Questions on setting up a "secure" router.

ok, i finally (after 8 months) got serious about setting up my router to be more "secure". this came about after I went on over to grc.com and ran the "shields up!" tests. My router failed to achieve true "stealth" results because my port 113 was "closed" instead of "stealth" and my router was responding to unsolicited pings. long story made short, i figured out how to use port forwarding to make my port 113 come up as stealth and found an option in my router to disable responding to unsolicited pings. now the router passes all tests over at grc.com with full "stealth" results.

now here's my dilemma, i wanted to secure my wireless network now so i googled around. i found this and did what "answer 4" recommended : disable ssid's broadcasting, enable wep (i only have wep i need to get a new router soon. i have something in mind but i'll post it later), setup mac address filtering, and set up DHCP to only allow for 3 IPs. i'm thinking fine, i did my job.

BUT i found this article that basically says everything i did was pointless! what gives? in the name of security, should i just chuck my router and get a new one with WPA2?

 

The short answer is yes. All the measures you took, while better then nothing, are easily crackable with tools found on the Web. Be aware that if you upgrade your router to a WPA capable one all wireless NICs need to be upgraded as well.

 

arrrgh

is there a way to check and see if my NICs support WPA? the reason why i ask is, the router is old but the laptops/desktop that connect to the network are fairly new (6 months old).

 

At that age my guess would be yes. How you find out varies from product to product. I would first check with the owners manual that came with it. Or the website of the OEM.

Is the desktop wireless as well? If so then you will need a WPA capable NIC for it too. If not, if it is hard wired, then replacing the NIC on it is not necessary.

 

i went ahead and emailed customer support just to be 100% sure (luckily both laptops are HP/compaq).

thankfully it's hard wired (that should save me some money).




one more quick question while i wait for customer supports answer

let's assume we have the following scenario :

1) someone finds my network (i have SSID broadcasting disabled)

2) someone cracks my 128 bit WEP encryption

3) someone clones a MAC address on my network (i have mac filtering enabled)

**i have dhcp set up so that it will only issue 3 IP addresses (1 to the desktop which is directly wired and 2 to the laptops which are wireless)


now what happens? for example : is he/she able to use my wireless router to log on to the net?

 

Sorry. Really not sure about that. On my network, a rather different set-up, DHCP is enabled with no limit. The PCs that are always connected have static IPs. For the times another PC is introduced for short periods of time it is easier for the auto-config. A guess would be that if all 3 of your machines are on then a fourth one could not be introduced to the network. How ever if only 1 or 2 IPs have been issued then I would think that someone who has gained access to your signal would be issued the third IP and gain access to the net or worse your machines.

 

Let's see if I can provide an analogy...

Even with locks on the doors, some burglars are able to come in your house.
Does that mean that you would leave the doors unlocked for that reason?
Or would you move into a bunker?

 

first let me say thank you thunderz for your help secondly, this brings up even more questions :

1) what would happen if my legitimate third machine was turned on and tried to access the internet while the hacker was on (assuming he would be issued that third IP address)? would the hacker be kicked off or would my 3rd machine be denied internet access?

2) my current router has an option for DHCP to always issue the same IP address to a specific MAC address would that do anything to help or...?

@wilbertnl

according to what i've read, these steps i took to "secure" my router wouldn't even last 2 minutes. whereas WPA2 is basically a hackers worst nightmare. trust me i was hoping i wouldn't have to shell out additional money to secure my network. i found a dirt cheap router with WPA2 capability. i'm only hoping my 2 laptops internal wireless cards are capable of WPA2 i don't think i can shell out the additional money to buy 2 new cards AND a router (i'm currently hurtin' for cash)

 

If you upgrade the router to WPA support, I think that you will be able to get support for your adapters with Free WPA Software by McAfee.
I got my 63 chars passphrase from GRC.com.

You want cheap?

 

DHCP only allows them to get an IP address automatically assigned. Anyone that's gone through the trouble of cracking your WEP, cloning a MAC address, and so on, probably won't have any problems assigning a static IP address. To be honest I don't think that limiting your DHCP has done a lot for you.

If someone was using up all 3 IPs from DHCP and you turned your on, your connecton would show "Limited" with no internet access and a generic IP outside of your subnet. If all your machines were on at the time, though, that's what the attacker would get, and they'd just set a static IP.

If they did get connected, they would just be another member of your network and could do all the things your machines can do on your network. The main thing would be that they'd have access to your internet connection and access to your machines from behind the router. Having a software firewall is always a good idea even behind the router.

I wouldn't stress TOO much about your current setup. Yes you do need to get a WPA2 device(s) when you can, but in the meantime someone would have to target you specifically. The majority of threats are neighbors and passerbys that just want a free connection. So you can relax a little, just try to get WPA2 soon.

Keep in mind that if you have a wired router then you can save some money by getting an access point rather than a full router. A wireless router is often just a regular router with an access point essentially tacked on, so unless you really need another router you're just as well off with an access point, which might even have some features you could find useful down the road that the router doesn't offer.

If your budget isn't real tight you could also consider getting wireless-n. Getting a speed upgrade in addition to the security always makes it a bit more satisfying Compaq has a "feature" in the BIOS that only recognizes internal cards purchased from them, but D-Link has a cardbus card that slips into the slot on the side and works very well.

 

How about limiting the amount of connections by setting the subnet mask?
For example 255.255.255.252.

 

woot! thanks wilbernl

yeah but i was secretly hoping against hope i just can't believe that all the steps i took basically amount to nothing if i don't have wpa(2). how can companies still sell routers with only WEP encryption? they should be sued.

no such luck, i'm broke

 

Do you share folders/printers over your network?
If not and you only have the network to share the internet connection, then maybe firewalls on the systems and a tight netmask like I suggested could give you some relief.

 

no. i'm too paranoid for that

will do! (the 255.255.255.252) like this (under the section "LAN IP Address")right? oh what do you think about his suggestion :

i got paranoid and set it to expire every hour good? bad?

thanks to everybody on this thread for your patience and help.

 

There is no reason to freak out.

You had a network running for 8 months without any sweat, right? Just remember how peaceful your life was all these months.
I don't think that you should worry too much over it. You take reasonable meassures and if you set each computer's firewall like it's connected directly to the internet, as opposed to a LAN, then you are at least as safe as when you didn have the router at all (remember the dial-up days?). The router adds security with it's NAT feature.

If you use the xp-sp2 built-in firewall, maybe you could look for free and more secure third party firewall, like Kerio.

 

thanks guys for your help. well i got word back from tech support and it's a mix of good news and bad news. one of my wireless cards supports wpa/wpa2 the other doesn't

BUT i found a great deal on a wireless n router (with SPI and WPA/WPA2) and a wireless n network card for the laptop (WPA/WPA2) for $49.99 USD! i went ahead and ordered it

 

When you say wireless "n". Just what are you referring to? The current standard is "G". "N" is the new kid on the block. I do not know if it is backwards compatible.

 

sorry i should have been more specific yeah the "n" is for the new wireless standard. more information on the bundle router/card below :

it' the dlink dir-615 wireless n router (it's backward compatible with g/b) and the dlink dwa-645 wireless n laptop card.

 

Thanks for the links. You should be safe and (as secure) as is possible. Just did`t want to see you getting the wrong equipment. You`ll also be set to make the jump N on the rest of your wireless if you should chose to. DLink gets good reviews from what I read and the price usually can not be beat. Post back if you would with your impressions on the new N to N connection when\if you decide to try it. I understand there is supposed to be a noticeable speed increase. May upgrade my own.......shhhhhhh, do`t tell the Mrs.

 

thanks for the concern, this is why i love this board

truthfully, i never had speed issues with my current setup (wireless g). the only reason i'm upgrading is because of security concerns. the laptops are basically for normal day to day stuff : browsing, work, email, and downloading medium sized files like mp3s. the really big stuff (full linux distros) are done on my desktop which is wired directly to the router. it will take a few days for the router/card to get here, i'll pm you my speed results (i'll try downloading a linux distro using my laptop).

lol you better hope she doesn't read the wilders forums.

 

No worries there. She peaks over my shoulder every once in a while, gets that glazed look in her eyes as she reads bits and pieces of what I am reading\writing, smiles, pats her "geek" husband on the head then go`s back to d/l`ing \ burning her movies and music on her tower via Remote Desktop from the comfort of the front room on her laptop.

She knows her tower and the rest of the network are about as safe as they can be thanks to this Forum.

 

You made the right decision. Anybody still running their wifi with WEP, and thinking they are secure, are mistaken. There's a couple of programs floating around the internet that can crack any WEP password in seconds.You definitely did the right thing.