Maximizing wireless security

Dan

I have a Netgear WGR614 v6 wireless router which I have recently begun to
use wirelessly for my wife's work laptop. There is also a desktop connected
to the router via cat 6. Both machines are running XP SP2 with all updates.
I have the router set as follows & want to be sure I'm doing all I can to
maximize security on the network:

- File sharing is OFF on both PC's
- Router setup password has been changed to 14 random characters
- Router updated with most recent firmware
- SSID set to 13 random characters
- SSID broadcast is OFF
- WPA-PSK activated w/10 random character passphrase (tried a longer
passphrase, but Windows Networking seemed to have trouble with it, kept
defaulting to a shorter phrase). Key lifetime is the default 60 minutes.
- Access control is ON with the MAC addresses for the 2 PC's being the only
ones entered.

We live in a fairly remote suburban area, so I don't think the threat of
"wardriving" is what it might be in a more populated area, but I still want
to be sure I'm doing all I can in terms of security.

TIA

Dan
 
msg

Dan wrote:

> I have a Netgear WGR614 v6 wireless router which I have recently begun to
> use wirelessly for my wife's work laptop. There is also a desktop connected
> to the router via cat 6. Both machines are running XP SP2 with all updates.
> I have the router set as follows & want to be sure I'm doing all I can to
> maximize security on the network:
>


Just my preferences: run the network open but with MAC address access
controls and install IPSec VPN software with strong encryption on
your hosts (you can run a port of OpenBSD's ISAKMPD under cygwin
on the desktop if you don't have a border router, and the laptops can
run the free SSH_Sentinel Ver. 1.3.2.2). Even with WPA/WPA2 it is
often better to handle the encryption on your hosts rather than to
expect the appliance AP/router product to do it well.

Regards,

Michael
 
dold@96.usenet.us.com

In alt.internet.wireless msg <msg@_cybertheque.org_> wrote:
> controls and install IPSec VPN software with strong encryption on


Where is the other end of the VPN? He doesn't have file sharing turned on
for either PC.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
 
msg

dold@96.usenet.us.com wrote:

> In alt.internet.wireless msg <msg@_cybertheque.org_> wrote:
>> controls and install IPSec VPN software with strong encryption on
>
> Where is the other end of the VPN? He doesn't have file sharing turned on
> for either PC.


If high security is a top priority, I was suggesting that he establish
the desktop as a VPN endpoint. This would also entail a separate segment
for the wireless VPN (separate NIC or perhaps using the USB connection
to the AP/router). I assume the desktop O/S is XP-Pro; my experience
doing this is with Win2k. Filters to pass only AH and ESP and ICMP
would be needed on the wireless i/f. Doing this on a Windows O/S
under cygwin and with ported unix code is possible, but I would
really recommend adding an obsd box as a border router and running
ISAKMPD for the wireless segment. This is just my personal approach.
I assume there are native MS solutions for this as well (L2TP and
less secure methods?). I am replying as a reader of alt.internet.wireless
and my suggestions come from experience building similar small VPNs
as described. All of this presumes that the O.P. has really serious
security concerns.

Michael
 
Anteaus

"Dan" wrote:

> - File sharing is OFF on both PC's
> - Router setup password has been changed to 14 random characters
> - Router updated with most recent firmware
> - SSID set to 13 random characters
> - SSID broadcast is OFF
> - WPA-PSK activated w/10 random character passphrase (tried a longer
> passphrase, but Windows Networking seemed to have trouble with it, kept
> defaulting to a shorter phrase). Key lifetime is the default 60 minutes.
> - Access control is ON with the MAC addresses for the 2 PC's being the only
> ones entered.


I think the average war-driver will say, 'Cor blimey, an Abrams tank has
less protection than that!' and go looking for an easier one.

A slight further improvement would be to unbind File and Printer Sharing
from the wireless card, or else to stop the Server service.
 
Adair Winter

"Dan" <none@hotmail.com> wrote in message
>I have a Netgear WGR614 v6 wireless router which I have recently begun to
>use wirelessly for my wife's work laptop. There is also a desktop
>connected to the router via cat 6. Both machines are running XP SP2 with
>all updates. I have the router set as follows & want to be sure I'm doing
>all I can to maximize security on the network:
>
> - File sharing is OFF on both PC's


If you trust the PC's turn file and print sharing back on - unless you
really don't need it.

> - Router setup password has been changed to 14 random characters


Fine, so long as you remember it.

> - Router updated with most recent firmware


Ok

> - SSID set to 13 random characters


This really doesn't matter; whether 1 or 100, it's just an ID.

> - SSID broadcast is OFF


Might not be applicable if you don't have neighbors or many nearby wireless
networks; however, I would turn it back on so that it's possible for others to
see your network and not plop down on top of it, making it unusable anyway.

> - WPA-PSK activated w/10 random character passphrase (tried a longer
> passphrase, but Windows Networking seemed to have trouble with it, kept
> defaulting to a shorter phrase). Key lifetime is the default 60 minutes.


Should be fine.

> - Access control is ON with the MAC addresses for the 2 PC's being the
> only ones entered.


Not necessary and makes it a pain if a friend or family member comes over
and wants to use your internet.

>
> We live in a fairly remote suburban area, so I don't think the threat of
> "wardriving" is what it might be in a more populated area, but I still
> want to be sure I'm doing all I can in terms of security.


If you want to do everything install a RADIUS server on your network and use
it to manage encryption keys and do some sort of point to point vpn
encryption between the machines as msg stated. You could even go as far as
encrypting your most important files on the disk of each computer. But I
doubt that's necessary.

Honestly, most of what you have done has just made it more difficult to
manage your small network. If you trust the computers on your network, then
things like MAC filtering and turning off file and print sharing are simply
unnecessary IMHO.
The odds of someone breaking a WPA/WPA2 key that is random characters, case,
numbers and punctuation are VERY slim.
I found a website about a year ago that said it would take like 14 years to
crack a 7 character WPA key. *Shrug* not sure how true that is; regardless,
it would take enough time that you would notice someone sitting outside your
house.

Adair
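Adair's point about how long a random WPA key holds up can be put in numbers. The block below is an added example, not code from this thread, from Netgear or from Microsoft. It derives the WPA/WPA2-PSK Pairwise Master Key the way a supplicant does (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, SSID as salt, as IEEE 802.11i specifies) and, for a uniformly random passphrase, estimates the entropy and the time an exhaustive search of that passphrase space would take at an assumed guess rate. The SSID, passphrase and guess rate in the demo are constructed values, not the original poster's; the function names are this example's own.

```python
"""WPA/WPA2-PSK passphrase strength: PMK derivation and exhaustive-search cost.

Added example (not code from the thread). The PBKDF2 parameters are the ones
IEEE 802.11i specifies for WPA-Personal; the guess rate used in the demo is a
constructed assumption that only shows how the estimate scales with length.
"""
import hashlib
import math
import string

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PMK_BYTES = 32             # 256-bit Pairwise Master Key
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as a WPA/WPA2-PSK supplicant does.

    The SSID is the salt, so the same passphrase on a different SSID yields a
    different PMK: a table precomputed for one SSID is useless against another,
    which is the (modest) value a non-default SSID actually has.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA-PSK passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_BYTES,
    )


def alphabet_size(passphrase: str) -> int:
    """Size of the union of standard character classes the passphrase draws from.

    This bound is only meaningful for a passphrase picked uniformly at random
    from those classes; human-chosen phrases are far weaker than it suggests.
    """
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
        (" ", 1),
    )
    return sum(n for chars, n in classes if any(c in chars for c in passphrase))


def entropy_bits(passphrase: str) -> float:
    """Entropy of a uniformly random passphrase of this length and alphabet."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def years_to_exhaust(passphrase: str, guesses_per_second: float) -> float:
    """Years needed to try every passphrase of the same length and alphabet.

    Each guess costs a full PBKDF2 run (4096 HMAC-SHA1 iterations), which is
    what keeps the per-guess rate far below that of a plain hash.
    """
    keyspace = alphabet_size(passphrase) ** len(passphrase)
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed values; neither the SSID nor the passphrase is the OP's.
    ssid = "x7Qp2LmZ9vTk4"        # 13 random characters, as in the OP's setup
    passphrase = "G4!kq9Rz#m"     # 10 random characters from all four classes
    rate = 1_000.0                # assumed PBKDF2 guesses per second
    print("PMK:", wpa_pmk(passphrase, ssid).hex())
    print(f"entropy: {entropy_bits(passphrase):.1f} bits")
    print(f"years to exhaust at {rate:.0f} guesses/s: "
          f"{years_to_exhaust(passphrase, rate):.3g}")
```

Adding one character to a passphrase multiplies the search space by the alphabet size, so length buys far more than the character-class mix does; the lowercase-only case in the test below shows the scaling.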
 
Peter Pan

Adair Winter wrote:
> "Dan" <none@hotmail.com> wrote in message
>
>> - SSID broadcast is OFF
>
> Might not be applicable if you don't have neighbors or many nearby
> wireless networks; however, I would turn it back on so that it's
> possible for others to see your network and not plop down on top of it,
> making it unusable anyway.
>
> Adair


Actually, fairly often when people turn the broadcast off, their software
supports profiles to automatically connect when seen... no SSID, no profile,
no auto connect... forces you to re-enter the WEP/WPA/etc. key when turning on
the 'puter. If your software doesn't support profiles, then never mind....
Just a major annoyance/complaint.
 
Dan

"Peter Pan" <PeterPanNOSPAM@AkamailNOSPAM.com> wrote in message
news:6024s5F1p35deU1@mid.individual.net...
> Adair Winter wrote:
>> "Dan" <none@hotmail.com> wrote in message
>>
>>> - SSID broadcast is OFF
>>
>> Might not be applicable if you don't have neighbors or many nearby
>> wireless networks; however, I would turn it back on so that it's
>> possible for others to see your network and not plop down on top of it,
>> making it unusable anyway.
>>
>> Adair


Thanks for all the helpful replies. I'm afraid you guys lost me with the
RADIUS server & VPN bits; I'll have to look those up :-) If anyone knows of
any especially good sites on this, please pass them along. The laptop in
question does log on to the wireless automatically, without SSID broadcast.
As far as MAC filtering & visiting PCs are concerned, they're few & far
between; it's pretty easy to shut the access control off if/when this might
arise. I was surprised to see the new laptop (a Lenovo) had a sticker on
the bottom with the MAC address; I had gotten it from the router setup when
the PC was wired. On the file sharing part, I do have the Server service killed
on each PC, along with a ton of other resource-wasting & potentially
troublesome background noise, like Remote Registry, Computer Browser,
Distributed Link Tracking, Terminal Services, and others that for
reasons I've never fully understood are on "automatic" by default.

Thanks again,

Dan
 
Eric

"Dan" <none@hotmail.com> wrote in message
news:-6mdnUYyHcLA4wbanZ2dnUVZ_j6dnZ2d@comcast.com...
>I have a Netgear WGR614 v6 wireless router which I have recently begun to
>use wirelessly for my wife's work laptop. There is also a desktop
>connected to the router via cat 6. Both machines are running XP SP2 with
>all updates. I have the router set as follows & want to be sure I'm doing
>all I can to maximize security on the network:
>
> - File sharing is OFF on both PC's
> - Router setup password has been changed to 14 random characters
> - Router updated with most recent firmware
> - SSID set to 13 random characters
> - SSID broadcast is OFF
> - WPA-PSK activated w/10 random character passphrase (tried a longer
> passphrase, but Windows Networking seemed to have trouble with it, kept
> defaulting to a shorter phrase). Key lifetime is the default 60 minutes.
> - Access control is ON with the MAC addresses for the 2 PC's being the
> only ones entered.
>
> We live in a fairly remote suburban area, so I don't think the threat of
> "wardriving" is what it might be in a more populated area, but I still
> want to be sure I'm doing all I can in terms of security.
>
> TIA
>
> Dan


Hi,

VPN and RADIUS servers are complete overkill for your environment. Unless
you view setting either up as a learning exercise, it's pretty silly to
consider either.

All the measures that you wrote are fine. I would, however, suggest that
you do broadcast an SSID. Broadcasting an SSID is part of the 802.11
specifications. By not broadcasting an SSID, at best it may cause you
problems; at worst your neighbors will consider it rude RFI.

Even with SSID broadcast disabled, you can still easily be seen. Disabling
SSID broadcast may even make you a more likely target because it looks like
you are trying to hide (which you can't).

As for using MAC filtering, that is your call. If MAC filtering is tied
into being able to dish out two static IP's to your two computers, then use
it. If not, then it doesn't really offer that much extra security. MAC
filtering may be another effective layer for that 80 year old granny across
the street, but not for her 14 year old great grandson.

Again, you sound fine on your LAN side, but are you okay on your WAN
(internet) side?
 
S. Pidgorny

Not broadcasting SSID and doing MAC filtering is security theatre and not
real security.
War driving is not a threat.
Your setup looks quite secure.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Dan" <none@hotmail.com> wrote in message
news:-6mdnUYyHcLA4wbanZ2dnUVZ_j6dnZ2d@comcast.com...
>I have a Netgear WGR614 v6 wireless router which I have recently begun to
>use wirelessly for my wife's work laptop. There is also a desktop
>connected to the router via cat 6. Both machines are running XP SP2 with
>all updates. I have the router set as follows & want to be sure I'm doing
>all I can to maximize security on the network:
>
> - File sharing is OFF on both PC's
> - Router setup password has been changed to 14 random characters
> - Router updated with most recent firmware
> - SSID set to 13 random characters
> - SSID broadcast is OFF
> - WPA-PSK activated w/10 random character passphrase (tried a longer
> passphrase, but Windows Networking seemed to have trouble with it, kept
> defaulting to a shorter phrase). Key lifetime is the default 60 minutes.
> - Access control is ON with the MAC addresses for the 2 PC's being the
> only ones entered.
>
> We live in a fairly remote suburban area, so I don't think the threat of
> "wardriving" is what it might be in a more populated area, but I still
> want to be sure I'm doing all I can in terms of security.
>
> TIA
>
> Dan
>
 
S. Pidgorny

Another box to secure traffic over a cable in the house? Brilliant!

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"msg" <msg@_cybertheque.org_> wrote in message
news:13pn723jq5qec0c@corp.supernews.com...
> dold@96.usenet.us.com wrote:
>
>> In alt.internet.wireless msg <msg@_cybertheque.org_> wrote:
>>
>>> controls and install IPSec VPN software with strong encryption on
>>
>> Where is the other end of the VPN? He doesn't have file sharing turned
>> on for either PC.

>
> If high security is a top priority, I was suggesting that he establish
> the desktop as a VPN endpoint. This would also entail a separate segment
> for the wireless VPN (separate NIC or perhaps using the USB connection
> to the AP/router). I assume the desktop O/S is XP-Pro; my experience
> doing this is with Win2k. Filters to pass only AH and ESP and ICMP
> would be needed on the wireless i/f. Doing this on a Windows O/S
> under cygwin and with ported unix code is possible, but I would
> really recommend adding an obsd box as a border router and running
> ISAKMPD for the wireless segment. This is just my personal approach.
> I assume there are native MS solutions for this as well, (L2TP and
> less secure methods?). I am replying as a reader of alt.internet.wireless
> and my suggestions come from experience building similar small VPNs
> as described. All of this presumes that the O.P. has really serious
> security concerns.
>
> Michael
 
Jeff Liebermann

"S. Pidgorny <MVP>" <slavickp@yahoo.com> hath wroth:

>Another box to secure traffic over a cable in the house? Brilliant!


Yep. Paranoia is a good thing. To someone with "serious security
concerns", such added boxes will pacify them for a while. At least
until the next alarmist theoretical exploit is released in the trade
press. Besides, wearing one of those cool looking electronic key
loaders on a neck chain is high tech fashion.

I'm waiting for home Tempest qualified packaging and shielded
keyboards. Maybe home routers with built in RADIUS servers and
biometric authorization. Maybe a video camera in the laptop that
recognizes the owner. Naw, too easily spoofed. Maybe an
olfactometric (smell) sensor that recognizes the user by their
distinctive aroma. Simple fingerprint readers are so passe and can be
faked. I almost forgot the encrypting ethernet adapters for securing
LAN traffic from sniffing.

Of course, the same users that are so concerned about their security
can't seem to get OpenPGP and Enigmail encrypted email working. They
also can't seem to remember their 100+ odd passwords (or use the
same password for everything). They also lose their X.509 certificate
dongles and barely understand how the technology is used, much less
how it works. Meanwhile, their Vista box demands approval for doing
just about everything, so that genuine security alerts are lost in the
muddle.

For those with "serious security concerns" (and for those selling the
technology), no amount of additional security or additional black
boxes, is enough.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
Les Cargill

Jeff Liebermann wrote:
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> hath wroth:
>
>> Another box to secure traffic over a cable in the house? Brilliant!
>
> Yep. Paranoia is a good thing. To someone with "serious security
> concerns", such added boxes will pacify them for a while. At least
> until the next alarmist theoretical exploit is released in the trade
> press. Besides, wearing one of those cool looking electronic key
> loaders on a neck chain is high tech fashion.
>
> I'm waiting for home Tempest qualified packaging and shielded
> keyboards. Maybe home routers with built in RADIUS servers and
> biometric authorization. Maybe a video camera in the laptop that
> recognizes the owner. Naw, too easily spoofed. Maybe an
> olfactometric (smell) sensor that recognizes the user by their
> distinctive aroma. Simple fingerprint readers are so passe and can be
> faked. I almost forgot the encrypting ethernet adapters for securing
> LAN traffic from sniffing.
>
> Of course, the same users that are so concerned about their security
> can't seem to get OpenPGP and Enigmail encrypted email working. They
> also can't seem to remember their 100+ odd passwords (or use the
> same password for everything). They also lose their X.509 certificate
> dongles and barely understand how the technology is used, much less
> how it works. Meanwhile, their Vista box demands approval for doing
> just about everything, so that genuine security alerts are lost in the
> muddle.
>
> For those with "serious security concerns" (and for those selling the
> technology), no amount of additional security or additional black
> boxes, is enough.
>
>


If you have "serious security concerns", take the bloody thing
offline.

--
Les Cargill
 