PDA

View Full Version : Protecting Wireless Network From Intruders



norderney
2008-03-01, 15:51
I currently run a Transporter,Laptop and PDA, on my wireless network, using my Netgear DG834G Wireless ADSL Router.

Currently the Wireless Security Options are Disabledon my Router. There are a number of other wireless networks near me, so I think I ought to enable some security options, but I am not sure how to go about this.

If I go into Security Options in Wireless Settings on my Router I have the following options:
Disabled (Currently Selected)
WEP
WPA-PSK
WPA=802.1x

Which option should I select and what else do I need to do with my Router settings?

What do I then need to do with my Transporter, Laptop and PDA?

radish
2008-03-01, 16:06
Choose WPA-PSK, enter a password. Then go to your players (and any other wireless devices) and rerun network setup - choose WPA again and enter the same password.

Mark Lanctot
2008-03-01, 20:34
And don't use a password you could find in a dictionary. Use odd capitalization, purposeful misspelling, add numbers and punctuation.

smc2911
2008-03-01, 20:58
If you want to be super-paranoid, use a password from here: https://www.grc.com/passwords.htm

I used that to generate one and used the first 20 characters (entering more was just a bit too painful for the SB!). Maybe one-day it will be possible to copy a longer password onto an SD card and stick it in the SBC...

matthijskoopmans
2008-03-01, 21:38
If you are really paranoid:

WPA-PSK: use a password consisting of acronyms and numbers that only have meaning to yourself. Randomly replace certain characters with symbols (i.e. @ for A, or ! for i)

SSID: do not broadcast

MAC: only allow the MAC addresses of your devices to access your wireless network

The SSID and MAC may add additional security, but by themselves they are not adequate. you do need the WPA encryption.

Cheers

Matt

NFLnut
2008-03-01, 21:58
If you want to be super-paranoid, use a password from here: https://www.grc.com/passwords.htm

I used that to generate one and used the first 20 characters (entering more was just a bit too painful for the SB!). Maybe one-day it will be possible to copy a longer password onto an SD card and stick it in the SBC...


Steve Gibson has been my security guru for over fifteen years now!

smc2911
2008-03-01, 22:33
Indeed. Security Now is a great podcast. In a recent episode, Steve tossed around the figure of 20 characters as a minimum for good WPA security if you are compromising security for convenience of data entry.

radish
2008-03-01, 23:11
1) MAC filtering is entirely useless. It will only annoy you when you can't figure out why things don't work properly. Likewise for SSID broadcast, leave it on and lead a happier life. WPA with a decent passphrase is quite strong enough for anything you're sending over your network. Remember it's all in the clear once it leaves your cable modem anyway...

2) Steve Gibson is, IMHO, a pompous snake oil salesman. Sorry, but it has to be said. I know some people around here love him, but hey, if you've read the audiophile forum you'll know there are people who will believe anything :) I'm not going to present any evidence for my statement, just google around if you're interested. No one in the actual security business takes him seriously.

3) Feel free to use a 20 character passphrase if you like, it's certainly true that the longer the better. However, I use 8 truly random characters. It's easy to enter with an SB remote and I would be quite happy to challenge anyone to break it, and offer a nice bottle of something to anyone who can do so before we're both dead :) This makes interesting reading: http://blogs.zdnet.com/Ou/?p=127. GRC seems to have got his value of 20 from the study of attacks on the IDEA cypher which is really unrelated to WPA. According to the authors of the best WPA craking tool (aircrack) you can only test around 300 keys per second (http://www.aircrack-ng.org/doku.php?id=cracking_wpa). Thus, my 8 characters would take 91 years for a single computer to break. Maybe when computers get a little faster I'll up it to 9 chars - that's over 3000 years :)

peter
2008-03-01, 23:38
radish wrote:
> 1) MAC filtering is entirely useless. It will only annoy you when you
> can't figure out why things don't work properly. Likewise for SSID
> broadcast, leave it on and lead a happier life. WPA with a decent
> passphrase is quite strong enough for anything you're sending over your
> network. Remember it's all in the clear once it leaves your cable modem
> anyway...
>

Agreed. MAC filtering is mostly an incredible hassle.

> 2) Steve Gibson is, IMHO, a pompous snake oil salesman. Sorry, but it
> has to be said. I know some people around here love him, but hey, if
> you've read the audiophile forum you'll know there are people who will
> believe anything :) I'm not going to present any evidence for my
> statement, just google around if you're interested. No one in the
> actual security business takes him seriously.
>

He's a bit of an amateur posing as a professional. Still, I've gotten
something from his site now and then.

> 3) Feel free to use a 20 character passphrase if you like, it's
> certainly true that the longer the better. However, I use 8 truly
> random characters. It's easy to enter with an SB remote and I would be
> quite happy to challenge anyone to break it, and offer a nice bottle of
> something to anyone who can do so before we're both dead :) This makes
> interesting reading: http://blogs.zdnet.com/Ou/?p=127. GRC seems to
> have got his value of 20 from the study of attacks on the IDEA cypher
> which is really unrelated to WPA. According to the authors of the best
> WPA craking tool (aircrack) you can only test around 300 keys per
> second (http://www.aircrack-ng.org/doku.php?id=cracking_wpa). Thus, my
> 8 characters would take 91 years for a single computer to break. Maybe
> when computers get a little faster I'll up it to 9 chars - that's over
> 3000 years :)
>

Some botnets contain more than a 100.000 PC's, you better make sure you
don't get their attention ;)

Regards,
Peter

slimkid
2008-03-01, 23:49
some good info here:

http://www.satirewire.com/news/aug02/encryption.shtml

radish
2008-03-01, 23:52
Some botnets contain more than a 100.000 PC's, you better make sure you
don't get their attention ;)


True :) You do bring up an important point though, which is to figure out who you're defending against before deciding on the level of security to employ. In my case I don't want the kid next door deleting all my flacs, so I have decent but still user friendly security. If I wanted to keep out the NSA or the owner of the 100,000 machine botnet - well for one thing I'd get rid of the wifi altogether. Then I'd probably invest in a lot of wire mesh to wrap my house in :)

peter
2008-03-02, 00:04
radish wrote:
> Peter;274380 Wrote:
>
>> Some botnets contain more than a 100.000 PC's, you better make sure you
>>
>> don't get their attention ;)
>>
>>
>
> True :) You do bring up an important point though, which is to figure
> out who you're defending against before deciding on the level of
> security to employ. In my case I don't want the kid next door deleting
> all my flacs, so I have decent but still user friendly security. If I
> wanted to keep out the NSA or the owner of the 100,000 machine botnet -
> well for one thing I'd get rid of the wifi altogether. Then I'd probably
> invest in a lot of wire mesh to wrap my house in :)
>

The good thing about wifi is that they have to get close to you. Where
the whole internet can pound on your firewall without any trouble it's a
major hassle for an attacker to get in range of your wifi, unless he's
the kid next door.

For the moderately paranoid, it might be good to realize that it looks
like the Duet transmits your WPA key unencrypted (or insufficiently
encrypted) over
an ad hoc wifi link as part of the setup process. Use Robin Bowes'
ethernet setup script to avoid this.

Regards,
Peter

pfarrell
2008-03-02, 00:05
Peter wrote:
> radish wrote:
>> 1) MAC filtering is entirely useless.
> Agreed. MAC filtering is mostly an incredible hassle.

Word.

MAC filtering is nearly as hard to manage as the olden days of each PC
needing manual TCP/IP address assignments. It will drive you crazy.


>> 2) Steve Gibson is, IMHO, a pompous snake oil salesman.
>
> He's a bit of an amateur posing as a professional. Still, I've gotten
> something from his site now and then.

I too find an occasional nugget but he's mostly selling snake oil
Read Bruce Schneier for professional guidance. Bruce recently posted
about how his home WiFi is all in the clear.


>> 3) Feel free to use a 20 character passphrase if you like, it's
>> certainly true that the longer the better.

Only up to a point. Longer is only better if there is more entropy.
Using "four score and seven years ago, our forefathers..." has about the
same security as a three character password.

The fundamental problem with passwords is that if they are strong, no
one can remember them. So they write them on yellow stickies.

Realistically, you are unlikely to be attacked over your WiFi network,
as that requires the bad guys to be withing a mile of your house. Its
far more likely that your cable modem's lame security is the weak link,
and like chains, its all about the weak link.

The botnets have at least 100,000 Windows PCs ready and able to go.
They come in through broadband connections. WiFi can't handle the bandwidth.

Start with the basics. Change the SSID from Linksys to something
personal. Change the password to the router's admin page. Put a firewall
between your DSL/Cable line and your house computers.

And for gosh sake, don't use Windows.

But consumers want convenience not security.

--
Pat Farrell
http://www.pfarrell.com/

danco
2008-03-02, 02:15
Only up to a point. Longer is only better if there is more entropy.
Using "four score and seven years ago, our forefathers..." has about the
same security as a three character password.

The fundamental problem with passwords is that if they are strong, no
one can remember them. So they write them on yellow stickies.

--
Pat Farrell
http://www.pfarrell.com/

fsasya,of... would also get cracked easily.

But I think that is the way to go. Initial letters of the seventh line of the first poem you learned by heart should be easy to remember, and hard to crack, even if attackers have volumes of poetry in their database.

And perhaps, which I am using nowadays, a program that keeps a list of your passwords. I have one for my internet passwords. That way, I only need to remember one password, the one protecting the program.

tamanaco
2008-03-02, 07:28
I love these discussions on network security... Some of my thoughts...

- Don't spend $0.26 worth of time/money to protect $0.25
- The weakest link to your valuables is probably "not" the technology you're using to protect your wireless network.

Perspective for the paranoid... "most" people pay thier bills with a check via regular mail... they're leaving their names, bank names, bank account numbers and signatures in the middle of the street protected by a bit of saliva... How secure is that?

The best computer security hackers I've known have been very good dumpster surfers. Believe me... they know how hard it is to crack a WPA key.

peter
2008-03-02, 08:44
tamanaco wrote:
> I love these discussions on network security... Some of my thoughts...
>
> - Don't spend $0.26 worth of time/money to protect $0.25
> - The weakest link to your valuables is probably "not" the technology
> you're using to protect your wireless network.
>
> Perspective for the paranoid... "most" people pay thier bills with a
> check via regular mail... they're leaving their names, bank names, bank
> account numbers and signatures in the middle of the street protected by
> a bit of saliva... How secure is that?
>
> The best computer security hackers I've known have been very good
> dumpster surfers. Believe me... they know how hard it is to crack a WPA
> key.
>

Got me there. I think I must've printed and discarded my wpa key several
times so monitoring my trash for a month or so would've been enough!
I'll change my key key straight away and eat any future printouts. ;)

Regards,
Peter

bobkoure
2008-03-02, 09:40
If you're looking for random set of letters you can remember, I'd suggest using what the spooks used to call a "book code".
Go through your favorite books, find a sentence that's really memorable, then just use the first character of each word in the sentence - so "it was a dark and rainy night" becomes "iwadarn", hmm... that one's got a word in it, so bad example, but hopefully you get the idea.

If you've got anything that truly needs to be private, don't leave it somewhere where someone breaking into your wireless will expose it.

Steve Gibson is a very talented security amateur who sometimes overreacts, but if he's wound up about something, it's at least figuring what's up. IMHO he was right about the Win implementation of uPNP.

kidjan
2008-03-03, 14:39
Peter wrote:
> radish wrote:
>> 1) MAC filtering is entirely useless.
> Agreed. MAC filtering is mostly an incredible hassle.

Word.

MAC filtering is nearly as hard to manage as the olden days of each PC
needing manual TCP/IP address assignments. It will drive you crazy.

I've always done MAC filtering. I've never considered it nearly the hassle of setting up encryption.

Enter in the MAC addresses you want to allow/disallow, and you're off. It seems pretty easy to me. Maybe it's the firmware I use (either DD-WRT or Tomato, for WRT54G), but...MAC filtering seems braindead to me.

Ben Sandee
2008-03-03, 14:43
On Mon, Mar 3, 2008 at 3:39 PM, kidjan <
kidjan.35pukn1204580402 (AT) no-mx (DOT) forums.slimdevices.com> wrote:

> Enter in the MAC addresses you want to allow/disallow, and you're off.
> It seems pretty easy to me. Maybe it's the firmware I use (either
> DD-WRT or Tomato, for WRT54G), but...MAC filtering seems braindead to
> me.


If you want security, then yes MAC filtering is braindead.

Ben

radish
2008-03-03, 14:56
MAC filtering seems braindead to me.

It is indeed, because as well as being a pain it simply doesn't work :) MAC spoofing is trivial, in fact it's even easier than breaking WEP.

As for ease of use, compare these procedures for adding a new device:

1) Startup new device and enter network setup
2) Select SSID, enter key
3) Relax, safe in the knowledge that your network is still secure

or

1) Startup new device and enter network setup
2) Try to figure out what the MAC is (is it on a label on the bottom? is it in a config screen somewhere?)
3) Write MAC down (careful!)
4) Log into router from some other device
5) Add new MAC to access table & save config
6) Go back to new device, go back into network setup and complete it
7) Relax, with the false sense of security that the MAC filtering will actually stop anyone getting into your network.

Personally, I keep the key for my network on a big label on the front of the router. That way, if guests come over and want to connect up it's easy for them. Having them all give me their MAC addresses so I can add them (and then try to remember who is who months later when I want to clean up the list) would be a huge hassle.

Kevin Lepard
2008-03-03, 15:08
> Personally, I keep the key for my network on a big label on the front
> of the router. That way, if guests come over and want to connect up
> it's easy for them.

Another neat way to manage this is to use two networks, one secured
that your computer's attach to and one that is not for guests. There
are alternate firmwares for the Linksys WRT54GLs that will do this and
is pretty slick.

Kevin
--
Kevin O. Lepard, MD, PhD, FACEP, FAAEM

Happiness is being 100% Microsoft free.

CONFIDENTIALITY NOTICE: This message and any attachments to it are
intended for use only by the addressee(s), and may contain privileged
or confidential information. If you are not the intended recipient,
you are not authorized to read, print, copy or disseminate this
message or any attachments to it, or to take any action based on
them. If you have received this message in error, please permanently
delete or destroy the original and any copy of this message.

smc2911
2008-03-03, 16:18
Personally, I keep the key for my network on a big label on the front of the router. That way, if guests come over and want to connect up it's easy for them. Having them all give me their MAC addresses so I can add them (and then try to remember who is who months later when I want to clean up the list) would be a huge hassle.I do a similar thing: the key is on a USB key that lives in a draw under the TV. Friends and family know where to find it. This has the advantage of allowing a cut & paste of the key.

bobkoure
2008-03-03, 20:35
Using "four score and seven years ago, our forefathers..." has about the
same security as a three character password.
Actually, that one might be OK as it's a mis-quote...

peter
2008-03-04, 09:20
kidjan wrote:
> Pat Farrell;274387 Wrote:
>
>> Peter wrote:
>>
>>> radish wrote:
>>>
>>>> 1) MAC filtering is entirely useless.
>>>>
>>> Agreed. MAC filtering is mostly an incredible hassle.
>>>
>> Word.
>>
>> MAC filtering is nearly as hard to manage as the olden days of each PC
>>
>> needing manual TCP/IP address assignments. It will drive you crazy.
>>
>
> I've always done MAC filtering. I've never considered it nearly the
> hassle of setting up encryption.
>
> Enter in the MAC addresses you want to allow/disallow, and you're off.
> It seems pretty easy to me. Maybe it's the firmware I use (either
> DD-WRT or Tomato, for WRT54G), but...MAC filtering seems braindead to
> me.
>

I hope you use it together with encryption, cause otherwise your traffic
could be sniffed easily.

Regards,
Peter

Phil Leigh
2008-03-04, 14:50
Gosh you must be a paranoid bunch...
Why do you think anyone would sniff your traffic? - there are much more interesting things out there...

radish
2008-03-04, 15:08
Gosh you must be a paranoid bunch...
Why do you think anyone would sniff your traffic? - there are much more interesting things out there...

I _don't_ care about sniffing, like I said I care about people getting on to my net and poking around where they shouldn't be poking.

Phil Leigh
2008-03-04, 15:12
I _don't_ care about sniffing, like I said I care about people getting on to my net and poking around where they shouldn't be poking.

Fair enough... but why would they target YOUR network? Why would they expend a lot of effort to get on it (compared with say a Government site)

Ben Sandee
2008-03-04, 15:17
On Tue, Mar 4, 2008 at 3:50 PM, Phil Leigh <
Phil.Leigh.35rpxn1204667702 (AT) no-mx (DOT) forums.slimdevices.com> wrote:

>
> Gosh you must be a paranoid bunch...
> Why do you think anyone would sniff your traffic? - there are much more
> interesting things out there...


WPA is easy to use, virtually universal and proven effective. I can't
figure out a reason not to use it.

Do you pay your bills using transparent envelopes? Surely nobody else
really cares about your mail but since an opaque envelope costs the same
I'll go ahead and use them.

The whole thing with MAC address security is that it's cumbersome to use and
proven ineffective -- so why use it at all?

Ben

mr-b
2008-03-04, 16:35
Are there any performance issues these days when enabling encryption?
I know when I've seen wireless router perf tests in the past that it can have a significant effect, but not seen any figures recently.

radish
2008-03-04, 17:57
Fair enough... but why would they target YOUR network? Why would they expend a lot of effort to get on it (compared with say a Government site)

It depends who "they" are. If "they" are international terrorists then I wouldn't assume they're interested in my network, I don't have any information regarding how to make bombs out of face cream and airline pretzels. On the other hand, if "they" are my neighbor's 16 year old son...who knows what he might find on my network that he likes the look of (music files, financial info, photos of my wife, etc). And he doesn't even have to leave his bedroom to attack it - just download a cracker, hit a button a wait a few minutes. As has been mentioned, it's not difficult to switch on encryption, it doesn't cost anything, so I simply don't understand why you wouldn't use it (unless of course you were intentionally leaving an open access point - which is another matter).

bobkoure
2008-03-04, 19:54
I'm probably not typical, but I often have an ipsec connection up to one client or another, and I feel I have a "duty of care" - so the wireless router is attached to the "DMZ" side of the firewall, and I just VPN in if I need to access "inside" files from a wireless connection.
If you care enough (if your situation isn't like mine you most probably don't) you can just put the wireless AP (and Squeezebox) on the DMZ side (you might have to port-forward port 5000 inbound for the squeezebox - acess from the server to the squeezebox is outbound and so should "just work" And there's SSH tunneling for the truly paranoid...

peter
2008-03-06, 05:24
Phil Leigh wrote:
> Gosh you must be a paranoid bunch...
> Why do you think anyone would sniff your traffic? - there are much more
> interesting things out there...
>

Some people find it interesting to spy on their neighbours. That's the
main risk I guess. Plus, these days all my financial and personal
information is on my network server. I like that protected. From my
local network it's a lot easier to gain access to business servers I
have access to. I'm guessing some people would do strange things to gain
access to money.

Sniffing, of course, is a useful prelude to an attack.

Regards,
Peter

pfarrell
2008-03-06, 07:05
Peter wrote:
> Some people find it interesting to spy on their neighbours. That's the
> main risk I guess. Plus, these days all my financial and personal
> information is on my network server. I like that protected. From my
> local network it's a lot easier to gain access to business servers I
> have access to. I'm guessing some people would do strange things to gain
> access to money.

Most malware is about money.

Google for kismet, install it and see how protected your neighbors'
networks are.


--
Pat Farrell
http://www.pfarrell.com/