Wireless Router Security

mrreizor

Member
May 23, 2005
133
0
0
Ok, my ole trusty Linksys Wireless B router kicked the bucket a few months back and I went and got a Dynex Wireless G router (Best Buy brand). It works for what I want it to do but I do have a security dilemma.

My old Linksys would allow me to restrict the number of IPs DHCP hands out. For instance, I have 4 computers in my house and I set DHCP to hand out 3. I'll never have 4 computers on at the same time so it worked out well. That way, DHCP couldn't assign another IP if someone tried to connect to my network.

Well my new router, the lowest DHCP setting is 10. I can't change it to any lower. This seems to be a huge security risk. I only have 4 computers, so why is DHCP set up to hand out a minimum of 10?

Now, what would happen if I turn off DHCP at the router and set static IPs on my PCs? If an outside computer tried to connect to my network, what would happen? Would they have to guess what IP range I have my network set to?

Note: This is a WEP enabled wireless network.
 

CalvinHobbes

Diamond Member
Feb 27, 2004
3,524
0
0
Using WEP is already a security risk. I would recommend WPA2. Turn off SSID broadcasting, turn off DHCP and use static IPs and you can even enable MAC filtering as an extra measure.
 

mrreizor

Member
May 23, 2005
133
0
0
I think I used WEP because one of my wireless cards is rather old, and didn't support anything else. I'll double check that though.

So if I turn off DHCP, then the person connecting would have to guess the IP range that I'm using locally?

 

xSauronx

Lifer
Jul 14, 2000
19,586
4
81
Originally posted by: CalvinHobbes
Using WEP is already a security risk. I would recommend WPA2. Turn off SSID broadcasting, turn off DHCP and use static IPs and you can even enable MAC filtering as an extra measure.

using WPA2 removes the need (read: hassle) of MAC filtering. SSID broadcasting won't hurt a thing (and you're better off with it on, than off) if you have good security, and someone who knows how to crack a WEP password to start with can probably find the SSID, or at least the broadcasting WAP and its security type anyway.

Originally posted by: mrreizor
I think I used WEP because one of my wireless cards is rather old, and didn't support anything else. I'll double check that though.

So if I turn off DHCP, then the person connecting would have to guess the IP range that I'm using locally?

you can get 802.11g wireless adapters in most any form from newegg for under $30 shipped. buy a new card, implement proper security. you can save yourself a lot of hassle, and security, for cheap.

get a new wifi adapter, use WPA2, and leave SSID on, DHCP on, MAC filtering off...and just use a password to connect. it's a cheap way to have good security and save a lot of hassle for yourself
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: CalvinHobbes
Using WEP is already a security risk. I would recommend WPA2. Turn off SSID broadcasting, turn off DHCP and use static IPs and you can even enable MAC filtering as an extra measure.

The only thing that is a good recommendation is using WPA2.

Disabling SSID broadcasting is a joke, it only takes 5 extra seconds to find the hidden SSIDs when looking to break into a wifi. Disabling DHCP won't help either, just by listening to your packets I can tell you what your router's IP is, and a MAC filter... same as DHCP.

All those are going to do is make it frustrating for people who have a legitimate use for your wireless network.
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
Seconded for just using WPA/WPA2. All the rest just add in hassles for those legitimately needing the wireless. As for the older wireless card that needs WEP, better just to buy a new card that uses WPA rather than using a card with WEP only.
 

TheKub

Golden Member
Oct 2, 2001
1,756
1
0
You disable DHCP, I simply set a static one and "hax0rz your networkz dude!"

WEP will stop Joe Schmo from double clicking on your network and connecting. It will not stop someone who is determined (neither will dhcp\hidden ssid\mac filtering). If you really are concerned about security, update your client machines so they can support WPA2. If you just want to stop someone from simply hopping on and surfing on your dime, WEP (may) achieve that.
 

mrreizor

Member
May 23, 2005
133
0
0
Thanks everyone for your replies!

I have enabled WPA/WPA2 and I only have one machine that has a card that needs to be upgraded. I'll pick up another card soon.

Why am I getting an error that my laptop can't get a certificate from my router? The tab that I normally go check (Authentication I think) is fully grayed out. Any ideas?


 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,480
387
126
The Authentication 802.11x is meant for installations with logons (like a RADIUS server).

If you are using a regular end-user system, whatever relates to authentication or special security should be unchecked.

The only thing to check is whatever is needed for WPA/WPA2.

From the weakest to the strongest, Wireless security capacity is.
No Security
MAC______(Band Aid if nothing else is available).
WEP64____(Easy, to "Break" by knowledgeable people).
WEP128___(A little Harder, but "Hackable" too).
WPA-PSK__(Very Hard to Break).
WPA-AES__(Not functionally Breakable)
WPA2____ (Not functionally Breakable).

Note 1: WPA-AES is the current entry level rendition of WPA2.

Note 2: If you use WinXP and did not update it you would have to download the WPA2 patch from Microsoft. http://support.microsoft.com/kb/893357
The documentation of your Wireless devices (Wireless Router, and Wireless Computer's Card) should state the type of security that is available with your Wireless hardware.

All devices MUST be set to the same security level using the same pass phrase.
Therefore the security must be set according to whatever is the best possible of one of the Wireless devices.

I.e. even if most of your system might be capable of being configured to the max. with WPA2, but one device is only capable of being configured to a max. of WEP, the whole system must be configured to WEP.

If you need more good security and one device (like a Wireless card that can do WEP only) is holding better security for the whole Network, replace the device with a better one.

Setting Wireless Security - http://www.ezlan.net/Wireless_Security.html

The Core differences between WEP, WPA, and WPA2 - http://www.ezlan.net/wpa_wep.html
 

Baked

Lifer
Dec 28, 2004
36,152
17
81
I think WPA2 AES+PSK and turning off SSID broadcast will be enough to discourage anyone from hacking your wireless. I use the mentioned methods + MAC filtering.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
The point is that if you use WPA2, any other "security" features are nothing but added headache and needless complication for legitimate users.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,480
387
126
In my own Wireless I do keep MAC filter On (beside WPA2).

Sometimes I need to disable security for a short period; the MAC filter ensures that I am protected from accidental logons for the duration of the no-security period.
 

ScottMac

Moderator
Networking
Elite member
Mar 19, 2001
5,471
2
0
Originally posted by: mrreizor
Ok, my ole trusty Linksys Wireless B router kicked the bucket a few months back and I went and got a Dynex Wireless G router (Best Buy brand). It works for what I want it to do but I do have a security dilemma.

My old Linksys would allow me to restrict the number of IPs DHCP hands out. For instance, I have 4 computers in my house and I set DHCP to hand out 3. I'll never have 4 computers on at the same time so it worked out well. That way, DHCP couldn't assign another IP if someone tried to connect to my network.

Well my new router, the lowest DHCP setting is 10. I can't change it to any lower. This seems to be a huge security risk. I only have 4 computers, so why is DHCP set up to hand out a minimum of 10?

Now, what would happen if I turn off DHCP at the router and set static IPs on my PCs? If an outside computer tried to connect to my network, what would happen? Would they have to guess what IP range I have my network set to?

Note: This is a WEP enabled wireless network.

This (bolded above) in no way enhances your security. The intruder only needs to set a static address in the same block and he's in. DHCP is merely an administrative convenience; generally, it is not tied to security in any way, shape, or fashion.

Since nearly all consumer routers come out of the box set for 192.168.{0|1}.{host range}, it's a pretty good bet to get a hit, even without analysis tools. The other likely addresses are also well known.

Even with security cranked up to Max, some traffic must be in the clear, by protocol spec. For the current security protocols (WPA, WPA2) there's not enough info "in the clear" to crack (as opposed to WEP, which provided predictable information and made cracking the encryption much easier). That is why turning off SSID does not enhance security, it just prevents unintentional (and sometimes intentional and desirable) connection.

WPA|WPA2 using a passphrase may or may not be secure, depending on the length & strength of your passphrase. Anything using "dictionary" words or common mangling of dictionary words ("h@x0rs") makes it a much easier target.

For best security using a passphrase, it should be long, and should contain a non-predictable mix of upper case, lower case, numbers, and symbols. You only need to enter the passphrase once (per device), so a long, ugly string is not too painful.
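
The passphrase advice in the post above, as an added example that is not part of the original thread: a small audit that undoes common character substitutions before a dictionary lookup, next to the standard WPA/WPA2-Personal key derivation (PBKDF2-HMAC-SHA1 salted with the SSID), which shows that the passphrase is the only secret input. The word list, sample passphrases, SSIDs and the 16-character / 80-bit thresholds are constructed assumptions for illustration.

```python
import hashlib
import math
import string

# Constructed sample word list; a real audit would load a large dictionary file.
WORDLIST = {"haxors", "password", "linksys", "wireless", "router"}
# Common "mangling" substitutions, undone before the dictionary lookup.
LEET = str.maketrans("@4301!$57", "aaeoiisst")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key the way WPA/WPA2-Personal does.

    The SSID is only a public salt, so the key is exactly as guessable
    as the passphrase itself.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def audit(passphrase: str) -> dict:
    """Report length, a brute-force upper bound in bits, and dictionary hits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    # Size of the character pool actually used (lower, upper, digits, symbols).
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    bits = len(passphrase) * math.log2(pool) if pool else 0.0
    # "h@x0rs" becomes "haxors": mangling does not hide a dictionary word.
    normalized = passphrase.lower().translate(LEET)
    hits = sorted(w for w in WORDLIST if w in normalized)
    return {
        "length": len(passphrase),
        "upper_bound_bits": round(bits, 1),  # only meaningful if truly random
        "dictionary_hits": hits,
        # Assumed thresholds: any dictionary hit, under 16 chars, or under 80 bits.
        "weak": bool(hits) or len(passphrase) < 16 or bits < 80,
    }


if __name__ == "__main__":
    for sample in ("h@x0rs2005", "r7#Vq2!mZx9&Lp4@tKd8"):  # constructed samples
        print(sample, audit(sample))
    # Same passphrase, different SSID: a different key, but no added secrecy.
    print(wpa_psk("h@x0rs2005", "linksys").hex())
    print(wpa_psk("h@x0rs2005", "dynex").hex())
```

The bit estimate assumes every character was chosen at random, so a dictionary hit overrides it no matter how large the number looks.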

 