Wireless Security

[Chubasco]

I live in a densely populated urban area and have become a bit concerned about the security of my wireless home network. All of my PC's are connected wirelessly and run Windows XP Pro, nortorn antivirus, and zone alarm software firewall. I consider myself fairly technical (i.e. build my own PC's, aside from notebooks, and work in software), however, I am not at all a "network" guy. Below is the basic configuration of my wireless router.

Does anyone have any additional security suggestions? I'm open to software and hardware possibilities under $400, including replacing my router.

- Linksys Wireless Router WRT54G
- WPA-PSK turned on
- MAC filtering turned on
- SSID Broadcasting Disabled
- Zone Alarm software firewall on each client

Thanks in advance.

Also, I can't find any mention of support for NAT in my Linksys WRT54G wireless router documentation. WEP, WPA, and MAC Address filtering are mentioned, but even a noob like me knows these are often not enough. Anyone know if my wireless router (Linksys WRT54G) does in fact NAT and it's just transparent to me?

 

[phatrabt]

IT does NAT. If you have a 192.168.X.X address then you're NAT'ed. There should be a setting in the router for LAN setup. Check there...

 

[Chubasco]

Thank you very much phatrabt.

 

[InlineFive]

Any router has NAT. Period.

 

[phatrabt]

You're welcome! As for the security question, I run my wireles network with the same security settings as you. To be honest there's not much more you can do to secure your wireless network (short of turning off the wireless network entirely). I use an anology when people ask about wireless security...

You have a row of houses that someone wants to break into. Imagine that WEP is like the lock on the door, although it's not sturdy enough to really withstand an assault, it's better than nothing. If someone walks up to the door and tries it and it is locked (as flimsy as the lock may be) they know that they have many other houses they ca try (which would probably be easier than trying to break into yours). The caveat is that a determined cracker WILL EVENTUALLY break into your network if they try long enough and hard enough. However, most crackers wouldn't take that kind of time on a network for a *possible* reward of getting something.

My .02 cents...

 

[JackMDS]

Chubasco

You are mixing the word Security in conjunction with Internet Security and Wireless Security and there is No real connection between the two.

Wireless Security is totally specific to the capacity of your Wireless hardware and it entails securing you from unwelcomed Local Leachers. As an Example if you are in a Farm sitting in the middle of few acres of farmland you do not need Wireless Security.

Link to: Wireless - Basic Configuration.

Link to: Wireless Security for the Home User.

Internet Security involves securing what can come from the Internet and should be a concern of any Internet connection anywhere, regardless if it is one computer, Network, wired, or wireless.

Link: http://www.ezlan.net/firewall.html]Basic Protection for Broadband Internet Installation.[/URL]

Link to: Internet infestation -Or, how you are getting Internet "Junk" in and compromise your Computer/Network?

:sun:

 

[Chubasco]

Thanks JackMDS, I understand the basics and have grouped them because I am still not certain of the following:

1. If someone hacks into my wireless home network, then do they have access to all of my shared folders (i.e. the directories that I have specified, within Windows, as shared on my network)? Or can they "easily" get access to all of the drives for all networked PC's? I think the answer is "yes" to the shared folders.

2. Aside from stealing my bandwidth and deleting the files in my shared folders, can this same hacker "easliy" do anything more malicious?

3. If I do my banking electronically (i.e. using my browser with 128 bit encryption of it's own) and I'm connected wirelessly while doing so, then are my banking transactions still secure because the key for the browser encryption is different than my wireless key?

I know that if someone is determined enough, has the proper tools, has the proper knowledge, and spends enough time trying they can eventually hack anything. Given this, I also appreciate that it is difficult to answer my questions above.

What I'd like to know is, is there anything further that I can do to deter an "average" hacker? I do pay all of my bills and manage my bank account electronically, and I do store all of my personal contacts on my PC.

Again, thanks in advance for your feedback.

 

[JackMDS]

1. If someone hacks into my wireless home network, then do they have access to all of my shared folders (i.e. the directories that I have specified, within Windows, as shared on my network)? Or can they "easily" get access to all of the drives for all networked PC's? I think the answer is "yes" to the shared folders.

2. Aside from stealing my bandwidth and deleting the files in my shared folders, can this same hacker "easily" do anything more malicious?

Answer to both 1 and 2.

?Easily? the intruder would be able to access the shares without any effort. If they are experienced ?Hackers? they might access other thing as well.

Q: If I do my banking electronically (i.e. using my browser with 128 bit encryption of it's own) and I'm connected wirelessly while doing so, then are my banking transactions still secure because the key for the browser encryption is different than my wireless key?

A: The Wireless encryption is pertaining to the Wireless connection only.

Browser Encryption relates on the way the Browser transfer the info over the Internet.

The password and other info is not necessarily stored encrypted on your Drive, it depends on how the specific program that needs the password stores it. Many of these programs store the passwords in a way that is very easy to uncover. There are third party programs that might help in storing sensitive information encrypted on your Hard Drive.

Q: I know that if someone is determined enough, has the proper tools, has the proper knowledge, and spends enough time trying they can eventually hack anything. Given this, I also appreciate that it is difficult to answer my questions above.

A: It we take it to the extreme I would say: ?You full proof your Wireless and every thing else?. Someone can brake to your house and steal the whole computer as is, and have a good time with your hard drive.

People buy Cars.

Some do not Lock it at all. :shocked::

Some add no security.:shocked::

Some put the Club.

Some put an Alarm that makes noise. :music:

Some put an Alarm that pages them in case of intrusion. :camera:

Some have a LOJack. :thumbsup:

Some have few of the above, some has it all.

And even then; Nothing will help if the Car is already inside a Metal Container in the Port of Bayon, waiting to be shipped abroad.:thumbsdown:

So What to you do?

It depends on what you are using the Car for. :brokenheart:

What is in the make and model of the Car.:gift:

The Value of the Car.

The Neibourhood that you Parked in.

Your own level of Anxiety. :evil:

And so On, and So On.

The same is with Wireless. :thumbsup:

:sun:

 

[ColdZero]

Actually you can secure a wireless conection completely and securely, it just takes a little doing. This is what I do at a school I work at for their wireless network:

1. On our switch we define a new VLAN and do not create a routing entry for it in our routing table. No traffic can now get off of this VLAN at all, it is seperated from the rest of our network.

2. On this VLAN go all of our wireless access points

3. There is also a DHCP server that runs that will hand out IP's to only this VLAN

4. Our DHCP server has a firewall running that blocks everything except DHCP requests and VPN traffic.

5. We don't use any form of WEP on our wireless network. We broadcast SSID's and don't filter MAC addresses.

6. On that same DHCP server we run a VPN server

7. For any wireless client to have access to our network they must first connect to the VPN server with will authenticate them agaist Active Directory.


This way the only way to get to our network is through a VPN server which encrypts all the traffic through the tunnel. We really don't care if people see our VPN traffic since it is already encrypted. Since there is no routing available on that network unless you go through the VPN, nobody can access our servers or use our internet connection. The one weak point in the system is if somehow the DHCP/VPN server is hacked, which is unlikely.

 

[watts3000]

A wireless network can be secured through a combiniation of firewalls and vpn. For example, at work I use a sonic wall to secure our wireless lan. I plugged a switch into the dmz port I than connect the ap's to the switch. The windows clients are on a entirely different subnet thus the purpose of a dmz. The clients will than select log in using a dial up connection. This kicks off a vpn connection that I've already configured on the client workstation. The vpn connects first than uses a radius server that ties them back into our active directory. At that point the client is on the lan and everything works as if he was plugged in with a wire. By the way you can do this at home by using a old p2 thats running smoothwall or antoher linux firewall distrubution.

 

[VirtualLarry]

Originally posted by: ColdZero
Actually you can secure a wireless conection completely and securely, it just takes a little doing. This is what I do at a school I work at for their wireless network:
This way the only way to get to our network is through a VPN server which encrypts all the traffic through the tunnel. We really don't care if people see our VPN traffic since it is already encrypted. Since there is no routing available on that network unless you go through the VPN, nobody can access our servers or use our internet connection. The one weak point in the system is if somehow the DHCP/VPN server is hacked, which is unlikely.

That sounds basically like the same sort of security architecture design that I came up with here , for my home WiFi setup. I haven't actually gotten around to trying to hack together my own WRT54G Linux firmware build combined with OpenVPN, so still using the out-of-box WEP 128-bit security, but my ideal result was to implement a VPN endpoint in the router itself, which is effectively similar to what you implemented.