Securing WiFi at home


Taildragger55
21st Jan 2005, 11:10
Just got broadband at home and a Wifi modem so I can use my laptop.
The documentation said nothing about how to protect wireless access.
Any suggestions or useful links?

Evo
21st Jan 2005, 11:36
I think I've written something here before, but...

The simplest and reasonably effective - but far from perfect - method is to use a MAC address ACL. A MAC address is a unique ID for a network card, and by using an access control list (ACL) you can only allow named cards to access your network. However, MAC addresses can be spoofed and the MAC address of your wireless card can be discovered reasonably easily by a third party, so this isn't really more than a way to prevent completely open access.

WEP (Wired-equivalent privacy) is more secure - good enough for all but serious business use - and is somewhere between simple and a complete pain in the backside depending on your wireless card drivers. To use it, the laptop needs to be configured with the WEP key. Good drivers make this trivial, but one cheap card that I got off ebay forgot the key every reboot, which made WEP a total pain. The card went in the bin :)

Personally I use WEP, but the ACL is generally good enough. Security for a home user is all about being harder to crack than the bloke down the street who has a totally open WAP, not being bombproof.

Taildragger55
21st Jan 2005, 12:42
I think I have WEP set up, if I followed the idiot-proof instructions correctly. I had to copy a key to my laptop.

Thanks Evo

BEagle
21st Jan 2005, 12:48
I've used MAC address control limiting ever since I've had Broadband and haven't had any problems. But I tried to set up WEP and had no end of difficulty. Once I'd got the wireless router into a WEP-enabled state, even though I put the correct key into the laptop I couldn't get the thing to reconnect. As the control software for the router is in the laptop, eventually I had to system restore in order to get back to a non-WEP state.

How (and why) would anyone discover the MAC address of an in-use laptop without having access to that laptop? Presumably anyone doing so in order to access a private wireless router without permission would be acting unlawfully?

Evo
21st Jan 2005, 13:10
How (and why) would anyone discover the MAC address of an in-use laptop without having access to that laptop? Presumably anyone doing so in order to access a private wireless router without permission would be acting unlawfully?


The MAC address is encoded in plaintext in the network packet (for obvious reasons - at a low level it is telling the network where to send the packet, so you can't encrypt it). You just need to listen to broadcast packets from your laptop, inspect them and determine the MAC address your wireless card is using. MAC-address 'spoofing' (i.e. broadcasting a different MAC address than the real one for the card) is a 'feature' built into most wired and wireless cards, so I just give my laptop card the same MAC address; your router can't tell the difference, so it lets me in.

I can't comment on the lawfulness, other than to note that the law usually lags reality by many years if technology is involved (or just about anything else, for that matter). However, it's obviously something you shouldn't be doing.

While MAC-address ACLs are easy to bypass, it'll only be done by someone with a specific interest in your data, whereas accessing an open WAP could be useful just to go online to check your email. Most home users won't have anyone who cares enough to hack it, so the ACL is fine, but when WEP is no more effort then I'd use that instead. If it's being a pain then I wouldn't lose too much sleep over it.


edit to add: disabling SSID-broadcast is another semi-secure technique like MAC-address ACLs. However, the SSID is broadcast in plaintext in many 802.11b frames, so it's also easy to discover.

BEagle
21st Jan 2005, 13:33
"You just need to listen to broadcast packets from your laptop..."

What does 'just need to listen' mean? Using some form of scanning receiver and analyser? Or is it simpler than that? I'm only curious as I can't see how anyone could otherwise obtain the MAC address of my laptop?

Land After
21st Jan 2005, 13:34
I use WEP and ACL on my Wi-Fi. ACL keeps out interlopers, but still leaves your network open to easy inspection. 128 bit WEP will also keep out the casual observer.

Think of it as belt and braces!

Evo
21st Jan 2005, 13:43
Using some form of scanning receiver and analyser? ... I'm only curious as I can't see how anyone could otherwise obtain the MAC address of my laptop?


All you need is another wireless card, in what is called 'promiscuous mode'. In this mode it listens to all the traffic on a wireless network, rather than discarding all traffic destined elsewhere.

Every time your laptop broadcasts a network packet, it includes its MAC address in the packet. And as it's wireless, it's broadcast globally, rather than down a cable. I just need to sit in range of your wireless network, capture a packet from your laptop, and inspect it to find your MAC address. It's very simple, which is why a MAC-address ACL isn't security. It's just a simple barrier, and anybody with a desire to do so can bypass it. As I said earlier, it's unlikely that anyone will care enough to do so, but it's worth understanding the level of protection you have.

(edit - I answered 'what does listen in mean' with 'listen in', d'oh :O )

As a very rough analogy, think of an open WAP as leaving your front door open. The MAC-ACL is like shutting it, but I only need to watch you open it once to know how to work the handle. WEP locks it with a lock that I can pick, but it requires significant effort to actually do it. Of course, regardless of whether your door is open or locked, it's illegal for me to enter, but...
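To make concrete what Evo describes above (the station's MAC address travelling in the clear even when the frame body is encrypted), here is an added example that is not part of the original thread: a small Python parser for the 802.11 MAC header of a data or management frame. The sample frame is constructed for the example, with locally-administered placeholder addresses and arbitrary bytes standing in for the ciphertext; the parser only reads the header fields every station and access point must be able to read anyway, which is exactly why an ACL on those addresses is not a secret.

```python
import struct

# Constructed sample: a protected (WEP/WPA) 802.11 data frame from a laptop to
# its access point. ToDS=1, FromDS=0 and the Protected Frame bit is set. The
# addresses are locally-administered placeholders, not real hardware, and the
# body is arbitrary bytes standing in for the encrypted payload.
LAPTOP_MAC = bytes.fromhex("020000aabbcc")
BSSID = bytes.fromhex("020000112233")
DEST_MAC = bytes.fromhex("020000ddeeff")

SAMPLE_FRAME = (
    bytes([0x08, 0x41])            # frame control: type=data, ToDS=1, Protected=1
    + struct.pack("<H", 0x002C)    # duration/ID
    + BSSID + LAPTOP_MAC + DEST_MAC  # address 1, 2, 3 (roles depend on ToDS/FromDS)
    + struct.pack("<H", 0x0010)    # sequence control
    + bytes(range(0x30, 0x50))     # "encrypted" body: 32 placeholder bytes
)


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as the usual colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Decode the unencrypted MAC header of an 802.11 data/management frame.

    Returns the frame type, the ToDS/FromDS/Protected flags and the source,
    destination and BSSID addresses resolved from the Address 1-4 fields.
    Short control frames (e.g. ACK) are rejected because they lack the
    three-address header this decoder expects.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than a 3-address 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype = {0: "management", 1: "control", 2: "data"}.get((fc0 >> 2) & 0x3, "reserved")
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)   # only the body after the header is encrypted
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if not to_ds and not from_ds:          # ad-hoc / IBSS
        da, sa, bssid = addr1, addr2, addr3
    elif to_ds and not from_ds:            # station -> AP (our sample)
        bssid, sa, da = addr1, addr2, addr3
    elif not to_ds and from_ds:            # AP -> station
        da, bssid, sa = addr1, addr2, addr3
    else:                                  # WDS: a fourth address carries the SA
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        da, sa, bssid = addr3, frame[24:30], None
    return {
        "type": ftype,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "protected": protected,
        "source": mac_str(sa),
        "destination": mac_str(da),
        "bssid": mac_str(bssid) if bssid else None,
    }


if __name__ == "__main__":
    for key, value in parse_80211_header(SAMPLE_FRAME).items():
        print(f"{key:12} {value}")
```

Run it and the source address of the sample comes out as 02:00:00:aa:bb:cc with `protected` set to True: the encryption covers the frame body, never the addressing. That is the whole reason a MAC filter, SSID hiding and the like are only a nuisance barrier, and why the real protection has to come from the encryption/authentication layer.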

ExGrunt
21st Jan 2005, 13:59
Not giving away any secrets here:

Go to Netstumbler (http://www.netstumbler.com), download the software and install on your laptop, plug in wifi card and voila your own EW / wardriving kit.

It will tell you exactly what you are broadcasting to the world.

Toxteth O'Grady
21st Jan 2005, 15:15
Very techie guide to wireless security here (http://www.drizzle.com/~aboba/IEEE/)

Generally I go by the following guidelines:

Before you even consider encryption your first lines of defence are to ensure you change your SSID from its default name, disable SSID broadcast and enable MAC filtering.

As stated earlier these can be easily bypassed, but the aim of good network security is to put in as many layers of defence as possible.

Having established these you now need to enable the strongest possible authentication/encryption that your firmware supports. In order of best to worst these are:

WPA-TKIP (WiFi Protected Access - Temporal Key Integrity Protocol)

WPA-PSK (WPA - PreShared Key)

WEP - Open Authentication (Wireless Equivalent Privacy)

WEP - Shared Key Authentication

None

The strength of the WEP encryption decreases from 256 bit down to 64 bit. 128 bit and below has already been compromised.

To run WPA-TKIP you need to run a RADIUS server. WPA-PSK is the best solution for SoHo users.

If your firmware doesn't support WPA then use WEP-Open at the highest bit strength your firmware supports. Generate 5 WEP keys and change them at least weekly. Google for "WEP Hex Key Generator" and create hexadecimal keys of the appropriate length for the strength of encryption you are using. Most of the utilities you find on Google will walk you through this.

One of the weaknesses of WEP compared with WPA is that it uses the same key for initial authentication and subsequent real time data encryption. That is why for WEP, Open Authentication is better than Shared Key because you are not revealing your key for authentication and hacker cryptanalysis as part of your broadcast.

Evo
21st Jan 2005, 16:05
Comparing WEP and WPA-PSK is rather academic, because AFAIK they're both fine for protecting a home W-LAN. But FWIW, it is my understanding that WPA-PSK has a human factors problem - people tend to pick a plain English key. If you can capture a valid authentication packet, you can take it home and try dictionary attacks where you iterate through possible keys until you hit the right one. It's fairly slow, 100-odd attempts per second, but very effective.

If you pick a good random passphrase (of the Zj8mqS0l variety) then WPA-PSK is very good.

:8
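Toxteth's advice to generate hex WEP keys of the right length and Evo's point about human-chosen WPA-PSK passphrases both come down to the same thing: take the key from a real random source, and check what you end up with before typing it into the router. The Python script below is an added example, not code from the thread or from any product mentioned in it. It generates WEP keys for the usual nominal strengths, random WPA-PSK passphrases or a raw 64-hex-digit PSK, and produces a rough report on a candidate passphrase using the roughly 100 guesses per second figure Evo quotes. The hex-length table, the 12-character/60-bit acceptance thresholds and the tiny wordlist are my own assumptions for the example.

```python
import math
import secrets
import string

# Hex characters the firmware expects for each advertised WEP strength. The
# advertised figure includes the 24-bit IV, so a "128-bit" key is 104 bits of
# user key, i.e. 13 bytes = 26 hex characters. (Assumed table for the example.)
WEP_HEX_LENGTH = {64: 10, 128: 26, 152: 32, 256: 58}

# Alphabet for generated WPA-PSK passphrases: letters and digits only, which
# every client UI accepts and which avoids quoting surprises.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits

# Constructed miniature wordlist standing in for the dictionaries a passphrase
# guesser would use; a real policy check would load a large file.
SAMPLE_WORDLIST = {"password", "letmein", "wireless", "netgear1", "sunshine"}


def wep_hex_key(bits: int) -> str:
    """Random hex WEP key of the length the given nominal strength needs."""
    if bits not in WEP_HEX_LENGTH:
        raise ValueError(f"unsupported WEP strength: {bits}")
    return secrets.token_hex(WEP_HEX_LENGTH[bits] // 2)


def wep_key_set(bits: int, count: int = 5) -> list:
    """The 'generate 5 WEP keys and rotate them' advice, automated."""
    return [wep_hex_key(bits) for _ in range(count)]


def wpa_passphrase(length: int = 20) -> str:
    """Random WPA-PSK passphrase; the standard allows 8..63 printable ASCII chars."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def wpa_raw_psk() -> str:
    """A 256-bit PSK as 64 hex digits; most firmware accepts this directly,
    which sidesteps the passphrase-to-PSK derivation and any dictionary."""
    return secrets.token_hex(32)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(keyspace: float, guesses_per_second: float = 100.0) -> float:
    """Time to exhaust a keyspace at the ~100 guesses/s rate quoted in the thread.
    Treat the result as illustrative only: modern hardware is vastly faster."""
    return keyspace / guesses_per_second


def passphrase_report(passphrase: str, wordlist=SAMPLE_WORDLIST) -> dict:
    """Policy check: flag dictionary words and short or low-entropy passphrases."""
    in_wordlist = passphrase.lower() in wordlist
    # Estimate the alphabet the passphrase was drawn from by the classes it uses.
    alphabet = 0
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(not c.isalnum() for c in passphrase):
        alphabet += 33   # printable ASCII punctuation
    bits = entropy_bits(len(passphrase), alphabet) if alphabet else 0.0
    # A dictionary word is only as strong as the wordlist is long.
    keyspace = len(wordlist) if in_wordlist else 2 ** bits
    return {
        "length": len(passphrase),
        "in_wordlist": in_wordlist,
        "entropy_bits": round(bits, 1),
        "worst_case_days": round(worst_case_seconds(keyspace) / 86400, 1),
        "acceptable": not in_wordlist and len(passphrase) >= 12 and bits >= 60,  # assumed policy
    }


if __name__ == "__main__":
    print("WEP 128-bit keys:", wep_key_set(128))
    print("WPA passphrase:  ", wpa_passphrase())
    print("WPA raw PSK:     ", wpa_raw_psk())
    for candidate in ("password", "Zj8mqS0l", wpa_passphrase(20)):
        print(candidate, passphrase_report(candidate))
```

The report for "password" shows a handful of guesses; Evo's 8-character example is not in any wordlist but sits at about 48 bits, which the assumed policy above still rejects on length; a 20-character generated passphrase clears it comfortably. If the firmware accepts a raw 64-hex-digit PSK, prefer that over any passphrase, because it removes the human-choice problem entirely.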

gizmocat
21st Jan 2005, 18:31
That's absolutely true, but even a strong passphrase can be "brute forced"; it takes more time, granted. As has been stated earlier, the more layers of defence... the bigger the deterrent.

Wireless is inherently insecure, but like life (and flying) you have to weigh up the odds. Is little Johnny down the road going to try and hack into your bandwidth, with MAC ACLs, WEP/WPA and everything you can throw at it available, or is he going to use your next-door neighbour's bandwidth, who doesn't have a clue about security?

Toxteth O'Grady
21st Jan 2005, 19:58
Agree the above but I think we need to keep this in perspective. We're not talking protection of large corporate enterprises or national security data here. Any IT admin who came to this forum for security advice ought to be sacked.

But since the majority of people on here are home users, the threat of advanced cryptanalysis attack is remote.

Realistically the security threat ranges from not having your neighbour get free internet access through your wireless network, to at worst the possibility of a mischievous wardriver parking outside your house.

In this context I stand by my earlier assertion that with a non-standard SSID, SSID broadcast disabled, MAC filtering and WPA-PSK with a randomly generated hex passkey, you will have the best protection you can get at no cost and it is appropriate for the threat.

The key, if you'll excuse the pun, to overcoming the PSK weakness of the passkey is to use a random key generator. These are freely available on the internet. Although in general it is bad practice to write down passwords, this is not an issue for home users. If somebody breaks into your house, they're far more likely to nick your pc, along with the rest of your crown jewels, than spend time faffing around trying to crack your network password.

So the message has to be, yes there are vulnerabilities that IT administrators must be aware of, but as a home user there are a few relatively simple and basic measures you can take to protect your system, which is what the OP was asking.

IO540
21st Jan 2005, 20:01
I think there is no doubt that WPA-PSK is very secure indeed. Just make up a really long silly key like ghryenf8f74bh2kg74hs4 and nobody will be able to brute force that.

The problem is that unless one has quite recent kit, and preferably all from the same manufacturer, the more one goes down the encryption route the less likely it is to work.

I've spent many hours getting wifi networks to work, and I do this sort of IT cr*p almost for a living! I can get WPA working only between certain devices.

The other advice is good: stop SSID broadcast (will stop your IT-thick but nosy neighbour seeing your network when he does a "look for networks" on his PC); put in MAC filtering, but these won't stop anyone remotely clued-up who has detected your emissions and is sitting outside your house in a car. Plenty of people drive around with the kit (basically laptops with PCMCIA wifi cards that can be put into promiscuous mode, and the right software) looking for open wifi networks through which they can download all sorts of stuff, obviously anonymously.

The other thing to consider is that on a typical consumer wifi access point the wifi port is on the *inside* network, so if someone can get through the wifi they will have access to all PCs on the network, including all those connected to the wifi router via ethernet! They will still need to get past the Windows login (or use some exploit) but a lot of people have their PCs wide open. The XP firewall won't help here either.

WEP is OK if the attacker can't capture much data, but if it is used for a lot of volume (e.g. connecting a desktop PC to a wifi router, and the PC does printing through it) then the key can be cracked after an hour's hard use (one needs about 5GB to crack a WEP key).

WPA is a must for security but as I've said above there are compatibility problems, and since an access point needs to support the lowest common denominator, if you have an older laptop which supports only 64-bit WEP then that's what you have to use.

The other approach is to get a wifi router which supports a VPN (e.g. a Draytek 2600) and use the VPN that comes with Windows. Then you can leave the wifi connection wide open; nobody will be able to break it. However I would still disable SSID broadcast just for the benefit of the neighbours :O

Toxteth O'Grady
21st Jan 2005, 20:23
Yet again all good stuff, but it comes back to -

APPROPRIATE TO THE THREAT

I honestly do not believe that the home user is vulnerable if the simple not-too-techie measures we have described are used.

Having taken such steps, they then really ought not have to worry in the slightest about VPN tunneling into their intranet to enhance their security. It's just inappropriate for the degree of risk.

BEagle
21st Jan 2005, 20:31
What on earth is a 'wardriver'?

Toxteth O'Grady
21st Jan 2005, 20:54
When not standing outside the airfield perimeter fence on his little step ladder with the world's largest telephoto lens or standing on the end of the platform at Westbury entering the number of cement wagons he's just counted passing, then he's the sad anorak who, whilst driving from one to t'other is using his laptop to log wi-fi hotspots.

Dictionary definition:

WarDriver: One who locates and logs wireless access points while in motion ;[benign]. WarDriving was invented by Peter Shipley and now commonly practiced by hobbyists, hackers, security analysts and retired Crabs worldwide.

Sad but true!!!

Bre901
21st Jan 2005, 20:56
Someone connecting unbeknownst to other people's Wifi networks in order to gain free access to the Internet.

In some cases it might be to perform illegal operations (some examples here (http://www.zdnet.co.uk/print/?TYPE=story&AT=39168660-39020375t-10000025c))

BEagle
21st Jan 2005, 20:58
In other words a spotty little wanquerre intent on invading people's privacy?

If I come across one in the vicinity of BEagle Towers, I will merely arrange for every one of his fingers to be broken after he's been given a laptop suppository. Sloooowly.... Hope that he'll have fun wiping his bum....

Flypro
23rd Jan 2005, 15:54
During one of the many phone calls to the Netgear helpline as I tried to set up my new DG834GT wireless router (it turned out to be U/S and will be replaced), I was told that with the security supplied with the router I no longer need Norton Antivirus, Zone Alarm, Spybot or Adaware - all of which I was running. Can this be true? :confused:

Evo
23rd Jan 2005, 17:21
Can this be true?


No. The 834G contains a reasonable home firewall, so you don't need Zone Alarm (but see below). However, it isn't a substitute for anti-virus or anti-spyware software.

You may wish to continue running Zone Alarm, even with the 834G, as it tells you when software that you may not know about (i.e. malware) is trying to connect to the internet from your PC - the 834G only blocks inbound requests. I'm using an 834G, but I've kept ZA for just this reason.