Someone guide me to a perfect WiFi Security Setup.

Discussion in 'other firewalls' started by tempnexus, Dec 12, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    I need a perfect WiFi Security setup so when I run my box on WiFi I feel protected.
    What software should I run in order to protect my network from intruders and what software to run for Intrusion Detection System?

    Also what WiFi router is most secure?

    Also how is BlackIce?
    Does it still homephone? And does it detect Wifi hacks?
     
    Last edited: Dec 12, 2004
  2. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    What type of hardware do you have for WiFi?
     
  3. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    None yet; that is why I am asking what is the most secure WiFi router. I will buy the network card and the router from the same company but I don't know which one is most secure.
     
  4. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    All I have ever used is LinkSys WRT54G router, WMP54G NIC and also their WRE54G range expander... the WRT54G or w.e is the latest NetGear model should be just fine. You just have to worry about using encryption
    turning off Plug 'n' Play
    use a Static IP if possible, or at least assign one to internal computers
    disable the SSID (wireless broadcast)
    change the default Subnet Mask, Gateway, DNS
    turn on the built in NAT/SPI firewall
    restrict what MAC addresses are allowed to connect to your router, etc.

    It is all basically about configuring everything right rather than looking for software such as a firewall for your WiFi connection. If you choose the LinkSys WRT54G(S) setup I know of a setup which allows you to use very strong PEAP encryption rather than the defaults, but it comes with WEP, WPA and some others which should be more than enough. Also, you can check out fwbuilder.org which has a program that can generate an iptable based on what you want and you can use that iptable with the WRT54G (and probably others, but I only have used the WRT54G with modified firmware by Sveasoft which I can provide you the most updated version of for free :D )

    Here is a link to a thread on WiFi/general Network security over at the Software Security Forums which you may find useful: http://www.fluxgfx.com/ssc/showthread.php?t=65
     
    Last edited: Dec 13, 2004
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    A great open source intrusion detection system which I view as being better than Black Ice (even though it can be set up to run along with Black Ice) is Snort. I am using Demarc's PureSecure which is an automated install of Snort with a nice web interface and some file monitoring options. Demarc PureSecure is free for personal use and their URL is demarc.com <--highly suggested

    There are tons of ways to set up a Graphical User Interface for Snort, but that is my favorite so far. You might be interested in Eagle X (automated setup) or IDScenter which you can find at engagesecurity.com

    I typed these posts up kinda quick-like so if you don't understand wtf I am talking about just let me know :D
     
  6. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    We recommend that you use the non-default/manually set WPA as the default WPA has been cracked. When specifying your passcode it is necessary to use more than 21 characters and use no words, some upper and lower case letters, numbers and symbols. This is in addition to the above from AJohn. Of course you already know to purchase the "G" system. Keep in mind that 802.16 aka WiMax is due out soon.

    A little something to read on WiMax - http://www.siliconvalley.com/mld/siliconvalley/business/technology/personal_technology/9831069.htm
     
    Last edited: Dec 13, 2004
  7. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Good advice Q, using a random password generator might not be a bad idea...
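
    A generator for the kind of passphrase described in the two posts above (more than 21 characters, upper and lower case, numbers and symbols, no words), as an added example that is not part of the thread. It assumes the WPA-PSK passphrase limits of 8 to 63 printable ASCII characters; the function names are illustrative.

```python
import math
import secrets
import string

# WPA-PSK passphrases are 8 to 63 printable ASCII characters.
WPA_MIN, WPA_MAX = 8, 63
# Spaces are legal in WPA but left out here: they are easy to mistype.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def meets_policy(passphrase, min_len=22):
    """Check the rule from the post: more than 21 characters, with lower
    case, upper case, digits and symbols, inside WPA's length limits.
    It cannot tell whether the text contains dictionary words."""
    if not (max(min_len, WPA_MIN) <= len(passphrase) <= WPA_MAX):
        return False
    if any(ch not in ALPHABET for ch in passphrase):
        return False
    return all(any(ch in cls for ch in passphrase) for cls in CLASSES)


def generate_passphrase(length=32):
    """Draw every character from the OS CSPRNG and redraw the whole
    string until all four classes appear, so the result is uniform
    over the strings that satisfy the policy."""
    if not (22 <= length <= WPA_MAX):
        raise ValueError("length must be between 22 and 63")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length):
    """Upper bound on entropy for a uniformly random string."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_passphrase()
    print(pw, f"(about {entropy_bits(len(pw)):.0f} bits)")
```

    Running the file prints one passphrase; paste it into both the router and the client rather than retyping it.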
     
  8. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    I would also advise changing the router default login and password, and maybe even changing the standard IP subnets to something other than the standard ones most use which is the 192.168.0.x range.
     
  9. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    I just got the WRT54G router but what is the most secure and feature rich firmware (modded)?

    Thanks
     
  10. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    The only experience I have is with the Sveasoft Satori 4.0 firmware on a WRT54GS. Absolutely rock solid. Very reasonable complement of security options - WPA-PSK, WPA-RADIUS, RADIUS, WEP; MAC filtering; etc. Take a look at the Sveasoft documentation for some additional info.

    Blue
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Given the record of problems with successive Wi-Fi encryption schemes I would suggest not relying on them at all. Consider using something like OpenSSH for Windows to create encrypted tunnels between your computers. If the router does not support SSH itself (few do), you will need to have a PC physically connected to it (with a cable) instead to accept and decrypt SSH connections before sending the data out on the Internet.

    This would be of non-trivial complexity (i.e. pretty hard work to set up for a novice) - but if you want "perfect" security, this does mean using the most tested encryption methods (OpenSSH has had vulnerabilities in the past, so you do still need to keep abreast of security issues).

    Once you have this set up, the only thing left is to prevent outsiders from using your connection and MAC address filtering (mentioned previously) is the best option here.
     