How To Secure A Wireless Network

[GT4 BOOSTER]

need help putting protection on a wireless network at home,its all new to me this.do i just secure the pc thats connected to the modem/router using a password or do i need to enable this WEP thingy on all the pc's on the network????????

its netgear products if it makes any difference--thanks for any help but please make it understandable to me

[Fidgits]

Yes, you enable WEP - and you will either configure a password or key..

you then enter password/key on the machine at you want to access wirelessly... this will secure the traffic from the laptop to the access point.

To make it more secure - change the SSID - away from Linksys or whatever to something random - and once the machines have found and connected, go back to the configuration and unselect 'broadcast my SSID' - that means no-one else will be able to find you access point...

Its worth mentioning WEP is not actually that secure, WEP2 is better, but if you have a TKIP option, you want to go that route - CCMP is of course, the strongest, but i dont think thats commerically available yet - but they word of warning is you can download software to crack WEP keys in a matter of minutes, thats what happens when network protocol boys are allowed to define security protocols..

but yeah, so hiding your SSID and enabling WEP will give you reasonable security at home - and all your secure websites will still have SSL accross them, so you should be okay - but if you dealing with anything corporate, then i would reccomend another layer of security ontop of the WEP, such as IPSec....

[Jamesb4uk]

thats of course if you can select 128 bit encryption in windows - my XP Pro only lets me choose 40bit or 104 bit :(

But what Fidgits said would be right

J

[Demonic Angel]

As a rule then - wireless networks are less secure?

Ian - you need to teach me all this stuff you know! ;)

[knowlson]

If you want a WEP key

Wep Generator

[Fidgits]

James - in that case, go 104 bit...

This number refers to the length of the key used to encrypt the data - general rule of thumb, the longer the key, the harder it is to break..

Em, Generally, in a network, if you have a 802.11 wireless link, you are broadcasting your IP packets in the 'open' - a famous story is HP in Palo Alto spent about $750,000 upgrading their entire R&D site to wireless a few years ago - only to find out anyone could access their servers within 10 minutes being sat in the carpark - they ripped it all out and had to spend another $300,000 putting the old system back in...

But WEP is a wireless encryption standard - basically it exncrypts the packets between the laptop and access point, so you cant 'snoop' the data in the air - its also important to turn this on - because i will mean not just anyone can access your network - think of it as a 'log in' password to your wireless router.

The SSID is the name of your wireless access point - and generally this is transmitted in a 'here i am' fashion, which is great when people want to connect, but it also makes you open to attacks - so it you turn off broadcast, then only machines that know the SSID in advance can see and connect to the access point...

For corporations, and paraonid users, 802.11i will be a better solution, this will incorporate CCMP rather than WEP - CCMP is written by the security protocol people, and will be much more secure than WEP...

[Goders]

If you want to tighten up the security further (after adding WEP, changing & hiding SSID's) you can also set up MAC Address filtering. This will only allow machines with known MAC Addresses to access your wireless router.

This should be more than enough protection for most home users.

[GT4 BOOSTER]

i managed to set up 128 bit encryption - thanks

[sotal]

If you want to tighten up the security further (after adding WEP, changing & hiding SSID's) you can also set up MAC Address filtering. This will only allow machines with known MAC Addresses to access your wireless router.

This should be more than enough protection for most home users.

←

The MAC address filtering can help, but when I first set my home network up I just used MAC address Filtering figuring that would be more secure. One of my mates popped over with his laptop ran a little utility which scanned what was going on for a minute or two and picked up all the MAC addresses which were accessing the router, then used a MAC spoofing tool and was straight in - all within a couple of minutes.

I now use 128bit WEP but he still reckons he can be in within minutes!

[Fidgits]

I now use 128bit WEP but he still reckons he can be in within minutes!

←

if he knows what he's doing he can

of course, thats where the 'honeypot' comes in

Dont worry, when you upgrade to 'i', he wont be able to get in ;)

[Jamesb4uk]

James - in that case, go 104 bit...

Would do Ian, but the router (netgear) will alow me to set 128, but the PC's & laptops i have will only allow me to select 104... :ffs:

nm, i'm hidden with Mac filter enabled so i'm happy.

J

[sotal]

Just on another note, there is a tool called netstumbler which is free which will tell you all the netwroks in the area even if the SSID isn't broadcast. The whole concept seems completely flawed to me

[Fidgits]

James - in that case, go 104 bit...

Would do Ian, but the router (netgear) will alow me to set 128, but the PC's & laptops i have will only allow me to select 104... :ffs:

nm, i'm hidden with Mac filter enabled so i'm happy.

J

←

thats strange - have you got the latest drivers/software for your wireless card...

I take it your access point/router is a 'G' and your card is a 'B' (which are compatible by the way)...

[Jamesb4uk]

James - in that case, go 104 bit...

Would do Ian, but the router (netgear) will alow me to set 128, but the PC's & laptops i have will only allow me to select 104... :ffs:

nm, i'm hidden with Mac filter enabled so i'm happy.

J

←

thats strange - have you got the latest drivers/software for your wireless card...

I take it your access point/router is a 'G' and your card is a 'B' (which are compatible by the way)...

←

Yes mate - 2 pc's using d-link PCI cards, 1 IBM t41 with onboard Intel card & 1 IBM t23 with a Cisco PCMCIA card.

All running windows XP Pro & all updates & drivers.

J

[Fidgits]

you got the latest firmware update for your router also?

[Jamesb4uk]

Yep - the router allows me to select 128bit but go to put the key into Windows & it pops up saying only 40 or 104 bit keys are allowed

BTW sorry to hijack the thread

J

[sotal]

I might be wrong but I think 104bit and 128 bit are the same thing just different names.

128bit = 104bit Encryption + 24 bit Initialization.

64bit = 40 bit Encryption + 24 bit Initialization.

Windows is just telling you what the actual Encryption will be

[Fidgits]

hmmm, tricky one...

not sure what to suggest..

[Fidgits]

I might be wrong but I think 104bit and 128 bit are the same thing just different names.

128bit = 104bit Encryption + 24 bit Initialization.

←

i dont think so...

im pretty sure 104 is the key length for 802.11b WEP...

128-bit is the new 'g' ley length..

IV vectors tend to be 8 bits anyway, not 24...

But, i could be wrong

[sotal]

I use a 802.11b Card in my laptop using winxp and that connects fine to two 128bit Secured Networks

[Fidgits]

yeah, i suppose if they have long IV's then that would explain the disconnect, but generally you refer to the key length, not key + IV...

[sotal]

A quick search on google....

WEP: better than nothing

If you've read our Wireless Security Blackpaper then you know that Wired Equivalent Privacy (aka WEP) is not bulletproof. But then again, neither is your head, and if you use it in conjunction with other things, you can probably keep yourself out of trouble. WEP should be enabled, and ideally you should use the strongest key possible (on home systems, that's going to typically be 128-bit, but 256-bit is available with select hardware). 64-bit encryption (with a 40-bit encryption key and a 24-bit initialization vector) and 128-bit encryption (with a 104-bit key and a 24-bit initialization vector) are standard on most units (if they have the latest firmware), although you may see them identified only by key size, rather than key-size plus initialization vector bit size (e.g., as 40-bit and 104-bit). While it is true that you will get slightly higher performance with a 64-bit key (less encrypting means faster throughput), 128-bit encryption still delivers excellent throughout, and is harder (more time consuming) to crack. Use 128-bit (or higher). Currently 256-bit encryption is available on select D-Link units, and as an added bonus, I might note that 256-bit support, since it is so rare, really narrows down the field of potential attackers.

of course it might all be out of date now ;)

[DaveSR]

I might be wrong but I think 104bit and 128 bit are the same thing just different names.

128bit = 104bit Encryption + 24 bit Initialization.

64bit = 40 bit Encryption + 24 bit Initialization.

Windows is just telling you what the actual Encryption will be

←

You ARE correct !

Not much else to say as Fidgits has said it all!

[Fidgits]

cheers for the info - you learn something new everyday huh? oh well, what do you expect when wireless people make security protocols!

In every other encryption algorithm we work with 8-bit Initalisation vectors... well that explains a lot...

there you go james - see if that works for you?

[sotal]

Is this Fidgits saying he is wrong

I don't think I've ever seen Fidgits own up to being wrong!!! Is this a forum first!!!

*crosses fingers and hopes that fidgets is wrong!*