January 25, 2006  |  Bobby Malik  |  Getting Connected
5 Steps to Home Wireless Security

One of my friends recently bought a wireless router for his home. After he bought the router, he asked me about what he should do—at a minimum—to secure the router. He had the following simple requirements: First, secure the router so that no one except him could change its settings, and second, prevent any unauthorized users from connecting to the router or gaining access to the network.

As most people do, my friend initially set up his router using the product’s installation and setup wizard. Using this wizard, he was able to secure the router by changing the administrator password. However, although using a router’s setup software to set an administrative password is a good start, it provides only basic security. And in my friend’s case, it met only his first requirement.

Chances are, if you’re like my friend, your wireless network remains wide open: Anyone in your wireless router’s range can connect to your network to access the Internet—and your home PC. If you’re in this situation, you have some work to do. Here are five steps that you can follow to secure your home wireless network:

Step 1: Change the Router’s Default Administrator Password
Out of the box, most routers contain a default user ID and password. Because this password is well known (i.e., printed in documentation included with the router), you must change the default password. You can easily make this change by running the router’s installation and setup wizard.

If you have a router that doesn’t provide such a wizard, you can connect to the router through an Internet browser and change the password. For example, to connect to a Linksys router, after powering up the router and connecting the Ethernet cable to the router, open a Web browser and type 192.168.1.1. Use the default user ID and password to log on to the router, then change the default password.

Step 2: Change the Default SSID and Disable SSID Broadcast
All routers are shipped with a Service Set Identifier (SSID) that’s set by the manufacturer. An SSID is a sequence of as many as 32 letters or numbers that comprise a wireless LAN’s (WLAN’s) ID or name. For example, the Linksys router’s default SSID name is Linksys. Default SSIDs are well known and published. Therefore, wireless-router manufacturers advise that you change the default SSID so that it’s unique. Moreover, router manufacturers suggest that you change SSIDs as often as possible: Hackers know that, in order to join a wireless network, wireless networking products first listen for “beacon messages,” which are transmitted unencrypted. These messages contain network information, such as the network’s SSID and the IP address of the network PC or Access Point (AP).

By default, a router also broadcasts its SSID. You should disable this behavior. Although doing so won't provide tight security—a commonly available tool such as NetStumbler can detect hidden SSIDs—disabling the SSID broadcast adds one more layer of protection against casual eavesdroppers. However, exercise caution if you disable SSID broadcast: Some devices, such as HP Palmtops, might not be able to connect or might drop connections intermittently if the SSID isn't broadcast.

Step 3: Change the IP Address Setting
Every router ships with a manufacturer-assigned IP address. Linksys routers, for example, come configured with an IP address of 192.168.1.1. These address settings are well known and published, so a malicious user who knows the router's manufacturer and model can easily guess your router's IP address. Therefore, you should change the IP address as part of the setup process. Continuing with the Linksys example, you can change the default 192.168.1.1 address to 192.168.10.1. Although changing the IP address doesn't secure the router, it does force an eavesdropper to guess the address.

DHCP is also enabled by default on every router. The router's DHCP server hands out IP address information to client machines. By default, it hands out addresses in the 2-to-254 range (the last octet of the address), so 253 client machines can get an IP address from the router. You probably don't have that many systems at home, so it's best to reduce the DHCP range to the number of machines that you expect to have in your network. As a rule of thumb, I set the router to hand out addresses for the number of machines in my network, plus an additional two for visiting friends and family.

Step 4: Set Up Your Router to Use Encryption
A router's default settings don't include encryption. Because encryption provides security to your wireless communication, you must enable it. However, before setting up encryption, you must understand a few facts about wireless encryption and the security that different types of encryption standards—specifically, Wired Equivalent Privacy (WEP) and WiFi Protected Access (WPA)—provide.

WEP
WEP is the 802.11 standard’s optional encryption method. It's supported by most wireless NIC and AP manufacturers and is the most common method for securing home wireless networks. However, WEP has two limitations. First, its key is long and difficult for an ordinary user to remember, so setting up the network for such a user can be challenging. Second, and more serious, malicious users can use freely available tools (e.g., AirSnort, WEPCrack) to easily decrypt WEP-encrypted data. By sniffing a heavily used wireless network (i.e., capturing transmitted data packets) for about 5 hours, an intruder using these tools can determine the WEP key and gain access to the network.

WEP vulnerabilities are well known and published. In January 2001, UC Berkeley published a white paper about WEP vulnerability, and in March 2001, the Department of Computer Science at the University of Maryland, College Park, published a document called Your 802.11 Wireless Network Has No Clothes that lists WEP vulnerabilities.

Although WEP isn't the most secure method available, it's nevertheless better than using no encryption at all. Home networks aren't as heavily used as corporate networks, so it can take an intruder much more time to sniff the home wireless network and gather enough packets to decipher the WEP key than to gather the same information from a corporate network.

WPA
WPA was created as a bandage for WEP security, an intermediate measure to take the place of WEP during the preparation of the 802.11i standard. WPA is designed for use with 802.1X authentication—for example, you might use WPA in conjunction with a RADIUS server that's responsible for distributing keys to each user. You might also use a less secure pre-shared key (PSK) process.

One big WPA improvement over WEP is the addition of the Temporal Key Integrity Protocol (TKIP), which dynamically changes the keys used to encrypt the data (i.e., every 10,000 packets). This change alone makes WPA more secure than WEP. Another advantage of WPA is that it takes a pass phrase as its key, which is easier to remember and set up than the long and complicated WEP key. Figure 1 shows the Linksys router's pass phrase key setup.
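
The following is an added example, not code from the article or from Linksys, showing what the router actually does with the pass phrase you type into a WPA pre-shared key (WPA-Personal) setup page. The IEEE 802.11i standard maps the pass phrase to a 256-bit key with PBKDF2-HMAC-SHA1, using the network's SSID as the salt and 4096 iterations; the router and every client compute the same key independently. The function and constant names are my own, and the two SSIDs in the usage block are constructed values.

```python
import hashlib
from typing import Optional

# IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as the salt,
# 4096 iterations, 256-bit (32-byte) output. These two values are fixed by the standard.
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32


def passphrase_problem(passphrase: str) -> Optional[str]:
    """Return None if the pass phrase is acceptable for WPA-PSK, otherwise the reason.

    The standard allows 8 to 63 printable ASCII characters (0x20 through 0x7E);
    a router's setup page enforces the same limits.
    """
    if not 8 <= len(passphrase) <= 63:
        return "pass phrase must be 8 to 63 characters long"
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        return "pass phrase must contain only printable ASCII characters"
    return None


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key that both the router and the client compute."""
    problem = passphrase_problem(passphrase)
    if problem:
        raise ValueError(problem)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, dklen=PSK_LEN
    )


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """Same key as wpa_psk, in the 64-hex-digit form some routers accept directly."""
    return wpa_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Same pass phrase on two networks: the derived keys differ, because the SSID is the salt.
    # Both SSIDs are constructed examples.
    for ssid in ("linksys", "MyHouseNet"):
        print(ssid, wpa_psk_hex("correct horse battery", ssid))
```

Two practical points follow from the derivation. Because the SSID is the salt, a key computed for a pass phrase on one SSID is worthless on another, which is the cryptographic reason Step 2's advice to replace the default SSID matters even after you enable WPA. And because the output is always 256 bits regardless of input, the strength of the key is exactly the strength of the pass phrase: a short or dictionary pass phrase gains nothing from the 4096 iterations beyond a modest slowdown.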

All this being said, WPA only recently became a standard, in February 2004. Since that time, devices must support WPA to pass certification, but older systems might not support WPA without a firmware upgrade. If you bought your device before February 2004, chances are that you'll need to update the firmware to get WPA support.

Besides the update required for older routers, a client-software update might be necessary. For example, if you aren't running Windows XP Service Pack 2 (SP2), you'll need to download and install the WPA support patch.

Step 5: Use the MAC Address Filter
Every NIC has a unique MAC address. You can configure most wireless routers to filter based on these addresses. To display XP's IP configuration, which includes the MAC address (as Figure 2 shows), simply type

C:\>ipconfig /all

at a command prompt. After you know the MAC (Physical) address, you can log on to the router (by browsing to the router's IP address) and add the MAC address to the filter. Figure 3 shows how to add the MAC address to a Linksys router. You need to add and save the MAC address to your router only once; subsequent connections from that device will be seamless.

Before adding the MAC address, you must enable the MAC filter. Most routers let you either allow only specific PCs to access the network or deny specific PCs access to the network. Figure 4 shows the settings for the Linksys router that allow only listed PCs to access the network. Generally, you don't know in advance whom to deny; therefore, it’s best to use the Allow only specific clients option.
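
As an added example (my code, not the article's or any router vendor's), here is the Step 5 procedure in script form: pull each adapter's Physical Address out of `ipconfig /all` output, normalize it to one spelling, and model the router's two filter modes so you can check what a given policy would do before you save it. The `ipconfig` text below is a constructed sample rather than a capture from a real PC, and its MAC addresses have the locally administered bit set so they belong to no vendor.

```python
import re
from typing import Dict, Iterable

# Constructed sample of `ipconfig /all` output on Windows XP (not a real capture).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : den-laptop
        Primary Dns Suffix  . . . . . . . :

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Wireless-G Notebook Adapter
        Physical Address. . . . . . . . . : 02-00-5E-AA-BB-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.101

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 02-00-5E-AA-BB-02
        IP Address. . . . . . . . . . . . : 192.168.10.102
"""

# "Ethernet adapter Wireless Network Connection:" -> adapter name
_ADAPTER_RE = re.compile(r"^\S.* adapter (.+):\s*$")
# "Physical Address. . . . : 02-00-5E-AA-BB-01" -> the raw MAC
_PHYSICAL_RE = re.compile(r"^\s*Physical Address[ .]*:\s*(\S+)\s*$")


def normalize_mac(raw: str) -> str:
    """Return 'aa:bb:cc:dd:ee:ff' from Windows (-), Unix (:) or Cisco (.) notation.

    Routers and client tools disagree on separators and case, so compare
    addresses only in one canonical form.
    """
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ipconfig(text: str) -> Dict[str, str]:
    """Map adapter name -> normalized MAC for every adapter that lists a Physical Address."""
    result: Dict[str, str] = {}
    adapter = None
    for line in text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            continue
        m = _PHYSICAL_RE.match(line)
        if m and adapter:
            result[adapter] = normalize_mac(m.group(1))
    return result


class MacFilter:
    """Model of the router's MAC filter.

    mode 'allow': only listed addresses may join (the option the article recommends).
    mode 'deny':  listed addresses are blocked, everything else may join.
    """

    def __init__(self, mode: str, entries: Iterable[str]):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.entries = {normalize_mac(e) for e in entries}

    def permits(self, mac: str) -> bool:
        listed = normalize_mac(mac) in self.entries
        return listed if self.mode == "allow" else not listed


if __name__ == "__main__":
    macs = parse_ipconfig(SAMPLE_IPCONFIG)
    allow_list = MacFilter("allow", [macs["Wireless Network Connection"]])
    for name, mac in macs.items():
        print(f"{name}: {mac} -> {'allowed' if allow_list.permits(mac) else 'blocked'}")
```

Note that in 'allow' mode an empty list blocks every wireless client, including the PC you are configuring from, so add your own adapter's address before you save the setting.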

Filtering MAC addresses isn’t foolproof: An intruder can change a device’s MAC address to circumvent MAC address filtering. However, a hacker would need to know the MAC address of a device on your network before doing so.

Just Like Locking Your Home
Just as you secure your home by locking your doors and windows, you must take the precaution of securing your wireless network by locking it down. By changing your router’s default administrator password, changing the default SSID and disabling SSID broadcast, changing your IP address settings, setting up your router to use encryption, and using the MAC address filter, you can easily secure your home wireless network, as my friend did. Although these steps won’t prevent a dedicated intruder who’s intent on hacking your network, they’ll keep most malicious users and eavesdroppers away.

Reader Comments
 


This article was very helpful. It addresses a strongly felt need. Thank you.

Brad Bergh -January 25, 2006



What about WPA2? Is it a better choice for those that have it available?

Lance Overk -January 25, 2006



To really know how to secure your wireless network go to http://www.grc.com/SecurityNow.htm and review episodes 10,11,13.

Alex -January 25, 2006



I want to allow anyone to access the Internet via my router, but want to keep my home network and PCs as secure as possible. How would you alter the five-step process to accomplish this objective?

John Davis -January 25, 2006



Thanks so much for this article; it helped me solve some little problems with my connections. It's fantastic and I would like to receive more about troubleshooting in the future.

lateef a. ola -January 25, 2006



Good article, easy to understand, well structured and effective. The comments on changing the base IP address are useful, as is the tip to reduce the number of IPs the DHCP server allocates!

Richard Hayes -January 25, 2006



TO JOHN DAVIS - You can make sure that your networked computers are all firewalled, which they should be anyway. Preferably, you'd add another router to your network and place your private LAN behind that. That's a bit of money just to be a nice guy doing something illegal. The other problem with allowing other "unknowns" access to your ISP through your WiFi is that if they start downloading tons of kiddie **** or trading it or doing other kinds of nefarious activity through your IP, guess who's going to be answering questions from the FBI? Yes, John Davis. Then try proving that it wasn't you. Good luck.

Alex -January 25, 2006



It helps me to be aware of wireless home networks.

malai -January 25, 2006



There are a couple of minor errors:

1) MAC Address Filtering, WEP, disabling SSID broadcast and changing your IP are all useless to prevent access. A hacker will use Airsnort and Kismet to determine legitimate MAC addresses, your WEP key and any valid IP Addresses by grabbing frames directly. WPA is all you need to spend the time on enabling - the others are a waste and just interfere with your legitimate use. If WPA is a deadbolt, the other changes are pretty much that little lock on the handle - useless. Also "security through obscurity" is no security at all and just provides a false sense of safety. Better to focus on the really important thing here.

2) WPA is 99.9% secure currently against a hacker with realistic computing resources (e.g. less than a supercomputing cluster) provided you use a hard to guess key (long, not just words, not your bday, kids names, etc....). WPA2 uses a better encryption algorithm but isn't as widely supported on the client side. Currently there is no advantage to WPA2 unless you are concerned about organizations like the NSA who have the resources available to crack the RC4 algorithm with TKIP in WPA - WPA2 uses AES instead.

3) The other bigger hole in your security is your laptop. Realize that connecting to foreign networks at hotspots and hotels opens you up to worms and hackers that can easily lead to malicious software being installed on your system. Where your wireless network might reach people in your neighborhood, once you have malicious software on your system you are open to everyone in the world....Microsoft has left huge vulnerabilities within Windows Zero Config. You are actually broadcasting the name of your home network and every network you attach to every time you fire up....Learn the advanced settings and disable the automatic connection and enable Windows Firewall. Do the same for your home systems - it is safer to assume a hacker already has access to your network or that every computer on your network is already publicly viewable. Check out D-Link's new Securespot to further secure your Internet connection. http://www.dlink.com/products/securespot/

4) And for those looking to host public access - you are taking a large risk. Spammers have already been convicted for relaying through insecure WLANs. Hackers are already using them for high speed, anonymous, launching points for attacks on target systems. The FBI will call and I am sure that Homeland Security is eventually going to lobby for legislation to fix this risk.

Brad -January 26, 2006



Disabling SSID broadcast can prevent your neighbors from connecting to your wireless network by accident/chance, so it's not completely useless. Likewise, using MAC Address Filtering can prevent others from stumbling onto your network. Not everyone is a hacker, some are just temporarily confused users.

Ola -January 26, 2006



Hey Brad, you make some interesting points. Let me know if you'd like to write a follow-up article. We want as much community involvement as possible here. Email me at jbovberg@connectedhomemag.com if you're interested.

Jason Bovberg -January 26, 2006



This article was very helpful. It allowed me to understand wireless security better. After reading this article I proceeded to apply some of the learning points to my wireless network.

Manuel -January 27, 2006





WEP can be cracked in less than 1 hour.

USE WAP!

James -January 28, 2006



One more thing, MAC address filtering is useless because once a perp intercepts a single packet, he has the MAC.

James -January 28, 2006



James, you said: One more thing, MAC address filtering is useless because once a perp intercepts a single packet, he has the MAC.

--And if he captures the MAC, what is the next thing that can be done to recover from this attack?

Jim -January 28, 2006



Very interesting. I remember working on a friend's wireless-enabled laptop and there was a wireless network available although there was not one at that address. Obviously it was a neighbour's. This article opened my eyes as to how dangerous it is to leave your wireless network unprotected.

Lawrence -January 28, 2006



Hahaha,

Everyone is screaming about WPA, but it is just as insecure as WEP. All you need is two wireless cards and a little knowledge and you can crack WPA in 5-10 minutes. And for all the crazies who think this isn't true, here is a tip: you send disassociate packets to a host and it will keep transmitting packets to reconnect, which you can grab parts of the WPA key from. Game over, you lose.

security -January 31, 2006



Thanks for the info provided above. As for WPA not being secure, it's the closest thing to being secure on a wireless network at this point in time. Your information is of value to everyone on the forum; keep up the good work.

Ed -February 2, 2006



Only "real" security on a wireless network is to connect the AP directly to a VPN solution, and use a VPN client for connecting from the wireless zone. A wireless network is about as secure as a direct internet connection, and should be treated as such. Crypto basically only gives you LEGAL protection, against potential abusers connecting from your network, since you can prove that you actually TRIED to prevent them from abusing your internet connection. It does not by ANY means give you anywhere NEAR the security of a shielded ethernet cable. Let's face it: Any radio signal can be intercepted. The only thing you obtain by adding layers of obscurity is a slight delay to the hacker getting in, and a slightly added latency to your own legal connection. Using a VPN setup adds about the same latency overhead, and is a LOT more secure.

//Svein

Svein -March 10, 2006



Going with the Kiss (Keep It Simple Seriously) premise, I would simply (admin) passwd protect the wireless router, chg the router default IP, limit the DHCP to EXACTLY the number of local systems. Or alternately assign the localsys's with a static IP.

If you are concerned about hackers using your system - lock up all unused PORTs on your hardware firewall.

P2E

Press2Esc -April 16, 2006



How does one go about monitoring who may be accessing one's home wireless network? What tools can be used to see those connections (or those attempting to connect)? Is there anything which could pop up a warning on the host system to let you know someone is accessing your network? Thanks!

Captain Nemo -May 7, 2006



Very good article; now the issue is how to control usage. Example: 4 PCs on the router and I want to be able to control the time usage on 2 of the PCs (children).

Roger Currie -May 10, 2006



What do you put at the 2 spots for the DNS?

thomas -July 18, 2006



How do you put TKIP on a wireless router?

william -September 8, 2006



Check wireless resources at www.wavetraffic.com

hyperwebby -October 11, 2006



I am printing off this whole thing. Can't wait to read it. I hope it's just what I'm looking for! Thank you! I will come back and let you know how I did with it!!! I'm SO happy to have found this information!!!

Rose -December 14, 2006





Great article with a cherry on top (comments from others). Those five steps, omitting the DHCP stuff, are just what I already do. Looks like I have a little more playing to do, however; the comments on cracking TKIP using two wireless cards are very interesting and make perfect sense because only the data in a packet is encrypted, the rest is out there. I've always agreed with MAC filtering, but thinking of it in terms of the structure of the packet and what part is encrypted now leads me to keeping this as a corporate policy for people who have been terminated, to keep their personal wireless devices from connecting back to the network. If it's an admin, however, you would want to make sure you change everything about your access points. My next step personally is to get a PKI built with some VeriSign keys and then the RADIUS server.

Home users: the statements that included the FBI calling you are actually the reverse of what was said. Having an encrypted and harder to breach security scheme is less deniability for you when someone does break it and looks up child *********** or does something else illegal. So far in U.S. court cases people accused of downloading music illegally have been acquitted so long as they had wireless and no security. Could have been anyone at all, a neighbor or a hacker downloading music; is it their fault they don't know how to secure their wireless AP? Not in the eyes of the justice system it is not. Deniability even though it probably was them.

Thanks for all the comments and the great kick off article.

Dru Oswald -January 27, 2007



John Davis -

I agree with you. Typical scare tactics to keep people from sharing broadband bandwidth and keeping the cable and phone companies' pockets loaded while decreasing the productivity and portability of wireless Internet. If the FBI was investigating kiddie **** - it would take a half second to exonerate you.

Craig -February 17, 2007



I want my wireless security, so please help me. Thank you.

shahzad -March 26, 2007



don't forget about AP spoofing...the "man in the middle" attack.

Tyler L. G. -April 24, 2007



I've installed a Trendset TEW-432brp. I type 192.168.1.1 on my web page. I expected to get "wireless security" page so I can change password. But I get a lot of articles etc. What am I doing wrong? thanks

Mike -December 7, 2007



nice article.. ThanQ

www.e-jamal.tk

Jamal -December 26, 2007



Well written and USEFUL Article - Thanks.

Lou -December 26, 2007



Good and useful article, given so many people have unsecured wireless networks in both home and office settings. But disabling SSID is counter-productive and increases the security risk. Microsoft strongly disagrees with hiding SSID broadcast.

deeb -January 13, 2008





USER

ALI -April 22, 2008



this is a useful site

(no name given) -May 5, 2008



Very nice article, really gave a lot of insight into my wireless network architecture and how to secure it ... Thanks a lot !!! Keep up the good job !!!

AD -July 27, 2008



[quote]Hahaha,

Everyone is screaming about WPA, but it is just as insecure as WEP. All you need is two wireless cards, and a little knowledge and you can crack WPA in 5-10 minutes. And for all the crazy's who think this isn't true, here is a tip, you send disassociate packets to a host and it will keep transmitting packets to reconnect which you can grab parts of the WPA key from. Game over, you lose. [/quote]

You are obviously a script kiddie; if you weren't, you wouldn't be reading this nor bragging like an idiot. While that's true, someone would have to be actively connected and you'd still have to attempt to crack the key. Even if you have a large rainbow tables database, it can take quite an extensive amount of time on any decent passphrase, not to mention you then have to worry about security inside once you connect; considering it's their connection, you're free to be hacked into without any consequences, reported, and/or I'll be outside waiting for you with friends trying to see who can pop your tires with a rifle first.

Dorky -October 1, 2008



In the amount of time it took me to read this you could have come to my house and fixed my computer for me! But hey, thanks.

darren -November 3, 2008



I want to have open access to the internet (for friends and guests) and also have a secure network that they cannot get to. The only access they have will be wireless. Using a second router, how can I do this?

Note: I do not want lectures about crime and kiddie ****. I am 100% sure that I do want to provide open access to the web while having a protected part as well. I am quite content to live with the limits of typical home security, I am not worried about hackers. Please don't lecture me, instead please help me. Thanks!

(no name given) -December 28, 2008





Well, I'm in a mess here about my wireless. I went to change my password and it unsecured my network, and now I don't know how to put it back, so if you could help me that would be great. If not, I'm going to have to buy a new wireless network, so please help me. Anyone in my state or town who could help me, that would be great. I'm in Michigan.

michelle -August 29, 2009



I am interested in setting up a password for my LINKSYS router before accessing the Internet, to show the outsider that the Internet access is secure, but I don't know how. Can anyone assist me on this? At present I am trying to use the MAC addresses of my PCs that can access my wireless router, to protect my router from being hacked by an outsider.

Many Thanks

KK -September 7, 2009





I am no expert, script kiddie, or dummy, but there is the question of “security vs. performance.” Many routers and adapters, especially when crossing OEMs, create performance problems when adding minor "security through illusion" configurations. For example, new technology (“rough draft N” and others) has compatibility problems, i.e., when Linksys and Belkin can’t communicate on certain firmware in N-only broadcast or in WEP 128-bit, etc. So is it worth the WPA2 when you get a connection of 54 Mbps when you could disable security and pull 300 Mbps? Again, this is more of an issue with new technologies and crossing vendors. But at the same time we all know those configs slightly hinder performance in all situations. I do agree with minor changes to keep your neighbor from being curious. But I feel people would rather stream video faster than worry about Joe Blow pulling a “driveby” on their wireless network unless they have amazing things on their PC to attract that type of attention. Some things that were indirectly mentioned but need more detail: * limiting the number of connections on your router to only the computers needing access at that time (not what could be needed), obviously encompassed with the MAC filter; * disable router management via wireless or remote, and require a wired HTTPS connection to manage the non-1.1-addressed routers. You cannot prevent intrusion, but limit it to those very few (if you live in a smaller town they probably aren’t your neighbor) and make sure you monitor your logs, export them somewhere so they don’t get tampered with, and see what is going on reactively as well.

2cent -December 31, 2009



Well, these are nice tips; visit my blog about wireless too: Wireless Home Security (http://theautogadgets.com/)

Wireless home Security -January 23, 2010


Connected Home is a division of Penton Media, Inc.

© 2010 Penton Media, Inc.