Maximizing wireless security

I have a Netgear WGR614 v6 wireless router which I have recently begun to use wirelessly for my wife's work laptop. There is also a desktop connected to the router via Cat 6. Both machines are running XP SP2 with all updates. I have the router set as follows and want to be sure I'm doing all I can to maximize security on the network:

- File sharing is OFF on both PCs

- Router setup password has been changed to 14 random characters

- Router updated with most recent firmware

- SSID set to 13 random characters

- SSID broadcast is OFF

- WPA-PSK activated w/10 random character passphrase (tried a longer passphrase, but Windows Networking seemed to have trouble with it, kept defaulting to a shorter phrase). Key lifetime is the default 60 minutes.

- Access control is ON with the MAC addresses for the 2 PCs being the only ones entered.

We live in a fairly remote suburban area, so I don't think the threat of "wardriving" is what it might be in a more populated area, but I still want to be sure I'm doing all I can in terms of security.

TIA

Dan


Just my preferences: run the network open but with MAC address access controls and install IPSec VPN software with strong encryption on your hosts (you can run a port of OpenBSD's ISAKMPD under cygwin on the desktop if you don't have a border router, and the laptops can run the free SSH_Sentinel Ver. 1.3.2.2). Even with WPA/WPA2 it is often better to handle the encryption on your hosts rather than to expect the appliance AP/router product to do it well.

Regards,

Michael


Where is the other end of the VPN? He doesn't have file sharing turned on for either PC.

dold

If high security is a top priority, I was suggesting that he establish the desktop as a VPN endpoint. This would also entail a separate segment for the wireless VPN (separate NIC or perhaps using the USB connection to the AP/router). I assume the desktop O/S is XP Pro; my experience doing this is with Win2k. Filters to pass only AH and ESP and ICMP would be needed on the wireless i/f. Doing this on a Windows O/S under cygwin and with ported unix code is possible, but I would really recommend adding an obsd box as a border router and running ISAKMPD for the wireless segment. This is just my personal approach. I assume there are native MS solutions for this as well (L2TP and less secure methods?). I am replying as a reader of alt.internet.wireless and my suggestions come from experience building similar small VPNs as described. All of this presumes that the O.P. has really serious security concerns.

Michael


If you trust the PCs, turn file and print sharing back on, unless you really don't need it.

Fine, so long as you remember it.

Ok

This really doesn't matter; whether 1 or 100 characters, it's just an ID.

Might not be applicable if you don't have neighbors or many nearby wireless networks; however, I would turn it back on so that it's possible for others to see your network and not plop down on top of it, making it unusable anyway.

Should be fine.

Not necessary and makes it a pain if a friend or family member comes over and wants to use your internet.

If you want to do everything, install a RADIUS server on your network and use it to manage encryption keys, and do some sort of point-to-point VPN encryption between the machines as msg stated. You could even go as far as encrypting your most important files on the disk of each computer. But I doubt that's necessary.

Honestly, most of what you have done has just made it more difficult to manage your small network. If you trust the computers on your network, then things like MAC filtering and turning off file and print sharing are simply unnecessary IMHO. The odds of someone breaking a WPA/WPA2 key that is random characters, case, numbers and punctuation are VERY slim. I found a website about a year ago that said it would take like 14 years to crack a 7 character WPA key. *Shrug* not sure how true that is; regardless, it would take enough time that you would notice someone sitting outside your house.

Adair

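The passphrase-strength discussion above comes down to how WPA-PSK turns the passphrase and SSID into the network key. This added example (not code from the thread or from any product mentioned in it) derives the 256-bit PMK exactly as 802.11i specifies, PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, checks itself against the published 802.11i test vector, and estimates worst-case search time for 7 versus 10 random characters; the SSID/passphrase values and the guess rate are constructed assumptions.

```python
import hashlib

# Alphabet sizes used for the keyspace estimate (assumptions, not from the thread).
PRINTABLE_ASCII = 94   # letters, digits and punctuation
ALPHANUMERIC = 62      # letters and digits only

# Published IEEE 802.11i Annex H.4.1 known-answer vector (not from this thread).
KAT_PASSPHRASE, KAT_SSID = "password", "IEEE"
KAT_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key of a WPA-PSK network (802.11i).

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so a random SSID like the one in the original post
    makes tables precomputed for common SSIDs useless against this network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, dklen=32)


def known_answer_ok() -> bool:
    """Self-check of wpa_psk() against the published 802.11i vector."""
    return wpa_psk(KAT_PASSPHRASE, KAT_SSID).hex() == KAT_PMK_HEX


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passphrases of the given length over the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case years to try every passphrase at an assumed offline guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample values in the style of the original post (13-char SSID, 10-char passphrase).
    ssid, passphrase = "q7Hf2kLp9xZa3", "R4t!mQ9z#L"
    print("PMK:", wpa_psk(passphrase, ssid).hex())
    # Same passphrase, different SSID -> different PMK, because the SSID is the salt.
    print("PMK with a default-style SSID:", wpa_psk(passphrase, "NETGEAR").hex())
    print("802.11i known-answer test passes:", known_answer_ok())
    rate = 100_000.0  # assumed guess rate; every guess costs 4096 HMAC-SHA1 rounds
    for n in (7, 10):
        print(f"{n} random printable chars: {years_to_exhaust(n, PRINTABLE_ASCII, rate):.3g} years")
```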

Actually, fairly often when people turn the broadcast off, their software supports profiles to automatically connect when seen... no SSID, no profile, no auto connect... forces you to re-enter the WEP/WPA/etc. key when turning on the 'puter. If your software doesn't support profiles, then never mind.... Just a major annoyance/complaint.

Peter Pan

Thanks for all the helpful replies. I'm afraid you guys lost me with the RADIUS server and VPN bits; I'll have to look those up ;-) If anyone knows of especially good sites on this, please pass them along. The laptop in question does log on to the wireless automatically, without SSID broadcast. As far as MAC filtering and visiting PCs are concerned, they're few and far between; it's pretty easy to shut the access control off if/when this might arise. I was surprised to see the new laptop (a Lenovo) had a sticker on the bottom with the MAC address; I had gotten it from the router setup when the PC was wired. On the file sharing part, I do have the Server service killed on each PC, along with a ton of other resource-wasting and potentially troublesome background noise, like Remote Registry, Computer Browser, Distributed Link Tracking service, Terminal Services, and others that for reasons I've never fully understood are on "automatic" by default.

Thanks again,

Dan


Hi,

VPN and RADIUS servers are complete overkill for your environment. Unless you view setting either up as a learning exercise, it's pretty silly to consider either.

All the measures that you wrote are fine. I would, however, suggest that you do broadcast an SSID. Broadcasting an SSID is part of the 802.11 specifications. By not broadcasting an SSID, at best it may cause you problems, at worst your neighbors will consider it rude RFI.

Even with SSID broadcast disabled, you can still easily be seen. Disabling SSID broadcast may even make you a more likely target because it looks like you are trying to hide (which you can't).

As for using MAC filtering, that is your call. If MAC filtering is tied into being able to dish out two static IPs to your two computers, then use it. If not, then it doesn't really offer that much extra security. MAC filtering may be another effective layer for that 80 year old granny across the street, but not for her 14 year old great-grandson.

Again, you sound fine on your LAN side, but are you okay on your WAN (internet) side?

Eric

Not broadcasting SSID and doing MAC filtering is security theatre and not real security. War driving is not a threat. Your setup looks quite secure.

S. Pidgorny

Another box to secure traffic over a cable in the house? Brilliant!

S. Pidgorny

"S. Pidgorny" hath wroth:

Yep. Paranoia is a good thing. To someone with "serious security concerns", such added boxes will pacify them for a while. At least until the next alarmist theoretical exploit is released in the trade press. Besides, wearing one of those cool looking electronic key loaders on a neck chain is high tech fashion.

I'm waiting for home Tempest-qualified packaging and shielded keyboards. Maybe home routers with built-in RADIUS servers and biometric authorization. Maybe a video camera in the laptop that recognizes the owner. Naw, too easily spoofed. Maybe an olfactometric (smell) sensor that recognizes the user by their distinctive aroma. Simple fingerprint readers are so passé and can be faked. I almost forgot the encrypting ethernet adapters for securing LAN traffic from sniffing.

Of course, the same users that are so concerned about their security can't seem to get OpenPGP and Enigmail encrypted email working. They also can't seem to remember their 100+ odd passwords (or use the same password for everything). They also lose their X.509 certificate dongles and barely understand how the technology is used, much less how it works. Meanwhile, their Vista box demands approval for doing just about everything, so that genuine security alerts are lost in the muddle.

For those with "serious security concerns" (and for those selling the technology), no amount of additional security or additional black boxes is enough.

Jeff Liebermann

If you have "serious security concerns", take the bloody thing offline.

-- Les Cargill
