Wireless Security Settings


whiz
31st Mar 2005, 15:03
After reading the 'wireless router question' thread (http://www.pprune.org/forums/showthread.php?s=&threadid=168025) I am now reaching new heights of paranoia regarding my wireless security. I'm running a small home network of 2 PCs connected by a Netgear DG834G router. After reading the thread I came home and attempted to open my Netgear software and tweak the security settings; unfortunately a search for 'netgear' in Windows Explorer reveals nothing. Where are these files likely to be and what settings should I be looking at changing? Netgear website has no info on security that I can find ... anyone help?
Thanks in advance

mikedurward
31st Mar 2005, 15:13
Hiya Whiz.


Open IE and type the following in the address bar.

192.168.0.1 and hit enter
Default password is admin and password

This will let you into the Netgear menus

Mike

spekesoftly
31st Mar 2005, 17:27
I've also recently installed a NETGEAR DG834Gv2, and found another PPRuNe thread here (http://www.pprune.org/forums/showthread.php?threadid=160087&highlight=wireless+security) very helpful, as I cautiously try to increase the wireless security.

The text and screenshots on THIS LINK (http://www.adslguide.org.uk/hardware/reviews/2004/q3/netgear-dg834g.asp) provide some guidance on settings.

A note of caution that has been mentioned before; it's advisable to have at least one PC connected to the DG834 via a LAN cable, at least whilst you're setting up the security. If you only have a wireless connection during the procedure, and things go wrong, you could find yourself unable to communicate with your own router!

whiz
1st Apr 2005, 06:17
Mike and speke,

Thanks for your replies. A special thanks to speke for the noddy guide .. exactly what a duffer like me needs ... cheers both

IO540
2nd Apr 2005, 05:29
Just an update:

There is a relatively new attack on WEP; an article about it is at

http://www.tomsnetworking.com/Sections-article111.php

Basically one tricks the access point into generating the traffic that's required to collect the large amount of data required to crack a WEP key.

The attacker used to have to wait until sufficient traffic was captured. With this attack, he can generate the traffic himself.

It's only a matter of time before a simple utility appears that cracks anybody's WEP access point; usually in minutes.

Suppressing SSID broadcast will be a first line of defence - assuming the network isn't in use at the time he is driving by, and he can't guess the SSID. So "linksys" won't hack it :O

WPA is a must.

Evo
5th Apr 2005, 13:08
"It's only a matter of time before a simple utility appears that cracks anybody's WEP access point ... WPA is a must."


I'd be inclined to agree. WPA-PSK isn't any more work than WEP, and with a decent network key it's perfectly good for home use.

goates
5th Apr 2005, 16:08
I agree about using WPA, although even it has been hacked too. It takes far more work though and you don't have to worry as much about someone running a simple utility to do it for you. Setting up a D-Link router with WPA-PSK was easier than the WEP setup as you don't need to use a hex key. Netgear may be different though.

goates

Evo
5th Apr 2005, 16:58
My Netgear 834G was very simple; again just type in a passphrase.

IO540
6th Apr 2005, 07:11
"I agree about using WPA, although even it has been hacked too."

Is there a reference for the above?

Not counting a brute force / dictionary attack, of course.

The downside of WPA is that a lot of older wifi gear doesn't support it, or doesn't work for reasons unknown. I've got several devices. A laptop with a Cisco 350 card which is one of the best wifi adapters for compatibility and performance (very cheap on Ebay, too) which should support WPA via the config in XP, but doesn't. (It supports a number of "corporate" WPA protocols such as EAP but without something like a decent Cisco AP (again, Ebay...) one can't use them.) An HP laptop, c. 2004, which should but doesn't. A few others that don't support it at all. The one adapter which works really well is the Linksys WPC54G, going on Ebay for about £10-15. It even works on WPA/PSK/TKIP when the SSID broadcast is disabled; once you set up the profile it just finds the AP all by itself without any interaction. It works with every AP I've tried so far.

Evo
6th Apr 2005, 08:18
I don't know of a serious non-dictionary attack on WPA - I read something about WPA hashing collisions that I didn't really understand, but I don't think it's a real attack, more a potential reduction in the brute-force workload (which would still be very high).

goates
6th Apr 2005, 15:10
It sounds more like a dictionary attack, but it still doesn't seem to be outside the realm of a bored kid with too much time on his hands. It also looks like if you use a 64 bit passphrase you are pretty safe.

http://wifinetnews.com/archives/004428.html
http://www.nwfusion.com/reviews/2004/1004wirelesswpa.html

goates
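
Added example, not part of any post in this thread: a Python sketch of how WPA-PSK turns a passphrase into the 256-bit network key (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, per IEEE 802.11i), with a small audit of one's own settings. Because the SSID is the only salt, a factory-default SSID combined with a short passphrase is the combination a dictionary attack depends on. The `DEFAULT_SSIDS` list, the 80-bit threshold and the function names are assumptions made for this illustration.

```python
import hashlib
import math
import string

# Constructed sample of factory-default SSIDs (illustrative, not exhaustive).
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink"}
MIN_BITS = 80  # assumed threshold for this example, not a figure from the thread


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA-PSK key: PBKDF2-HMAC-SHA1, salt=SSID, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def charset_bits(passphrase: str) -> float:
    """Upper bound on entropy, assuming every character was picked at random
    from the character classes present. Dictionary words score far lower."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    pool = sum(size for chars, size in classes if any(c in chars for c in passphrase))
    return len(passphrase) * math.log2(pool)


def audit(passphrase: str, ssid: str) -> list:
    """Return findings for a passphrase/SSID pair; an empty list means none."""
    wpa_psk(passphrase, ssid)  # raises if the pair is not valid for WPA-PSK
    findings = []
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID: the salt is shared with many other networks")
    if charset_bits(passphrase) < MIN_BITS:
        findings.append("passphrase below %d bits even if fully random" % MIN_BITS)
    return findings
```

The same passphrase yields a different key under a different SSID, which is why a unique SSID adds to the work a dictionary attack needs even though hiding the SSID does not.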

The Nr Fairy
6th Apr 2005, 15:53
There's a known issue on the DG834G whereby you can't turn off SSID broadcast AND have WPA-PSK on at the same time. If you do this, you won't be able to connect.

So, if you use WPA-PSK and MAC address control, you should be able to allow the SSID broadcast in relative peace.

Evo
6th Apr 2005, 16:22
Does MAC address filtering buy you anything if you're using WPA-PSK (or even WEP)? If someone is going to try and break the encryption, then the MAC address ACL is trivial to bypass in comparison.

IO540
6th Apr 2005, 18:43
MAC address filtering and stopping SSID broadcast just keeps out the neighbour wishing to download his dirty movies from alt.binaries.warez.erotica.asian.multimedia when his wife isn't looking :O

WEP security depends entirely on the adversary. No ordinary "neighbour" will ever crack WEP. Presently it takes a clever person who needs to be in good reception range for longer than just parking in the lay-by outside, and it is likely to get a lot easier very soon once properly integrated tools appear. Across the road from me is a man whose business is bulk email generation :yuk: so no way I would use WEP. But why would anyone bother? If you have secrets then you must use WPA as a minimum. Otherwise, they will just get free internet access, but they can get it 50 yards further down the road with zero effort.

The issue with not using SSID and WPA at the same time applies to quite a few devices, I suspect. A lot of wifi clients can't find the AP if SSID is OFF and encryption (even WEP) is ON. Some will work OK but they need SSID ON for the initial config. One can waste a large chunk of one's life playing with this stuff. If I didn't know the Linksys WPC54G works well I would just head for Ebay and "Cisco" every time. Life's too short.

goates
6th Apr 2005, 18:53
If it helps, my girlfriend's D-Link DI-714+ (I think that's the model#) has been working well with WPA, SSID turned off and MAC address filtering.

Part of the problem with computers not seeing the router is Windows' wireless software. On just about every computer forum I have seen posts about the Windows XP wireless software not working, but some third party program working fine.

goates