How to deny wifi access?

Discussion in 'other software & services' started by alloucho, Apr 4, 2009.

Thread Status:
Not open for further replies.
  1. alloucho

    alloucho Registered Member

    Joined:
    Dec 26, 2007
    Posts:
    145
    Is there any way to block an intruder's access to my wifi connection?
    I don't want to use the WEP/WPA encryption. Just something like a network firewall that tells me if someone wants to connect, then I have the choice to accept or to deny. Is this possible?
     
  2. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    btw do you realise that if you don't use encryption on your wireless network everything you do online is sent from your computer to your router as plain text?

    you could use mac filtering but it's not very effective and can easily be bypassed by someone changing their mac address to one that's allowed on the network.
     
  3. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    There are ways to monitor traffic on your wireless LAN. Note I said monitor. That would require constant vigilance.

    As far as allow\deny I do not believe there is anything.

    As Lodore stated, MAC filtering is an option but can be spoofed.

    WEP encryption can be and has been cracked for quite some time.

    WPA is the only way to go. Without it, again as Lodore stated, not only is access to your wireless signal possible, but, even if you are running with a software firewall on the computers, any information transmitted is done so "in the open". Anyone around with wireless can capture and read it. Also steal your bandwidth.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Well, there are other ways. You can set an IP scheme, static only, with a different subnet than normal. This way, you turn off DHCP. The 'visitor' must place a correct static IP on their NIC for your network. You can also limit in some routers access based on IP or MAC or both. Some routers may let you state that only MAC xyz can be IP 123.

    Just have to think outside the box. This also introduces a more complex network, which may produce headaches you don't want. I have employed methods like this before. Most peeps run DHCP. You can also not put DNS settings in your router, which leaves visitors without static DNS in their NIC settings without an outbound DNS. Can foil them.

    Sul.
     
  5. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    Where would I put them, in the connection properties? For instance, I have OpenDNS IPs in my router, just plug those in manually to the connection properties on each machine?
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, each network adapter in your machine can have DNS IP addresses. None of my routers have DNS addresses in them, and I only allow 1 DHCP address. All of my machines are static IP to 192.168.x.x.
     
  7. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    OK, thanks, it makes sense.

    I do have static internal/private IPs set up in the router based on MAC addresses. Although I don't quite understand how MAC spoofing is done, I hear the warning often enough - I guess in the context of wireless mainly.

    Are you saying I should assign the IPs also in connection properties on each machine and NOT have the IPs set up in the router?

    I guess I need to have a look and refresh myself on DHCP.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    DHCP - dynamic host configuration protocol
    Essentially, your router (or DHCP server) will assign or 'lease' an IP to a computer that is configured for DHCP. The client asks for an IP. Usually in routers there is a table of currently assigned IPs to clients, many times identifying the computer name (NetBIOS name) or the MAC address. Most routers have a place where you input the DNS server IPs. These are then forwarded to the client, or the client will just use the router as its DNS server. The router then in turn actually heads to the IPs it has (real ones) to fetch the name lookup. Sort of transparent to the client.

    MAC address - media access control.
    In theory, every device made is supposed to have a unique identifier. I think you could define it as very much like a GUID, only for hardware. Most times routers or firewalls will filter by MAC address. So you perform a getmac command on your client. It returns the MAC address. You can then set forms of access control in the router based on that address. For example at my house, my kids' MAC addresses are in a control access area. I state that those MAC addresses (independent of IP address) are to be restricted. Part of my router lets me define a list of websites that I can block access to or only allow access to. This is what I do: my kids' computers can only go to a website in the list.

    MAC spoofing comes about where you get the MAC address of a computer, and then you can assign your own NIC that MAC. You can then enter a restricted router as that MAC, or spoof it. That is a little simplistic, but how it is done. You have probably seen a feature in your router called MAC clone? That is so your router will acquire your computer's MAC address, in case you need to remote in to work or something where they have a MAC restriction. That way your boss can put your computer's MAC address in a list of allowed, and your router spoofs itself as you.

    What I am saying is that you can set each of your clients' IP addresses to 192.168.6.x. You set your router to 192.168.6.200. You disable DHCP in your router, or maybe set only 1 allowed depending on what you want. Some routers have rules capable of only allowing net access to certain IPs. Some let you state how many IPs are allowed at all. One easy way to limit net connectivity is to declare that only IP addresses 192.168.6.72 to 192.168.6.79 will have outbound access and all others do not.

    Then think of this. If you were to not set up WEP or WPA, you are not restricting access to your network. However, sometimes just not broadcasting the network can keep others from connecting, unless they have a sniffer program or something special to find it.

    But assume it is broadcasting, so all can see it from your driveway. You have no WEP or WPA to stop them from connecting. If you have no DHCP enabled, they would have to set an IP in their NIC to your subnet 192.168.6.x. But, they would first have to know the subnet. Most subnets are 192.168.0.x or 192.168.1.x. I don't know if sniffer apps can tell what your subnet is or not. But no problem, because even if a 'guest' were to see your subnet and make their NIC a static IP of 192.168.6.4 (or any number in your subnet), they might be able to connect to your network. But, they still have to provide some DNS IP addresses if your router has none. Now that too poses no problem if someone knows what they are doing. I know my 4 by heart now.

    So a 'guest' gets this far. But wait, you have restricted outbound access to only a few IP numbers. How in the world is the 'guest' in the parking lot going to know those? I don't know of a way to find out. I would be curious if anyone does know how that could be done.

    Anyway, routers are all different. Some have more advanced rules to really let you crack down on what IPs or MAC addresses can do what. The more restriction routers have, the better I like them. Always think out of the norm. Setting your subnet to 192.168.6.x is a simple example. No one uses that. It is all about making things easy for you because you know, and not typical or standard for those 'guests'. You can keep your WEP/WPA off and still not have a problem with all but the most determined 'guests'.

    Is that confusing enough? lol

    Sul.

    EDIT: Oh yeah, another trick. Use your firewall (or IPsec rules) to only allow outbound port 53 (DNS) to go to your DNS server IPs. This is a small and simple way to foil rogue programs that might like to use their own DNS servers.
     
  9. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    Absolutely!
    Actually, I mean that is a lot of good info, and I will digest it thoroughly. I've captured it to a PDF on my desktop so I can understand each piece and check my wifi, router, and connection properties.

    Thanks very much, this is good stuff!
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This much I can tell you. I set up a router with wireless at a racetrack, where all the pit teams connected to the network to get updates on the cars (they use transponders). With I don't know how many attached, I was watching the logs of the router. No one thought to get a static IP in their NIC and see if they could go out. They all followed the standard practices of DHCP, and thought there was no internet available.

    Put your subnet into a non-standard configuration, make some rules so only very certain IP addresses can go online, and I doubt you will ever have an issue. Of course you should probably have a firewall up in an environment with strange computers in the same network. Also, very easy to just set your 'Server' service to manual, so it is not on by default. That takes care of your shares. A great big way to mitigate issues. Also set the firewall to not respond to pings. You can even use IPsec rules to tell pings to drop only on IP addresses not specifically stated. So you could ping the router and print server, and the internet, but not other local machines. Works a charm being outside the box.

    Sul.
     
  11. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
    alloucho,

    Why not? WPA2 using a strong passphrase and TKIP+AES would take a few years to crack. Unless the hacker is determined (a successful crack takes about an hour, 4 Nvidia graphics cards, and a special program), you don't need to be concerned.
     
  12. alloucho

    alloucho Registered Member

    Joined:
    Dec 26, 2007
    Posts:
    145
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Have not tried it. My thought: what if the computer running this program is down or has problems? There seems to be no redundancy. But, it might work a charm for you. Can't hurt to test it. Sounds simple enough.

    Sul.
     
  14. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I know you don't want to use encryption but this kind of strikes me as using a 10 ton wrecking ball to kill a fly on the wall. Encryption with a reasonable sized key would use no additional PC resources and still do the job. IMO, just seems like a poor trade-off... ;)
     
  15. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Why don't you want to use the WPA2/AES internal data packet flow encryption method? It would be better than any software firewall. You could build an IPCop box and use its hardware firewall on wireless adapter cards. But still, even with a VPN connection they use a passcode token key to get onto the network. This mywifizone is a service to pay for. There was another way to do the same thing for free by changing your proxy, but then that would slow down the network on the device (node). It's better to use the hardware encryption found in the wireless router and then use your own passcode or generated PIN key.
     
  16. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Alloucho, I think you should explain your reasoning for not wanting to use WPA encryption. It's like saying, "I don't want to use a lock on my front door, but I want to keep people out, can you help?" Well, yeah, but first it would help to understand why the most basic way to keep out intruders is, for some reason, unacceptable to you?
     