
Thread: Wireless Network Security

  1. #1
    Registered User gobbo's Avatar
    Join Date
    Jul 2003
    Location
    Home: Nottingham, Uni: Sheffield
    Posts
    789
    Thanks
    0
    Thanked
    1 time in 1 post

    Wireless Network Security

    Hi guys,

    Had a look on Google and such, but thought I'd ask the experts at Hexus.

    Basically I have a wireless access point on my home network, to which only my laptop connects. I have set up 64-bit encryption on the connection with a key, but no other security.

    How else can I secure the network, or is it really not worth it?

    Cheers guys

  2. #2
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    385 times in 314 posts
    You can lock down the access point by the MAC address on the wireless cards.

    If you really want to go for it, you can segment the wireless network off on the LAN and make all clients connect to your main network by a VPN, but that may well be too much for you.

    The best way is to switch your access point off when you don't use it!

    A timer switch can be useful for this.
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  3. #3
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    128-bit encryption over 64-bit - though the initialization vector is the same length (24 bits) so it's not as superior as people assume.

    MAC address restriction - make it so the AP will only accept your laptop's physical address.
    (You can get this by entering ipconfig /all at a command prompt.)

    Make sure on the laptop's wireless interface you only have TCP/IP enabled - you don't need the Client for Microsoft Networks and certainly not File & Printer Sharing turned on.
    (I'm assuming it's Windows.)


    Those are the simple changes, anything else is probably a little more advanced and may require features your AP doesn't support such as LEAP encryption, the ability to reduce the power (and hence range) of the signal.

    For a single PC using a WLAN it's not quite so tricky to secure - if you have more clients that might want to communicate with each other through it then that's a different ball-game.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  4. #4
    Will work for beer... nichomach's Avatar
    Join Date
    Jul 2003
    Location
    Preston, Lancs
    Posts
    6,137
    Thanks
    564
    Thanked
    139 times in 100 posts
    Also check whether the AP and the laptop will support WPA (Wi-Fi Protected Access) as opposed to WEP; even if the current driver/firmware doesn't, there may be an update which does, and it's much better.

  5. #5
    Registered User gobbo's Avatar
    Join Date
    Jul 2003
    Location
    Home: Nottingham, Uni: Sheffield
    Posts
    789
    Thanks
    0
    Thanked
    1 time in 1 post
    Yeah, both support WPA.

    It is a Windows laptop, disabled all but TCP/IP.

    Thanks for the advice guys, sounds like it's about as secure as it's going to get. TBH, I don't think it needs to be massively secure, as no personal info is kept on any of our PCs, I would just be more pissed off with someone stealing my bandwidth!

  6. #6
    Goron goron Kumagoro's Avatar
    Join Date
    Mar 2004
    Posts
    3,147
    Thanks
    37
    Thanked
    170 times in 139 posts
    Don't even bother with MAC filtering, it's pointless. You can spoof the MAC address in less than 5 minutes. Don't believe the hype about WEP's vulnerability; it was near enough eliminated 2 years ago. If anyone says that a skilled hacker will still be able to crack it, that's bollocks. Skilled or unskilled, they have to do it the same way and it takes months to try and get the key. If you really are worried you can use a key generator which comes with airtools on FreeBSD, which apparently will generate a safe key. Stick with 64 bit, you really don't have to worry, though if WPA is available then do it.

  7. #7
    Oh no!I've re-dorkalated! Jiff Lemon's Avatar
    Join Date
    Jul 2003
    Location
    Sunny MK
    Posts
    2,504
    Thanks
    80
    Thanked
    44 times in 41 posts
    Quote Originally Posted by Kumagoro
    Don't even bother with MAC filtering, it's pointless. You can spoof the MAC address in less than 5 minutes.
    Want to back that up with some evidence?

  8. #8
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    MAC addresses have been spoofable for years, and even on an encrypted WLAN they are broadcast unencrypted so easy to obtain.

    When 2 devices with the same address exist on a WLAN, it's the one with the strongest signal who wins - so it's likely to be yourself if you are in the building as you'll be closer.

    On an encrypted WLAN there is a remote possibility of someone managing to get on your network, but it's more a problem of stolen bandwidth or denial of service.
    If someone wants to just break your wireless service out of spite, they can.


    Oh, back to the original question - turn off SSID broadcasting too, that's a simple fix to help obscure you a little bit.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3
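
A defender-side check for the situation post #8 describes, two devices on the WLAN using the same MAC address (added example, not part of the thread). It relies on each 802.11 transmitter numbering its frames with its own 12-bit sequence counter, so two radios sharing one address produce large jumps that a single client does not; the capture records, MAC addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits wide and wrap around

# Constructed capture, in arrival order: (source MAC, sequence no., RSSI dBm)
FRAMES = [
    ("00:11:22:aa:bb:01", 100, -41), ("00:11:22:aa:bb:02", 4094, -55),
    ("00:11:22:aa:bb:01", 101, -42), ("00:11:22:aa:bb:02", 4095, -54),
    ("00:11:22:aa:bb:01", 2907, -78), ("00:11:22:aa:bb:02", 0, -56),
    ("00:11:22:aa:bb:01", 102, -40), ("00:11:22:aa:bb:02", 1, -55),
    ("00:11:22:aa:bb:01", 2908, -79), ("00:11:22:aa:bb:02", 5, -57),
    ("00:11:22:aa:bb:01", 103, -43),
]

def suspected_shared_macs(frames, max_gap=64, min_jumps=2):
    """Return (mac, jump_count, rssi_spread_db) for MACs that look shared.

    A forward gap of up to max_gap allows for frames the sensor missed;
    anything larger (including moving backwards, which shows up as a big
    forward gap modulo 4096) counts as a jump between two counters.
    """
    last_seq = {}
    jumps = defaultdict(int)
    rssi = defaultdict(list)
    for mac, seq, dbm in frames:
        rssi[mac].append(dbm)
        if mac in last_seq:
            gap = (seq - last_seq[mac]) % SEQ_MOD
            if gap > max_gap:
                jumps[mac] += 1
        last_seq[mac] = seq
    return sorted(
        (mac, n, max(rssi[mac]) - min(rssi[mac]))
        for mac, n in jumps.items() if n >= min_jumps
    )

if __name__ == "__main__":
    for mac, n, spread in suspected_shared_macs(FRAMES):
        print(f"{mac}: {n} sequence jumps, RSSI spread {spread} dB")
```

The RSSI spread is reported only as corroboration, since a moving laptop also changes signal strength.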

  9. #9
    Senior Member
    Join Date
    Jan 2004
    Location
    UK
    Posts
    377
    Thanks
    0
    Thanked
    0 times in 0 posts
    You can spoof MACs easily, but you need to know what you're trying to spoof the MAC to be, so it's security by obscurity. Sure someone could set up a script to spoof the address and cycle through the possibilities, but they'd have to really want to get onto your network. It's a good extra measure, but alone it's pretty weak, especially since the first few (3?) groups of hexadecimal digits are a manufacturer identifier.

  10. #10
    Oh no!I've re-dorkalated! Jiff Lemon's Avatar
    Join Date
    Jul 2003
    Location
    Sunny MK
    Posts
    2,504
    Thanks
    80
    Thanked
    44 times in 41 posts
    I'm not saying it can't be done - the point I was trying to make is that MAC filtering isn't pointless - it's an extra hurdle to overcome.

    My Wi-Fi security is a simple 4 step strategy:
    1) Hide SSID
    2) MAC filtering
    3) WPA encryption
    4) Honey trap second access point

    Although I must confess number 4 was switched off after netstumbling continuously for 3 weeks and not having so much as a sniff of anyone trying my network! A healthy dose of paranoia doesn't go amiss though!

  11. #11
    Goron goron Kumagoro's Avatar
    Join Date
    Mar 2004
    Posts
    3,147
    Thanks
    37
    Thanked
    170 times in 139 posts
    The point is, if someone is going to take the trouble of continually monitoring your network for months and months to get your key then 5 minutes to alter their MAC address is nothing. Your hurdle is equivalent to closing a door without locking it, it's like punching your way out of a wet paper bag.
    To find a client MAC takes literally seconds.

    I also don't see the point in trying to hide your BSSID, it takes less than a second to find it out. Besides which it might affect the stability of your network.... it certainly does on mine.

  12. #12
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    385 times in 314 posts
    Have you any idea on a layered approach to security?

    Each additional layer makes it that much more attractive for a cracker to give up and try to break the other networks on his/her/its list.

    I'm all for segmenting WLAN users off on a VPN anyhow, so even if you break the wireless segment, you won't get much further.

    Kumagoro, I'd suggest you start backing up your claims, as your arguments are starting to lose credibility.
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  13. #13
    Senior Member
    Join Date
    Jan 2004
    Location
    UK
    Posts
    377
    Thanks
    0
    Thanked
    0 times in 0 posts
    Quote Originally Posted by Jiff Lemon
    I'm not saying it can't be done - the point I was trying to make is that MAC filtering isn't pointless - it's an extra hurdle to overcome.
    ditto

  14. #14
    Registered User gobbo's Avatar
    Join Date
    Jul 2003
    Location
    Home: Nottingham, Uni: Sheffield
    Posts
    789
    Thanks
    0
    Thanked
    1 time in 1 post
    I personally follow the same ideas, no single piece of network security is totally secure, but by adding another hurdle for the would-be hacker to get over, you are increasing the length of time it takes for them to hack, which gives you a better chance of them not succeeding, or just giving up.

  15. #15
    Sublime HEXUS.net
    Join Date
    Jul 2003
    Location
    The Void.. Floating
    Posts
    11,819
    Thanks
    213
    Thanked
    233 times in 160 posts
    The honeypot idea is quite a good one: funnel them off into a really easy to crack area, even give them net access from it, but restrict the bandwidth to like 2k/sec, they'll soon get bored and leave..

    There's also that program to create phantom APs, isn't there?
    (\__/)
    (='.'=)
    (")_(")

  16. #16
    Oh no!I've re-dorkalated! Jiff Lemon's Avatar
    Join Date
    Jul 2003
    Location
    Sunny MK
    Posts
    2,504
    Thanks
    80
    Thanked
    44 times in 41 posts
    Quote Originally Posted by Stoo
    The honeypot idea is quite a good one: funnel them off into a really easy to crack area, even give them net access from it, but restrict the bandwidth to like 2k/sec, they'll soon get bored and leave..

    There's also that program to create phantom APs, isn't there?
    My honey pot AP was connected to a Win98 laptop containing lots of open shares, filled with files with enticing names; all as downloaded from various newsgroups.

    In short....... The biggest virus lab about!
