 shamrin
join:2001-01-08
Lexington, KY | Securing your WLAN without WEP? I had to shut down WEP on my wireless clients because one of the NICs is having trouble holding its algorithm. Within two days I found in the DHCP log that I had an "unauthorised user" on my LAN. I'm not all terrified about him using my internet connection, but all the machines around here have file sharing turned on and a malicious user could do some pretty heavy damage.
I've solved this problem in the following way:
1) Turn on fixed IP assitnments (based on MAC address) with all authorised users between 50-100 for the last octect (i.e. all my machines have IP x.x.x.50 to x.x.x.100)
2) Set DHCP to issue new IP addresses between x.x.x.0 and x.x.x.49
3) Set Zone Alarm to recognise x.x.x.50 to x.x.x.100 as local (medium security) and everything else as internet (high security)
4) Password-protect the shared directories on the W98 machines that are not running Zone Alarm.
I know this isn't foolproof, for example if the intruder reads this board he'll know that he should start hardcoding his IP, testing ranges of 10 until he hits a valid IP. However, I'm thinking it is at least a pretty good deterant.
I was wondering if anyone would care to comment on this strategy and/or share their own strategies for non-WEP security?
sch
|
|
Anon | does WEP hurt your bandwidth that bad?
security through obscurity..... is == (drive of hacker) x (desirability of your content) / (complexity of your enigma).
question: how did he know your SSID? (or can that be picked up by 'scanning' the area?)
Q2: do you have a linksys product? (or do you use ZoneAlarm on it's own?)
Q3: have you tried PC Cillin? |
|
|
|
 DrTCPYours trulyPremium,ExMod 1999-04
join:1999-11-09
Round Rock, TX | said by hakalugi:
question: how did he know your SSID? (or can that be picked up by 'scanning' the area?)
AP SSID can be learned easily by using programs like Netstumbler (for Orinoco based cards). There are other programs out there that can do passive scanning as well (so they will detect AP name while client is associating even if AP is not advertising its name)
--
Austinites! Check out new Austin forum! |
|
JPSJPS
join:2001-07-02
nicaragua | reply to shamrin
I do not see the same options with SMC7004AWBR, but is MAC address control about the same as your first 2 items?
(allow connection to specified MAC address only)
John |
|
shamrin
join:2001-01-08
Lexington, KY | Re: Answers and clarification Q: does WEP hurt your bandwidth that bad?
No (well, yes actually, but I don't notice it), rather the card/driver combo I have has a bit of a hard time with WEP. They run more reliably without it.
Q: do you have a linksys product? (or do you use ZoneAlarm on it's own?)
This seems a bit of one of those "Did you walk to work or did you bring your lunch?" kind of questions. No linksys products though, I'm using an SMC AP/Router.
Q: have you tried PC Cillin?
No, it looks like (in this context) it would do the same thing that ZA does now as a software firewall.
Q: how did he know your SSID?
As far as I can tell, SSID is meaningless as a security measure. I don't have the SSID of the AP set in any of my own machines even, I just have it set to "ANY" and they connect just fine.
Q: is MAC address control about the same as your first 2 items?
Yes. I'm using the 7004WBR and the items mentioned are set on the MAC Address Control page. I'll paste a picture of how my page looks if you are interested.
sch
|
|
DrTCPYours trulyPremium,ExMod 1999-04
join:1999-11-09
Round Rock, TX | said by shamrin:
Q: how did he know your SSID?
As far as I can tell, SSID is meaningless as a security measure. I don't have the SSID of the AP set in any of my own machines even, I just have it set to "ANY" and they connect just fine.
"ANY" would work only for "Open system" installations where SSID is broadcast at each beacon. "Closed system" does not advertise the SSID (they are suppressed in beacons) so "ANY" will fail to associate.
My Wireless Router (ZyXEL P316) allows me to hide SSID so Netstumbler scans and "ANY" will fail. You need exact SSID to associate. It makes it harder to identify the AP but it is not totally foolproof. Other Wireless sniffers like Kismet can do passive monitoring and AP SSID can still be captured when a client is associating itself with AP. This does not happen often so hacker may need to monitor your network for a long while particularly if it is not a very active network where clients come and go everytime.
--
Austinites! Check out new Austin forum! |
|
| reply to shamrin
Re: Securing your WLAN without WEP? To prevent access to files you can use NetBeui for file and print sharing right? and turn off TCPIP for file and print sharing??
Wont that be a good deterrent for someone trying to access your inner files? |
|
shamrin
join:2001-01-08
Lexington, KY | said by newimmigrant:
To prevent access to files you can use NetBeui for file and print sharing right? and turn off TCPIP for file and print sharing??
Wont that be a good deterrent for someone trying to access your inner files?
Well, I don't think so. That strategy is designed to help you keep from sharing your files inadvertently through your wired connection to the internet. However, if you have a "guest" coming in through your wireless connection and he has NetBeui turned on, he should get access to all your shares. Not only that, but you won't even know it because all the defense mechanisms that I know of (except WEP) are geared toward TCP/IP. Somebody tell me if I'm wrong.
sch |
|
| reply to shamrin
ah! thats interesting!! all this time i thought my network and files were safe because I had this netbuei on and tcpip for file andprint sharing off..
Which means, now i am inthe same boat.
How do i secure my network?
1) i am using a Linksys BEFWSR14 wireless router
2)i have changed the SSID to something other than default
3) i have 128 bit WEP enabled.
so whats the verdict on my network??
i am still unsecure please tell me what else needs to be done
thx!! |
|
 cosmicvoidInfinity Or Bust
join:2001-01-02
Kingston, WA
 ·CenturyLink
| I have the same situation, so I'd like to hear a good answer too! The only thing I can think of is to put strong passwords on your shares. Are share passwords sent "in the clear"? Can they be snooped, too?
--
S@H: 2500 WUs and counting |
|
shamrin
join:2001-01-08
Lexington, KY | reply to newimmigrant
said by newimmigrant:
so whats the verdict on my network??
i am still unsecure please tell me what else needs to be done
There's another thread here where Nack1 covers this quite nicely (»WEP versus MAC authorized list). I think the answer here is running WEP and VPN if you are particularly paranoid. If not running WEP and sharing via NetBeui, I think the answer is that you are running an open system and you better have good passwords on your shares.
sch |
|
cosmicvoidInfinity Or Bust
join:2001-01-02
Kingston, WA Reviews:
·CenturyLink
| reply to shamrin
Mmm, yeah. That is the general idea that I'm seeing. That if you do ALL of that stuff, you're probably safe but not bulletproof. Here's a blurb from the Orinoco security documents page: »www.orinocowireless.com/upload/d···rity.pdf that says about the same.
--
S@H: 2500 WUs and counting |
|
 jtc1Go Pack GoPremium
join:2000-02-13
Cedar Rapids, IA | reply to shamrin
said by shamrin:
Well, I don't think so. That strategy is designed to help you keep from sharing your files inadvertently through your wired connection to the internet. However, if you have a "guest" coming in through your wireless connection and he has NetBeui turned on, he should get access to all your shares. Not only that, but you won't even know it because all the defense mechanisms that I know of (except WEP) are geared toward TCP/IP. Somebody tell me if I'm wrong.
sch
Actually, I've found that I could not access NETBEUI shares on my wireless network. I had to bind F&P sharing to TCP/IP in order to access shares from the wireless side. The same wireless PC's had no trouble with NETBEUI when they were hard wired. And yes, NETBEUI was bound to the wireless NIC. Not sure if that is a limitation of 802.11b or if it was some kind of bug with the Linksys WAP11. |
|
