Editor: KeysCapt
Last modified on 2010-07-08 19:29:05

1.0 Introduction

1.5 Do I Need It?

2.0 Types of Wireless Network Security

2.1 WEP

2.2 WPA

2.3 Radius

3.0 More Definitions

4.0 Setup

5.0 Tools

6.0 Miscellaneous Help

7.0 Other Info Sources



    1.0 Introduction

    The Wireless Security Forum and its FAQ were created in January '05. As the forum evolves over time, the FAQ should also be updated continuously, keeping abreast of the state of the industry.

    We encourage comments on the FAQ's contents. To do that, click on the author's "business card" at the bottom of the entry you wish to comment on. That generates an Instant Message screen by which you can send your thoughts directly to the FAQ author.

    We also encourage FAQ submissions. To submit a suggested entry for the FAQ, click on the link at the bottom of the FAQ's index page. You may submit a question only if you like, but it's far better to post your question in the forum where it will get faster responses. Don't worry if your proposed entry isn't elegant, or even complete. If you submit a question and a proposed answer, it will be reviewed and edited as necessary. If it's considered a helpful addition, it will be added.

    Thanks for your participation and interest.


    by KeysCapt
    last modified: 2005-12-24 08:49:02

    A substantial percentage of wireless network owners install wireless equipment with all of the factory defaults left in place. A huge number of access points in use today advertise a default SSID, provide a direct connection to an Ethernet network, and use no encryption at all (or a WEP key left on the factory setting, which is easily defeated).

    WEP, WPA and other wireless encryption methods operate specifically between your wireless client (your computer) and your Wi-Fi access point (WAP). When data from your computer gets to the access point or gateway, it is no longer encrypted and it is transmitted over the public Internet to its destination. The only exception to this is when you're using SSH, SSL (commonly employed when you make a purchase on the Internet) or VPN, in which case it is still encrypted.

    While using an advanced tool like WPA will protect you to a degree from intruders, you might also consider additional protection techniques such as VPN.

    See /faq/vpn


    by KeysCapt
    last modified: 2005-12-24 08:54:21

    This FAQ is intended to provide information and answers to help with the security of wireless networks.

    If you'd like more basic information and definitions relating to Wi-Fi, see /faq/wlan

    by KeysCapt

    Because configuring wireless security is a normal part of configuring or troubleshooting a wireless network, you can often find information in the »Wireless Networking Forum FAQ or »Wireless Networking forum.

    Furthermore, our system also has FAQs and Forums for each of the major equipment manufacturers. Click here for a listing: Hardware By Brand. Most of these forums have a FAQ and links to the manufacturer's support sites.

    If you are considering providing commercial wireless services for the general public, apartments, or hotels, you can find that information in the »Wireless Service Providers forum.

    If your wireless network is working correctly, except for file or printer sharing, that topic is covered by our »Networking forum.

    You can search the entire system, but sometimes the number of responses is overwhelming or unorganized, and it is easier to visit the forums and FAQs.

    Naturally, if you have a Wi-Fi security question that is not covered in the places above, you are in the right place!

    Tips: This is the fastest way to get most answers. When you visit a forum, look for a FAQ (a feature of most forums), and perform a forum search (a feature of all forums) before posting.


    by funchords, edited by KeysCapt
    last modified: 2005-12-17 13:39:21


    1.5 Do I Need It?

    Enabling WEP or WPA security on your network may reduce the performance of your network, especially if 128-bit encryption is employed. However, in all but the most extreme cases, the penalty is negligible and won't be noticeable.

    Enabling WEP usually results in the card having to do the encryption and this means slowdown. Some have said there is a huge hit if the encryption takes place with software, and maybe no noticeable hit if the encryption takes place with hardware (Cisco?).

    Not only do many other gateways leave WEP off by default, some manufacturers go out of their way to stress that WEP is not required and could slow down network performance. But according to Microsoft, the performance hit is marginal--about 0.5Mbps with 64-bit encryption and only slightly more with 128-bit.


    by KeysCapt
    last modified: 2005-01-15 13:57:13

    Wireless networking is inherently risky because you are transmitting information via radio waves. Data from your wireless network can be intercepted just like signals from your cellular or cordless phones.

    Whenever you use a wireless connection, you might want to ensure that your communications and files are private and protected. If your transmissions are not secure, it may be possible for others to intercept your e-mails, examine your files and records, and use your network and Internet connection to distribute their own messages and communications.

    How secure you want your network to be depends on how you use it. If you're just surfing to do research or watch movies, you may not care if anyone picks up part of the transmission, but that's up to you. Even if you're shopping and purchasing items over the net, those financial transactions are usually protected by Secure Socket Layer (SSL). However, if your data is confidential or if you want additional security, there are several different technologies you can install. Keep in mind that security is a personal decision, but it's almost essential to use at least some level of security as a deterrent to intrusion and interception.

    In a home wireless network, you can use a variety of simple security procedures to protect your Wi-Fi connection. These include enabling Wi-Fi Protected Access, changing your password or network name (SSID) and closing your network. However, you can also employ additional, more sophisticated technologies and techniques to further secure your business network.


    by KeysCapt
    last modified: 2005-12-24 08:55:48

    This FAQ entry was adapted from a discussion in the forum:
    /forum/remark,12624537~mode=flat#12626550

    A substantial number of routers sold in the US today are of the wireless variety, because with rebates, they are often cheaper than the wired kind. Many of these end up in wired-only service. The new owner took it home, plugged it in, and it worked right out of the box. Unfortunately this means that the wireless side configuration was left in the default mode -- so it bears the default SSID, default lack of encryption, default passwords, and default transmitter "on" state.

    It is now an insecure wireless access point, and anyone can associate with it. Doing so places them on the new owner's side of his firewall, if any. The new owner is none the wiser. He doesn't have any wireless computers ... so as far as he's concerned, he doesn't use wireless yet.

    If this is your situation, read on, learn how to secure your system, and ask in the forum if you have any questions. It's how most of us learned.
    /forum/wsecurity


    by KeysCapt

    It's generally felt that you can't lock your Wireless LAN down completely. As long as your data is going over the air, it can be exploited by someone who has the time, determination, and tools.

    There are other considerations. You may be located in an area that is more prone to attacks, for example a college campus or a business center. Or you may be in a more rural area with less population. But this may actually have the reverse effect, if your broadband connection is a popular target because access is scarce.

    Security is a personal decision, but the bottom line may be that taking whatever steps you can may cause an attacker to look for an easier target.


    by KeysCapt


    2.0 Types of Wireless Network Security

    Here are some general steps you can implement to improve the security of your wireless network:

    • Enable WPA Encryption. (Best Bet, at this time.) TKIP, AES, or RADIUS authentication recommended. Be forewarned that all WiFi devices on your network will have to share identical encryption settings. Therefore you might have to find the lowest common denominator: the strongest setting common to all your devices.

    • Use a strong passphrase; 63 characters is best, with non-dictionary words

    • Authenticate wireless clients with protocols like EAP (including EAP-TLS, EAP-TTLS, PEAP, and EAP-SIM)

    • Encrypt wireless traffic using a VPN (Virtual Private Network)

    • Change the default SSID. Change it periodically.
      Wireless networking products come with a default SSID set by the factory. (The Linksys default SSID is “linksys”.) Hackers know these defaults and can check these against your network. Change your SSID to something unique and not something related to your company or the networking products you use.

    • Change the default password for the Administrator account.
      With every wireless networking device you use, keep in mind that network settings (SSID, WEP keys, etc.) are stored in its firmware. Your network administrator is the only person who can change network settings. If a hacker gets a hold of the administrator’s password, he, too, can change those settings. So, make it harder for a hacker to get that information. Change the administrator’s password regularly.

    • Enable MAC Address Filtering. (This is a weak tool, and should not be considered a "fix" by itself.)
      »Wireless Security »MAC Address Filtering

    • Check for available firmware updates at the manufacturer's website, usually in the Support area.

    Wireless Security involves more than just following "general steps". Make sure that you are aware of the risks involved with using wireless networking.


    by KeysCapt
    last modified: 2005-12-24 09:20:42

    MAC address filtering registers valid MAC (media access control) addresses in use and permits only recognized MAC addresses to establish communication with wireless access points.

    Most wireless APs/routers now come with the MAC Filtering feature. This option will limit access to ONLY the MAC addresses that you have configured your router to permit. If you would like to use this feature, you will need to find all the MAC addresses of the wireless cards that will be using your network.

    You can find a wireless card's MAC address in Windows 2000/XP by going to "Start" -> "Run" -> Type "cmd" -> Type "ipconfig /all" and look for the wireless card in the output box. It should say "Physical Address", or something similar, under the card info. Write that MAC address down and copy it into the "MAC Allow" section of the wireless AP/router.

    Although this mechanism might sound foolproof, it isn't. Most 802.11 NICs allow you to configure the MAC address of the NIC in software. If you can "sniff" the MAC address of an existing node on the network, you can join the network by spoofing the MAC address of that node. MAC filtering really only keeps somebody from accidentally connecting to your WAP. It won't keep a determined wardriver out. Keep in mind that Windows XP will try to associate automatically. It is quite easy for someone with knowledge to change their MAC to match the one that has been allowed in your system, and log on in its place. The original system will lose its access to the WAP, and it will be quite confusing to figure out what is actually going on.

    However, it is still recommended to have MAC filtering enabled.

    ------------------------------------------

    Some articles that discuss MAC filtering:

    "Enable MAC Address Filtering on Wireless Access Points and Routers"


    by Bill, edited by KeysCapt
    last modified: 2005-12-23 20:23:56

    IPSec (IP Security) protocols provide mechanisms for establishing security associations between pairs of devices. In fact, IPSec may be used to establish private end-to-end communications between pairs of computers, so that an additional layer of security is imposed above and beyond whatever Wi-Fi controls may be in place. This mechanism is quite similar to that used in VPNs (virtual private networks), in which additional security is used to make connections across inherently unsecure links.

    by KeysCapt

    VPN links are special added protocol layers and encryption services that allow traffic between a sender and a receiver to be further secured while in transit across public or other unsecure network links (such as the Internet). Most experts recommend the use of VPN or similar technologies any time sensitive data must traverse unsecure links or media (such as WLANs).

    by KeysCapt

    For the most part, Macs are fully compatible. However, there is a thing or two to note.

    To connect to a "Closed" network (one that doesn't broadcast its SSID) you select "Other" from the Airport menu.

    For use with non-Apple WEP systems you'll need to enter the code in hex. When WEP was designed, there was no pass-phrase system in place. So the different manufacturers have different systems which are (for the most part) incompatible.

    With the latest release (10.3.7), there are options of:
    • "WEP Password" = Apple Base-station password
    • "WEP 40/128-bit hex" = The password in hex
    • "WEP 40/128-bit ASCII" = Enter a pass-phrase with ASCII->HEX conversion (some brands use this system)
    • LEAP = Use Cisco's LEAP network authentication system
    • WPA Personal = WPA-PSK (TKIP)
    • WPA Enterprise = Centralized WPA server

    With some of the older versions, there was only "WEP Password". The workaround was to start the code with a 0x which would clue the computer in that it is a hex password.

    With WPA however, it was included in the technical standard so it "just works".

    Previously, there was no support for WPA-AES encryption with OS X, but Apple has released updates for their operating system and wireless access points that bring full compatibility with WPA2 / WPA-AES.

    Conveniently, Airport (802.11b) cards do support WPA, which is good because most PC 802.11b cards don't.
    You must be running OS X with the latest Airport software loaded.
    There is no OS 9 support at this time.

    With some (protected) networks you will get an error message that you can't join (instead of being prompted for the password). However, going into "Other" and punching in the Network Name (SSID) and password will let you in anyway. Some brands/models work as expected and others don't.


    by macmouse, edited by KeysCapt
    last modified: 2005-11-21 06:56:30

    There are a number of steps that should be taken while on public wireless networks, or wireless networks that you don't administer/control, to guarantee the absolute security of your network traffic. While these suggestions do not constitute a complete list, they do ensure some level of security. As with any network, a good software firewall (even the Windows SP2 firewall), as well as good AV, anti-malware, and anti-spyware are critical to guarding your computer against malicious internal network traffic.

    VPN: Use a VPN. If you've already got a high-end router, chances are you've got some kind of VPN endpoint already set up. Now, you need to make sure it's got NAT-T (other IPsec versions don't work with NAT, which renders VPN useless in coffee shops and little wireless networks), and preconfigure it. If you have to, you can even use PPTP; I do sometimes because my router doesn't do NAT-T. Another alternative is OpenVPN (»openvpn.net/), which is an SSL-based VPN client that works extremely well. Look for OpenVPN GUI for easy Windows configuration. If you're not using a VPN, SSL, or other kind of encryption low on the OSI-model, everything plaintext can be passively sniffed, or compromised on the wireless network.

    SSL: When doing anything sensitive, try to make sure you're using SSL. Banking websites are usually ok, as long as they use SSL, and there aren't any funny messages about certificates being messed up (which is the man-in-the-middle vulnerability in action). Just be careful: Gmail, for example, has the logon session secured with SSL, but messages are plain old plaintext HTTP unless you force it with some tool. There are some extensions for Firefox that are really handy for this.

    Outlook/POP3/SMTP clients: Make sure you're using SSL encryption on these, otherwise you're completely out in the open. The entire authentication/secret exchange part with the mail server, messages and all are wide open. Some ISPs don't even let you connect to their mailserver outside their network without using SSL. Comcast, for example, doesn't. I'd recommend using mail2web, and clicking on "secure login," if you're in a hurry, or don't know how to configure your client to use SSL.

    Windows Firewall/Software Firewall: I've already mentioned my favorite part, using the Windows XP SP2 firewall. Make sure it's set up to not allow exceptions, or else use your favorite software firewall. There are a lot of really good free ones. This won't protect you from eavesdroppers reading plaintext traffic, but it will prevent people from attacking your PC as if it's just another client on the network. You don't have to worry about this on most big, professional hot-spot APs (TrueMobile, for example), because these are set up to isolate each client. Mom-and-Pop Coffee/Java Joe, however, just have a WRT54G plugged into their Cox, so you'll need this protection there.

    by Nerdtalker, edited by jazzman916
    last modified: 2008-11-10 12:01:09


    2.1 WEP

    Wired Equivalent Privacy, one of several wireless network security tools.

    WEP can typically be configured in three modes:

    • No encryption mode

    • 64-bit encryption

    • 128-bit encryption

    By default, most Wireless Access Points have WEP turned off. Most public wireless LAN access points (i.e., airports, hotels, etc.) do not enable WEP. Based on statistical analysis in regions like New York, San Francisco, London, Atlanta, most companies do not turn on WEP security on their APs. If the AP does not enable WEP, the wireless clients can not use the WEP encryption.

    In WAPs, it is optional whether the encryption is enforced. The WEP encryption may be turned on, but if it is not enforced, a client without encryption with the proper SSID can still access that base station.


    by KeysCapt
    last modified: 2006-12-25 22:44:50

    There have been problems with WEP due to many security issues. In the 802.11 standard, WEP is defined as "protecting authorized users of a WLAN from casual eavesdropping." As such, WEP is not a terribly strong form of protection and is subject to numerous exploits based on vulnerabilities and weaknesses.

    These include:
    1. A high percentage of wireless networks have WEP disabled because of the administrative overhead of maintaining a shared WEP key.

    2. WEP has the same problem as all systems based upon shared keys: any secret held by more than one person soon becomes public knowledge. An example is an employee who leaves a company ... the employee still knows the shared WEP key and could sit outside the company sniffing network traffic or even attacking the internal network.

    3. The initialization vector that seeds the WEP algorithm is sent in the clear.

    4. The WEP checksum is linear and predictable.


    by KeysCapt
    last modified: 2005-01-14 20:40:58
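
    Items 3 and 4 in the list above, as an added example (not from the original FAQ): a simplified WEP-style frame with the IV in the clear and a CRC-32 ICV still verifies after its payload is changed without the key, while a keyed tag rejects the same change. HMAC-SHA256 stands in for a keyed integrity check here and is not the algorithm WPA uses; the keys, IV and payload are constructed sample values.

```python
import hashlib
import hmac
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus output generation; WEP keys it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: a plain CRC-32 with no key in it."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_seal(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: cleartext 3-byte IV, then RC4(plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_open(key: bytes, frame: bytes):
    """Receiver side: decrypt, recompute the CRC-32 and compare."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    data, received = body[:-4], body[-4:]
    return data, received == icv(data)


def icv_adjustment(delta: bytes) -> bytes:
    """CRC-32 is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros)."""
    return xor(icv(delta), icv(bytes(len(delta))))


def change_wep_frame(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the payload and adjust the ICV; no key is used anywhere."""
    return frame[:3] + xor(frame[3:], delta + icv_adjustment(delta))


def mic_seal(iv: bytes, key: bytes, mic_key: bytes, plaintext: bytes) -> bytes:
    """Same stream encryption, but integrity comes from a keyed tag."""
    ct = xor(plaintext, rc4_keystream(iv + key, len(plaintext)))
    return iv + ct + hmac.new(mic_key, iv + ct, hashlib.sha256).digest()[:8]


def mic_open(key: bytes, mic_key: bytes, frame: bytes):
    iv, ct, tag = frame[:3], frame[3:-8], frame[-8:]
    expected = hmac.new(mic_key, iv + ct, hashlib.sha256).digest()[:8]
    data = xor(ct, rc4_keystream(iv + key, len(ct)))
    return data, hmac.compare_digest(tag, expected)


def demo() -> dict:
    key = bytes.fromhex("0102030405")      # constructed 40-bit shared key
    mic_key = b"constructed-mic-key"       # constructed integrity key
    iv = bytes.fromhex("a1b2c3")           # travels unencrypted in the frame
    plaintext = b"constructed sample payload"
    delta = bytes([0x01]) + bytes(len(plaintext) - 1)   # flip one payload bit

    changed = change_wep_frame(wep_seal(iv, key, plaintext), delta)
    wep_data, wep_ok = wep_open(key, changed)

    sealed = mic_seal(iv, key, mic_key, plaintext)
    tampered = sealed[:3] + xor(sealed[3:-8], delta) + sealed[-8:]
    _, mic_ok = mic_open(key, mic_key, tampered)

    return {
        "wep_payload_changed": wep_data != plaintext,
        "wep_icv_still_valid": wep_ok,
        "keyed_tag_still_valid": mic_ok,
    }


if __name__ == "__main__":
    print(demo())
```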

    There are numerous tools that afford someone with enough time on his hands the opportunity to try cracking your WEP-enabled Access Point. WEP is now considered to be a very weak, largely ineffective security tool for wireless LANs. Some examples of cracking tools are:

    AirSnort is a wireless LAN tool which cracks encryption keys on 802.11b WEP networks. It operates by passively monitoring transmissions and computing the WEP encryption key when enough packets have been gathered.

    BSD-Airtools is a complete toolset for wireless 802.11b auditing. It contains a cracking application called dweputils (as well as kernel patches for NetBSD, OpenBSD, and FreeBSD). It also contains a detection application similar to Netstumbler that can be used to detect wireless access points and connected nodes, view signal to noise graphs, and interactively scroll through scanned Access Points and view statistics for each.

    WEPCrack is a tool that cracks 802.11 WEP encryption keys by exploiting the weaknesses of RC4 key scheduling.

    WepAttack is a WLAN open source Linux tool for breaking 802.11 WEP keys. This tool is based on an active dictionary attack that tests millions of words to find the right key. Only one packet is required to start an attack on WEP.

    WEPWedgie is a tool for determining 802.11 WEP keystreams and injecting traffic with known keystreams. The toolkit also includes logic for firewall rule mapping, pingscanning, and portscanning via the injection channel and a cellular modem.


    by KeysCapt
    last modified: 2005-12-24 09:14:22

    What is the difference between WEP Open Key and WEP Shared Key?

    See this thread for some good information on this question:
    /forum/remark,8645211~mode=flat

    by Bill, edited by KeysCapt
    last modified: 2005-01-12 12:27:02

    WEP gets a bad rap because it uses a key which can be cracked without too much difficulty.

    One way to 'beef up' WEP is by using tinyPEAP from »www.tinypeap.com which replaces the key every five minutes, which makes cracking the key useless.

    You can learn more about this application here:
    »Need opinion on my wireless security.

    Note (2008-08-20 12:16:18): The website tinypeap.com has been replaced.

    by KeysCapt


    2.2 WPA

    If you already have Wi-Fi certified wireless products, but they don't offer the WPA feature, check the product support website for your wireless devices to find out if there are firmware or software upgrades available. Often manufacturers will offer upgrades to existing firmware that will include WPA.

    by KeysCapt

    Quoting from here

    WPA Enterprise Mode (RADIUS):

    • Requires an authentication server
    • Uses RADIUS protocols for authentication and key distribution
    • Centralizes management of user credentials

    The Enterprise Mode of WPA benefits from the maturity of the RADIUS architecture -- but it requires a RADIUS server. This is not something that will benefit most home users.

    by Bill, edited by KeysCapt
    last modified: 2005-01-11 18:27:21

    WiFi Protected Access, Pre-Shared Key

    WPA is a more powerful security technology for Wi-Fi networks than WEP. It provides strong data protection by using encryption as well as strong access controls and user authentication. WPA utilizes 128-bit encryption keys and dynamic session keys to ensure your wireless network's privacy and enterprise security.

    There are two basic forms of WPA:
    • WPA Enterprise (requires a Radius server)
    • WPA Personal (also known as WPA-PSK)

    Either can use TKIP or AES for encryption. Not all WPA hardware supports AES.

    WPA-PSK is basically an authentication mechanism in which users provide some form of credentials to verify that they should be allowed access to a network. This requires a single password entered into each WLAN node (Access Points, Wireless Routers, client adapters, bridges). As long as the passwords match, a client will be granted access to a WLAN.

    Encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that in WPA-PSK, authentication is reduced to a simple common password, instead of user-specific credentials.

    The Pre-Shared Key (PSK) mode of WPA is considered vulnerable to the same risks as any other shared password system, dictionary attacks for example. Another issue may be key management difficulties, such as removing a user once access has been granted where the key is shared among multiple users, though that is not likely in a home environment.


    by KeysCapt
    last modified: 2010-07-08 19:29:05

    Temporal Key Integrity Protocol

    To improve data encryption, WPA utilizes TKIP.

    TKIP dynamically changes keys as the system is used, and provides a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP. An important part of TKIP is that it changes the key used for each packet. This is the "temporal" part. TKIP is one of the two choices provided by both WAPs and Operating Systems (such as Windows XP) when initializing WPA protection on your wireless network.

    More information here: »www.nwfusion.com/reviews/2004/10···kip.html


    by KeysCapt
    last modified: 2005-04-26 08:51:12

    Advanced Encryption Standard

    AES is a block cipher adopted as an encryption standard by the US government and reportedly it has never been cracked. It's one of the two choices provided by both WAPs and Operating Systems (such as Windows XP) when initializing WPA protection on your wireless network.

    by KeysCapt

    From an article by Glenn Fleishman here: »wifinetnews.com/archives/002453.html

    If you use the standard interface for WPA key entry and provide a text passphrase that uses words found in dictionaries of fewer than 20 characters, a cracker passively intercepting initial key exchange messages can employ an offline dictionary attack and extract the encryption key, gaining access to the network. Key exchange messages occur at the beginning of a connection between an adapter (station) and an access point; that exchange can be forced to repeat by a cracker sending a disassociate message which forces a new exchange within about 30 seconds. So a cracker can be on and off the network in a couple of minutes with the information they need. This is actually much worse than WEP, but easily solved.

    The solution is also quite simple: choose a key of at least 96 bits or a passphrase that includes gibberish that’s more than 20 characters long. So far, of all the WPA interfaces that I’ve seen, only Apple’s allows you to enter raw hexadecimal and they require 64 hex characters (32 bytes or a full 256 bits).

    Robert suggests generating a small random value, turning it into its hex equivalent, and then entering those hex digits as a text passphrase to have sufficient randomness. For more information on passphrase weaknesses and strategies for choosing them, Robert refers you to this FAQ.


    by KeysCapt
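
    The passphrase advice quoted above, as an added example (not code from the article or from this FAQ): it generates a random hex passphrase of at least 96 bits, checks a candidate against the quoted limits, and derives the 256-bit key the way the 802.11i standard defines for WPA-PSK (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), a detail the page itself does not spell out. The function names and the small wordlist are constructed for illustration.

```python
import hashlib
import secrets
import string

# Constructed mini wordlist for the demonstration; a real review would load a large one.
SAMPLE_WORDS = {"blue", "house", "coffee", "shop", "wireless", "network", "password", "home"}
PRINTABLE_ASCII = set(map(chr, range(32, 127)))


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA-PSK key: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID.

    Anyone who captures the key exchange can run this same function over a
    wordlist offline, which is why the passphrase itself has to be unguessable.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def random_hex_passphrase(bits: int = 96) -> str:
    """Random value rendered as hex digits, to be typed in as a text passphrase."""
    if bits % 8 or not 32 <= bits <= 248:
        raise ValueError("bits must be a multiple of 8 between 32 and 248")
    return secrets.token_hex(bits // 8)   # 96 bits -> 24 hex characters


def is_word_sequence(text: str, words: set) -> bool:
    """True if the letters of `text` split cleanly into words from the list."""
    letters = "".join(c for c in text.lower() if c.isalpha())
    if not letters:
        return False
    reachable = [True] + [False] * len(letters)
    for end in range(1, len(letters) + 1):
        reachable[end] = any(
            reachable[start] and letters[start:end] in words for start in range(end)
        )
    return reachable[-1]


def review_passphrase(passphrase: str, words: set = SAMPLE_WORDS) -> list:
    """Return the reasons a passphrase falls short of the quoted advice (empty = none)."""
    findings = []
    is_hex = all(c in string.hexdigits for c in passphrase)
    if len(passphrase) == 64 and is_hex:
        return findings                     # raw 256-bit key entered as 64 hex digits
    if not 8 <= len(passphrase) <= 63 or not set(passphrase) <= PRINTABLE_ASCII:
        findings.append("not a valid WPA passphrase (8-63 printable ASCII characters)")
    if len(passphrase) < 20 and is_word_sequence(passphrase, words):
        findings.append("dictionary words in fewer than 20 characters")
    if is_hex and len(passphrase) * 4 < 96:
        # 4 bits per hex digit, and only if the digits were generated randomly
        findings.append("hex value carries fewer than 96 bits")
    elif not is_hex and len(passphrase) <= 20:
        findings.append("20 characters or fewer")
    return findings


if __name__ == "__main__":
    for candidate in ("bluehouse", "coffeeshop1", random_hex_passphrase()):
        print(repr(candidate), review_passphrase(candidate) or "ok")
    # The SSID is the salt: the same passphrase gives a different key on each network name.
    print(derive_psk("bluehouse", "linksys").hex())
    print(derive_psk("bluehouse", "home-ap-7f3c").hex())   # constructed SSID
```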

    Windows 2000 does not have native support for WPA. You will need to install a third-party "Supplicant", which is basically a software add-on that controls your network card and its encryption.

    You can run WPA-PSK with AES-CCMP on a Windows 2K machine with Funk Software's "Odyssey Client" to control the network card, and software such as "HyperWRT" if you have a Linksys router like the WRT54G.

    The Odyssey Client does this by having the network card's driver loaded into the supplicant during the configuration stage.

    Funk Software:
    »www.funk.com/

    Hyperwrt:
    »www.hyperdrive.be/hyperwrt/


    by KeysCapt

    - WPA is a key-exchanging encryption and authentication method. The correct keys must be exchanged within a certain time and order.
    - If this is not completed, the process ends by interrupting communications. Both the client and AP perform this checking and either one (or both) may be the side with the problem.
    - This communications interruption is a possible cause for the DHCP failure.
    - Because of profile corruption or bugs in some software, this problem can affect wireless products that are not configured to use WPA, WPA-PSK or 802.1X. Use these same steps if you are having the described problems and are using WEP or no encryption.
    - Some 802.11 software and hardware products are more robust than others. Some products may not tolerate unexpected issues like an AP changing security methods, a frequently rebooting AP or client, or multiple security profiles for a single access point.

    The purpose of these steps is to give a hardware and software independent method of resolving the issue of repeated communication lockouts between a wireless Access Point and a wireless client computer.

    SOME EXAMPLES OF WHEN TO USE THIS:
    - You repeatedly get a message from a wireless computer about Limited Connectivity because you did not get an IP address, or you are assigned an APIPA 169.254 address.
    - If you have set a manual IP address, the wireless client says it is connected, but it repeatedly is not communicating or it stops communicating within 5 minutes of connecting every time
    - Even though you have saved profiles for your wireless Access Point (AP), some clients repeatedly refuse to attempt to connect
    - In Event Viewer, DHCP and TCPIP appear in the system event logs over and over, and rebooting has not solved the problem

    THINGS TO TRY FIRST:
    - Reboot your wireless computers and power-cycle your AP.
    - Turn off any options to hide your SSID from broadcasts.
    - Turn off any proprietary speed-enhancing technologies.
    - On your wireless client, delete and re-create your saved profile.

    STEPS TO PERFORM:
    1. On your wireless AP, change your SSID to something that you have never used before.
    2. Unplug power to your AP, take note of the time
    3. Remove all saved profiles for that AP from your wireless computers
    4. Reboot your wireless computers
    5. After 65+ minutes from step 2, plug in your router
    6. Using your wireless computers, associate with the new SSID
    7. Leave the client connected for 65+ minutes. There may or may not be indications of up to two brief reconnections during this time. Do not reboot the AP during this time.
    8. Shut down or reboot your wireless client computer normally (do not sleep, hibernate, or abruptly power-cycle).

    TIP: The 65+ minute wait in step 5 may not be necessary for your hardware or software. If you only have one or two clients, you may wish to first try these steps without that wait. If they are not successful, then try all of the steps again with the wait.

    WHY THIS WOULD WORK (IF IT WORKS): Setting up a new SSID causes the clients to create a new, clean, and correct profile for the access point. Rebooting the hardware is one attempt at clearing authentication failure lockouts. Waiting 65 minutes with the router off is another. Leaving the client online for 65 minutes is to ensure at least one successful key exchange after the initial successful authentication. Shutting down normally allows the software or OS to save configuration or registry information so that you can successfully connect in the future.


    by funchords See Profile edited by KeysCapt See Profile
    last modified: 2005-07-18 18:59:25

    (back)Yes. If you are not using Windows XP SP2, you should first update Windows XP to the latest Service Packs and Updates from Microsoft.

    This problem occurs due to various timing issues involving authentication and the resume process. The authentication process is starting before the hardware is ready or before the initial wireless connection is established.

    Even if you are not using WPA2 in your network, the following optional update for XP SP2 is known to help concerning this problem in any WPA or 802.1X mode (including RADIUS):

    The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available

    If you do not have Administrator rights to your computer, the best course of action would be to ask an Administrator to apply this update for you.

    Otherwise, you may also mitigate this problem by either logging out or turning off your wireless card before suspending. Many newer laptops are equipped with a switch either as a Function Key (Fn) or an actual switch somewhere along the outside casing with the symbol (((•))).


    by funchords See Profile edited by KeysCapt See Profile
    last modified: 2006-01-09 17:03:50

    (back)Remote Authentication Dial In User Service

    RADIUS is a protocol for remote user authentication and accounting that enables centralized management of authentication data, such as usernames and passwords.

    When a user attempts to log in to a RADIUS client, such as a router, the router sends the authentication request to the RADIUS server, which is usually a hard-wired machine on the network. The communication is authenticated and encrypted through the use of a shared secret, which is not transmitted. It consistently protects against a sniffing, active attacker where other remote authentication protocols provide either intermittent, inadequate or non-existent protection.

    RADIUS utilizes the MD5 algorithm for secure password hashing.

    In depth discussion here: »www.untruth.org/~josh/security/r···uth.html


    by KeysCapt See Profile
    last modified: 2005-04-26 10:01:00
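
    The two places RFC 2865 combines MD5 with the shared secret, hiding the User-Password attribute and computing the Response Authenticator, are worked through below. This is an added example, not part of the original FAQ entry; the secret, user name, password and authenticator bytes are constructed sample values.

```python
import hashlib
import hmac
import struct


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with an MD5 keystream."""
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = md5(secret + prev)          # b_i = MD5(secret + previous block)
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream from its copy of the secret."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(block, md5(secret + prev)))
        prev = block
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def access_request(ident, request_auth, username, password, secret) -> bytes:
    # User-Name (type 1) travels as-is; only User-Password (type 2) is hidden.
    attrs = attribute(1, username) + attribute(
        2, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs


def access_accept(ident, request_auth, secret, attrs=b"") -> bytes:
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + md5(header + request_auth + attrs + secret) + attrs


def response_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client (NAS) side: accept a reply only if its authenticator checks out."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = md5(packet[:4] + request_auth + packet[20:] + secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # constructed sample values
    req_auth = bytes(range(16))                 # normally 16 random bytes
    req = access_request(7, req_auth, b"alice", b"correct horse battery", secret)
    reply = access_accept(7, req_auth, secret)
    print(secret in req, b"correct horse" in req, b"alice" in req)
    print(response_is_authentic(reply, req_auth, secret))
    print(response_is_authentic(reply, req_auth, b"wrong-secret"))
```

    The secret never appears in either packet: both sides prove they hold it by producing the same MD5 output.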


    3.0 More Definitions

    (back)War-driving, war-walking, war-flying, war-chalking

    Taken from the movie, "WarGames", where the actor dialed many phone numbers looking for computers to access, called "War-Dialing". The analogy has been applied to wireless. War-walking, war-driving, war-flying refer to the modes of transportation for moving around and identifying various Access Points. Most reports of war-walking, war-driving, and war-flying have resulted in identifying large numbers of wide open unsecure Access Points in most areas.

    War-chalking is the act of marking the area or vicinity with a symbol to infer that an AP is within range. WiFi War-chalking Symbols are at »searchmobilecomputing.techtarget···,00.html

    Here's another FAQ with relevant info: /faq/wardrive


    by KeysCapt See Profile
    last modified: 2005-04-26 09:50:47

    (back)SSID (service set identifier) is a configurable identification that allows clients to communicate with the appropriate base station (WAP).

    The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. Because an SSID can be sniffed in plain text from a packet it does not supply any security to the network.

    Each Access Point advertises its presence several times per second by broadcasting beacon frames that carry the ESS name (SSID). Those who have installed NetStumbler on their WiFi-equipped laptops and cruised around town can relate how many SSIDs pop up, many of them announcing their location, and whether they are secured or not.

    SSID from a security point of view acts as a simple single shared password between base stations and clients, but this should not be considered anything other than a very basic level of security. An SSID can be easily discovered by network sniffing.

    With proper configuration, only clients that are configured with the same SSID should communicate with base stations having the same SSID. Knowing the SSID name does not necessarily mean that rogue clients will be able to join the network. It depends on how the network administrator has configured their WLAN, particularly WEP or WPA security.

    By default, the SSID is part of the packet header for every packet sent over the WLAN.


    by KeysCapt See Profile
    last modified: 2005-04-26 09:51:01

    (back)A supplicant is simply a user or client requesting authentication from the server or access point. This term is used frequently with third-party client software, such as Funk Software Odyssey, LucidLink, etc.

    by KeysCapt See Profile
    last modified: 2005-04-26 09:51:27


    4.0 Setup

    (back)





    These are examples of setting up WPA Security in a LinkSys Wireless Router.
    In the first image, the WPA Pre-Shared Key option is selected. The other common option (sometimes referred to as a 'home user' option) is WEP, generally considered less secure than WPA.

    In the second graphic, the type of WPA security is selected. In this example, TKIP is the choice.

    The administrator then enters his passphrase in the Shared Key window.

    The third graphic is the setup window for a NetGear wireless card, showing the SSID of the network and in this case, WPA plus AES rather than TKIP. Both of these should be the same selection, obviously.


    by KeysCapt See Profile
    last modified: 2005-01-11 18:25:40

    (back)How to build a FreeRADIUS server for TLS and PEAP authentication, and how to configure the Windows XP clients.

    See this post:
    /forum/remark,9286052~mode=flat

    by Bill See Profile edited by KeysCapt See Profile
    last modified: 2005-01-11 18:31:42

    (back)Many Wireless Access Point vendors include a configuration option which allows you to disable broadcasting of the SSID. Doing so does very little for your security because it only prevents the SSID from being broadcast with Probe Request and Beacon frames.

    The SSID must be broadcast with Probe Response frames. In addition, the wireless access cards will broadcast the SSID in their Association and Reassociation frames. Because of this, disabling the SSID broadcast cannot be considered a valid security tool.


    by KeysCapt See Profile
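
    The frame types named in the entry above can be checked by reading the SSID element out of each one. This is an added example, not part of the original FAQ entry: the parser is a minimal sketch for raw 802.11 management frames, and the sample frames, MAC addresses and the network name "ExampleNet" are constructed.

```python
import struct

# Fixed-field bytes that precede the information elements, per management subtype.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}


def parse_ssid(frame: bytes):
    """Return (subtype name, BSSID, SSID or None) for a management frame, else None.

    Expects the raw 802.11 frame (no radiotap header, no FCS)."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    bssid = frame[16:22].hex(":")               # address 3 in these frames
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:                    # truncated element: stop parsing
            break
        if eid == 0:                            # SSID element
            blank = elen == 0 or not any(body)  # zero-length or NUL-filled
            return NAMES[subtype], bssid, None if blank else body.decode("utf-8", "replace")
        pos += 2 + elen
    return NAMES[subtype], bssid, None


def ssid_exposure(frames):
    """Map BSSID -> {frame subtype: SSID carried, or None when blank}."""
    seen = {}
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed:
            kind, bssid, ssid = parsed
            seen.setdefault(bssid, {})[kind] = ssid
    return seen


def make_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes, ssid: bytes) -> bytes:
    """Build a constructed sample management frame carrying an SSID element."""
    header = struct.pack("<BBH", subtype << 4, 0, 0) + dst + src + bssid + b"\x00\x00"
    elements = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID, rates
    return header + b"\x00" * FIXED_LEN[subtype] + elements


AP = bytes.fromhex("020000000001")        # constructed, locally administered
STA = bytes.fromhex("020000000002")
SAMPLE = [
    make_frame(8, b"\xff" * 6, AP, AP, b""),            # beacon, broadcast disabled
    make_frame(5, STA, AP, AP, b"ExampleNet"),          # probe response
    make_frame(0, AP, STA, AP, b"ExampleNet"),          # association request
]

if __name__ == "__main__":
    print(ssid_exposure(SAMPLE))
```

    With broadcasting disabled the beacon carries a blank name, yet the probe response and the association request for the same BSSID still carry it in the clear.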

    (back)For help with WZC, see this Microsoft article:
    »www.microsoft.com/technet/commun···102.mspx

    by KeysCapt See Profile


    5.0 Tools

    (back)AirSnare is another tool that will alert you to unfriendly MAC addresses on your wireless network and will also alert you to DHCP requests taking place. If AirSnare detects an unfriendly MAC address it can track the MAC address's access to IP addresses and ports or launch Ethereal upon a detection.

    AirSnare is installed on a machine that is associated with the Access Point.

    Download it here: »home.comcast.net/~jay.deboer/air···oad.html

    There is a user guide here: »home.comcast.net/~jay.deboer/air···ide.html


    by KeysCapt See Profile edited by jazzman916 See Profile
    last modified: 2005-04-09 16:34:04

    (back)Wireshark is a free packet sniffer that not only decodes network traffic, but can filter and analyze it, all with an advanced, GTK-based GUI. It is an extremely useful tool for looking at exactly what's happening on your LAN and/or WLAN.

    Get it here:
    »www.wireshark.org/

    by KeysCapt See Profile
    last modified: 2007-07-20 21:26:03

    (back)Fake AP generates thousands of counterfeit 802.11b access points so you can "hide in plain sight" basically invisible to wardrivers.

    »www.blackalchemy.to/project/fakeap/

    by KeysCapt See Profile

    (back)Kismet is a passive site monitoring, decloaking, and packet sniffing tool that works for all 802.11x protocols.

    Whereas site monitoring tools like Netstumbler are active, "noisy" (they request responses from APs), and thus detectable, kismet works by passively monitoring and capturing packets, allowing for the stealthy detection of APs that would normally not be detected in Netstumbler.

    Kismet requires a wireless NIC and drivers that support rfmon mode.

    by Nerdtalker See Profile edited by KeysCapt See Profile
    last modified: 2005-04-26 09:34:06

    (back)LucidLink is a commercial software app that runs as a RADIUS server on the wired side of the network delivering strong RADIUS/802.1X security that is extremely easy to set-up and use.
    The client is free to download and use, and installs easily.

    Edit: 11/27/05
    Lucidlink has apparently folded up their tents and stolen away. The site no longer exists.

    by KeysCapt See Profile
    last modified: 2005-11-27 17:22:13

    (back)MacStumbler is a utility to display information about nearby 802.11b and g wireless access points.
    Requires an Apple Airport Card and MacOS 10.1 or greater. MacStumbler doesn't currently support any kind of PCMCIA or USB wireless device.

    »www.macstumbler.com/

    by KeysCapt See Profile

    (back)Additional Mac Scanning Tools

    IStumbler
    »www.istumbler.net/

    In functionality, a little better than MacStumbler, supports Airport Extreme and Bluetooth.
    • Note - Airport Extreme is *different* than "normal" Airport. They have totally different chipsets. So you can't assume the new one is backwards compatible.

    KISMAC
    »binaervarianz.de/projekte/progra···/kismac/

    Essentially, a Mac OS port of Kismet for Linux. Supports scanning in passive mode on a number of wireless devices, including PCMCIA and USB. Also has functionality to "crack" the passcode for devices it detects (advanced knowledge necessary).


    by macmouse See Profile edited by KeysCapt See Profile
    last modified: 2005-01-15 20:10:24

    (back) NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:
    • Verify that your network is set up the way you intended.
    • Find locations with poor coverage in your WLAN.
    • Detect other networks that may be causing interference on your network.
    • Detect unauthorized "rogue" access points in your workplace.
    • Help aim directional antennas for long-haul WLAN links.
    • Use it recreationally for WarDriving.


    Get it here:
    »www.netstumbler.com/downloads/

    See this in-depth FAQ on NetStumbler by Bill See Profile:
    /faq/11414


    by KeysCapt See Profile
    last modified: 2005-01-15 14:16:26


    6.0 Miscellaneous Help

    (back)How do I isolate my wired network from my wireless network while both are allowed to share one Internet connection?

    Using two routers to secure a subnet without double NAT


    Doing NAT in two routers is undesirable because it tends to break some software such as VPN and online games. By purchasing the correct equipment you can eliminate double NAT.

    Router one must support NAT for IP addresses that are not on the same subnet as the router and support static routes. If router one is providing wireless access, it needs to support WPA to be secure. Router one should also have SPI firewall for security. You could also use a wired router and a separate wireless access point. For testing this I used a Netgear WGR614 version 5 wireless router ($20 after rebate). As far as I know, all the Zyxel routers, firewalls, and DSL modem/routers support all of these requirements except wireless/WPA and some of them support WPA. Router one will support the DMZ/wireless subnet.

    The second router must support a SPI firewall with NAT disabled to secure the protected LAN. To use DHCP on the protected “LAN”, the second router must support manually assigning DNS servers (which will be given to the DHCP clients). I used a Zyxel P334WT for the second router (less than $62 shipped). As far as I know, all the Zyxel routers and firewalls currently in production support these requirements. Router two will provide Internet access to the “secure” LAN through router one.

    You must use two subnets. For this example I use 172.30.100.0 for the DMZ and 192.168.8.0 for the LAN both with masks of 255.255.255.0
    (172.30 is a class B block under the now obsolete IP class rules and the normal mask for a class B is 255.255.0.0 but you could always subnet a class B)
    You can use your existing subnet for the LAN as long as you use a different subnet for the DMZ.

      • Assign Router One a LAN IP address of 172.30.100.1 mask 255.255.255.0
      • Create a static route with a destination of 192.168.8.0 mask 255.255.255.0 gateway 172.30.100.2
      • Set the DHCP server -start- address to 172.30.100.100 and -end- address to 172.30.100.149 (or any range you want as long as it doesn’t include .1 and .2 and is part of the same subnet)
      • Optionally set the default DMZ server to 172.30.100.2 if you want to see port probes in the P334WT's logs.
      • If you are going to be using wireless, setup and enable Router one's wireless LAN
      • Connect the WAN port of Router one to your DSL or cable modem.

      • Disable Router Two's wireless LAN if it has one.
      • Assign router two a LAN IP address of 192.168.8.1 mask 255.255.255.0
      • Set the DHCP -start- address to 192.168.8.100 and -end- address to 192.168.8.149 (or any range you want as long as it doesn’t include .1 and is part of the same subnet)
      • Set the first DNS server to IP address assigned by your ISP as first choice (You can get these from Router one's status)
      • Set the second DNS server to IP address assigned by your ISP as second choice (You can get these from Router one's status)
      • Set the third DNS server to 172.30.100.1 (LAN IP of router one)
      • Set Windows networking Netbios over TCP/IP to allow between LAN and WAN (on the LAN setup page)
      • Assign Router two a WAN IP address of 172.30.100.2 mask 255.255.255.0 gateway 172.30.100.1
      • Set address translation to NONE on a Zyxel P334WT (uncheck -enable NAT- on a Zywall 5)
      • Set Windows networking (Netbios over TCP/IP) to allow between LAN and WAN (on the WAN setup page)


    • Connect the WAN port of Router two to a LAN port of Router one.
    You should install a software firewall on all the wireless and DMZ PCs. I use the free version of Zone Alarm and set it to trust the LAN subnet.
    • Connect any wired “DMZ” PCs to LAN ports on Router One (use a switch if you need more ports).
    Connect your “secure” LAN PCs to LAN ports on Router Two (use a switch if you need more ports).

    If you need to access shares on a PC that connects to the DMZ subnet (wired or wireless), go to the PC and at a cmd prompt enter:
    route add 192.168.8.0 mask 255.255.255.0 172.30.100.2
    Or
    route -p add 192.168.8.0 mask 255.255.255.0 172.30.100.2
    if you want the route to be semi permanent (you can delete it).
    Then use find computer to find the DMZ PC. If you share a folder read/write on the PC, you can transfer files in both directions.

    If you need to access a share on the LAN from a DMZ PC, the cheap way is to temporarily disconnect the PC from the DMZ and connect it to the LAN.

    Since the P334WT has a limited VPN server the other option to access the LAN from the DMZ is to setup a VPN rule on the P334WT and install VPN client software on the DMZ PC(s). I use this method to access a shared printer from my wireless notebook PC. You can download a free (but old) VPN client here:

    »ftp.up.ac.za/pub/linux/ssh/pub/sentinel/

    This link is from the top of the VPN forum here.

    If you are using P2P software, you may want to consider a more robust router than the Netgear WGR614 such as a second P334WT for Router One. I did a second successful test using my P334T as Router one and my Zywall 5 as Router Two.

    ------------------------
    This entry is from a post by janderso1 See Profile
    »Using two routers for securtity without double NAT


    Although this method can be used to isolate any two network segments, a wireless network is the most frequent reason for a home user to want to isolate a network segment.


    by janderso1 See Profile edited by KeysCapt See Profile
    last modified: 2005-12-24 08:12:52

    (back)The purpose of these steps is to give a hardware and software independent method of resolving the issue of repeated communication lockouts between a wireless Access Point and a wireless client computer.

    SOME EXAMPLES OF WHEN TO USE THIS:
    - You repeatedly get a message from a wireless computer about Limited Connectivity because you did not get an IP address, or you are assigned an APIPA 169.254 address.
    - If you have set a manual IP address, the wireless client says it is connected, but it repeatedly is not communicating or it stops communicating within 5 minutes of connecting every time
    - Even though you have saved profiles for your wireless Access Point (AP), some clients repeatedly refuse to attempt to connect
    - In Event Viewer, DHCP and TCPIP appear in the system event logs over and over, and rebooting has not solved the problem

    THINGS TO TRY FIRST:
    - Reboot your wireless computers and power-cycle your AP.
    - Turn off any options to hide your SSID from broadcasts.
    - Turn off any proprietary speed-enhancing technologies.
    - On your wireless client, delete and re-create your saved profile.

    STEPS TO PERFORM:
    1. On your wireless AP, change your SSID to something that you have never used before.
    2. Unplug power to your AP, take note of the time
    3. Remove all saved profiles for that AP from your wireless computers
    4. Reboot your wireless computers
    5. After 65+ minutes from step 2, plug in your router
    6. Using your wireless computers, associate with the new SSID
    7. Leave the client connected for 65+ minutes. There may or may not be indications of up to two brief reconnections during this time. Do not reboot the AP during this time.
    8. Shut down or reboot your wireless client computer normally (do not sleep, hibernate, or abruptly power-cycle).

    TIP: The 65+ minute wait in step 5 may not be necessary for your hardware or software. If you only have one or two clients, you may wish to first try these steps without that wait. If they are not successful, then try all of the steps again with the wait.

    WHY THIS WOULD WORK (IF IT WORKS): Setting up a new SSID causes the clients to create a new, clean, and correct profile for the access point. Rebooting the hardware is one attempt at clearing authentication failure lockouts. Waiting 65 minutes with the router off is another. Leaving the client online for 65 minutes is to ensure at least one successful key exchange after the initial successful authentication. Shutting down normally allows the software or OS to save configuration or registry information so that you can successfully connect in the future.

    NOTES:
    - WPA-PSK is a key-exchanging encryption and authentication method. The correct keys must be exchanged within a certain time and order.
    - If this is not completed, the process ends by interrupting communications. Both the client and AP perform this checking and either one (or both) may be the side with the problem.
    - This communications interruption is a possible cause for the DHCP failure.
    - This problem can affect wireless products that are not configured to use WPA-PSK or 802.1X. Use these same steps if you are having the described problems and are using WEP or no encryption.
    - Some 802.11 software and hardware products are more robust than others. Some products may not tolerate unexpected issues like an AP changing security methods, a frequently rebooting AP or client, or multiple security profiles for a single access point.

    --------------------------
    This entry from a post by funchords See Profile
    »WPA-PSK Communications Lockout or DHCP Failure Tip


    by KeysCapt See Profile


    7.0 Other Info Sources

    (back)This is a great FAQ with very thorough information about all aspects of wireless security:
    »www.drizzle.com/~aboba/IEEE/

    by KeysCapt See Profile

    (back)No. Wardriving solely to detect the presence of wireless access points without malicious intent in and of itself is not illegal.

    However, the unsolicited association with an open access point is illegal.

    Some good reading regarding the legality of wardriving: »www.sans.org/rr/whitepapers/wireless/176.php

    by Nerdtalker See Profile edited by jazzman916 See Profile
    last modified: 2005-07-18 18:51:06


  • © 1999-2013 dslreports.com.