Old 06-08-2002, 11:07 AM   #1
FLAC
 
Join Date: May 2002
Location: Sef'Kylar
Posts: 1,421
making a secure access point..

Any Ideas on how to make an access point secure from intentional or even unintentional misuse?

Seeing as I can't reach it from my front yard I'm not too concerned, but right now it's shielded by the basement walls.

If I move to an apartment or another inopportune locality I may not be so fortunate.
__________________
aka Kumaneko
"Don't make me moderate your ***!"
Maxima of Doom - project thread - photo gallery
mp3car system is currently FUBAR and finances do not allow for a correction of that situation
Real computer hackers use a rotary cutting tool on their motherboard.
ShinkunoNamida is offline   Reply With Quote
Old 06-08-2002, 12:17 PM   #2
Variable Bitrate
 
Join Date: Sep 1999
Location: Yarmouth NS, Canada
Posts: 336
First, enable any WEP that you can use. Yes, it's not all that secure and people can use AirSnort or equiv to grab keys, but it's at least a start. Second, limit access only to MAC addresses of the cards you own. Again, this can be spoofed but there isn't any point in making it easy for anyone.

That will stop the casual people from accessing it. You will also want to turn off broadcasting of your SSID so that it doesn't show up to Netstumbler, etc. This makes it a little more inconvenient to connect to the AP as it's not automatic, but it's a lot more secure as they have to know the AP is there.

Finally, if you want to do this properly, set up a 2k/Linux server that you can VPN to from your remote computer. If all traffic on the wireless link is encrypted again you will be fine.
__________________
MP3 Cavalier - http://www.mp3cavalier.com
MP3 Grand Prix - http://www.mp3gp.com

Last edited by Callahan; 06-08-2002 at 12:21 PM.
Callahan is offline   Reply With Quote
Old 06-08-2002, 10:26 PM   #3
Retired Admin
 
Join Date: Jan 2000
Location: London, Ontario, Canada
Posts: 2,465
There is no way to secure an access point. Any security features available can be broken in a matter of hours (WEP is a joke, an SSID is not a secret code, and MAC addresses are easy to sniff and spoof). The only way to be truly secure is to use a VPN.
__________________
Player: Pentium 166MMX, Amptron 598LMR MB w/onboard Sound, Video, LAN, 10.2 Gig Fujitsu Laptop HD, Arise 865 DC-DC Converter, Lexan Case, Custom Software w/Voice Interface, MS Access Based Playlists
Car: 1986 Mazda RX-7 Turbo (highly modded), 1978 RX-7 Beater (Dead, parting out), 2001 Honda Insight
"If one more body-kitted, cut-spring-lowered, farty-exhausted Civic revs on me at an intersection, I swear I'm going to get out of my car and cram their ridiculous double-decker aluminium wing firmly up their rump."
Aaron Cake is offline   Reply With Quote
Old 06-08-2002, 11:06 PM   #4
Maximum Bitrate
 
Join Date: Jun 2001
Location: St. Louis-MO
Posts: 490
Pringles

I heard people were going around with Pringle cans on their access points and wireless cards to get better range. I couldn't believe it, but it actually works.


Instructions on building one
http://www.oreillynet.com/cs/weblog/view/wlg/448 to aid in its creation


Wireless hacking story with Pringle cans
http://news.bbc.co.uk/hi/english/sci...00/1860241.stm


PoBoy
__________________
I'm a ghost...email me if you have any questions on my old setup

My way outdated website: http://www.poboytech.net

FYI: I sold my 96 4Runner and bought a 1985
PoBoy is offline   Reply With Quote
Old 06-09-2002, 01:26 AM   #5
Variable Bitrate
 
Join Date: Sep 1999
Location: Yarmouth NS, Canada
Posts: 336
Quote:
Originally posted by Aaron Cake
There is no way to secure an access point. Any security features available can be broken in a matter of hours (WEP is a joke, an SSID is not a secret code, and MAC addresses are easy to sniff and spoof). The only way to be truly secure is to use a VPN.

Just because something is possible does not mean that EVERYONE will be able to do it. What you have said is true for any technology. The only safe computer is the one turned off and at the bottom of the ocean.

Yes many of the above listed security features can be circumvented, but that does not mean that you shouldn't enable them. Do you not lock your doors because lock picks exist? Do you not put a security system in a car because wire cutters exist?

Seriously, it simply makes it more of a pain to use your AP, and 9/10 times this means they will use another AP (especially in a populated area where there may be several in range). No thief or attacker wants trouble unless you are worth it. If you are a big corporation, sure maybe they will still try and break in. But if they figure you are just somebody's home network it's just not worth the time to sit there and collect gigs and gigs of data to be able to determine the WEP key.
__________________
MP3 Cavalier - http://www.mp3cavalier.com
MP3 Grand Prix - http://www.mp3gp.com
Callahan is offline   Reply With Quote
Old 06-09-2002, 06:00 PM   #6
Maximum Bitrate
 
Join Date: Jan 2002
Location: Chaska, MN
Posts: 695
One of the first things to do though is to disable the SSID broadcast, NetStumbler can't find the access point at all then, if the war driver is using Linux programs then they can typically still see the packets with most of the Linux programs, but that is a good place to start. I also have MAC addy auth on my AP and on my router. VPN is a must also, use it. Disable WEP, it isn't worth the slowdown in network speed.
__________________

1997 Jeep Wrangler Rugged Waves


Ebay Stuff For Sale
freestyler is offline   Reply With Quote
Old 06-09-2002, 07:08 PM   #7
Variable Bitrate
 
Join Date: Sep 1999
Location: Yarmouth NS, Canada
Posts: 336
Quote:
Originally posted by freestyler
One of the first things to do though is to disable the SSID broadcast, NetStumbler can't find the access point at all then, if the war driver is using Linux programs then they can typically still see the packets with most of the Linux programs, but that is a good place to start. I also have MAC addy auth on my AP and on my router. VPN is a must also, use it. Disable WEP, it isn't worth the slowdown in network speed.

A decent wireless card and AP shouldn't notice any slow down at all from the encryption. Cheapies will of course yea.
__________________
MP3 Cavalier - http://www.mp3cavalier.com
MP3 Grand Prix - http://www.mp3gp.com
Callahan is offline   Reply With Quote
Old 06-09-2002, 07:42 PM   #8
Maximum Bitrate
 
Join Date: Jan 2002
Location: Chaska, MN
Posts: 695
Quote:
Originally posted by Callahan


A decent wireless card and AP shouldn't notice any slow down at all from the encryption. Cheapies will of course yea.

Actually they all do... from the Linksys to the Avaya (Orinoco, Agere, etc.)
__________________

1997 Jeep Wrangler Rugged Waves


Ebay Stuff For Sale
freestyler is offline   Reply With Quote
Old 06-09-2002, 10:27 PM   #9
Variable Bitrate
 
Join Date: Sep 1999
Location: Yarmouth NS, Canada
Posts: 336
Quote:
Originally posted by freestyler


Actually they all do... from the Linksys to the Avaya (Orinoco, Agere, etc.)

Actually, no they all don't. It really does depend on the card/AP. Check out http://practicallynetworked.com and their reviews. They test every card for the performance decrease with WEP enabled. Yes, the Orinoco cards look at around a 15-20% decrease in performance, but many (SMC USB for example) have no noticeable decrease.

Although, as we both mentioned, a VPN is the solution and should be used over WEP. But having both enabled (if you happen to not be affected by both the WEP and VPN overhead) doesn't hurt.
__________________
MP3 Cavalier - http://www.mp3cavalier.com
MP3 Grand Prix - http://www.mp3gp.com
Callahan is offline   Reply With Quote
Old 06-09-2002, 11:06 PM   #10
Constant Bitrate
 
Join Date: Dec 2001
Location: Columbia, Maryland
Posts: 134
Line your house with anti-static bags, I just realized my ez-pass is in one and says to keep it in the bag when not in use......
__________________
mp4runner.com
saletel is offline   Reply With Quote
Old 06-10-2002, 12:01 AM   #11
Maximum Bitrate
 
Join Date: Jan 2002
Location: Chaska, MN
Posts: 695
Quote:
Originally posted by Callahan


Actually, no they all don't. It really does depend on the card/AP. Check out http://practicallynetworked.com and their reviews. They test every card for the performance decrease with WEP enabled. Yes, the Orinoco cards look at around a 15-20% decrease in performance, but many (SMC USB for example) have no noticeable decrease.

Although, as we both mentioned, a VPN is the solution and should be used over WEP. But having both enabled (if you happen to not be affected by both the WEP and VPN overhead) doesn't hurt.

Who wants to use SMC crap? They have the poorest range out of ANY card out there. practicallynetworked has good reviews yes, but usually don't try the cards in a real-life situation, at the University I go to which I also work for doing computer support we have tried all the main brands out there, SMC has the worst range while the Orinoco cards have the best. For WEP slowdown all of them showed a decrease, we just don't use WEP as it isn't worth it, why use resources up for something that doesn't do anything? No matter how small, it adds up when you have a few hundred users. There are 100k+ users at U I go to, of those granted only a few have wireless but we have begun pushing it and have noticed a large increase, using WEP would make it so that you would have to use the same brand as our access points as even though they state WEP will work with anything it doesn't, Linksys does it a proprietary way while Lucent does it another. In all WEP just isn't worth it. Just use VPN + SSID broadcast disable + MAC auth + firewall. You could also easily set up a redirect on your network that if the user doesn't input a username/password that is referenced from a secure database then they won't get on, granted they can grab packets but they can't steal bandwidth.
__________________

1997 Jeep Wrangler Rugged Waves


Ebay Stuff For Sale
freestyler is offline   Reply With Quote
Old 06-10-2002, 03:19 PM   #12
Variable Bitrate
 
Join Date: Sep 1999
Location: Yarmouth NS, Canada
Posts: 336
Quote:
Originally posted by freestyler


Who wants to use SMC crap? They have the poorest range out of ANY card out there. practicallynetworked has good reviews yes, but usually don't try the cards in a real-life situation, at the University I go to which I also work for doing computer support we have tried all the main brands out there, SMC has the worst range while the Orinoco cards have the best. For WEP slowdown all of them showed a decrease, we just don't use WEP as it isn't worth it, why use resources up for something that doesn't do anything? No matter how small, it adds up when you have a few hundred users. There are 100k+ users at U I go to, of those granted only a few have wireless but we have begun pushing it and have noticed a large increase, using WEP would make it so that you would have to use the same brand as our access points as even though they state WEP will work with anything it doesn't, Linksys does it a proprietary way while Lucent does it another. In all WEP just isn't worth it. Just use VPN + SSID broadcast disable + MAC auth + firewall. You could also easily set up a redirect on your network that if the user doesn't input a username/password that is referenced from a secure database then they won't get on, granted they can grab packets but they can't steal bandwidth.

Your real life situation does not equal everyone else's real world situation. I have had pretty good success with SMC cards, as well as Orinoco (both branded and Dell rebadges). The SMCs worked just as well and through some pretty nasty areas and over a pretty good distance.. in ad hoc mode as well.

You are in a very different situation as well, you are FAR more susceptible to someone snorting the keys because it's easy to sit in the univ and collect the data. With someone's house, unless you are in the same building you probably won't bother getting close long enough to bother with it. I'm not saying that WEP is perfect, it's not even close. But it's not 'worthless'. It is weak yes if you know what you are doing, but a lot of the time in a busy area people are going to move on and go after an open WAP. Again, I totally agree with you that you should be VPNing across any wireless link, because you just don't know who is listening.

My D-link WAP hasn't had a problem with any of the Wireless NICs that I have used, and I haven't noticed any WEP slow down.

To me it would be try it with WEP on (if you can get it to work, some people do have a lot of problems) and with it off. If you don't notice the difference what's it hurt to add one more layer, even if it's thin?
__________________
MP3 Cavalier - http://www.mp3cavalier.com
MP3 Grand Prix - http://www.mp3gp.com
Callahan is offline   Reply With Quote
Old 06-10-2002, 04:36 PM   #13
Maximum Bitrate
 
Join Date: Jan 2002
Location: Chaska, MN
Posts: 695
Well I also have a network in my apartment and haven't had luck with Linksys WAP11 using WEP on an Orinoco card, SMC, D-Link, only the Linksys one worked. It's a flaky protocol, if you get it to work great, but just doesn't seem worth it to me.
__________________

1997 Jeep Wrangler Rugged Waves


Ebay Stuff For Sale
freestyler is offline   Reply With Quote
Old 06-10-2002, 04:50 PM   #14
FLAC
 
Join Date: Jan 2001
Posts: 1,617
I've been thinking about a wireless addition to my network, but I'm hoping it won't need any of the WEP stuff. I think I'm far enough from the main road that I won't have anyone snooping onto my network. Though I can always just have my DHCP server not assign addresses to other cards other than mine.
bgoodman is offline   Reply With Quote
Old 06-10-2002, 05:14 PM   #15
Constant Bitrate
 
Join Date: Dec 2001
Location: my parents house ;-)
Posts: 178
Just unplug it when not being used.
inline4 is offline   Reply With Quote