securing wireless router WPA and WPA Psk

Discussion in 'other security issues & news' started by novicestill, Nov 13, 2005.

Thread Status:
Not open for further replies.
  1. novicestill

    novicestill Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    14
    I have the D-link 624 wireless router for my cable modem. I already have WEP at 128 bits and stealth ICMP ping (I think that is what it is called). I have read about enabling MAC filter. Could someone give me step by step information on this? Also, what else can I do for security?
     
  2. novicestill

    novicestill Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    14
    WPA and WPA Psk

    I have been using WEP for a long time till I read about WPA (never heard of WPA Psk). I have a choice of any of the 3 on my Dlink624. If I use WPA, I need to have a RADIUS server, IP, port and shared secret to fill in the boxes. What is that and where do I get it from?

    If I use WPA Psk, I don't need a radius server and all I do is type in a passphrase. What is this? Is it a password?


    Which is better - WPA or WPA Psk?
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    MAC filtering is an additional step you can take that will help in limiting what systems can access your wireless network. You first need to prepare a list of the MAC addresses of trusted systems connecting via wireless. You can get this by doing an "ipconfig /all" on each of those systems and noting the "physical address" for the wireless adapter.

    You would then go into your wireless configuration and look for the page that covers MAC filtering. You would then add/permit the trusted MACs and deny any others.

    Regards,

    CrazyM
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Another step you could take, if your D-link supports logging of wireless connections, is to enable it. That will allow you to monitor permitted systems connecting, and more importantly, attempts by unknown systems to connect to your wireless network.

    Regards,

    CrazyM
     
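    The two steps CrazyM describes above (collect the "Physical Address" of each trusted wireless adapter from "ipconfig /all", then watch the router log for connection attempts from anything else) can be scripted. The following is an added example, not code from this thread or from D-Link: it parses a constructed sample of "ipconfig /all" output, builds the trusted-MAC list from the adapters whose name or description says "Wireless", and then checks constructed router log lines for association attempts from MACs that are not on that list. The log line format is an assumption; a real D-link 624 log will look different, so the regular expression would need adjusting.

```python
import re

# Constructed sample of "ipconfig /all" output in the Windows XP layout.
# Adapter names and MAC addresses here are made up for this example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : HOMEPC
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : D-Link AirPlus Wireless Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Realtek Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-AA-BB-CC-DD-EE
"""

# Constructed router log lines in a generic syslog-like layout (assumption:
# the real router's format differs; only the MAC extraction matters here).
SAMPLE_LOG = [
    "Nov 13 21:04:12 router wlan: association request from 00:11:22:33:44:55",
    "Nov 13 21:05:30 router wlan: association request from 00:11:22:33:44:55",
    "Nov 13 21:07:45 router wlan: association request from 0A-0B-0C-0D-0E-0F",
    "Nov 13 21:08:01 router dhcp: lease 192.168.0.100 to 00:11:22:33:44:55",
]

# A MAC written with either '-' or ':' separators.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")
# The "Physical Address. . . . : xx-xx-xx-xx-xx-xx" line from ipconfig.
PHYS_RE = re.compile(r"Physical Address[ .]*:\s*(\S+)")


def normalize_mac(mac):
    """Canonical lowercase, colon-separated form so 00-11-.. and 00:11:.. compare equal."""
    return mac.replace("-", ":").lower()


def parse_ipconfig(text):
    """Split "ipconfig /all" output into one dict per adapter: name, description, mac."""
    adapters = []
    current = None
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.endswith(":"):
            current = {"name": line[:-1].strip(), "description": "", "mac": None}
            adapters.append(current)
        elif current is None:
            continue  # lines of the global "Windows IP Configuration" block
        elif "Description" in line:
            current["description"] = line.split(":", 1)[1].strip()
        else:
            m = PHYS_RE.search(line)
            if m:
                current["mac"] = normalize_mac(m.group(1))
    return adapters


def wireless_macs(text):
    """The trusted list: MACs of adapters whose name or description mentions 'wireless'."""
    return {
        a["mac"]
        for a in parse_ipconfig(text)
        if a["mac"] and "wireless" in (a["name"] + " " + a["description"]).lower()
    }


def unknown_associations(log_lines, allowed):
    """Return (timestamp, mac) for association attempts from MACs not in the trusted list."""
    hits = []
    for line in log_lines:
        if "association request" not in line:
            continue
        m = MAC_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group(1))
        if mac not in allowed:
            hits.append((line[:15], mac))  # first 15 chars are the syslog timestamp
    return hits


if __name__ == "__main__":
    trusted = wireless_macs(SAMPLE_IPCONFIG)
    print("trusted wireless MACs:", sorted(trusted))
    for when, mac in unknown_associations(SAMPLE_LOG, trusted):
        print(f"{when}: association attempt from unknown MAC {mac}")
```

Note that MAC filtering only raises the bar slightly: a MAC address is sent in the clear in every frame and a client can be configured to use any value, so treat the filter and the log review as a way to notice unexpected activity, with encryption (WPA rather than WEP) doing the real protection.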
  6. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    There are a lot of myths about wireless security, and a lot of people who are operating wireless networks that they believe to be secure (when in fact they are anything but). Here's some info that should help:

    1. Most wireless routers and access points (I'll group them all as 'APs' here) offer basic security features - normally turned off by default - incl. preventing SSID broadcasts, MAC address control, and encryption using the WEP standard and, in most modern APs, WPA encryption.

    2. A wireless network secured with SSID broadcasts prevented, MAC address control and WEP encryption (64-bit or 128-bit) will prevent your neighbours' casual snooping, but a skilled 'war-driver' with a laptop and freely-available software can, provided you have at least one client device connected to your network, easily break into such a network in a matter of minutes.

    3. WPA encryption is far superior to WEP. If you have a WPA-enabled AP and clients (e.g., WPA-enabled WLAN cards in your wireless computers) then always use this in place of WEP.

    4. There are two variants of WPA: WPA-PSK ('Pre-Shared Key'), often called WPA Home, and WPA, often called WPA Enterprise.

    a. WPA-PSK is meant for small networks where each station on the network agrees to use a single, pre-shared encryption key which is configured separately on the AP and on each device that can connect. Most WPA-PSK capable devices allow you to specify the PSK in the form of a 'passphrase' or password that the device internally converts to an actual (binary) key that is used for encryption. Use a long enough passphrase, however - there are known 'dictionary attacks' which can break many WPA PSKs of less than around 20 characters. The other weakness of WPA-PSK is that anyone who can discover the PSK in use (such as by having access to a computer, or getting access to a person's written record of such key) can trivially break into your network.

    b. WPA Enterprise (or just WPA for short) is much more secure than WPA-PSK, due to its use of central 'authentication' via a so-called WPA RADIUS server and frequent rotation of WPA keys in use. Here, any client wishing to connect to the WLAN needs to authenticate with the RADIUS server, by providing the AP with a user-specific password or by having a defined security certificate installed. Most home and small business networks do not have their own RADIUS server (the costs can be prohibitive, requiring a server running Linux, or Windows server OS), but there are a couple of free/cheap web-based RADIUS services available.

    5. There is actually a more recent version of WPA, called WPA2 (and it also exists in PSK and Enterprise form), which improves further on WPA. To use this, you will need an AP and client equipment that all support WPA2, and a patch that also adds WPA2 support to WinXP.

    6. The ultimate in wireless security involves the use of a VPN to secure all WLAN communications. Here, the (servers and clients on the) network is configured to allow only VPN-based traffic, so even if an attacker breaks into the network he/she can make no use of it. A VPN-based solution can be costly, both to setup and maintain, and require experience even some IT administrators do not have, so it tends to be the preserve of bigger business.

    The bottom line is that you need to judge what the threats to your network are, and choose a level of security that is appropriate.

    For instance, if you run a home network, you do not store or transmit critical data, and you don't mind someone else using your wireless network's internet connection (or spying on your network), then use WEP encryption. This might also be sufficient if you live so far out 'in the sticks' that passers-by are very unlikely to detect your wireless radio signals.

    If you run a small business, or you do store and/or transmit critical data, use WPA encryption at least. Authentication would be highly advisable. If you don't have your own RADIUS server and can't afford one, try one of these web based services:

    http://www.witopia.net/
    http://www.wirelesssecuritycorp.com/wsc/public/index.jsp

    If you need better security, utilise in-house skills or buy in outside resources to go the VPN route. Here, you will need to separate your WLANs onto different segments from your wired LANs, secure all your WLAN clients with a VPN which routes through a server that also firewalls-out non-VPN communications, and layer it with WPA Enterprise authentication.
     
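    Point 4a above says the passphrase you type is converted internally into a binary key. That conversion is defined in the 802.11i standard as PBKDF2 with HMAC-SHA1, 4096 iterations, the SSID as salt, and a 256-bit output, and the standard publishes a test vector for it (passphrase "password", SSID "IEEE"). The following is an added example, not code from this thread: it derives the PSK the same way a WPA-PSK device does, which makes two things concrete that the post only states - why a long passphrase matters (every guess costs the attacker 4096 HMAC rounds, but a short word still falls to a wordlist) and that the SSID acts as a salt, so the same passphrase gives a different key on every network name. The passphrase_check function and its 20-character minimum are the post's advice turned into a check, not anything from the standard.

```python
import hashlib
import string

PSK_ITERATIONS = 4096   # fixed by 802.11i
PSK_LEN = 32            # 256-bit pairwise master key


def derive_psk(passphrase, ssid):
    """Return the WPA-PSK as hex: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes)."""
    # 802.11i restricts the passphrase to 8..63 printable ASCII characters
    # and the SSID to 1..32 bytes.
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PSK_ITERATIONS, PSK_LEN
    ).hex()


def passphrase_check(passphrase, min_len=20):
    """Return a list of reasons the passphrase is weak (empty list means it passes).

    The 20-character minimum follows the advice in the post above; the other
    checks are simple character-class tests added for this example.
    """
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [
        any(c in string.ascii_lowercase for c in passphrase),
        any(c in string.ascii_uppercase for c in passphrase),
        any(c in string.digits for c in passphrase),
        any(c in string.punctuation or c == " " for c in passphrase),
    ]
    if sum(classes) < 2:
        problems.append("uses only one character class (e.g. only lowercase letters)")
    return problems


def ssid_salts_key(passphrase, ssid_a, ssid_b):
    """True when the same passphrase yields different PSKs on two SSIDs (it always should)."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # Test vector from IEEE 802.11i; constructed examples follow it.
    print("password/IEEE ->", derive_psk("password", "IEEE"))
    for candidate in ["password", "Correct Horse Battery Staple 42"]:
        print(repr(candidate), "->", passphrase_check(candidate) or "ok")
    print("same passphrase, two SSIDs differ:", ssid_salts_key("password", "IEEE", "HOMENET"))
```

Two practical consequences follow from the derivation: change the passphrase if anyone who knew it leaves the circle of trusted users (the post's "anyone who can discover the PSK" point), and give the network a non-default SSID, since the SSID is the only salt and a common one lets precomputed work be reused across many networks.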
  7. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    here are some audios that will help a lot - Episodes 10, 11 & 13. you can play them by opening your media player then telling it to play the URLs rather than downloading them.

    http://www.grc.com/securitynow.htm

    Link Removed No links to malware sites please. -- Ron
     
    Last edited by a moderator: Nov 14, 2005
  8. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Is this really allowed by the forum's TOS? Is this really a responsible post?
     
  9. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    yeah, i think so, if you see how easy it is you'll do something about it. it's hardly unknown :rolleyes:
     
  10. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Then you are very misguided. By your argument, it'd be OK to post links to virus downloads, "just so people can see what they do".

    Fortunately the moderators agree with me and see it for what it is, even if you don't.
     
  11. dog

    dog Guest

    OK ... that's enough guys. ;)

    Let's play nice in the sandbox, please. :) Two posts have been taken off-line for being well OT and not in the best spirits.

    Steve
     
  12. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Two posts have been taken off-line for being well OT and I suggest the 2 parties utilize our PM feature in regards to posting malware links vs not :ninja:
     