"Mr T" <nospam@hotmail.com> wrote in message
news:JCx%e.4598$O%.2043@newsfe1-gui.ntli.net...
>I have recently setup a wireless network with my laptop and 3 desktops. At
> present I have no security on my network. Can someone advise me what
> security I need to setup on my network?
> Thanks
>
> Mr T
>
>
>
The best thing to do is enable MAC address filtering on the access point.
Add the MAC addresses of the wireless network cards. This will make it much
harder for any random passer to even connect to the AP network.
"Mark" <sagum@yourheadntlworld.com> wrote in message
news:9sI%e.4569$0f3.926@newsfe1-win.ntli.net...
>
> "Mr T" <nospam@hotmail.com> wrote in message
> news:JCx%e.4598$O%.2043@newsfe1-gui.ntli.net...
>>I have recently setup a wireless network with my laptop and 3 desktops. At
>> present I have no security on my network. Can someone advise me what
>> security I need to setup on my network?
>> Thanks
>>
>> Mr T
>>
>>
>>
>
> The best thing to do is enable MAC address filtering on the access point.
> Add the MAC addresses of the wireless network cards. This will make it much
> harder for any random passer to even connect to the AP network.
>
"David Taylor" <djtaylor@bigfoot.com> wrote in message
news:MPG.1da9bf26e3806564989e81@news.cable.ntlworld.com...
>> 2nd that
>> best & simplest way
>
> So what security does MAC filtering bring to the table?
>
> It doesn't provide any encryption whatsoever.
>
> The valid MAC addresses are broadcast for anyone to sniff.
>
> If the objective is to prevent casual bypassers from connecting, then
> even 40 bit WEP has value here and even gives a slither of security.
>
> MAC filtering brings nothing useful from a security standpoint which was
> the original question.
>
> David.
Sure it does. If your next door neighbor can't access the AP because the MAC
address isn't on the allowed list, then unless they go out of their way to
clone one of your wireless card's MAC address they're not going to get
access by default. Therefore it is useful from a security standpoint.
Not only that, but unless your neighbor knows you have a wireless AP and
have cloned one of the MAC addresses, they won't even see it on the list of
available networks to connect to.
Sure, they can run a lot of tools, a large list can be found at www.wardrive.net/wardriving/tools. The OP might want to run a few of them on
his network to check how secure it really is. These are the kind of tools
crackers might be using to gain access to the network, but given enough
time, even WEP and any key/pass phrase can be found if you sniff enough
packets on the network.
> Sure it does. If your next door neighbor can't access the AP because the MAC
> address isn't on the allowed list, then unless they go out of their way to
Again, even WEP, poor and cracked though it is, provides the same
inability to associate with the AP *and* encrypts the payload.
MAC filtering does not encrypt the payload so anyone within range gets
to sniff the content even if they haven't associated so tell me again,
how MAC filtering brings any security to the OP's data?
Don't confuse security with the inability to associate with an AP, it's
not the same thing.
> Not only that, but unless your neighbor knows you have a wireless AP and
> have cloned one of the MAC addresses, they won't even see it on the list of
> available networks to connect to.
Turning on MAC filtering will not prevent the display of the SSID in XP
or netstumbler and turning off SSID broadcasts does not prevent it being
discovered by anyone with a sniffer or even just a copy of kismet or
similar so tell me again, how MAC filtering secures a network because
you did say just MAC filtering.
> crackers might be using to gain access to the network, but given enough
> time, even WEP and any key/pass phrase can be found if you sniff enough
> packets on the network.
Yes, 500,000 packets which can be captured in say 15 minutes. Without
even WEP, no key to crack i.e. NO SECURITY!
> it's one aspect of security, and MAC filtering gives you that aspect,
> which is all many people want.
Well since the original poster hasn't said whether he wants security or
to just keep accidental stumblers off his network we won't know.
> Just because you want *more* security doesn't mean MAC filtering is
> *no* security.
I'd just want some rather than nothing. MAC filtering prevents people
from associating for the amount of time it takes them to run a sniffer
and spoof their MAC address. That in my mind is no security from either
association and certainly no security of the data packets in transit so
I still call that no security.
If you are happy with the illusion that MAC filtering provides your
network with some security, I'm happy for you! :) Just let me know
where you live. ;)
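
An added example, not part of any post in this thread: the point argued above, that a MAC allow-list is not a secret, follows from the 802.11 frame layout, where the address fields sit in the header outside the encrypted body. The sketch below parses that header from a constructed frame; the addresses, body bytes and function names are this example's own.

```python
import struct

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_data_header(frame):
    """Parse the fixed 24-byte header of an 802.11 data frame.

    Four-address (WDS) frames are rejected to keep the example small.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 header")
    frame_control, _duration = struct.unpack_from("<HH", frame, 0)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    frame_type = (frame_control >> 2) & 0x3
    to_ds = bool(frame_control & 0x0100)
    from_ds = bool(frame_control & 0x0200)
    if frame_type != 2 or (to_ds and from_ds):
        raise ValueError("not a three-address data frame")
    # The meaning of the three address fields depends on the DS bits.
    if to_ds:            # station -> access point
        bssid, source, dest = addr1, addr2, addr3
    elif from_ds:        # access point -> station
        dest, bssid, source = addr1, addr2, addr3
    else:                # ad hoc, no access point involved
        dest, source, bssid = addr1, addr2, addr3
    return {
        "protected": bool(frame_control & 0x4000),  # True: body is encrypted
        "bssid": fmt_mac(bssid),
        "source": fmt_mac(source),
        "destination": fmt_mac(dest),
        "body_len": len(frame) - 24,
    }

# Constructed sample: station-to-AP data frame with the Protected bit set.
SAMPLE_FRAME = bytes.fromhex(
    "0841" "0000"        # frame control (data, ToDS, Protected), duration
    "020000000001"       # addr1: BSSID (constructed)
    "0200000000aa"       # addr2: station address (constructed)
    "020000000002"       # addr3: destination (constructed)
    "1000"               # sequence control
    "9f3c11d2e07a45b8"   # stand-in for the encrypted body
)

if __name__ == "__main__":
    print(parse_data_header(SAMPLE_FRAME))
```

Even with the Protected bit set, the station address is readable from the header; only the body is covered by the encryption.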
>Just because you want *more* security doesn't mean MAC filtering is
>*no* security.
>
>-- Richard
Ah, 5 newsgroups to crosspost. ntl internal groups dropped because my
usenet news server doesn't carry them.
I thought you might be amused to know that the original MAC address
filtering feature was added to solve a problem with multiple access
point systems. There was no way to pre-select which access point one
would connect if all the SSID's were the same. This was a critical
feature for WISP (wireless ISP service) and corporate WLAN's with
fixed wireless desktops. With MAC address filtering one could nail
down a connection to a specific access point and still have roaming
among the other access points for laptops and PDA's. Eventually, this
mutated into a security feature when blocking by MAC addresses was
added. I don't think anyone originally intended it to be much of a
security feature as everyone was counting on encryption to provide
security.
MAC address filtering for security is like locking your door with duct
tape. It does present an obstacle, but is not a replacement for a good
lock.
On Sun, 02 Oct 2005 11:20:40 GMT, David Taylor <djtaylor@bigfoot.com>
wrote:
>> Have you got any suggestions then please?
>
>WPA with a strong passphrase (strong, non dictionary phrase, greater
>than 20 characters, non a-z characters).
>
>You haven't actually said what it is that you'd like to achieve from a
>security standpoint.
>
Be aware that you will incur a significant overhead by setting up
encryption. IIRC it was about 30% when I last set one up at work.
Personally I don't bother with any security on the wireless component
of my network. If anyone is stealing my bandwidth it hasn't been
noticeable.
Why do you think you need it?
--
Warning: Do not look directly into laser with remaining eye.
> Be aware that you will incur a significant overhead by setting up
> encryption. IIRC it was about 30% when I last set one up at work.
There are many variables which determine whether it's an issue. For most
home users, 30% less performance than say a max of 22Mbps leaves me with
15Mbps which is *still* faster than my internet connection.
> Personally I don't bother with any security on the wireless component
> of my network. If anyone is stealing my bandwidth it hasn't been
> noticeable.
If you think that stealing bandwidth is the only concern you should have
then think again.
> Why do you think you need it?
Well for starters, I'd like to collect my email from a client. I don't
have the desire to use a web based email client doing SSL from home. I
quite like being wireless at home and so I think that being able to
collect email via say POP3 is ok for me. However, POP3 is clear text
authentication as is the resultant traffic. What a great way to begin
an identity theft experiment for someone sniffing.
With the wireless portion encrypted, the simple eavesdropping won't
succeed and neither will the kiddie porn get downloaded over my
connection nor will my connection end up being used by a spammer. I
don't consider any of these likely knowing where I live but there's no
reason why not.
David Taylor wrote:
>>it's one aspect of security, and MAC filtering gives you that aspect,
>>which is all many people want.
>
>
> Well since the original poster hasn't said whether he wants security or
> to just keep accidental stumblers off his network we won't know.
>
>
>>Just because you want *more* security doesn't mean MAC filtering is
>>*no* security.
>
>
> I'd just want some rather than nothing. MAC filtering prevents people
> from associating for the amount of time it takes them to run a sniffer
> and spoof their MAC address. That in my mind is no security from either
> association and certainly no security of the data packets in transit so
> I still call that no security.
>
> If you are happy with the illusion that MAC filtering provides your
> network with some security, I'm happy for you! :) Just let me know
> where you live. ;)
>
> David.
I've been following this thread with some interest as I took my laptop
to work on the train the other day, initially I was looking for an
access point in the station but noticed a number of open wireless
networks which didn't seem to be commercial setups so I kept on scanning
during the journey, I reckon I found 40-50 open & unencrypted networks
during the 1 hour journey. I found this quite shocking really
particularly as the tools are there to make it fairly easy to enable
encryption on wireless kit.
I realise that encryption isn't foolproof but it'll deter the casual hacker.
For the effort involved I would:
1. enable MAC filtering.
2. turn off SSID broadcast
3. choose a different SSID from the default
4. turn on encryption
It should only take a few minutes to set it all up, & once done you can
forget all about it.
> access point in the station but noticed a number of open wireless
> networks which didn't seem to be commercial setups so I kept on scanning
> during the journey, I reckon I found 40-50 open & unencrypted networks
> during the 1 hour journey. I found this quite shocking really
I'm surprised you found so few. I drove around the city here and in 15
minutes had found 270 of which half were (apparently) unencrypted, some
commercial. This was only with netstumbler although I did the same
route last week and found 277 with kismet so very little difference.
> I realise that encryption isn't foolproof but it'll deter the casual hacker.
Yes but again, if it's just the casual hacker that you're looking to
deter then:-
> For the effort involved I would:
> 1. enable MAC filtering.
Does not deter even a casual hacker who has the intent on spoofing and
if it's to avoid people falling onto your network by accident then (4)
does this already.
> 2. turn off SSID broadcast
Does not in any way hide the SSID, it's in the frames and kismet,
Wellenreiter etc pick it up just fine. Just makes it harder for other
people to avoid your channel and you end up with interference. Also
breaks some client functionality. The only people you're hiding from
here are the XP zero config clients and they're not your worry anyway.
> 3. choose a different SSID from the default
Ok but only so as to not look like a target. Nothing like a ripe
company with an SSID which matches the company name.
> 4. turn on encryption
Which deters the accidental person connecting, provides some security
and hopefully deters the lazy hacker who may seek other low hanging
fruit. This is the only one of the above that is really in the realms
of any security despite what you might read on the web, much of it which
is several years old in principle and has never been updated.
On Mon, 03 Oct 2005 18:25:25 GMT, Geoffrey <Gfourmyle@hotmail.com>
wrote:
>On Sun, 02 Oct 2005 11:20:40 GMT, David Taylor <djtaylor@bigfoot.com>
>wrote:
>
>>> Have you got any suggestions then please?
>>
>>WPA with a strong passphrase (strong, non dictionary phrase, greater
>>than 20 characters, non a-z characters).
>>
>>You haven't actually said what it is that you'd like to achieve from a
>>security standpoint.
>>
>Be aware that you will incur a significant overhead by setting up
>encryption. IIRC it was about 30% when I last set one up at work.
>
Which for most home networks would be imperceptible, as they will very
rarely use it to anywhere near capacity.
Although it shouldn't be anywhere near that high anyhow.
>Personally I don't bother with any security on the wireless component
>of my network. If anyone is stealing my bandwidth it hasn't been
>noticeable.
>
>Why do you think you need it?
Because only people who never access anything that needs a password,
and never use credit cards on line don't need it.
And even then, they could well find themselves struggling to prove it
wasn't them if the person piggybacking on their account starts using
the connection for illegal activities.
Or if said person starts breaching your ISP's AQUP, you could well lose
your account with no comeback.
There is no reasonable reason NOT to secure your network as much as
you can.
--
Alex Heney, Global Villager
Take my advice, I don't use it anyway.
To reply by email, my address is alexATheneyDOTplusDOTcom
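
An added example, not part of any post in this thread: a check of a candidate WPA passphrase against the advice quoted above (greater than 20 characters, non a-z characters, not a dictionary phrase), plus the standard WPA-PSK derivation, in which the SSID serves as the PBKDF2 salt. The word list is a small constructed sample and the function names are this example's own.

```python
import hashlib
import string

# Constructed sample word list (assumption); a real check would load a
# full dictionary file.
SAMPLE_WORDS = {"password", "wireless", "network", "letmein", "linksys"}

def _is_word_sequence(text):
    """True if text is one or more SAMPLE_WORDS run together."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[end - len(w)]
            for w in SAMPLE_WORDS
            if len(w) <= end and text.endswith(w, 0, end)
        )
    return bool(text) and reachable[-1]

def check_passphrase(passphrase):
    """Return the list of problems found; an empty list means it passes."""
    problems = []
    printable = all(32 <= ord(c) <= 126 for c in passphrase)
    if not (8 <= len(passphrase) <= 63 and printable):
        problems.append("WPA requires 8 to 63 printable ASCII characters")
    if len(passphrase) <= 20:
        problems.append("not greater than 20 characters")
    if all(c in string.ascii_lowercase for c in passphrase):
        problems.append("contains only a-z characters")
    # Drop digits and punctuation so 'password1!' is still caught.
    letters = "".join(c for c in passphrase.lower() if c.isalpha())
    if _is_word_sequence(letters):
        problems.append("is a dictionary phrase")
    return problems

def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )

if __name__ == "__main__":
    for candidate in ("password", "Tr4in-to-W0rk:07h52/pl@tform"):
        print(repr(candidate), check_passphrase(candidate) or "ok")
    # Same passphrase, different SSID: a different 256-bit key.
    print(derive_psk("password", "home").hex())
    print(derive_psk("password", "office").hex())
```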
> 1. disable MAC filtering
> 2. turn on SSID broadcast
> 3. choose a SSID which clearly identifies it as your network [1]
> 4. turn off encryption [1]
> 5. only permit VPN traffic between the WLAN and any other network
> (and only allow VPN authentication through certificates, not
> PSKs).
Maybe I'm just demonstrating my ignorance, but doesn't VPN require a VPN
server on the other end? If I was an authorized user on your WLAN, how
would I browse the Internet?
--
derek
On Mon, 03 Oct 2005 21:23:33 GMT, David Taylor <djtaylor@bigfoot.com>
wrote:
[ntl newsgroups dropped because Newsguy doesn't carry them]
>I drove around the city here and in 15
>minutes had found 270 of which half were (apparently) unencrypted, some
>commercial.
Don't assume that just because it's not encrypted, it's also insecure.
The local hospital wireless system is a good example. It shows up as
unencrypted. Anyone can connect. However, they're greeted with an
SSL encrypted splash web page that demands a user name and password
(along with some instructions). Once you login, all traffic is SSL
encrypted. It also delivers a magic cookie for temporary
authentication making session hijacking difficult. At first glance,
this would appear to be insecure, but it's really quite secure.
The same thing with VPN over wireless. The wireless connection is
unencrypted. However, all traffic is configured to go to the VPN
server. All ports are blocked except those required for the VPN. The
only way to get anywhere is to fire up the VPN client. All traffic
appears encrypted by the VPN tunnel.
There is an issue with client-to-client security on such systems, but
most access points have a "client isolation" feature that prevents
unencrypted bridging between connected clients.
While I'm ranting on security, I have a really bad attitude about
security by group rather than by individual. Having a common WEP or
WPA key for a system is ridiculous. The chances of social engineering
or simple theft causing the key to leak out is far too risky to even
consider WEP or WPA a useable security mechanism. Would you trust
your co-worker with *YOUR* system passwords? Encryption should be
individualized so that a leak or security breach by one person does
not compromise the rest of the users or the rest of the system.
In message <lkqa13-3qt.ln1@news.pointerstop.ca> Derek Broughton
<news@pointerstop.ca> wrote:
>Dave Dowson wrote:
>
>> 1. disable MAC filtering
>> 2. turn on SSID broadcast
>> 3. choose a SSID which clearly identifies it as your network [1]
>> 4. turn off encryption [1]
>> 5. only permit VPN traffic between the WLAN and any other network
>> (and only allow VPN authentication through certificates, not
>> PSKs).
>
>Maybe I'm just demonstrating my ignorance, but doesn't VPN require a VPN
>server on the other end? If I was an authorized user on your WLAN, how
>would I browse the Internet?
Yes.
Personally, I don't run MAC filtering, WEP, WPA, or anything else...
However, the only services you'll get on my wireless LAN are a DNS
server and a VPN server. Depending on which firewall I'm using, the
only query the DNS server will answer is the VPN server's IP, it doesn't
even resolve on its own, it's just there so that I can use the same VPN
icon on my desktop when I'm on my wireless network or when I'm
traveling.
Anyone with the ability to break my VPN's encryption will have better
things to do than monitor my wireless traffic :)
--
If electricity comes from electrons, where does morality come from?