentication/secret exchange with the mail server, messages and all, is wide open. Some ISPs don't even let you connect to their mail server outside their network without using SSL. Comcast, for example, doesn't. I'd recommend using mail2web, and clicking on "secure login," if you're in a hurry or don't know how to configure your client to use SSL.
• Windows Firewall/Software Firewall: I've already mentioned my favorite part, using the Windows XP SP2 firewall. Make sure it's set up to not allow exceptions, or else use your favorite software firewall. There are a lot of really good free ones. This won't protect you from eavesdroppers reading plaintext traffic, but it will prevent people from attacking your PC as if it's just another client on the network. You don't have to worry about this on most big, professional hot-spot APs (TrueMobile, for example), because these are set up to isolate each client. Mom-and-Pop Coffee/Java Joe, however, just have a WRT54G plugged into their Cox, so you'll need this protection there.
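The firewall point above is easiest to see in the firewall's own log: on a hot-spot without client isolation, the dropped inbound connections from neighbouring clients are right there. The following is an added Python example, not part of the original post. The log lines are constructed in the style of Windows XP SP2's pfirewall.log (its "#Fields:" header is real; the addresses, times and ports are made up), and `parse_log`, `lan_probes` and `suspicious_neighbours` are names chosen here.

```python
"""Added example: reading a Windows XP SP2 firewall log to spot other clients
on the same wireless subnet probing this PC. Log content is constructed."""
import ipaddress
from collections import defaultdict

# Constructed log in the style of pfirewall.log (W3C-style header + rows).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-01 10:22:15 DROP TCP 192.168.1.55 192.168.1.20 1032 445 48 S 2711337 0 65535 - - - RECEIVE
2005-03-01 10:22:15 DROP TCP 192.168.1.55 192.168.1.20 1033 139 48 S 2711338 0 65535 - - - RECEIVE
2005-03-01 10:22:16 DROP TCP 192.168.1.55 192.168.1.20 1034 135 48 S 2711339 0 65535 - - - RECEIVE
2005-03-01 10:22:20 OPEN TCP 192.168.1.20 203.0.113.10 1040 443 - - - - - - - - -
2005-03-01 10:22:31 DROP UDP 192.168.1.1 192.168.1.20 67 68 328 - - - - - - - RECEIVE
2005-03-01 10:23:02 DROP TCP 192.168.1.55 192.168.1.20 1041 3389 48 S 2711340 0 65535 - - - RECEIVE
"""

# Ports that mean "someone is treating this PC as a Windows box to poke at".
WINDOWS_SERVICE_PORTS = {135, 137, 138, 139, 445, 3389}


def parse_log(text):
    """Turn the log into a list of dicts keyed by the #Fields: names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records


def lan_probes(records, local_ip, prefixlen=24):
    """Dropped inbound connections from the same subnet, grouped by source
    address, with the destination ports each source tried."""
    net = ipaddress.ip_network("%s/%d" % (local_ip, prefixlen), strict=False)
    probes = defaultdict(set)
    for r in records:
        if r["action"] != "DROP" or r.get("path") != "RECEIVE":
            continue
        src = ipaddress.ip_address(r["src-ip"])
        if src not in net or str(src) == local_ip:
            continue
        probes[str(src)].add(int(r["dst-port"]))
    return {src: sorted(ports) for src, ports in probes.items()}


def suspicious_neighbours(probes, min_service_ports=2):
    """Sources that knocked on at least `min_service_ports` Windows service
    ports. One stray hit can be noise; several in a row is a scan."""
    return sorted(
        src for src, ports in probes.items()
        if len(set(ports) & WINDOWS_SERVICE_PORTS) >= min_service_ports
    )


if __name__ == "__main__":
    probes = lan_probes(parse_log(SAMPLE_LOG), "192.168.1.20")
    for src, ports in sorted(probes.items()):
        print(src, "->", ports)
    print("worth a look:", suspicious_neighbours(probes))
```

The DHCP broadcast from 192.168.1.1 shows up in `lan_probes` too, which is why the second function filters on service ports rather than on drop counts alone; on a properly isolated hot-spot the only same-subnet source you should see is the gateway.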