Intrusion possible?

Yes - if your cable modem or DSL modem is turned on, it is possible for someone to use your internet connection even with WEP.

-- johnny

I have a D-Link wireless router DI-614+. It's always on. Is it possible that somebody with a wireless-enabled PC uses my internet connection even when my PC is switched off? I use 64-bit WEP encryption on the router. Tardus

-- Tardus_merula

Yes. The PC probably is not necessary to connect the DI-614+ to the internet. There are some SBC PPPoE clients that are controlled by the PC, which do require that the PC first login, but those are few.

Useless. WEP64 can be cracked in about 15 minutes of sniffing.

-- Jeff Liebermann

Meph, I can hardly believe you wrote this stuff after your post "Public Access WIFI Security". And with an email like " snipped-for-privacy@bout.it" you have got to be joking. Unfortunately the OP might take you seriously and we don't want that, do we?

Tardus_merula, MAC filtering is not a security measure.

Think of it like this. There are baggage locks that scare away the occasional temptation, and there are Kryptonite locks that resist New York mobsters. WEP is so fragile today that it hardly offers resistance against tampering. It is very easy to find tools that crack WEP; they are publicly available on the internet. All that is needed to break in is the will.

MAC filtering is even less than WEP. Even if you never turned on your computer (which transmits your MAC) it is easy to silently try all the possibilities until a match is found.

Don't listen to Meph. And from this point on, neither will I.

-- speeder

First off - Linksys is the way to go - it's Cisco's version of products for the home. I haven't used D-Link with wireless; however, I know with the Linksys routers you can set up a list to restrict which MAC addresses can access your wireless internet. I have it set up to accept 3 MAC addresses: two are used and the other is sitting next to my Linux box. There are 3 people who are trying to connect but can't because of that.

If you can do that in D-Link, provided it's feasible, which unless you're running it as a wireless access point it is (and I doubt that, since you care who is connecting), definitely do it. It will keep everyone out except those who you want in.

-- teh Mephisto

I can see where you got that impression, but reality is quite different. Cisco has adopted a "hands off" policy toward running Linksys since they bought it in Mar 2003. Most of the original Linksys management are still in place. Absolutely none of Cisco's IOS operating system has appeared in Linksys products. Most are just commodity products, made in China, and similar to other major players in the market (Netgear and D-Link). Cisco may be on the front panel, but not inside.

MAC address filtering is nice but offers little in the way of security. It's incredibly easy to sniff an authorized MAC address, and then change your client's MAC address to the same as theirs.

It won't keep anyone out that knows how MAC addresses operate. However, it might slow them down until they figure it out.

-- Jeff Liebermann

There is no way anything can be totally secure; the only thing security measures do is prolong the time until you have been compromised. If you have more than one security measure (e.g. WPA2 and MAC address filtering) it will take longer to crack than if you only had one of them.

BTW, I'm still new at wireless security, and even the entire security field in general, so you will have to cut me a little slack.

-- teh Mephisto

Jeff Liebermann wrote: ...

And 128-bit wep? How secure's that?

-- Mike Scott

True, but MAC address filtering will add all of about 3 seconds. Not worth the hassle IMO. The only useful purpose of a MAC access control list is to log MAC addresses that are not allowed and to warn an administrator that unauthorized access has been attempted. You might find the attacker before he/she succeeds in breaking the other security measures. Not a likely scenario for a home network.

Sander

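An added example, not code from the thread, putting Jeff's sniff-and-clone point and Sander's "log the denied MACs" point side by side. It parses the 802.11 header the way an access point's MAC filter must (the transmitter address, addr2), applies an allowlist, logs every denied station, and shows that a frame carrying a sniffed allowed MAC walks straight through. The BSSID, station MACs and sequence numbers are constructed for the example. The backwards-sequence-number heuristic at the end is this example's own addition, not something the thread describes, and is only a hint: legitimate retransmissions and roaming can trip it too.

```python
import struct

DATA_TO_DS = (2 << 2) | 0x0100   # frame control: type=data, ToDS=1 (client -> AP)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_dot11_header(frame: bytes) -> dict:
    """Fixed 24-byte 802.11 MAC header (no QoS field, no FCS)."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    return {
        "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
        "addr1": mac_str(frame[4:10]),    # receiver (the BSSID when ToDS=1)
        "addr2": mac_str(frame[10:16]),   # transmitter: what a MAC filter keys on
        "addr3": mac_str(frame[16:22]),
        "seq": seq_ctrl >> 4, "frag": seq_ctrl & 0xF,
    }


def build_frame(fc: int, addr1: str, addr2: str, addr3: str, seq: int, body: bytes = b"") -> bytes:
    """Constructed frames for the sample capture below (not real captures)."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))
    return (struct.pack("<HH", fc, 0) + mac(addr1) + mac(addr2) + mac(addr3)
            + struct.pack("<H", (seq & 0xFFF) << 4) + body)


class MacFilterAP:
    """MAC ACL as on a home router, with a deny log and a spoof heuristic
    (the heuristic is this example's assumption, not from the thread)."""

    def __init__(self, bssid: str, allowed):
        self.bssid = bssid
        self.allowed = {m.lower() for m in allowed}
        self.deny_log, self.alerts, self.last_seq = [], [], {}

    def admit(self, frame: bytes) -> bool:
        h = parse_dot11_header(frame)
        sta = h["addr2"]
        if sta not in self.allowed:
            self.deny_log.append(f"DENY sta={sta} to={h['addr1']} seq={h['seq']}")
            return False
        # 802.11 sequence numbers are a 12-bit per-transmitter counter; a second
        # radio cloning this MAC tends to show up as the counter jumping backwards.
        prev = self.last_seq.get(sta)
        if prev is not None and ((h["seq"] - prev) & 0xFFF) > 2048:
            self.alerts.append(f"POSSIBLE SPOOF sta={sta} seq {prev} -> {h['seq']}")
        self.last_seq[sta] = h["seq"]
        return True


def demo() -> dict:
    """Constructed capture: owner's laptop, an intruder, then the intruder cloned."""
    bssid, legit, intruder = "02:00:00:00:00:01", "02:aa:bb:cc:dd:ee", "02:de:ad:be:ef:00"
    ap = MacFilterAP(bssid, allowed=[legit])
    capture = [
        build_frame(DATA_TO_DS, bssid, legit, bssid, 100),    # owner's laptop
        build_frame(DATA_TO_DS, bssid, intruder, bssid, 5),   # intruder's own MAC: denied, logged
        build_frame(DATA_TO_DS, bssid, legit, bssid, 101),    # owner again; this is what gets sniffed
        build_frame(DATA_TO_DS, bssid, legit, bssid, 6),      # intruder after cloning the allowed MAC
        build_frame(DATA_TO_DS, bssid, legit, bssid, 102),
    ]
    admitted = [ap.admit(f) for f in capture]
    return {"admitted": admitted, "deny_log": ap.deny_log, "alerts": ap.alerts}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The fourth frame is admitted: the filter sees only the cloned address and has nothing else to compare. The deny log catches the intruder's first, unspoofed attempt, which is the one thing Sander says the list is good for.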

Before you can sniff traffic there has to _be_ traffic. Beacon frames are not very useful. If a network is not in active use you'll have to wait until a client associates before you can actively attack that network. If you can capture the data of a client associating, you have the tools to do the rest quickly and no other traffic is necessary. You can generate it yourself. But you do need that traffic first so you can replay it.

Sander


Agreed.

Yep. I leave my laptop running in my vehicle sniffing away merrily. I was more interested in traffic and use patterns than in cracking WEP keys, but the methodology is the same. 8 hours later, I usually have enough traffic captured to crack many networks. My client is set up like a radio scanner. It listens on a channel for traffic. When the traffic stops, it moves on to the next channel.

My all-time record was about 2 years ago. My car was facing a large office building, where I captured about 4 gigabytes of traffic during the workday. I was able to later crack about 30 WEP keys out of about 40 encrypted SSIDs heard. A few were trivial. Just crunching the mess after doing the capture took most of the next day. I had to crunch it several times because there was one system that had 4 SSIDs associated with a single MAC address. Drove me nuts until I figured out what was happening.

WPA had just been released in early 2003, so none of the networks I sniffed were using WPA. However, I'm not sure as the RC4 encrypted payloads for WEP and WPA are identical. Only the key exchange is different.

The traffic patterns showed serious problems. About 25% of all packets heard were retransmissions, implying lots of reflections and interference. A full 50% of the packets heard were "malformed", which is a nice term for a collision. I discarded these. A few systems were operating at 1 and 2 Mbits/sec, which also indicates substantial co-channel interference. One system had about 1/3 of their traffic wasted as ARP requests, DNS lookups, and repetitive broadcasts, which indicates a screwed-up network. I found zero indication of any VPNs in use, but may have missed some under the packets I couldn't sniff or decrypt. There was a considerable amount of UDP traffic, which implies streaming content. That could be VoIP, but is more likely to be watching movies or listening to music at work. There was some worm that had just been released and there were plenty of ICMP probes flying around.

I should do this again to see how things have changed.

Agreed.

-- Jeff Liebermann

40 bit WEP requires about 150,000 packets, 104 bit WEP requires about 500,000. It doesn't take that much longer, a few minutes to get the extra ones and given that wepcrack can be run against the data as it's being collected, you can keep trying and might get lucky earlier.

David.

-- David Taylor

Well, there are other uses for MAC filters. I run an open (unencrypted) neighborhood WLAN with about 15 machines connected via wireless. New machines come and go as people bring their laptops and PDA's into range. No problem. However, we have a few teenagers with no clue about misusing or hogging the system. So, when the traffic goes tilt, and I see it's mostly porno, I block the MAC address and await the inevitable "is the network down" phone call. Not the best means of blocking abuse, but it gets their attention.

Some of the local public hot spots go a step further. They run some IDS (intrusion detection system) such as Snort to detect abuse. If it detects anything obviously disgusting, it blocks the MAC address for a few minutes. That's caught 3 different spammers at one hot spot. (Why 3 different spammers would select the same hot spot to do their spamming is an open question.)

Another dumb use of MAC filtering is where there's a system of multiple access points, all with the same SSID and no easy way to select a specific access point. This became a problem in a large concrete (refrigerated) produce warehouse. The reflections off the walls would sometimes cause a workstation to select the wrong access point. So, I added MAC address filters into the non-desired access points, leaving the clients to connect to the others. Keeping track of these settings has been no fun, but it did the job.

Another use is to mitigate a form of abuse. One hot spot operator was plagued by a nearby home user who decided that the hot spot would become his private broadband connection. Unfortunately, he was not very considerate with his usage patterns. At first, I blocked his MAC address, but he quickly figured out how to change that (probably from one of my postings). So, the hot spot had to go to an authentication system where the users get tokens at the cash register which entitle them to use the system. The owner keeps juggling systems and schemes, but one of them simply registered the MAC address in the access point's MAC address filter.

-- Jeff Liebermann

There's not too much difference between them because the weaknesses in WEP are not in the actual encryption algorithm itself (RC4) but in the way it is implemented in WEP. It might take a little bit longer to find a longer key.

Sander

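An added example, not code from the thread, showing concretely what Sander means by the weakness being in how WEP uses RC4 rather than in RC4 itself, and what Jeff and Sander mean earlier by capturing traffic and then replaying or generating your own. A minimal WEP (RC4 keyed with IV || root key, unkeyed CRC-32 as the ICV) is built, then attacked without the key in three ways: keystream recovery from one known plaintext under a reused IV, injection of a new frame under that IV, and bit-flipping of a captured frame with the ICV patched using the linearity of CRC-32. The 40-bit key, the IV and the payloads are constructed for the example; no real capture is involved.

```python
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: unkeyed CRC-32, little-endian."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(root_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Per-packet RC4 key is IV || root key; the 24-bit IV goes on the wire in clear."""
    ks = rc4(iv + root_key, len(payload) + 4)
    return iv + xor(payload + icv(payload), ks)


def wep_decrypt(root_key: bytes, frame: bytes):
    """Returns (payload, icv_ok); a real AP drops frames whose ICV does not match."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + root_key, len(body)))
    payload, tag = plain[:-4], plain[-4:]
    return payload, icv(payload) == tag


# --- what an attacker can do with captured frames and no key ---

def keystream_from_known_plaintext(frame: bytes, known_payload: bytes) -> bytes:
    """Known plaintext under an IV gives that IV's whole keystream."""
    return xor(frame[3:], known_payload + icv(known_payload))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Any other frame encrypted under the same IV falls to the same keystream."""
    return xor(frame[3:], keystream)[:-4]


def forge_with_keystream(iv: bytes, keystream: bytes, payload: bytes) -> bytes:
    """Inject a brand-new, validly-ICV'd frame under the reused IV."""
    if len(payload) + 4 > len(keystream):
        raise ValueError("not enough keystream for this payload")
    return iv + xor(payload + icv(payload), keystream)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Modify an encrypted frame without the key: XOR the ciphertext with `delta`
    and patch the encrypted ICV, using crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros)."""
    iv, body = frame[:3], frame[3:]
    if len(delta) != len(body) - 4:
        raise ValueError("delta must cover the whole payload")
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(body[:-4], delta) + xor(body[-4:], icv_delta)


def demo() -> dict:
    """Constructed traffic: one 40-bit key, one IV used twice, LLC/SNAP-prefixed payloads."""
    key = bytes.fromhex("0123456789")              # constructed "WEP64" root key
    iv = b"\x00\x00\x01"                           # many cards start IVs at 0 after reset
    snap = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"     # LLC/SNAP + EtherType IPv4: a predictable prefix
    p1 = snap + b"GET /index.html HTTP/1.0\r\n\r\n"
    p2 = snap + b"user=tardus&pass=hunter2\r\n\r\n"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)

    ks = keystream_from_known_plaintext(f1, p1)                   # attacker guessed p1
    recovered = decrypt_with_keystream(f2, ks)                    # reads p2 without the key
    injected = forge_with_keystream(iv, ks, snap + b"injected by attacker, no key")
    p1_modified = snap + b"GET /admin.html HTTP/1.0\r\n\r\n"
    tampered = flip_bits(f1, xor(p1, p1_modified))                # edits f1 in flight
    return {
        "p2": p2, "recovered": recovered,
        "injected": wep_decrypt(key, injected),
        "p1_modified": p1_modified, "tampered": wep_decrypt(key, tampered),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Both the injected and the tampered frame decrypt with a valid ICV at the access point, which is why the thread's advice to move to WPA stands regardless of key length: a longer key changes none of this.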

Use WPA if you can, else use 128 WEP. Hide SSID. MAC Filter.

-- Dan

At the end of that discussion, it should be clear that "reasonably secure" only excludes people accidentally falling onto the network and WEP alone would prevent those accidental incursions.

Hiding the SSID does nothing whatsoever from a security point of view; MAC filtering is next to useless, as even if the WEP key is unknown, the allowed MAC addresses are sniffable anyway; and finding the WEP key can take as little as around 10 minutes.

So, if some script kiddie is sitting next door with a copy of one of the live hacking CD's, they won't take long before they're on your network with those 3 "features".

WPA it is then.

David.

-- David Taylor

Thanks all for a thorough discussion of the security problem. So, what can one do to make WLAN reasonably secure (home network conditions apply). Tardus

-- Tardus_merula

Thanks to Dan and David. I'll do all my banking hardwired. Tardus

-- Tardus_merula
