
home networking and security

Old 25th July 2006 | 10:00
  #1 (permalink)  
Thread Starter
 
Joined: Jan 1998
Posts: 884
Likes: 0
From: somewhere in the nth of Oz, where it isn't really cold
home networking and security

hello gurus' .. I have recently networked my new lappy with the home desktop, bluddy marvellous thing and very happy with it too!

My question though concerns the security aspect.

How can I make sure that the wireless connection is purely for my two computers, not my two computers and all of the neighbours as well?

tks in advance
The Voice is offline  
Old 25th July 2006 | 12:16
  #2 (permalink)  
Administrator
 
Joined: Mar 2001
Aviation Qualifications: PPL
Posts: 8,121
Likes: 686
From: Twickenham, home of rugby
1) use the encryption that your WAP supports - it'll be either WEP or WPA, WPA is the stronger.

2) MAC address filter - just allow your laptop MAC address.

3) Network address - change from the default (usually 192.168.0.0) to something else - like 192.168.101.0

4) name your wifi network something other than the default. Change the password of the WAP to something strong. If you can, change the admin account name to something else.

5) don't advertise the SSID of the network - assuming your WAP supports it.

6) DHCP scope - only use as many IP addresses as there are devices - in your case 2. So the network address is 192.168.101.0, the router is 192.168.101.1, the DHCP scope is 192.168.101.2 - 192.168.101.3. Create a reservation for your laptop's IP address.

7) for the truly paranoid, limit the IP addresses available on your network by changing the subnet mask to 255.255.248 - this would only allow 6 hosts on the network, including the router.
Saab Dastard is offline  
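
The addressing plan from steps 3, 6 and 7 above, worked through as an added example that is not part of the original post. It assumes the four-octet mask 255.255.255.248 (the /29 that yields the 6 hosts mentioned in step 7); the function name and device names are hypothetical.

```python
import ipaddress


def address_plan(network, router, scope, reservations):
    """Summarise a DHCP plan: usable hosts, pool size, and what is left over."""
    net = ipaddress.ip_network(network)
    hosts = set(net.hosts())
    router_ip = ipaddress.ip_address(router)
    first, last = (ipaddress.ip_address(a) for a in scope)
    pool = {ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)}
    reserved = {ipaddress.ip_address(a) for a in reservations.values()}

    # Reject plans that cannot work before counting anything.
    if router_ip not in hosts:
        raise ValueError(f"router {router_ip} is not a host address in {net}")
    if not pool <= hosts - {router_ip}:
        raise ValueError(f"DHCP scope {first}-{last} does not fit in {net}")
    if not reserved <= pool:
        raise ValueError("a reservation lies outside the DHCP scope")

    return {
        "prefix": net.prefixlen,
        "usable_hosts": len(hosts),
        "pool_size": len(pool),
        "free_leases": len(pool - reserved),
        # Valid host addresses on the subnet that DHCP never hands out.
        "outside_scope": len(hosts - pool - {router_ip}),
    }


# Constructed values following the post's numbering; device names are assumptions.
RESERVATIONS = {"laptop": "192.168.101.2", "desktop": "192.168.101.3"}
SCOPE = ("192.168.101.2", "192.168.101.3")


def compare_masks():
    """Same DHCP scope under the default /24 mask and the /29 from step 7."""
    wide = address_plan("192.168.101.0/255.255.255.0", "192.168.101.1",
                        SCOPE, RESERVATIONS)
    tight = address_plan("192.168.101.0/255.255.255.248", "192.168.101.1",
                         SCOPE, RESERVATIONS)
    return wide, tight


if __name__ == "__main__":
    for plan in compare_masks():
        print(plan)
```

With the two-address scope both plans have no free leases; the mask only changes how many host addresses exist outside the scope (251 under /24, 3 under /29).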
Old 25th July 2006 | 14:47
  #3 (permalink)  

Plastic PPRuNer
25 Anniversary
 
Joined: Sep 2000
Posts: 1,902
Likes: 0
From: Rochechouart, France
Excellent reply Saab - suggest you sticky it.

Just for fun, my system's SSID is Sun UltraSPARC IV......

Mac the Knife is offline  
Old 26th July 2006 | 10:18
  #4 (permalink)  
20 Anniversary
 
Joined: Jun 2003
Posts: 13,787
Likes: 0
From: EuroGA.org
Some of this is debatable, IMHO.

With any security policy, one needs to identify the enemy.

To stop a casual passer-by all you need is plain 64-bit WEP with some not totally obvious password e.g. ppruNe9734

This gives you very good equipment compatibility and doesn't need a revisit to the router config for each new device.

Equally, one could leave the network wide open and use MAC filtering, allowing only the known clients. This gives the best possible equipment compatibility (because as far as each client is concerned the network uses no security) but needs a visit to the router config for each device to be added.

To stop somebody who knows what they are doing you have to use WPA/PSK, or better. Adding the other stuff (MAC address filtering, SSID broadcast disabled) doesn't add any security because the required data can be picked up instantly by monitoring existing traffic.

"SSID broadcast disabled" in particular is an equipment compatibility nightmare. Many XP laptops will never find the access point thus configured, unless they are rebooted. A lot of gear just doesn't work, or disconnects randomly. My HP 4700 PDA doesn't work at all with some access points. The latest Draytek 2600 firmware stops working completely if I set this... This method stops the casual passer-by noticing the network, that's all.
IO540 is offline  
Old 26th July 2006 | 12:51
  #5 (permalink)  
Administrator
 
Joined: Mar 2001
Aviation Qualifications: PPL
Posts: 8,121
Likes: 686
From: Twickenham, home of rugby
Originally Posted by IO540
one could leave the network wide open and use MAC filtering, allowing only the known clients. This gives the best possible equipment compatibility (because as far as each client is concerned the network uses no security)
Sorry - have to disagree here: MAC address filtering on its own is far too simple to circumvent. All you need is a wireless packet analyser, then manually configure your wifi adapter with the required MAC address.
Saab Dastard is offline  
Old 26th July 2006 | 18:59
  #6 (permalink)  
20 Anniversary
 
Joined: Jun 2003
Posts: 13,787
Likes: 0
From: EuroGA.org
Yes, but then the attacker would be in the second category.

Disabling SSID broadcast is just as useless if somebody is packet sniffing because intercepting any existing traffic will reveal both the SSID and the MAC.

WEP can be attacked too nowadays but it's still a bit obscure.

The other thing I wouldn't do is use one's house name / number as the SSID. A lot of people do that, and it makes it really easy to work out where one should be for best reception.
IO540 is offline  
Old 26th July 2006 | 21:31
  #7 (permalink)  
 
Joined: Nov 2000
Posts: 3,443
Likes: 1
From: Cambridge, England, EU
Originally Posted by The Voice
hello gurus' .. I have recently networked my new lappy with the home desktop, bluddy marvellous thing and very happy with it too!

My question though concerns the security aspect.

How can I make sure that the ...(snip)... connection is purely for my two computers, not my two computers and all of the neighbours as well?
Er, I just use wired connections. Not only faster and more reliable, but this completely avoids all the problems of having to get one's head round the security stuff. It Just Works and nobody can tap into it (unless they've first burgled the house, at which point I've got worse things to worry about).

(Oh, there is one downside though. When lightning struck our fishpond it took out all the wired network gear; a wired network would have survived a bit better.)
Gertrude the Wombat is offline  
Old 26th July 2006 | 22:38
  #8 (permalink)  
Administrator
 
Joined: Mar 2001
Aviation Qualifications: PPL
Posts: 8,121
Likes: 686
From: Twickenham, home of rugby
GtW,

Fine to use wired ethernet if you have either flood wired your dwelling - like they do in new domestic buildings in Scandinavia and Germany, apparently - or don't mind trailing wires around the house.

Not so convenient if you wish to occasionally work with a lappy in the garden, in bed, or on the kitchen table.

Or if someone visits, or if the sprogs need to play games with their friends, or if you want to use a PDA with wifi etc.

WiFi is here to stay, better to know how to maximise the benefits and minimise the risks.

SD
Saab Dastard is offline  
Old 27th July 2006 | 08:24
  #9 (permalink)  
20 Anniversary
 
Joined: Aug 2001
Posts: 1,924
Likes: 7
From: UK
There is one additional and very simple precaution that I use. Unless someone in our house is using the wireless network, I turn the WAP Off! This still leaves internet access on one PC, connected to the router by cable.
spekesoftly is online now  
Old 27th July 2006 | 22:34
  #10 (permalink)  
Thread Starter
 
Joined: Jan 1998
Posts: 884
Likes: 0
From: somewhere in the nth of Oz, where it isn't really cold
I knew I came to the right place

thank you for your advice!!

now, is there some sort of monitoring programme that will actually watch over the network and throw up alerts if someone is trying to use it?? (if you know what I mean)
The Voice is offline  
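
One way to do the kind of monitoring asked about above, as an added example that is not part of the original thread: compare the devices a machine currently sees on the LAN against a list of known devices. It assumes input in the Linux /proc/net/arp format; the sample table, MAC addresses and function names are constructed for illustration.

```python
"""Flag LAN devices that are not on a known-device list (sample data is constructed)."""

# Assumption: the thread's two computers, keyed by MAC, with their reserved IPs.
KNOWN = {
    "00:11:22:33:44:55": "192.168.101.2",  # laptop (constructed MAC)
    "00:11:22:33:44:66": "192.168.101.3",  # desktop (constructed MAC)
}
ROUTER_IP = "192.168.101.1"

# Constructed sample in /proc/net/arp layout.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.101.1    0x1         0x2         00:aa:bb:cc:dd:01     *        wlan0
192.168.101.2    0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.101.5    0x1         0x2         00:11:22:33:44:66     *        wlan0
192.168.101.4    0x1         0x2         DE:AD:BE:EF:00:01     *        wlan0
192.168.101.6    0x1         0x0         00:00:00:00:00:00     *        wlan0
"""


def parse_arp(text):
    """Yield (ip, mac) for resolved ARP entries, skipping the header row."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2:  # ATF_COM: the entry is complete
            yield ip, mac


def find_alerts(text, known=KNOWN, router_ip=ROUTER_IP):
    """Return (kind, ip, mac) tuples for entries that do not match the list."""
    alerts = []
    for ip, mac in parse_arp(text):
        if ip == router_ip:
            continue
        if mac not in known:
            alerts.append(("unknown-device", ip, mac))
        elif known[mac] != ip:
            # A known MAC away from its reserved address deserves a look.
            alerts.append(("known-mac-wrong-ip", ip, mac))
    return alerts


if __name__ == "__main__":
    for kind, ip, mac in find_alerts(SAMPLE_ARP):
        print(f"ALERT {kind}: {ip} {mac}")
```

An ARP table only lists devices this machine has exchanged traffic with, so the router's own client list is the more complete source where it can be exported.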
Old 29th July 2006 | 05:32
  #11 (permalink)  
20 Anniversary
 
Joined: May 2003
Posts: 307
Likes: 0
From: South East England
This is a pretty comprehensive article...............

"How to Secure Your Wireless Home Network with Windows XP"

http://www.microsoft.com/windowsxp/u...ebruary10.mspx

Hope it is of some interest and/or help.

N o t a
None of the above is offline  