Tip of the Day - Home Wireless Gateways (Sans)

Discussion in 'other security issues & news' started by ronjor, Aug 21, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    Sans.org
     
  2. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    These are all snakeoil approaches to security. The only worthwhile thing is to change the channel, and all this does is minimize interference in the network. The only security you need is a strong password for a router and to implement either WPA or WPA2 with a 63-character random password; then you are good to go.

    Turning off the SSID broadcast only turns off one of multiple techniques a wireless access point uses to broadcast its location.

    MAC address filtering is a hassle for large networks, and MAC addresses are sent in the clear so they are easily spoofed.

    WEP is crackable with increasingly smaller amounts of packets (the FBI did a presentation with Linux tools that cracked a 128-bit WEP network in under five minutes).

    Keeping the router at or below ground level is nice if you want to limit interference for your neighbors, but all it will do is create less range for you to access your network, which is why new MIMO routers are rolling off the line, since people want more coverage, not less.

    Limiting the DHCP licenses is bad as well, since all a hacker has to do is assign the computer he/she is working at a static IP and they are good to go.

    Hmmmm, hopefully that guy isn't used to secure large networks or even household networks, or else he needs to give out refunds or something :/

    Alphalutra1
     
  3. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi Alphalutra1,

    You seem quite knowledgeable regarding wireless networks.


    At home we have a network of about 4 computers on three floors (actually more sort of 4). Sometimes a computer fails to join the network.

    If the computer is on DHCP it fails at "getting ip adress"
    If the computer is on static IP it fails at "finding localhost"
    However, all computers see the router (signal in range)

    I've sort of come to the conclusion that when a computer connects it has to do a handshake, and during this phase it's more vulnerable to signal corruption, so it ends up unable to connect to the network.

    This might be due to the fact that we have a network distributed on multiple floors and the fact that about each neighbor is in the same situation and has a wireless network, so there are like 8 networks in range from here.

    The thing seems to be mostly fixed since we bought an extended range antenna for the WRT54GS. We also have a wireless "duplicator" or range extender or whatever they call it from Netgear... but it does not seem to be that efficient.

    Now that you know my situation, I'd like to know if you have any knowledge on how WPA handles interference. Right now I'm on WEP; I know it's not the most secure, however I believe it's the most interference resistant, as I guess you have to be either secure or error tolerant.
     
  4. Alphalutra1

    Alphalutra1 Registered Member

    Let me try and throw out some ideas that may help you. To minimize interference, I would recommend changing the channel that the wireless signal is on to either 1 or 11. Channels 1, 6 and 11 are the three channels that never overlap. Since channel six is the default for almost all routers, I would recommend you change to either 1 or 11.

    In terms of WEP and WPA, there is no signal difference or loss between the two. They are just encrypted by different methods and have different modes of authentication. So if all of your devices support it, I recommend changing to either WPA-TKIP/AES or WPA2-AES with a strong passphrase which can be generated here.

    In terms of your DHCP not working, you may want to ensure that there are enough DHCP addresses that can be given out, so on the first page of your router's web configuration set the max DHCP clients to around five more than you actually need, just to make sure that there will always be a free DHCP address. I recently had this problem when I started to use OpenVPN on my computer, since the adapter for it gets its own DHCP address, so I ran out of DHCP addresses and had to configure a static one temporarily to even access my router :blink:

    Another thing you may want to configure is that if you have laptops that traverse many networks, try to configure your home router to a different subnet ex. 10.0.30.0/32 instead of 192.168.1.1/32 so that they won't get confused between networks.

    A final comment is that the beauty of WRT54Gs and WRT54GSs is that they run off of a Linux firmware. So I recommend that you update your firmware to the one current on the Linksys website in order to fix any bugs that may be causing your problem. If you feel more adventurous, you can explore third party firmware such as HyperWRT Thibor, OpenWrt, DD-WRT, etc., which can offer a ton more functionality to your router without any cost to you.


    Cheers,

    Alphalutra1
     
  5. f3x

    f3x Registered Member

    Thanks.

    I've tried playing with the channel.
    However, for some reason the last comp downstairs _needs_ me to be on channel 6. The more I go away from 6, the less signal it has. I guess there is something about wave physics and frequency and how the house is made that can explain that. Maybe 6 has the best reach and this is why it's the default.

    The only two things that keep me from moving to WPA are
    1) laziness... it works well now and I don't want to configure all 4 comps again
    2) I believe my PPC only supports WEP

    There is more than enough DHCP limit. Actually there's 100 and as far as I know 100 > 4 ;)

    Subnet is a good idea... making all computers + wireless repeater on the new subnet would be a pain though. (unless you know a good way to automate WPA + subnet install)

    I know the beauty of such Linux routers.
    I am also lucky to have got one of the old series... as new routers don't have Linux + have less RAM. DD-WRT is what I have on my router.
     