wireless networking

some of my friends are going to be living in the same apartment complex this year and they were wondering if i want to share internet with them. so i was wondering what kind of experience have you had with different companies, models, b vs g series. probably going to head towards g since i heard it is safer.. being in a college area.. i don't want people freeloading off me.
 
Wireless Ethernet (802.11a, b, and g so far) is quite nifty.

A decent router should cost no more than $150, and you can often get good deals.

For normal use, .11b is quite safe enough, even un-encrypted. Geeks, hold on, bear me out.

You should think of the internet as just as secure as if you were shouting everything really loud. Anyone in the right spot can hear everything, Wifi just makes it easier.

That said, basic security is so easy to use that there's no point not doing it.

Basically, your steps are simple:
1) Turn off ESSID broadcasting. This makes your access point/router stop shouting who and what it is.
2) Enable MAC whitelisting if it's available. This allows only authorized computers to connect.
3) Enable WAP. WAP encrypts all wireless traffic and means that you need the secret key to connect.

None of these will stop a determined attacker, but just like a car alarm, the point isn't to make it un-stealable, just to make the neighbors' an easier target.

For lots more information, including some newer standards, read through Ars Technica's Wireless Security Blackpaper

WRT vendors, I've had great luck with D-Link and Orinoco/Proxim (pricey). Netgear and SMC are also good.

The real reason to choose g over b is speed. Yes g does have WPA which is better than WAP, but anything that needs more than WAP security (like online banking) should be done over an encrypted channel anyway (like the SSL connection to your bank), so I wouldn't worry too much about it.

802.11a is still around and you actually may want to look into it, especially if you're in a wifi-hostile area (places with lots of other APs, microwave ovens, etc) as it operates at a higher frequency and has different signal obstruction issues that may be useful.

Also, bear in mind that anything that works over 2.4Ghz including some phones and all microwaves will interfere BADLY with wifi. There is also a protocol limit to how many APs can overlap in a single area (A rule of thumb is 3 APs can overlap, more gets complicated).

Good luck and happy surfing!
 
Just a few corrections:

WPA (stands for WiFi Protected Access) is not specific to only 802.11g (i.e. there is nothing inherent to 802.11g that makes it more secure than 802.11b).

802.11g's main advantage to the user is its higher speed (54 Mbits/second vs 11 Mbits/second for 802.11b). But if you just want to share an internet connection then you need to realize that the bottleneck of your connection speed will be your wired connection to your service provider, probably 1 Mbits/second for typical Ethernet.

Skorgu is correct that neither MAC filtering, WEP encryption (he said WAP but I presume he means WEP), nor not-broadcasting your SSID is a foolproof way of stopping a determined and relatively skilled attacker. But it's more than enough for home user security. But of those, MAC filtering and "hiding" your SSID are VERY easy to overcome.

Coverage wise, a typical wireless access point will provide a 300 foot spherical radius of radio coverage in open air. In an apartment building, I would say anywhere from 100-200 feet. Cordless phones operating IN the 2.4Ghz frequency band will interfere with the signals, this is more likely if the phone operates on a radio channel close to the channel the access point is on. I've never personally had my microwave interfere with my wireless network, but it's possible.

I've worked with most of the industry's vendors. I'd suggest Proxim and Broadcom products. Also, even after you have bought your equipment, make sure you get the latest drivers and firmware for your equipment. I can't tell you how many problems turn out to be bad drivers. 802.11a products are not widespread in the consumer market right now, and you'll end up paying more for those products.
 
802.11b is fine for consumer use.

You will find MANY deals on products. I've pointed one of my associates at work to this deal at Amazon...

Netgear WMB521 802.11b Wireless Kit

Price After Rebates: $29.94
Shipping is FREE

That's for the router and a PC card. You may still need additional PC cards if you have more than one laptop.

Additionally, you can always just cable between computers and use the built in switch ports in the back for internet access..

Just an idea..
 
Just a little bit of personal experience to share. I had an 802.11b system running at 2.4 ghz. My cordless phone ran on the same frequency. Whenever the phone was on, my wireless signal was effectively "jammed". :grumpy: I've since then upgraded to 802.11g. Same phone, no problems.
 
Err...yeah.

Note to self: stop writing these things at night.

Yes, I certainly did mean WEP, not WAP...wow.

And although WPA is available with some .11b cards and chipsets, support is by no means universal in my (admittedly limited) experience. At least with g it seems more likely that you can just shop for "802.11g" without having to find a product that guarantees to support WPA.

Just to expand and clarify about wireless specifically but any computer security really: you have to look at a wireless network as something that's going to get broken into. If someone wants to use your network, you can't stop them, don't even try. It's a matter of determination and resources. Like I said before, anything important should damn well be encrypted point-to-point anyway, whether or not it's going over wifi.

No matter how much low-level security you pile on, I still won't trust Wifi. Then again, I don't trust wires either, so take it as you will. Security is a state of mind not a product.

MAC whitelists and non-broadcasting SSID are far better than the default setup for everyone. In fact, nobody at home should be broadcasting SSIDs. Of course an attacker could bypass them easily, but it stops a casual user from parking next to your house and downloading child porn, which is about the only thing I personally worry about. Bear in mind that the much-vaunted Club does basically nothing to stop a determined attacker from stealing your car. The only thing it is is a deterrent. Which car would YOU steal? The one with the club or the one without?

The point isn't necessarily to make it impregnable, just not worth it. This is only for home users, of course. If you're IBM or Merrill Lynch or something, you'd want a far more capable security system.

Anyway, I'll stop ranting.
 
I already use MAC filtering and WEP, but what does turning off the SSID broadcast do? Does that mean that the wireless users won't be able to detect the network at all until they manually configure? In the document, they do mention that enabling SSID broadcast allows both authorized and unauthorized users to detect the network easier, but it didn't mention how it affects the authorized users.

Thanks for that link--I'm going to have to read through it later.
 
Turning off SSID broadcasting prevents casual observers (i.e. those within radio range) from readily knowing the existence of your wireless network. As you mention, if they happen to know your (hidden) SSID, they can manually configure a wireless connection with that SSID, to which the respective network will respond.

Basically, the way broadcasting works is if an access point (AP) is configured to broadcast its SSID, it basically sends out packets in the air to anyone and everyone saying "I am here, my name is X". So any wireless client can passively listen to the air and see the network.

If the AP is configured to not broadcast its SSID, then a wireless client must perform what's called a directed probe. If an AP receives a directed probe, it will respond to the wireless client, announcing its presence. So basically a wireless client would have to know the AP's SSID, and try to "find" it. Following our previous analogy, this would be akin to the wireless client shouting out "Yo X, are you there?", and the AP will specifically respond to the client, "yeah, it's me X, I'm here".

The reason why relying on not broadcasting your SSID as a form of privacy is not secure is because with a minimum set of tools, anyone can "listen" to packets in the air, even if those packets are not specifically addressed to them or a general audience. Each packet has what amounts to a "from" piece of information, and a "to" piece of information (much like a postal letter).
 
QUOTE:

MAC whitelists and non-broadcasting SSID are far better than the default setup for everyone. In fact, nobody at home should be broadcasting SSIDs. Of course an attacker could bypass them easily, but it stops a casual user from parking next to your house and downloading child porn, which is about the only thing I personally worry about. Bear in mind that the much-vaunted Club does basically nothing to stop a determined attacker from stealing your car. The only thing it is is a deterrent. Which car would YOU steal? The one with the club or the one without?

ENDQUOTE

I don't quite agree that no one should be broadcasting their SSID. Not broadcasting your SSID is almost no more "secure" than broadcasting it.

MAC filtering is just as easily circumvented. The way MAC filtering works is the AP is configured such that it will ignore all incoming traffic unless the packet's "from" field matches a MAC address in its list of "allowed" MAC addresses. But the thing is that once again, anyone can listen to packets in the air, taking note of the packet's "to" and "from" fields. It is a trivial matter to figure out which packets are being accepted by an AP, and what MAC address those packets are coming from. Once you've done that, an intruder could change their own MAC address to match the accepted MAC address.

Anyway, for home users today, the only minimal acceptable security solution is encryption (i.e. WEP). WEP encryption is not as easily broken, it would take a relatively adept and dedicated attacker to get past it. (And FYI, 128 bit WEP is no more secure than 64 bit WEP, so save yourself some typing).

But as Skorgu points out, there is no infallible security scheme, only security schemes that have not yet been broken. And in the end, they are all just deterrents.
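The two posts above describe a hidden SSID still being named in directed probes and the "from"/"to" MAC fields being readable by anyone in range. The following is an added example, not part of any post in the thread: a small Python parser run over three constructed 802.11 management frames, showing which fields stay in the clear when the beacon hides the name. The addresses, the network name `homenet` and the helper names are assumptions made for the illustration.

```python
# Constructed 802.11 management frames: what a passive listener can read.
SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
FIXED_LEN = {4: 0, 5: 12, 8: 12}  # fixed body fields before the tagged elements

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build(subtype, dst, src, bssid, ssid):
    """Assemble a minimal management frame (constructed sample, no radio involved)."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid

def parse_mgmt(frame):
    """Return (kind, dst, src, ssid); ssid is "" when hidden, None when absent."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    pos, ssid = 24 + FIXED_LEN[subtype], None
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + elen]
        if len(data) < elen:
            break  # truncated element
        if eid == 0:  # SSID element; hidden networks send it empty or NUL-filled
            ssid = data.decode("utf-8", "replace") if data.strip(b"\x00") else ""
            break
        pos += 2 + elen
    return SUBTYPES[subtype], mac(frame[4:10]), mac(frame[10:16]), ssid

def summarize(frames):
    """Count hidden beacons, collect names seen in probes, and MACs the AP answered."""
    hidden, names, answered = 0, set(), set()
    for kind, dst, src, ssid in filter(None, map(parse_mgmt, frames)):
        if kind == "beacon" and ssid == "":
            hidden += 1
        elif ssid:
            names.add(ssid)
        if kind == "probe-response":
            answered.add(dst)
    return hidden, names, answered

AP, CLIENT = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BCAST = b"\xff" * 6
SAMPLE = [  # constructed frames
    build(8, BCAST, AP, AP, b""),                # beacon with the name suppressed
    build(4, BCAST, CLIENT, BCAST, b"homenet"),  # authorized client's directed probe
    build(5, CLIENT, AP, AP, b"homenet"),        # AP's reply, name in the clear
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The beacon gives nothing away, but the first time an authorized client connects, both the name and an accepted MAC address are on the air unencrypted, which is why neither setting counts as access control.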
 
wep may not be easily broken, but i would consider it not much better than no encryption. it doesn't take much traffic on the network to break it. from people that i've talked to :) . If there is important data to be sent (well, it's probably not a good idea to use wireless in the first place) but i would echo what someone already said, i would use application level encryption (https [been broken hasn't it?], ssh, etc).

umm... regarding b/g/a, a g router is more future friendly. a could come back though. i have a linksys that i got because i wanted dynamic dns ( a feature to think about) but before that i had an smc that i liked a lot. (edit: didn't even realize i was digging up an old thread, oh well)
 
The difference between WEP encryption levels is just a few seconds to break through from 64 to 128. If you are worried about privacy...keep your info on a separate PC off the network. Otherwise don't bother worrying about your information's safety.

As a heads up, I am a Network Security Admin...but I have seen the same information I have learned at work and my classes on websites run by 12 year olds.
 
QUOTE:

The difference between WEP encryption levels is just a few seconds to break through from 64 to 128.

ENDQUOTE

I am not an expert but I think the difference between 64 bit and 128 bit is rather significant, like several min. vs several days or longer. I do know that 1024 bit encryption is virtually unbreakable with anything less than one of the supercomputers.
 
WEP is not cracked by a brute-force method. This is where a 128 bit cypher key would really come into play. It's cracked by gathering data.

For a fairly good look at how they do it...

CRACKING WEP

A good quote from this article:

"Regardless of the issues surrounding WEP, it should be understood that cracking WEP is not as easy as everyone makes it sound. Although cracking WEP is possible on the typical home-owned WLAN, it would take two to four weeks to capture enough data to successfully extract the key."
 
No matter what you get, learn to use it, learn how it works in relation to your LAN. I am a DSL tech support agent by trade, and 75% of the customers I deal with have no idea how their equipment works, so all I hear is how the DSL does not work. I can't tell you how many times I hear this, only to find a cord unplugged somewhere, or find that other PCs on the network ARE connected. Good luck, hope it works out.
 
skunked said:
I am not an expert but I think the difference between 64 bit and 128 bit is rather significant, like several min. vs several days or longer. I do know that 1024 bit encryption is virtually unbreakable with anything less than one of the supercomputers.

You might want to research this topic a little before you speak.

All attacks are not brute force attacks. Distributed computing can overcome the lack of a "supercomputer" if you want to try this approach.
 
In the case of WEP, the problem is how it's implemented (poorly using static keys) -- hence, in this case the 128 bit key does not offer the protection one would expect from properly implemented 128-bit encryption -- not even close!

For those really interested, Google AirSnort
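The static-key point made in the last few posts, as an added example that is not part of any post in the thread: WEP seeds RC4 with a 24-bit IV followed by the shared key ("64-bit" WEP is a 40-bit key plus that IV, "128-bit" is a 104-bit key plus the same IV), so two packets sent under the same IV share a keystream whatever the key length. The key bytes, IVs and payloads below are constructed, the CRC-32 integrity value is left out for brevity, and the repeat estimate assumes IVs are chosen at random.

```python
import math

def rc4(key, n):
    """RC4 key schedule followed by n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv, key, plaintext):
    """WEP seeds RC4 with IV || static key and sends the 3-byte IV in the clear."""
    return iv + xor(plaintext, rc4(iv + key, len(plaintext)))

def same_iv_leaks(key_len, iv1, iv2):
    """True when the XOR of two ciphertexts equals the XOR of the two plaintexts."""
    key = bytes(range(1, key_len + 1))                 # constructed static key
    p1, p2 = b"GET /index.html ", b"constructed data"  # constructed payloads
    c1 = wep_encrypt(iv1, key, p1)[3:]
    c2 = wep_encrypt(iv2, key, p2)[3:]
    return xor(c1, c2) == xor(p1, p2)

def packets_until_likely_iv_repeat(iv_bits=24):
    """Birthday estimate: packets for ~50% odds of a repeated IV, if IVs are random."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(2)))

if __name__ == "__main__":
    iv = b"\x00\x00\x01"
    print("40-bit key, IV reused: ", same_iv_leaks(5, iv, iv))
    print("104-bit key, IV reused:", same_iv_leaks(13, iv, iv))
    print("packets for likely IV repeat:", packets_until_likely_iv_repeat())
```

The longer key changes nothing in the reuse case because the repeat happens in the IV, which is the same 24 bits in both modes; WPA and application-level encryption such as SSL or ssh, both mentioned earlier in the thread, do not share this construction.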
 