wi-fi security

[TheLastColdBeer]

Just swapped out a new Netgear wi-fi router for the old Belkin. Our desktops are still hard wired to the LAN. My wireless is currently open, and I was wondering what level of security ya'll use for wireless. I would like to just name our system and add a password. Don't really feel like piggybacking the neighborhood on our network for free.  Detecting two other networks along with our own, but they're really weak. Closest neighbor is 250'. Suggestions?

Thanks

Jim (lastcoldbeer)

[deerejon]

I just use WEP i think and a password....

[Sitting-Duc]

I just use the in-built security - nothing extra. Your router has a cpanel installed where you can change the network name/password and play with the settings like the firewall. 

 

.

 

EDIT: WPA is fairly easy to crack and there are many tools available to do so, WPA/WPA2 are more security and come standard with most routers.

[Gump]

You want to use the strongest form of encryption that all of your Wi-Fi devices support.For me that's WPA2.WEP encryption is easily broken.

 

 

 

 

 

 

 

 

 

 

 

 

 

[Cavey]

Yeh the industry standards are WEP, WPA and WPA2.  WPA2 being the strongest going backwards.  Only use WEP if your hardware (laptop, printer, etc) doesn't support WPA2.  Though most devices do these days.  I would even hide your SSID from broadcasting, that way when people browse for wireless networks nearby, it will not even display yours.  This doesn't stop you from connecting to yours, it's just that you have to manually type in the SSID AND password.  Added security really, as it stops bute force attacks, as they can't find it (well not easily).

 

In the UK, it is actually illegal to not have a password on your wireless!!!  Though I don't think anyone would actually get prosecuted for it.

[eidolonFIRE]

Yea, WEP is not even secure anymore... I can personaly crack a WEP in a couple minutes (depending on how much traffic is on the network)

 

+1  WPA2   (and have a good password or it's easily crackable with a simple rainbow-table.)

[DEEJAYKEG]

Cavey

Yeh the industry standards are WEP, WPA and WPA2.  WPA2 being the strongest going backwards.  Only use WEP if your hardware (laptop, printer, etc) doesn't support WPA2.  Though most devices do these days.  I would even hide your SSID from broadcasting, that way when people browse for wireless networks nearby, it will not even display yours.  This doesn't stop you from connecting to yours, it's just that you have to manually type in the SSID AND password.  Added security really, as it stops bute force attacks, as they can't find it (well not easily).

 

In the UK, it is actually illegal to not have a password on your wireless!!!  Though I don't think anyone would actually get prosecuted for it.

WEP is quickly breakable.  WPA-PSK/ WPA2 certainly.  If you don't need it, switch it off!

 

No, it isn't illegal to fail to set a password in the UK.  All routers have one set by default...  

 

It is illegal, however, to use an insecure wi-fi without authority.

[Astronomer]

Yep, WPA2. You can also keep your SSID (whatever name you give your wireless connection) hidden. When you allow folks to connect to your wireless, you have to enter the SSID and the WPA2 password. If the neighbours can't see it, they can't access it.

[TheLastColdBeer]

Ok, sounds like WPA2 with hidden SSID. I don't want to sound Scroogish, but I'd rather not let others use what I'm paying for. One neighbor is in and out of county for various warrants, and he's the one I don't want reading my mail.

Thanks Lads!

[baldie]

TheLastColdBeer

Ok, sounds like WPA2 with hidden SSID. I don't want to sound Scroogish, but I'd rather not let others use what I'm paying for. One neighbor is in and out of county for various warrants, and he's the one I don't want reading my mail.

Thanks Lads!

 Yep and just a final thought for all of you.....IF someone downloads ilegal or illicit content via your connection you can also be prosecuted and held responsible.

eg court action, PC confiscated and depending on the content downloaded possible fine or jail time...Thats why virgin brought out the Hubs password and encryption already set up because one of our customers nearly went to jail when his neighbour used his broadband to download child porn...And then tried to take virgin to court which failed as the courts said it was his responsibillity to protect his connection....

So lock it down and hide it......

[NickTheGrip]

Ditto to all of the above. WPA2 and hide your SSID

Also change your password and network SSID once a month. I know it sounds like a pain, but it is worth it for peace of mind. As Baldie says, you are responsible if someone uses your connection for illegal activity of any kind. There have been numerous cases of people being arrested for something they haven't done because of their neighbors or even someone driving past their house and stealing their connection.

Another more radical item is to assign static IP addresses to all computers that connect. That will really limit the connectivity from outside. most people gravitate towards DHCP (Dynamic host configuration protocol) where the router assigns IP addresses automatically, but with static, you have to have the correct IP in order to connect and most hackers simply aren't going to go to the trouble of searching for your assigned static range.

My 2 cents

[TheLastColdBeer]

You mean static addresses within the LAN? My Internet supplier provides a dynamic address for my connection. Had to clone all the information off my old router, including MAC addresses, for the swap to work in the first place. Would I have to supply a MAC address for every device that connects wirelessly? This is somewhat off the map for me, and I'm learning as I go. Main things are our Nooks, a PDA, and her Iphone. We're a couple hundred feet off the road, and I don't know what signal strength we have left by the time you get to the end of the property.......have to check that out.

[Astronomer]

No, not MAC Addresses, just the assigned internal IP addresses for your network i.e. 192.168.1.107 or 192.168.0.103 etc. They will begin with "192.168". Your router assigns them dynamically via DHCP by default. You can assign static/permanent IP addresses for your systems. Best practice is to set the number range outside of the defaults, which usually have numbers that end at 101, 102, 103 etc. Your router signal will be very weak at the end of your driveway if you're 200 feet off the road, so I wouldn't be too worried. Also, if managing and configuring a router is fairly new to you and you want to minimize the hassle, keeping your SSID hidden will negate the need to change it monthly. Again, if it can't be seen, it can't be broken into.

[Cavey]

Yes static ip addresses for your LAN. Default router ip is normally 192.168.1.1 or 192.168.0.1. Your router then gives out any address from 192.168.1.2 or 192.168.0.2 up to .254

 

It will not give .255 as this is a broadcast address. Also note that this ip range is a APIPA range (Automatic Private Internet Protocol Allocation). Which means its not a public ip address range, and hence your ISP will provide with a ip address from a completely different public range.

 

You will not have to supply MAC address unless you want to make your network bomb proof for security. Which means if you have switched on MAC address filtering, then in the MAC address table of the router you must supply the list of all device MAC addresses you will allow to connect to your router. If the MAC address isn't listed, then that device will not be allowed to connect to your router. This would be a real pain in the ass if you want to do co-op modes in online gaming, where you are hosting, as you would have to add you friends MAC address to your router. In short its overkill for what you need. I only set this up in our Corporate environment.

[Cavey]

Oh and by the way you don't really need to change your wireless password frequently, just use a long alpha numerical password, with upper and lower case. Also change the default password for connecting into the control panel of your router, and ensuring its strength and being different to your wireless password.

[Sitting-Duc]

Cavey

Yes static ip addresses for your LAN. Default router ip is normally 192.168.1.1 or 192.168.0.1. Your router then gives out any address from 192.168.1.2 or 192.168.0.2 up to .254It will not give .255 as this is a broadcast address. Also note that this ip range is a APIPA range (Automatic Private Internet Protocol Allocation). Which means its not a public ip address range, and hence your ISP will provide with a ip address from a completely different public range. You will not have to supply MAC address unless you want to make your network bomb proof for security. Which means if you have switched on MAC address filtering, then in the MAC address table of the router you must supply the list of all device MAC addresses you will allow to connect to your router. If the MAC address isn't listed, then that device will not be allowed to connect to your router. This would be a real pain in the ass if you want to do co-op modes in online gaming, where you are hosting, as you would have to add you friends MAC address to your router. In short its overkill for what you need. I only set this up in our Corporate environment.

 

oh that's another thing i have set MAC address filtering

 

Mobile Phone, Netbook, Laptop all on the whitelist (computer is connected via lan) xD

[BigPapaDean]

Very intere3sting gentlemen! Ooops thats if you are gentlemen! >XI< Til I die!!!

[TheLastColdBeer]

Thank you m8's;

WPA2 & hidden SSID is what I'm set at now. Assigned password to router itself, foolishly I never did that for the old LAN. Glad I didn't need to assign MAC addresses for individual devices, that would've drove me nuts. It's just for home, and we're fairly isolated. Nice to keep things somewhat accessible.....lol!

 Oh yeah Dean, Gentlemen? We be monsters here in IdiotLand!

[VANHELSING]

Wpa2 and Hide your SSID is the way to go. I agree with Nick change the password once a month, I use to do some war driving and you would be surprised how many connections are wide open. Usually it's not your pc's information they're after it's your connection. Wep is so outdated I'm surpised that they even put the option on new routers.

[deerejon]

vanhelsing

Wpa2 and Hide your SSID is the way to go. I agree with Nick change the password once a month, I use to do some war driving and you would be surprised how many connections are wide open. Usually it's not your pc's information they're after it's your connection. Wep is so outdated I'm surpised that they even put the option on new routers.

 War driving....lol..the good old days...I remember them well....hell I even remember war DIALING.....lol...

[PingLo]

deerejon

vanhelsing

Wpa2 and Hide your SSID is the way to go. I agree with Nick change the password once a month, I use to do some war driving and you would be surprised how many connections are wide open. Usually it's not your pc's information they're after it's your connection. Wep is so outdated I'm surpised that they even put the option on new routers.

 War driving....lol..the good old days...I remember them well....hell I even remember war DIALING.....lol...

Do you remember Phreaking, making calls all over the world for free, 2600hz tones etc.  Those were the days when we ruled the phone lines and Bell just thought they did..

[PingLo]

Cavey

Yes static ip addresses for your LAN. Default router ip is normally 192.168.1.1 or 192.168.0.1. Your router then gives out any address from 192.168.1.2 or 192.168.0.2 up to .254It will not give .255 as this is a broadcast address. Also note that this ip range is a APIPA range (Automatic Private Internet Protocol Allocation). Which means its not a public ip address range, and hence your ISP will provide with a ip address from a completely different public range. You will not have to supply MAC address unless you want to make your network bomb proof for security. Which means if you have switched on MAC address filtering, then in the MAC address table of the router you must supply the list of all device MAC addresses you will allow to connect to your router. If the MAC address isn't listed, then that device will not be allowed to connect to your router. This would be a real pain in the ass if you want to do co-op modes in online gaming, where you are hosting, as you would have to add you friends MAC address to your router. In short its overkill for what you need. I only set this up in our Corporate environment.

I love it when Cavey talks about MACs!

 

The real way to do it is just open up your Wifi to whomever but put it behind a stateful Firewall that only allows access to your IPSec or SSH based VPN solution. Then configure your client machines for two factor security (RSA SecurID soft token is good) and only allow those folks who authenticate to traverse onto your network and the internet via that connection.

 

This is pretty much a best practice, no need for mac addresses, even if they are using a Mac...

 

[DEEJAYKEG]

PingLo

Cavey

Yes static ip addresses for your LAN. Default router ip is normally 192.168.1.1 or 192.168.0.1. Your router then gives out any address from 192.168.1.2 or 192.168.0.2 up to .254It will not give .255 as this is a broadcast address. Also note that this ip range is a APIPA range (Automatic Private Internet Protocol Allocation). Which means its not a public ip address range, and hence your ISP will provide with a ip address from a completely different public range. You will not have to supply MAC address unless you want to make your network bomb proof for security. Which means if you have switched on MAC address filtering, then in the MAC address table of the router you must supply the list of all device MAC addresses you will allow to connect to your router. If the MAC address isn't listed, then that device will not be allowed to connect to your router. This would be a real pain in the ass if you want to do co-op modes in online gaming, where you are hosting, as you would have to add you friends MAC address to your router. In short its overkill for what you need. I only set this up in our Corporate environment.

I love it when Cavey talks about MACs!

 

The real way to do it is just open up your Wifi to whomever but put it behind a stateful Firewall that only allows access to your IPSec or SSH based VPN solution. Then configure your client machines for two factor security (RSA SecurID soft token is good) and only allow those folks who authenticate to traverse onto your network and the internet via that connection.

 

This is pretty much a best practice, no need for mac addresses, even if they are using a Mac...

 

The best way is to turn wireless off and use Homeplugs!

[Heffalump]

I am fucked if I know what you lot are on about, but I hear once you know your hacked/exploited and you find them, a cricket bat and steel toecaps work wonders!

[Sammy]

It's a bit of a pain but you can use a MAC filter. That should remove any possibility of an outsider of logging onto your network. And no that doesnt mean keeping out Apple products.

 

edit: ooops, someone beat me to it.