How to deny wifi access?

Is there any way to block an intruder access to my wifi connection?
I don´t want to use the wep/wpa encryption. Just somrthing like network firewall that tell me if someone want to connect, then i have the choice to accept or to deny. Is this possible?

 

btw do you relise that if you dont use encrption on your wireless network everything you do online is sent from your computer to your router as plain text?

you could use mac filtering but its not very effective and can easily be bypassed by someone changing their mac address to one thats allowed on the network.

 

There are ways to monitor traffic on your wireless LAN. Note I said monitor. The would requier constant vigilance.

As far as allow\deny I do not believe there is anything.

As Lodore stated, MAC filtering is an option but can be spoofed.

WEP encryption can be and has been cracked for quit some time.

WPA, is the only way to go. Without it, again as Lodore stated, not only is access to your wireless signal possible, but, even if you are running with a software firewall on the computers any information transmitted is done so "in the open". Any one around with wireless can capture and read it. Also steal your bandwidthe.

 

Well, there are other ways. You can set an ip scheme, static only, with a different subnet than normal. This way, you turn of dhcp. The 'visitor' must place a correct static ip on thier nic for your network. You can also limit in some routers access based on ip or mac or both. Some routers may let you state that only mac xyz can be ip 123.

Just have to think outside the box. This also introduces a more complex network, which may produce headaches you don't want. I have employed methods like this before. Most peeps run dhcp. You can also not put dns settings in your router, which leaves visitors without static dns in thier nic settings without an outbound dns. Can foil them.

Sul.

 

Where wuold I put them, in the connection properties? For instance, I have OpenDNS ips in my router, just plug those in manually to the connection properties on each machine?

 

Yes, each network adapter in your machine can have dns ip addresses. None of my routers have dns addresses in them. and I only allow 1 dhcp address. All of my machines are static ip to 192.168.x.x.

 

OK, thanks, it makes sense.

I do have static internal/private IPs set up in router based on MAC addresses. Although I don't quite understand how MAC spoofing is done, I hear the warning often enough - I guess in context of wireless mainly.

Are you saying I should assign the IPS also in connection properties on each machine and NOT have the IPs setup in router?

I guess I need to have a look and refresh myself on dhcp.

 

DHCP - dynamic host configuration protocol
essentially, your router (or dhcp server) will assign or 'lease' an ip to a computer that is configured for dhcp. The client asks for an ip. Usually in routers there is a table of currently assigned ip's to clients, many times identifying the computer name (netbios name) or the mac address. Most routers have a place where you input the dns server ip's. These are then forwarded to the client, or the client will just use the router as it's dns server. The router then in turn actually heads to the ip's it has (real ones) to fetch the name lookup. Sort of transparent to the client.

MAC address - media access control.
In theory, every device made is supposed to have a unique identifier. I think you could define it as very much like a GUID, only for hardware. Most times routers or firewalls will filter by mac address. So you perfrom a getmac command on your client. It returns the mac address. You can then set forms of access control in the router based on that address. For example at my house, my kids' mac addresses are in a control access area. I state that those mac addresses (independent of ip address) are to be restricted. Part of my router lets me define a list of websites that I can block access to or only allow acces to. This is what I do, My kids computers can only go to a website in the list.

MAC spoofing comes about where you get the mac address of a computer, and then you can assign your own nic that mac. You can then enter a restricted router as that mac, or spoof it. That is a little simplistic, but how it is done. You have probably seen a feature in your router called mac clone? That is so your router will acquire your computers mac address, in case you need to remote in to work or something where they have a mac restriction. That way your boss can put your computer's mac address in a list of allowed, and your router spoofs itself as you.

What I am saying, is that you can set each of your clients ip addresses to 192.168.6.x. You set your router to 192.168.6.200. You disable dhcp in your router, or maybe set only 1 allowed depending on what you want. Some routers have rules capable of only allowing net access to certain ip's. Some let you state how many ip's are allowed at all. One easy way to limit net connectivity is to declare only ip addresses 192.168.6.72 to 192.168.6.79 will have outbound access and all others do not.

Then think of this. If you were to not set up wep or wpa, you are not restricting access to your network. However, times just not broadcasting the network can keep others from connecting, unless they have a sniffer program or something special to find it.

But assume it is broadcasting, so all can see it from your driveway. You have no wep or wpa to stop them from connecting. If you have no dhcp enabled, they would have to set an ip in thier nic to your subnet 192.168.6.x. But, they would first have to know the subnet. Most subnets are 192.168.0.x or 192.168.1.x. I don't know if sniffer apps can tell what your subnet are or not. But no problem, because even if a 'guest' were to see your subnet and make thier nic a static ip of 192.168.6.4 (or any number in your subnet), they might be able to connect to your network. But, they still have to provide some dns ip addresses if your router has none. Now that too poses no problem if someone knows what they are doing. I know my 4 by heart now.

So a 'guest' gets this far. But wait, you have restricted outbound access to only a few ip numbers. How in the world is the 'guest' in the parking lot going to know those? I don't know of a way to find out. I would be curious if anyone does know, how that could be done.

Anyway, routers are all different. Some have more advanced rules to really let you crack down on what ips or mac addresses can do what. The more restriction routers have the better I like them. Always think out of the norm. Setting your subnet to 192.168.6.x is a simple example. Noone uses that. It is all about making things easy for you because you know, and not typical or standard for those 'guests'. You can keep your wep/wpa off and still not have problem with all but the most determined 'guests'.

Is that confusing enough? lol

Sul.

EDIT: Oh yeah, another trick. Use your firewall (or ipsec rules) to only allow outbound port 53 (dns) to go to your dns server ip's. This is a small and simple way to foil rogue programs that might like to use thier own dns servers.

 

Absolutely!
Actually, I mean that is a lot of good info, and I will digest it thoroughly. I've captured it to a PDF on my desktop so I can understand each piece and check my wifi, router, and connection properties.

Thanks very much, this is good stuff!

 

This much I can tell you. I set up a router with wireless at a racetrack, where all the pit teams connected to the network to get updates on the cars (they use transponders). With I dont' know how many attached, I was watching the logs of the router. No one thought to get a static ip in thier NIC and see if they could go out. They all followed the standard practices of dhcp, and though there was no internet available.

Put your subnet into a non standard configuration, make some rules so only very certain ip addresses can go online, and I doubt you will ever have an issue. Of course you should probably have a firewall up in an evironment with strange computers in the same network. Also, very easy to just set your 'server' service to manual, so it is not on by default. That takes care of your shares. A great big way to mitigate issues. Also set firewall to not respond to pings. You can even use ipsed rules to tell pings to drop only on ip addresses not specifically stated. So you could ping to router and print server, and internet, but not to other local machines. Works a charm being outside the box.

Sul.

 

alloucho,

Why not? WPA2 using a strong passphrase and TKIP+AES would take a few years to crack. Unless the hacker is determined (a successful crack takes about an hour, 4 Nvidia graphics cards, and a special program), you don't need to be concerned.

 

I found a program that can block intruders the way i described.
http://www.mywifizone.com/help.asp
http://www.mywifizone.com/download1.asp
Can anyone confirm this too? Thanks

 

Have not tried it. My thought, what if the computer running this program is down or has problems? There seems to be no redundancy. But, it might work a charm for you. Cant hurt to test it. Sounds simple enough.

Sul.

 

I know you don't want to use encryption but this kind of strikes me as using a 10 ton wrecking ball to kill a fly on the wall. Encryption with a reasonable sized key would use no additional PC resources and still do the job. IMO, just seems like a poor trade-off...

 

Why don't you want to use the WPA2/AES internal data packet flow encryption method would be better than any software firewall. You could build a IPCOP use it's hardware firewall on wireless adapter cards. But still even with VPN connection they use passcode token key to get onto the network. This mywifizone is a service to pay for.. There was another way to do the same thing for free buy changing your proxy, but then that would slow down the network on the device (node). It's better to use the hardware encryption found in the wireless router and then use your own passcode or generated pin key.

 

Alloucho, I think you should explain your reasoning for not wanting to use WPA encryption. It's like saying, "I don't want to use a lock on my front door, but I want to keep people out, can you help?" Well, yeah, but first it would help to understand why the most basic way to keep out intruders is, for some reason, unacceptable to you?