Security on Wireless Network

Discussion in 'privacy technology' started by LenC, Jul 29, 2008.

Thread Status:
Not open for further replies.
  1. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    I use MAC filtering for security purposes. I specify the MAC addresses on the three computers in my home which are my family's network. Is there any additional security to be gained by using encryption?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    If you aren't using strong encryption (WPA or better) on your wireless setup, then you have virtually no security at all. Encryption is 99% plus of the security. MAC filtering, not broadcastig SSID, and a few other measures are less than 1% of any security because they are so easily overcome.

    See this thread for a lot more information on wireless security. (There are related links to other threads in that thread, as well):

    Keeping your wireless Internet connection safe and secure
     
  3. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    LowWaterMark -

    Thank you for your reply. And I am digging through the lengthy link you provided. But help me understand why MAC filtering is only 1% effective? When I bring another laptop into the house, I can't access my network and I can't access the internet - that seems like good security. What am I missing here?
     
  4. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,007
    hello lenC,
    with a simplebit ofsoftware you can find out the mac addresses allowed and spoof the macaddress and then use the network.
    also if no encryption then anyone can use a packet sniffer and find out everything your sending.
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    If all that a person has is a laptop with nothing but a vanilla Windows installation with its built-in networking interface, and they add no special networking tools at all, then all they'll see and be able to access is what the wireless connection manager let's them. So yes, for you and me with our laptops and Windows connection software only, we'll see the network listed as available, but when we try to connect we'll be disallowed since our MAC address isn't in the allowed list.

    However, there are very simple tools available that you can download to give all kinds of information about the wireless network transmissions that are received by your laptop. They can tell you everything from frequencies in use, signal strengths, MAC addresses connected, and so on. And, I am not talking about only uber hacking tools, but, things that are available as shareware on download.com and similar sites. With such a tool telling you the MAC addresses used, a person can simply configure their PC to fake one of those MAC addresses and then they can get access. (MAC addresses can be overriden.)

    In any case, the only security issue is not whether a person can "use" your network, but, if they can sniff your data packets. Without encryption, all your traffic, emails you read, non SSL passwords used on websites, URLs you click on, and more are all visible in plain text for them to capture from the air, log and review as they wish. Sniffing your data can be more serious then them using your wireless as a free access point, well, unless they do serious illegal activities on your connection, which will be traced back to your ISP account.

    So, encryption is almost everything when it comes to wireless security.
     
  6. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    Thank you. I understand and I am convinced of the need for encryption.

    Hopefully, it's not too late:oops:
     
  7. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    That is, for me, the important part. To paraphrase another post on another forum, "it's not merely possible, it's trivial". :eek:
     
  8. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    I'm encrypted. THANK YOU for your advice. I had no idea how easy it is to do.

    I actually did some research on the topic and selected WPA-2. I had my three home computers working just fine with WPA-2. The problem was with my office laptop, which I like to bring home and use (how sad is thato_O ). Anyway, WPA-2 is not an option on my laptop in the drop down box for selecting an encryption method. So, I switched to WPA as the encryption method - it was a choice on my laptop (and my home computers).

    So I am using WPA. Is that a reasonably secure encryption method? I get the sense that WPA-2 is better because it is newer.
     
  9. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Yes, WPA is secure enough.
    What changes from WPA to WPA2 is the encryption algorithm, from TKIP to AES. Although the second is considered more secure, there are no known attacks against WPA that are not valid against WPA2.
    One suggestion: make sure you use a very secure password, no matter if you use WPA or WPA2.
     
  10. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    Thank you Markoman -

    Having been fortunate to survive in this world with an open network - I got a little paranoid when I realized the potential dangers. I have a strong encryption key. :D
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Besides the obvious
    - enable WPA2 encryption with long password
    - add password for admin and user
    - change names of admin and user
    - change SSID name
    - change IP address of the router configuration software

    I also did
    - add PIN (needed to add wireless devices to network)
    - enabled Wireless Network Partitioning (so clients can not access each other)
    - added MAC address control
    - added DHCP reservation, to still use DHCP but always allocate the same IP addresses to the clients
    - added a inbound filter to log only the (above) IP's and deny all other machines (IP's) to the network
    - disable UPnP
    - disable WAN respons on ping
    - disable remote admin

    Used the routers
    - SPI firewall
    - DOS/DDOS attack prevention
    - ARP spoofing protection

    And did HIDE the SSID (so it is not visible in the neigbourhood)

    On the down side: we don't run any software firewall
     
  12. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Hi Kees1958. Looking at your wireless setup, I would like to post my opinion about it. For the use of you, and every other reader of the forum:

    I agree with:


    I don't agree with:

    and this is why:
    - if even you change the IP of the router, it will take a port scanner 3 minutes to find its new IP
    - it takes 3 minutes of traffic analysis with aircrack-ng and any MAC spoofer (aircrack-ng can do it itself) to change a MAC address
    - This doesn't add any security: this configuration won't prevent the attacker from setting his maching with an IP compatible with our network.
    - Still using aircrack-ng, it won't take more than few minutes in order to spot your hidden wireless access point.

    So, these 4 settings, add no extra security, but extra hassle to the legitimate user.

    About

    requires quite some work on configuring and mataining the network devices, besides adding inconvenience to the legitimate user, so I would advice this kind of setup only to lcoations with HIGH SECURITY needs.

    And this:

    is good configuration habits, but not only about wireless netowrks.

    And this is BAD! Compromise your host, and the most secure network setup becomes useless. The attacker won't even need to break into your network, since he already will be IN your network controlling your PC.
     
Loading...
Thread Status:
Not open for further replies.