Re: First time home wireless - how to match PC to router - setup question
On Sun, 17 Jun 2007 00:34:07 -0700, Jeff Liebermann wrote:
> Then the IP addresses are NOT visible and cannot be sniffed over the
> air. Obscuring and limiting the IP addresses would be effective.
> However, as I pointed out, a physical attack on any client will
> extract a usable WPA key, which can then be used to decrypt a capture
> file, and thus extract the necessary IP addresses.
By "physical", do you mean hands-on access to the router & the PC machine?
If it matters, I also change my "pre-shared key" weekly (it's just a long
string of gibberish which I ad hoc write down on paper and then set my
machines to every Sunday).
>>> 2. What's the LAN netmask?
>>On the router, it is 255.255.255.0
> So, you have 254 available IP addresses.
Oh no! I did not realize that. I change both the router starting IP address
and the router login address every Sunday. For example, I just changed to a
starting IP address of 192.168.120.134 and I changed to a router login
address of 192.168.200.134.
One question: Do I have to use 192.168.xxx.xxx? Can I use, for example,
123.123.123.123 as my router login address and, for example,
231.123.101.201 to 231.123.101.203 as my 3 available DHCP addresses?
Even so, what is the logic of the Linksys router question asking how many
IP addresses I wish to limit it to while the netmask should have done that
already? I'm confused because you say a netmask of 255.255.255.0 allows way
more than 3 IP addresses.
> I presume that you also change the IP address of the default gateway
> weekly.
Yes. And the MAC address & hostname of BOTH the router and the Windows PCs
because I read a good hacker can see both the router and the pc behind the
router.
> I note that you do not mention changing the WPA shared key every week
That's what started this whole thing actually. I learned I should change my
pre-shared-key - and - while I was there, I figured I may as well change
everything I could. I even changed all the beacon and interval numbers but
then the router didn't work so I had to reset the router and go more slowly
with the changes of everything I could.
> You might want to look at the available tools to see what can be
> (easily) accomplished.
I tried airsnare to see if I could find out who was connecting to me, which
installed ethereal and winpcap, but I can't get it to capture anything yet,
not even things on my own network. So I must be doing something wrong.
>>> 3. Where's the DHCP address pool?
> So, with those settings, your DHCP address pool is
> .100 through .102. However, because you don't have the netmask on
> the LAN side set to something less than /24, an evil hacker (like me)
> can easily set their client computah to use any of the *OTHER* 251 IP
> addresses, which will work just fine.
Oh. Should I use a different netmask to limit the "hidden" allowable IP
addresses?
>>> 4. Is there a MAC address filter?
>>Yes.
> A few seconds sniffing will reveal the MAC addresses in use.
> Ethereal, Wireshark, Kismet, and even Netstumbler will reveal
> all the MAC addresses in use.
You know, since I am on winxp, I tried Network Stumbler (actually the
hacked netcrumbler which allows connections at the same time) and all I see
is the MAC address of my access point. I do NOT see the MAC address of any
client machines. Does netstumbler really provide the MAC addresses of the
client machines?
And, with Ethereal, when I say "Capture > Options > MyWirelessCard", and
then "Capture > Start", all I get is a "Captured Packets" window that never
captures anything.
I can't believe I'm (accidentally) so secure that Ethereal can't capture my
packets and Netstumbler won't find my Windows PC's MAC address. So, I must be
doing something wrong.
>>> 5. Any 802.1x authentication? RADIUS authorization/authentication?
>>I just use WPA2-PSK.
>
> Then you have a problem.
> the weak link is the encrypted WPA key stored on the client
Oh no. I must research this radius thing. I am a home user. I thought
Radius (whatever it is) was for office users. I must look this up. Thank
you for the pointer.
>>> 6. Any secure tunnels (VPN)?
>>No, I am not using VPN.
> That's the way you get real security.
I'm confused. I use VPN when connecting to my company but I thought VPN
needed a client and a server. On a home network, if I used vpn, my PC would
be the client but could the Linksys WRT54G router act as the server?
> once they have the encryption key, the other security measures are little
> better than putting a "do not enter" sign on the door. It wouldn't
> stop even a beginner.
I'll keep this in mind and try to secure my pre-shared keys and change them
more often and make them even longer now.
> You didn't mention anything about logging. Putting a lock on the
> door doesn't buy you much if you don't check the lock regularly.
> That's what logging does. When something unusual appears on your
> network, you would want to know about it. For simple Linksys
> wireless, see AirSnare:
> <http://home.comcast.net/~jay.deboer/airsnare/>
I'm still trying to get AirSnare to work. It gives an error which I'm
trying to figure out.
> 4. If your wireless operations is only during business hours, setup a
> timer to disable the wireless during off hours. The evil hackers
> (like me) prefer operating under cover of darkness.
Interesting. I never thought of that!
This is a WONDERFUL discussion! I very much appreciate your expert (super
expert in fact) advice!
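
Added example, not part of the original post: the netmask arithmetic behind the "254 available IP addresses" and "*OTHER* 251" figures quoted above, plus the tightest netmask that still holds the router and a three-address DHCP pool. The 192.168.1.x prefix and the router addresses .1 and .97 are assumptions made for illustration; only the /24 mask and the .100 through .102 pool come from the thread.

```python
import ipaddress

def usable_hosts(network):
    """Assignable host addresses (network and broadcast addresses excluded)."""
    return max(network.num_addresses - 2, 0)

def outside_pool(network, pool_start, pool_end):
    """Usable addresses in `network` that the DHCP server never hands out.

    Counted the way the thread counts them: usable hosts minus pool size,
    so the router's own address is included in the result.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    return usable_hosts(network) - (int(end) - int(start) + 1)

def tightest_network(router, pool_start, pool_end):
    """Smallest subnet in which the router and the whole pool are host addresses."""
    addrs = [ipaddress.ip_address(a) for a in (router, pool_start, pool_end)]
    lo, hi = min(addrs), max(addrs)
    for prefix in range(30, 0, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        # lo and hi must not land on the network or broadcast address
        if lo > net.network_address and hi < net.broadcast_address:
            return net
    raise ValueError("no subnet fits these addresses")

if __name__ == "__main__":
    # Constructed sample layouts; the 192.168.1.x prefix is assumed.
    current = ipaddress.ip_network("192.168.1.0/24")
    print(current.netmask, usable_hosts(current),
          outside_pool(current, "192.168.1.100", "192.168.1.102"))

    for router, first, last in [
        ("192.168.1.1", "192.168.1.100", "192.168.1.102"),   # router far from pool
        ("192.168.1.97", "192.168.1.98", "192.168.1.100"),   # router next to pool
    ]:
        net = tightest_network(router, first, last)
        print(router, net, net.netmask, outside_pool(net, first, last))
```

Placing the router's LAN address next to the pool is what lets the mask shrink; with the router at .1 and the pool at .100, the subnet cannot be smaller than a /25.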