Wireless Security

[Otto Pylot]

Howdy all,
I'm setting-up a wireless network for my daughter and her three
roommates. Two Macs (both running Jaguar), and two Wintel's of unknown
OS. They haven't moved in yet but I'm trying to get the basics done
before they do. The router is a Linksys BEFW11S4 (802.11b) with a DSL
connection.

I know I can password protect access to the router to keep the configs
safe but how do I set password access to their network? None of the
girls are too network savvy and I don't want someone to discover they
have access to their wireless network because their apartment is a
"hotspot". Our computers are the Macs so do I just setup a little
password in the Internet Control Panel or whatever the equivalent is in
OS 10.x. I'm still learning OS 10.x so bear with me. On the Windows
boxes, I haven't a clue as where to begin. Thanks.

--
Deja Moo: I've seen this bullshit before.

My address has been anti-spammed.
Please reply to: [email]scasse@invalid.net[/email] replacing the invalid with sonic.

[Frederick Cheung]

>

> I know I can password protect access to the router to keep the configs
> safe but how do I set password access to their network? None of the
> girls are too network savvy and I don't want someone to discover they
> have access to their wireless network because their apartment is a
> "hotspot". Our computers are the Macs so do I just setup a little
> password in the Internet Control Panel or whatever the equivalent is in

In the network preference pane, in the airport tab there is a place to
enter a password for the network, how you enable this for the router
should be in the router documentation.

You might also want to consider making the network closed (basically this
means that the network doesn't shout out to everyone "hey there's a
802.11b network here"), enabling WEP and restricting access by MAC
address.

Fred

[SSM]

In article <200720031136511953%otto@bogus.address.invalid>,
Otto Pylot <otto@bogus.address.invalid> wrote:

> Howdy all,
> I'm setting-up a wireless network for my daughter and her three
> roommates. Two Macs (both running Jaguar), and two Wintel's of unknown
> OS. They haven't moved in yet but I'm trying to get the basics done
> before they do. The router is a Linksys BEFW11S4 (802.11b) with a DSL
> connection.
>
> I know I can password protect access to the router to keep the configs
> safe but how do I set password access to their network? None of the
> girls are too network savvy and I don't want someone to discover they
> have access to their wireless network because their apartment is a
> "hotspot". Our computers are the Macs so do I just setup a little
> password in the Internet Control Panel or whatever the equivalent is in
> OS 10.x. I'm still learning OS 10.x so bear with me. On the Windows
> boxes, I haven't a clue as where to begin. Thanks.

The following security options are available:

1) Don't broadcast the network SSID (as noted above). This means you
have to know the name of the network to connect to it. Also change the
default admin password for the router.

2) Only allow certain MAC addresses to connect to it. I don't know if
your particular router supports this capability; the newer Linksys
802.11g wireless router certainly does.

3) Enable WEP (wired equivalent privacy).

All of these techniques have significant limitations, as has been noted
in the popular media. However, If you do all of them it should help to
protect your network against "casual" hackers or miscreants. Those
aren't the ones you need to worry about though. I would definitely do
all three for the situation you describe.

Sandeep

[Otto Pylot]

In article
<Pine.LNX.4.44.0307202000520.28668-100000@kern.srcf.societies.cam.ac.uk>,
Frederick Cheung <fglc2@srcf.DUH.ucam.org> wrote:

<snip>

> In the network preference pane, in the airport tab there is a place to
> enter a password for the network, how you enable this for the router
> should be in the router documentation.

I saw that but wasn't sure if the router would.

>
> You might also want to consider making the network closed (basically this
> means that the network doesn't shout out to everyone "hey there's a
> 802.11b network here"), enabling WEP and restricting access by MAC
> address.
>

There is a warning in the config panel about using WEP so that looks
like this is where I need to go. I'm still fuzzy about MAC addresses.

--
Deja Moo: I've seen this bullshit before.

My address has been anti-spammed.
Please reply to: [email]scasse@invalid.net[/email] replacing the invalid with sonic.

[Georg Schwarz]

Frederick Cheung <fglc2@srcf.DUH.ucam.org> wrote:

> You might also want to consider making the network closed (basically this
> means that the network doesn't shout out to everyone "hey there's a
> 802.11b network here"), enabling WEP and restricting access by MAC
> address.

the network should still be detectable. Restricting access by MAC
address won't keep out those who really want in (you can change your
NIC's MAC). If the installation uses standard WEP without making any
further specific effort it's not save agains eavesdropping.


--
Georg Schwarz [url]http://home.pages.de/~schwarz/[/url]
[email]geos@epost.de[/email] +49 177 8811442

[foo]

On Sun, 20 Jul 2003 12:50:26 -0700, Otto Pylot
<otto@bogus.address.invalid> wrote:

>In article <ssm-698136.15195420072003@reader1.news.rcn.net>, SSM
><ssm@noEmail.invalid.com> wrote:
>

>> In article <200720031136511953%otto@bogus.address.invalid>,
>> Otto Pylot <otto@bogus.address.invalid> wrote:
>>

><snip>

>>
>> The following security options are available:
>>
>> 1) Don't broadcast the network SSID (as noted above). This means you
>> have to know the name of the network to connect to it. Also change the
>> default admin password for the router.

>
>The SSID default is linksys so I changed it to something else. However,
>under the Airport menu, the new name appears and the iBook is still
>able to connect without a hitch. I've already changed the password to
>the router to protect the configs but that doesn't restrict usage of
>the router (as I'm sure you already know).

Tell the router not to broadcast the SSID too.

>> 2) Only allow certain MAC addresses to connect to it. I don't know if
>> your particular router supports this capability; the newer Linksys
>> 802.11g wireless router certainly does.

>
>I'm fuzzy (basically clueless) on MAC addresses.

Every NIC has a unique address, called a MAC address. Figure out what
everyone's is, and plug that into the router and tell it to only allow
these 4 MAC addresses to connect to it. That's the best way to limit
access.

>> 3) Enable WEP (wired equivalent privacy).

>
>That function is avaialbe but there appears to be a warning about using
>it in the config panel so it must be pretty heavy-duty (i.e. easy to
>screw things up).

It's dead simple. Pick a passphrase, key it in, and the router config
should spit out binary numbers. Using either those numbers or the
original passphrase you'll configure each of the client computers
(passphrase is easier, obviously). Again, read the manual for info on
this - it's very simple.

>>
>> All of these techniques have significant limitations, as has been noted
>> in the popular media. However, If you do all of them it should help to
>> protect your network against "casual" hackers or miscreants. Those
>> aren't the ones you need to worry about though. I would definitely do
>> all three for the situation you describe.
>>

>
>It would appear that I have some reading to catch up on. I didn't stay
>current with the wireless pros and cons because, at least up until
>about 4 days ago, we had no need for wireless at home.

[SSM]

In article <rstlhvc64kse79at2hujb33a2qkuarqq6u@4ax.com>,
foo <foo@bar.com> wrote:

> On Sun, 20 Jul 2003 12:50:26 -0700, Otto Pylot
> <otto@bogus.address.invalid> wrote:
>

> >In article <ssm-698136.15195420072003@reader1.news.rcn.net>, SSM
> ><ssm@noEmail.invalid.com> wrote:
> >

> >> In article <200720031136511953%otto@bogus.address.invalid>,
> >> Otto Pylot <otto@bogus.address.invalid> wrote:
> >>

> ><snip>

> >>
> >> The following security options are available:
> >>
> >> 1) Don't broadcast the network SSID (as noted above). This means you
> >> have to know the name of the network to connect to it. Also change the
> >> default admin password for the router.

> >
> >The SSID default is linksys so I changed it to something else. However,
> >under the Airport menu, the new name appears and the iBook is still
> >able to connect without a hitch. I've already changed the password to
> >the router to protect the configs but that doesn't restrict usage of
> >the router (as I'm sure you already know).

>
> Tell the router not to broadcast the SSID too.

Exactly. Then you need to know the network's name to connect. However,
the motivated hacker can discover it anyway by sniffing the packet you
use to connect.

> >> 2) Only allow certain MAC addresses to connect to it. I don't know if
> >> your particular router supports this capability; the newer Linksys
> >> 802.11g wireless router certainly does.

> >
> >I'm fuzzy (basically clueless) on MAC addresses.

>
> Every NIC has a unique address, called a MAC address. Figure out what
> everyone's is, and plug that into the router and tell it to only allow
> these 4 MAC addresses to connect to it. That's the best way to limit
> access.

But not that it's not a perfect solution: MAC addresses can be spoofed
by the motivated miscreant.

>

> >> 3) Enable WEP (wired equivalent privacy).

> >
> >That function is avaialbe but there appears to be a warning about using
> >it in the config panel so it must be pretty heavy-duty (i.e. easy to
> >screw things up).

>
> It's dead simple. Pick a passphrase, key it in, and the router config
> should spit out binary numbers. Using either those numbers or the
> original passphrase you'll configure each of the client computers
> (passphrase is easier, obviously). Again, read the manual for info on
> this - it's very simple.
>

> >>
> >> All of these techniques have significant limitations, as has been noted
> >> in the popular media. However, If you do all of them it should help to
> >> protect your network against "casual" hackers or miscreants. Those
> >> aren't the ones you need to worry about though. I would definitely do
> >> all three for the situation you describe.

The latest linksys (and I would assume yours too) makes this all pretty
easy to manage.

Good luck!

Sandeep

[nospam]

> I've told the router not to broadcast the SSID but it still shows up
> under the Airport in the menu bar.

if you are *currently connected* to that network, the name will show
up. if you turn airport off and then back on, it should not show up.
then pick 'other...' and type in the network name/ssid and password,
and then it will show up again.

> So far I'm only dealing with one Mac
> (an iBook) so I've still got some time to set it all up properly. It
> appears that this is what I need to do:
>
> 1. Disable SSID broadcasting so it's not readily apparent that there is
> a wireless router in close proximity.
>
> 2. Password protect the router so that the configs can't be changed.
>
> 3. Allow only the MAC addresses from my daughter's and her three
> roommates computers access to the router.

all three are excellent. also, consider disabling dhcp and assigning ip
addresses for each computer manually. this makes it even more difficult
to connect.

some routers can tie a mac address to a specific ip, so not only must
they use a specific card, but that particular card must have a specific
ip number. other routers don't care what ip number is used as long as
the card is allowed to connect. either way, its yet another thing to
set to use that network.

> I take it that the MAC addresses are machine specific and don't change
> unless there is some sort of networking hardware change on the
> individual computer.

the mac address is a serial number of the network interface, either an
ethernet port or a 802.11 card. if a machine has both, then there are
two mac addresses - one for each interface. it cannot be changed
(unless the card is swapped out), but it can be spoofed.

[SSM]

In article <200720031614460134%otto@bogus.address.invalid>,
Otto Pylot <otto@bogus.address.invalid> wrote:

> In article <ssm-30F6C0.16371720072003@reader1.news.rcn.net>, SSM
> <ssm@noEmail.invalid.com> wrote:
>

> > In article <rstlhvc64kse79at2hujb33a2qkuarqq6u@4ax.com>,
> > foo <foo@bar.com> wrote:
> >

> > > On Sun, 20 Jul 2003 12:50:26 -0700, Otto Pylot
> > > <otto@bogus.address.invalid> wrote:

> <snip>
>

> > > Tell the router not to broadcast the SSID too.

> >
> > Exactly. Then you need to know the network's name to connect. However,
> > the motivated hacker can discover it anyway by sniffing the packet you
> > use to connect.
> >

>
> I've told the router not to broadcast the SSID but it still shows up
> under the Airport in the menu bar. So far I'm only dealing with one Mac
> (an iBook) so I've still got some time to set it all up properly. It
> appears that this is what I need to do:
>
> 1. Disable SSID broadcasting so it's not readily apparent that there is
> a wireless router in close proximity.
>
> 2. Password protect the router so that the configs can't be changed.
>
> 3. Allow only the MAC addresses from my daughter's and her three
> roommates computers access to the router.
>
> I take it that the MAC addresses are machine specific and don't change
> unless there is some sort of networking hardware change on the
> individual computer.

Correct, each network adapter has a unique MAC. This isn't foolproof
though, because hackers can sniff the MAC address that's transmitted
when you connect to the wireless network and use it themselves.

You also should enable WEP. Then you've taken all measures that are
available to you, imperfect as they are.

Sandeep

[nospam]

In article <MPG.19850b3a39b82519896c1@news.newsguy.com>, Diane Wilson
<diane@firelily.com> wrote:

> If the access point is set to disable broadcast of the SSID, how is the
> network detectable in any useful way?

sniffing utilities can reveal the network name.

> > Restricting access by MAC
> > address won't keep out those who really want in (you can change your
> > NIC's MAC).

>
> OK, so a MAC address can be spoofed. What are you going to use for
> a spoofed MAC address? How will you know what MAC addresses
> the router is listening for?

by watching what mac addresses are being used by machnes that *can*
connect. then the cracker then uses one of those when spoofing, and
along with the previously sniffed ssid name, he can probably connect.
if there is wep, that can be cracked too.

> > If the installation uses standard WEP without making any
> > further specific effort it's not save agains eavesdropping.

>
> This is the only point you've made that I'd agree with.
> WEP *can* be broken. Most people who know how to break
> WEP probably won't bother if there are easier networks
> to break into, though.

yep - there are *lots* of wide open networks, so as long as your
network is harder to connect than your neighbor's, you are somewhat
safe.

[Matthew Russotto]

In article <MPG.19850b3a39b82519896c1@news.newsguy.com>,
Diane Wilson <diane@firelily.com> wrote:

>In article <1fyf1ca.1az0nfavofrupN@geos.net.eu.org>, [email]geos@epost.de[/email] says...

>> Frederick Cheung <fglc2@srcf.DUH.ucam.org> wrote:
>>

>> > You might also want to consider making the network closed (basically this
>> > means that the network doesn't shout out to everyone "hey there's a
>> > 802.11b network here"), enabling WEP and restricting access by MAC
>> > address.

>>
>> the network should still be detectable.

>
>If the access point is set to disable broadcast of the SSID, how is the
>network detectable in any useful way?

You can watch for an ASSOCIATE. Or, if you're feeling nasty, you can
spoof a DISASSOCIATE for a detected client without knowing the SSID.
The client will respond by re-associating, giving you the
SSID.
--
Matthew T. Russotto [email]mrussotto@speakeasy.net[/email]
"Extremism in defense of liberty is no vice, and moderation in pursuit
of justice is no virtue." But extreme restriction of liberty in pursuit of
a modicum of security is a very expensive vice.

[Georg Schwarz]

what about disabling that WEP stuff etc. altogether and using something
safe instead such as IPSEC?

--
Georg Schwarz [url]http://home.pages.de/~schwarz/[/url]
[email]geos@epost.de[/email] +49 177 8811442

[Otto Pylot]

In article <3qn0f890lo.fsf@shell4.tdl.com>, Phil Stripling
<phil_stripling@cieux.zzn.com> wrote:

> Phil Stripling <phil_stripling@cieux.zzn.com> writes:
>

> > You might find some helpful information on
> > [url]http://www.threemacs.com/[/url]
> >
> > Those guys cover both the Macs and the PCs concerning setting up the
> > network.

>
> I hate to say this, but I read the manual when I put our WiFi network on
> the air. :-> I think it's pretty good.

I checked out that site but it seemed fairly rudimentary. The info that
I got from the replies to my post were much more on target. Maybe I
missed something and should go back and check more carefully. The
printed manual and the online manual from Linksys are ok but they don't
go into enough detail for a novice such as myself. Some of it has been
made a little more clearer with the reponses I've received. I don't
want to make the security too cumbersome for the girls because all
they're gonna want to do is click and go <sigh>. I will be adding an
Airport card to the G4 as soon as it arrives this week so that will
give me two computers to play with before I hook up all four sometime
next month. I can always reset the Linksys if I screw up and start from
scratch again. I do have all my settings etc written down. Thanks.

--
Deja Moo: I've seen this bullshit before.

My address has been anti-spammed.
Please reply to: [email]scasse@invalid.net[/email] replacing the invalid with sonic.