
Glen T

join:2003-11-03
BC

Hiding unsecured networks - Part 2

Several respondents to my previous topic of hiding wireless networks at the client have pointed out that I framed my question in the wrong context. Here's a different take on a similar topic.

Sorry if this seems recycled, but I am just trying to respond to the critics who said that I didn't pose the right question. I hope I got it right this time:

A client had me setting up a wireless network for a small business in a multi-use commercial/condo (you can live where you work). There are no fewer than 10 wireless networks within range of their computers.

Overlapping frequencies kept bumping my client's computers off their wireless station. Within an hour two of my client's users were hooked up to other people's networks -- before we even had a chance to try alternative channels. Their SSID kept disappearing, so they just hooked up to another one named "linksys".

Half of the 10 networks in that building/block are not secured in any way. My problem is that I would like to hide these networks from view in the Windows XP wireless connection wizard -- out of sight is out of mind.

I think we all agree that hooking up to someone else's network is not a good thing for many reasons. Also, this is not a secure solution and it will not discourage a serious hacker. This solution is meant simply to discourage inadvertent connection to an outside network.

Many respondents to the other topic pointed out that we could lock down access to a preferred network by using firewall software and assigned IP ranges. While this solution would work fine, it requires a lot of setup and ongoing maintenance (adding new computers) that is beyond the technical ability of my client. It would make it very difficult for my client to add a new computer to the network on a temporary (drop in) or permanent basis, because this small network is not managed in-house. I think DHCP is the simplest choice for this situation.


jaa
Premium,MVM
join:2000-06-13
New Canaan, CT
·Vonage
·Optimum Online

If your network is the only one in the preferred network list, it should connect there first.

They should not be able to connect to an unsecured network without explicitly accepting the connection - there is a box that appears saying "are you sure you want to connect to this unsecured network".
--
NOTHING justifies terrorism. We don't negotiate with terrorists. Those that support terrorists are terrorists.


funchords
Robb
Premium,MVM
join:2001-03-11
Hillsboro, OR
·Verizon Online DSL
·Skype
·Comcast

reply to Glen T
said by Glen T See Profile:

Many respondents to the other topic pointed out that we could lock down access to a preferred network by using firewall software and assigned IP ranges. While this solution would work fine
Maybe I have to go read the other thread first, but IP ranges, DHCP, and firewall software do not even come into play at the time an association is made. The association is made, then the additional layers that make the above possible are added. By the time they could do any work, it's too late.

These might limit access after the incorrect association was made, but they won't prevent the incorrect association.

Group Policies for wireless seems to be a feature in Windows Server 2003 which is not offered in any way in Windows XP. Yet, WS2003 can manage XP with wireless policies -- so my guess is that there has to be a way. I'm sorry that I don't have an answer and can only splash cold water on the quoted part above.
--
Robb Topolski
http://www.funchords.com/
Hillsboro, Oregon USA


Birds

join:2004-10-23


edit:
June 21st, @02:53PM

reply to Glen T
What is shared below does not touch on the default "out of the box setup" because you mentioned that these are clients. So I am working from the standpoint that as a computer professional you make it a common practice to implement WPA security, use unique SSIDs, and tell your clients about the risks of using open/unsecured networks.

Wireless networking may not be the best way to network your clients in this case. It might be the easiest and most interesting, but maybe not the most reliable and productive solution.

As you know, simply "hiding" the unsecured connections won't do anything to reduce interference. So if there is a problem with a heavily congested 2.4 GHz band in that location then wireless just may not be the best option.

The technology to limit connections to a specified wireless network is already present in XP without having to hide unsecured networks.

- XP's Wireless Zero Configuration has a check box one can unselect that would prevent the system from automatically connecting to any available network - it will only connect to the one specified.
- Setting up the client workstations with an SSID other than "Linksys" should prevent them from connecting to other networks.
- The two combined should be the end of accidental connections. Any connection made from this point on would require the user to knowingly seek out another network.

A client disregarding your configuration and knowingly searching for an open network is a mind set of the client and not a technical problem. It has been my experience that with certain clients nothing short of fully locking down a computer will prevent them from "tweaking".

Maybe a wired solution is what should be recommended as the best way to keep the clients secure and productive, as well as reduce the number of service calls you have to make for trivial problems (which in turn reduces the number of clients you can support).


jaa
Premium,MVM
join:2000-06-13
New Canaan, CT
·Vonage
·Optimum Online

reply to Glen T
Another option may be an 802.11a network. If you put in a-only adapters, they will not be able to connect to the b and g networks, and not have an interference problem either.
--
NOTHING justifies terrorism. We don't negotiate with terrorists. Those that support terrorists are terrorists.


Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ
clubs:
·Comcast

said by jaa See Profile:

Another option may be an 802.11a network. If you put in a-only adapters, they will not be able to connect to the b and g networks, and not have an interference problem either.
You beat me to it.

If there are truly that many APs surrounding you, you should seriously consider either moving to 802.11a, or you could optionally (if you're not concerned with it being entirely legit) use a European channel using European station firmware.

However, your clients should not be connecting to random APs within range by default. It just doesn't work that way in WZC. I'm not sure whether you're running some authentication/card client from your Wireless NIC's manufacturer, but that shouldn't be set up like that either.

The wording in the WZC Wireless Networks->Advanced box is a little strange, but if you 'uncheck automatically connect to non preferred networks' (which is unchecked by default), you should find your way around a lot of headaches.
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

iPod Shuffle=iPos


I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 6200+


alex4life
Alex4life
Premium
join:2001-06-22
Delta, BC

reply to Glen T
said by Glen T See Profile:

Their SSID kept disappearing, so they just hooked up to another one named "linksys".
That shouldn't happen unless their SSID is also Linksys. If it is, change it.
--
"For in the final analysis, our most basic common link is that we all inhabit this small planet, we all breathe the same air, we all cherish our children's future, and we are all mortal." - John F. Kennedy


Birds

join:2004-10-23
reply to Glen T
Would range/distance be reduced by moving to 802.11a?


ThreeD

join:2001-05-19
Southern Cal
clubs:
·Cox HSI

said by Birds See Profile:

Would range/distance be reduced by moving to 802.11a?
Normally A is said to have less range due to frequency and penetration of the structure. In this case, with all the interference from other wireless, A could potentially be better.
--
My goal in life is to be as good of a person as my dog already thinks I am.

jpg366

join:2004-04-09
Humble, TX
·RoadRunner Cable
·Mediacom
·AT&T Southeast

reply to Glen T
It is fairly easy to tell Windows to talk only to your particular SSID (provided yours is unique). A few steps on one page could walk a new user through that.

It might be possible to work through the Condo Association to encourage each wireless network owner to adopt a different SSID. Interference may still be a problem. Have you used NetStumbler to see which channels might be open? If most are "default," then there may be quite a bit of space. I don't think most wireless cards can be held to a single channel when in infrastructure mode. The 802.11a solution suggested is good, although relatively expensive, and most would need a new wireless adaptor. Each would need to replace or disable their 'b' adaptor.

But given the likelihood of someone connecting through an unknown unsecured network, a software firewall on each PC would be a good idea. A "silent install" of a pre-configured free firewall could be provided for each new PC.

Are the client PCs close enough together to consider a wired network? There is cat-5 cable rated for A/C plenums.

Glen T

join:2003-11-03
BC


edit:
June 24th, @10:52AM

reply to Birds
****
Wireless networking may not be the best way to network your clients in this case. It might be the easiest and most interesting, but maybe not the most reliable and productive solution.
****

Agreed. We did end up wiring all of the desktops. They still have two laptops that they are using wirelessly for the convenience of taking them into an area where there are no wired drops.

****
A client disregarding your configuration and knowingly searching for an open network is a mind set of the client and not a technical problem. It has been my experience that with certain clients nothing short of fully locking down a computer will prevent them from "tweaking".
****
Agreed. But this is done more out of reflex than malice. What had been happening is that our unique SSID (WPA secured) just disappears at times and the client then consciously grabs another available connection to continue working.

'If' there were no visible unsecured connections, and they could not get access to the secured connections, then they would call me and I'd come in and do some more tuning and explore alternative solutions. But what is more likely is that they will happily continue to use the available connection until they find something else broken, such as when they try to print to a networked printer etc.

Glen T

join:2003-11-03
BC

reply to jaa
****
Another option may be an 802.11a network. If you put in a-only adapters, they will not be able to connect to the b and g networks, and not have an interference problem either.
****

This would certainly be an option. But I think I should probably get some kind of sniffer to take a look at the wireless 'a' traffic before we spend more money. We may find that 'a' is just as cluttered. Not sure about built-in support for 'a' on the two laptops.


DaDogs
Semper Vigilantis
Premium
join:2004-02-28
Deltaville, VA


edit:
June 24th, @08:13PM

User education? How many hours are you going to spend and expect others to expend trying to accomplish what fifteen minutes of user training will accomplish? Mind you don't take that the wrong way. I just had to train one of our customers the second time last Saturday afternoon. I finally took the time to actually teach him what he was seeing.

No more calls.


--
Stupid is as this Crook does.
»www.filecabi.net/v.php?file=MichaelCrook.wmv

Glen T

join:2003-11-03
BC
User education is good. However, for the users that I haven't met yet, I'd like to be proactive and set the system up in a way that curbs future behaviour. In this case I really believe that out of sight is out of mind for most people.


DaDogs
Semper Vigilantis
Premium
join:2004-02-28
Deltaville, VA


edit:
June 24th, @09:16PM

said by Glen T See Profile:

User education is good. However, for the users that I haven't met yet, I'd like to be proactive and set the system up in a way that curbs future behaviour. In this case I really believe that out of sight is out of mind for most people.
Well, you have been given all the simple ideas. Why don't you just give Microsoft a call and ask them to modify their code to have an exclude list. That won't help you with users you haven't met yet, will it?

You see the thing you are asking for is not trivial. On the one hand there is an actual NEED to be able to see any network SSID which might show up in your wireless configuration menu. On the other hand you have a need to exclude some arbitrarily defined SSIDs. There is no way to do that.

There are no perfectly satisfactory answers to some questions. It would appear that there is no perfectly satisfactory answer to your particular question.

--
Stupid is as this Crook does.
»www.filecabi.net/v.php?file=MichaelCrook.wmv

Glen T

join:2003-11-03
BC


edit:
June 28th, @12:02PM

****
You see the thing you are asking for is not trivial. On the one hand there is an actual NEED to be able to see any network SSID which might show up in your wireless configuration menu. On the other hand you have a need to exclude some arbitrarily defined SSIDs. There is no way to do that.
*****

The MS wireless connection wizard already has the code to discriminate between secure and non-secure wireless networks. All MS would have to do is create a switch and then check it when they build up the list of available networks. I guarantee you that this would be a trivial change. The most work would be adding the switch to the admin security interface. Alternatively, they could just leave it as a registry entry that you could set yourself.

Maybe someone from MS will swing by and read this. And maybe XP SP3 will have what I'm looking for.

Glen T

join:2003-11-03
BC


edit:
June 29th, @11:42AM


WSC Guard client
Stumbled on a relevant article in the First Looks section of the current (June 28) issue of PC Magazine, called "New Utilities Make Wireless Setup, Security Easy."

They reviewed two sets of software. WSC Guard is a hosted RADIUS server that offers higher security for home and small business users for a small monthly fee.

They also include an alternative wireless client that graphically marks 'clear' (unsecured) networks with a red (X) symbol.

The wireless client is available as freeware from the company »www.wirelesssecuritycorp.com


funchords
Robb
Premium,MVM
join:2001-03-11
Hillsboro, OR
·Verizon Online DSL
·Skype
·Comcast

said by Glen T See Profile:

They reviewed two sets of software. WSC Guard is a hosted RADIUS server that offers higher security for home and small business users for a small monthly fee.
I often wondered why Microsoft didn't use Passport for this. Sure would solve some of my small-workgroup issues.

Thanks for the link.
--
Robb Topolski
http://www.funchords.com/
Hillsboro, Oregon USA
Kindness is treating someone better than they deserve.


DaDogs
Semper Vigilantis
Premium
join:2004-02-28
Deltaville, VA


edit:
July 7th, @01:20AM

reply to Glen T
said by Glen T See Profile:

said by DaDogs See Profile:

You see the thing you are asking for is not trivial. On the one hand there is an actual NEED to be able to see any network SSID which might show up in your wireless configuration menu. On the other hand you have a need to exclude some arbitrarily defined SSIDs. There is no way to do that.
The MS wireless connection wizard already has the code to discriminate between secure and non-secure wireless networks. All MS would have to do is create a switch and then check it when they build up the list of available networks. I guarantee you that this would be a trivial change. The most work would be adding the switch to the admin security interface. Alternatively, they could just leave it as a registry entry that you could set yourself.

Maybe someone from MS will swing by and read this. And maybe XP SP3 will have what I'm looking for.
Yah know I have written well over a million lines of C over the course of my coding career and I have learned that nobody is allowed to "guarantee you that would be a trivial change". It may be, and it may not be.

You see on the ONE hand there is an actual need to be able to see any network SSID which might be available on your configuration menu and on the other hand you (and one other person so far) feel a need to exclude some arbitrarily defined SSIDs.

There IS a way to do that, after thinking about it, but it would be more than a check box. It would be a listbox whence you clicked an SSID and caused it to switch from the "connect to these" list to the "never connect to these" list. It would be an SSID "black list". Yes, upon thinking about it, it would probably be pretty easy to implement and I think it is a good idea. Since you had it, why don't you lobby M$ and see if they will do it? They may well not only do it but they may also patent it.
--
Need a bit more range? WWW.FREEANTENNAS.COM
Need a bit more privacy? WWW.FREEANTENNAS.COM
Need a bit more speed? WWW.FREEANTENNAS.COM
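
The "hide unsecured networks" switch and the SSID exclude list debated in the posts above, modelled in Python as an added example; it is not code from any poster or from Windows. The `Network` and `Policy` types, the SSID `OfficeNet` and the scan values are constructed assumptions, and the selection logic is a simplified model, not Wireless Zero Configuration's actual algorithm.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Network:
    ssid: str
    security: str  # "open", "wep" or "wpa"
    signal: int    # signal strength in percent

@dataclass(frozen=True)
class Policy:
    preferred: tuple                      # (ssid, required security) pairs
    hide_unsecured: bool = False          # the switch Glen T asks for
    deny_ssids: frozenset = frozenset()   # the SSID exclude list DaDogs describes
    auto_connect_non_preferred: bool = False

def is_preferred(net, policy):
    # Match on SSID *and* security type, so an open network that merely
    # shares the office SSID is not treated as the office network.
    return (net.ssid, net.security) in policy.preferred

def visible_networks(scan, policy):
    """Networks the chooser would list, strongest signal first."""
    shown = []
    for net in scan:
        if not is_preferred(net, policy):
            if net.ssid in policy.deny_ssids:
                continue
            if policy.hide_unsecured and net.security == "open":
                continue
        shown.append(net)
    return sorted(shown, key=lambda n: n.signal, reverse=True)

def auto_connect_target(scan, policy):
    """Network joined without user action, or None."""
    preferred = [n for n in scan if is_preferred(n, policy)]
    if preferred:
        return max(preferred, key=lambda n: n.signal)
    if policy.auto_connect_non_preferred:
        fallback = [n for n in visible_networks(scan, policy) if n.security == "open"]
        if fallback:
            return max(fallback, key=lambda n: n.signal)
    return None

# Constructed scan results for illustration.
SCAN = [
    Network("OfficeNet", "wpa", 40),
    Network("linksys", "open", 80),
    Network("OfficeNet", "open", 70),   # look-alike sharing the office SSID
    Network("default", "open", 60),
    Network("NeighborWPA", "wpa", 55),
]
SCAN_OFFICE_DOWN = [n for n in SCAN if n != SCAN[0]]

LAX = Policy(preferred=(("OfficeNet", "wpa"),), auto_connect_non_preferred=True)
STRICT = Policy(preferred=(("OfficeNet", "wpa"),), hide_unsecured=True,
                deny_ssids=frozenset({"NeighborWPA"}))

if __name__ == "__main__":
    for name, pol in (("lax", LAX), ("strict", STRICT)):
        print(name, [n.ssid for n in visible_networks(SCAN_OFFICE_DOWN, pol)],
              auto_connect_target(SCAN_OFFICE_DOWN, pol))
```

With the office access point missing from the scan, the strict policy leaves nothing to list or join, while the lax policy falls back to the strongest open network.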
Friday, 21-Nov 20:36:44 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 9 years online! © 1999-2008 dslreports.com.