Author Topic: Securing a wireless network (Read 517 times)

Modas · « **on:** July 20, 2006, 09:24:56 AM »

Hi Guys -

I've live out in the sticks and have been running dial-up for the past several years. Well finally someone has put up a wireless tower so we can get broadband wireless.

couple of questions....

1. I'm assuming that wireless will work for AH. Is that correct?

2. The installation package from the service included an antenna (to communicate to the tower) and some cable that runs into the house. I need to supply the wireless router (for multiple computers) and install a couple of wireless PC cards. I'm looking at this wireless router from Newegg...

LINKSYS WRT54G IEEE 802.3, IEEE 802.11b/g Wireless-G Broadband Router

Is this router any good? How is it to set up? I'm a complete noob to this whole wireless network thing.

3. Can anyone recommend a halfway decent wireless PC card? There were a bunch from Newegg, and they all seemed to be more or less the same as far as I could see

4. The tech support guy from the service says the the antenna act as a firewall to prevent people from accessing the computer thru the antenna (between the house and the tower) and all I have to make sure to do is to secure the transmission from the computer to the router. What prevents people from accessing the computer between the computer and the wireless router? Or is this not possible? I did some internet searching, but wasn't able to get the info into laymans terms.

Question 4 is probably my biggest concern in terms of getting this service. If anyone can help me out here I would greatly appreciate it.!

Thanks

Bogie603rd · « **Reply #1 on:** July 20, 2006, 10:48:35 AM »

Question 1: Wireless will work for AH, although you may get some lag from "Internet gaps". When the wireless signal is lost for a few seconds.

Question 2: I use a Belkin 54G Wireless router. It doesent allow you to host arenas and use VOX, but it works great for me. (Just letting ya know, im not sure if the linksys is any better)

Question 3: Usually at the store where you buy your Wireless Router, there will be an agent to help you find a Wireless PC card or USB Wireless device that matches the router you are buying.

Question 4: You can do 2 of 2 things to help secure your router. 1. On the routers control panel, you can choose to "encrypt" the router to prevent other from simply pressing a button and getting your internet access(This happened to me for 2 months!).

And/Or, you can buy a personal firewall for your computer. This blocks open ports (connections) that could be used by hackers to gain access to your computer.

Schatzi · « **Reply #2 on:** July 20, 2006, 11:52:29 AM »

Running AH on wireless is possible, but i wouldnt recommend it. Its bound to have lots of lag/warp and HCL issues every time you have a tiny hickup in the wireless transmission. The signals are never 100% stable. This will make no difference browsing the Web or downloading stuff, but for Gaming it will certainly be noticable.

Sometimes a slower, but more stable connection can be better then a fast, unstable one.

Tarmac · « **Reply #3 on:** July 20, 2006, 12:52:51 PM »

I have a Linksys WRT54GS that I'm very happy with. I get pings of around 30-40 to the AH servers, and have no problems with AH gameplay. I use a Linksys wireless card (not sure of model number). Setup was easy... everything is pretty self explanatory with the step by step quick setup guide... just remember to turn some sort of WEP/WPA encryption on (simple as checking the box and writing down a passcode) if you're worried about people leeching on your network.

If you have ping issues, I doubt it's from your wireless LAN.

Modas · « **Reply #4 on:** July 20, 2006, 01:23:06 PM »

Thanks Guys and Gals!

I changed my search words in google and found a host of stuff (amazing how that works).

Tarmac - Did you do anthing with MAC filtering and manually assigning IPs and all that good stuff or did you stick with the default settings?

Thanks again!

Bogie603rd · « **Reply #5 on:** July 20, 2006, 01:27:52 PM »

Glad to help.

Tarmac · « **Reply #6 on:** July 20, 2006, 02:46:42 PM »

In the initial setup I didn't mess with any of that stuff... I just followed the basic instructions and set up security. As my needs changed I've gone to static internal IP addresses and set up port forwarding, all of which was easy to do by following some instructions I found online (it's intuitive now, but I had no idea what I was doing at the time as I'm not a networking geek by any stretch). No real hiccups doing any of that stuff.

I haven't done anything with MAC filtering, but judging from the screen in the setup program it's as simple as checking the box and typing in the MAC address.

eagl · « **Reply #7 on:** July 20, 2006, 05:30:57 PM »

To discourage most intruders, all you have to do is change the default router login password, disable remote management (usually disabled by default), turn on wireless encryption (WPA) with a reasonably long passphrase, and change the SSID to something other than the default setting.

There are other measures you can take but they are only necessary against an extremely small number of people who probably won't be wasting their time trying to get into your lan anyhow.

Bogie603rd · « **Reply #8 on:** July 20, 2006, 05:57:20 PM »

Glad to hear its working for you now Tarmac.

Irwink! · « **Reply #9 on:** July 20, 2006, 08:24:56 PM »

Your Linksys router is probably doing service for DHCP. Otherwise you'd have to be running a server OS on at least one computer in your house. To keep people from stealing access you would need to limit the number of leases - IP addresses granted- that DHCP on your router provides. Limit the number of leases to only the number of computers you have. If they can't get a legititmate IP in the correct range for your little network they can't steal access very easily. As said before, definitely change the default password too.

gbfromsd · « **Reply #10 on:** July 22, 2006, 03:13:35 AM »

RE: security - there's four things you need to do.
First - tell your wireless router to stop broadcasting the SSID
Second - Enable WEP, WPA or other encryption.
Third - exclude all other machines not in your network (MAC address filtering).
Fourth - as mentioned before, limit the number of IP leases.

Doing all the above secures your wireless and makes it darn near impossible to crack.

eagl · « **Reply #11 on:** July 22, 2006, 04:26:26 AM »

gbfromsd,

3 of your 4 measures do nothing.

SSIDs are easily visible using simple utilities that just listen for network traffic, and some network cards work poorly if SSID broadcast is disabled. My laptop refuses to connect to any router not broadcasting SSID, even though netstumbler could still pull the SSID from network traffic when the SSID broadcast was disabled. It just took longer.

MAC addresses can be pulled and spoofed pretty easily.

IP addresses can likewise be hijacked.

The things that MUST be done are:

Change the default password.
Turn on encryption with a robust password or passphrase.
Disable remote router management (usually disabled by default).
Avoid the temptation to use "DMZ" mode on the router. You may as well not even have a router at that point.

One thing that SHOULD be done is:

Change the SSID to something other than the default. This doesn't really add security, but it DOES tell any potential snoopers that you're not some noob who pulled it out of the box and turned it on without configuring it, so they'll very likely look for an easier target.

Things that do not really help include:

Disabling SSID broadcast. Some(many? most?) network sniffers can pull the SSID from normal traffic.

MAC address filtering. Can slow down a casual intruder but won't even slow down a skilled hacker. Since the encryption would stop a casual intruder anyhow, MAC address filtering is of dubious value.

Limiting IP address leases. Again this can frustrate a casual intruder, but a skilled hacker may actually use this to his advantage since he can assume all network traffic is on a limited set of addresses.

Everyone has an opinion on this sort of stuff, but I've seen "proof" that disabling SSID broadcast and using MAC address filtering are not all that helpful. Yes they can discourage an unskilled script kiddie until he gets his next toolkit, but it would barely slow down a skilled network intruder.

You're much better off using really good passwords and encryption and changing the SSID as a public notice that you do not intend your router to be an open access point.

fipeso · « **Reply #12 on:** July 22, 2006, 05:56:06 AM »

Mac filter can be a nice way to protect against most "hackers", because the encryption actualy slows down trafic, as the home WLAN AP is not that fast to encrypt / decrypt.

I noticed this one day. I was looking at a MPEG movie on my desktop over the LAN. Then I wanted to look at the movie on my vifes Laptop over WLAN.

It was soo slow, that the movie was interupted every other second

I could not figure out why, until I turned of the encryption for WLAN.

All lag was gone, and it was possible to watch the movie over WLAN.

Boroda · « **Reply #13 on:** July 24, 2006, 06:09:00 PM »

Quote

Originally posted by fipeso
Mac filter can be a nice way to protect against most "hackers", because the encryption actualy slows down trafic, as the home WLAN AP is not that fast to encrypt / decrypt.

I noticed this one day. I was looking at a MPEG movie on my desktop over the LAN. Then I wanted to look at the movie on my vifes Laptop over WLAN.

It was soo slow, that the movie was interupted every other second

I could not figure out why, until I turned of the encryption for WLAN.

All lag was gone, and it was possible to watch the movie over WLAN.

Can you please tell us the model of your AP/router? Just curious. I see pathetic difference in performance between some models of home-routers, I mean - wired. Like 20kb/s vs. 800 kb/s between devices from the same price- range.

So far the best security I found is having your AP behind concrete walls in a block of office cells or something like that.

Believe me or not, about 50% of APs "protected" by WEP here use default 0000000000 keys.

I think that I'll not suffer from lack of work for at least 10 years. Or maybe it will get better every year: people born here after 1980 Olympics usually look like they are unable to think

Just curious, how can you portray a person who turns on WEP on his wireless AP and leaves keys to default zeros? IMHO he's an imbecile and I don't know how can he afford all this toys, or he's a 12-yeas old kid who has a rich father.

fipeso · « **Reply #14 on:** July 25, 2006, 01:11:26 AM »

The brand of my WLAN AP is buffalo, cant remeber the model tho.
It is about 2 years old. Linksys are also good products.

I have tested 4-5 different brands in the home market range, and my friend in IT has also.

It realy seems that these cheap AP are designed to handel one or maybe two computers, but if you have encryption on, then the LAN network gets very very slow. (Internet usualy is slow any way)

It gets alot beter without encryption, but then you have to think about other ways for security.

So if you only have one or two PC, and are not planning to look at DVD quality movies over the WLAN or do somthing else that needs high through put, then WPA+PSK encryption is the best sollution. It is "slower", but not for "normal" usage for one or two computers. I dont know how an online game is effected. I dont think there is so much data betwen our AH2 pc and HTC server? When I used my WLAN for AH, I never noticed any LAG.

WEP encryption is "easy" to hack. It is more safe to run WPA with SID on and no mac filter, compared to WEP+SID hide+MAC filter.

Even I can find a hiden SID WLAN, all it takes is netstumbler software. I know that one can then listen to the data and in ~15 min get the WEP encryption key and used MAC addresses. I dont know how to do that, im no hacker, but its all on google actualy.

So if one uses encryption, use WPA+PSK and dont bother with hiding SID or MAC filters.

If one does not use encryption, then using MAC filter is faster, but then you should have some other protection. Like WLAN access your DMZ not Internet. So you have an other firewal betwen WLAN and Internet.

I use now WPA+PSK, because I dont use my WLAN for heavy usage these days. Also my WLAN is connected to DMZ. My kids and wife use the WLAN DMZ, and has to use proxy server to access Internet. My desktop is directly connected to Internet. I dont even have virus protection on my PC

But I know what im doing. (nothing may slow down my games lol)

As my 6 and 8 year old kids know how to google, and surf the net, I took an old PC (300MHz/128MB RAM) and installed Linux (ubuntu) + Shorewall (firewal) + SQUID (proxy server) + Dansguardian (Internet content filter block porn and stuff). This is connected between the WLAN router and Internet.
I never figured out how to get anti virus to run on the Linux server. It should be easy, but to hard for me. The other linux stuff was very easy to do. Well it took me one week, but I am no linux user...

Hmm, am I getting of topic here

I beter stop writing now lol