Koozali.org: home of the SME Server

Wireless & E-Smith security

Brendan D'Sousa

Wireless & E-Smith security
« on: April 30, 2003, 02:31:35 PM »
OK, here's the problem: I want to protect a wireless connection, as a very strong signal can be received on the street and I'm scared of people abusing my internet connection (1 gig cap here in Australia for $50 American a month, and people can rack up nearly 300 US dollars an hour after the cap!!!). Anyway, I want to make it as secure as possible so people don't get access. I've installed a proxy server thing from contribs.org but it can be got around very easily (using different ports). Anyone know a more secure way than that?

Bill Talcott

Re: Wireless & E-Smith security
« Reply #1 on: April 30, 2003, 05:13:11 PM »
If you're using a separate wireless access point, you can have its DHCP server give out private IPs on a separate subnet. Then anyone using it will also have to create a PPTP VPN connection to actually use the SME's features. This also adds more security to the data itself.


Duncan

Re: Wireless & E-Smith security
« Reply #3 on: May 02, 2003, 02:15:06 PM »
I would use a dedicated box running something like IPCop. Port forward PPTP to your SME server and run VPNs.

The Dolphin link looks interesting, especially with its IPSec implementation; pity it doesn't support wireless cards as of yet.

My personal favourite is http://www.mikrotik.com: a fully featured router with PPTP, L2TP and IPSec. You need to write your own firewall rules though. It comes with a Java client for remote administration. This one is preferable to the above as it is highly configurable.

Regards Duncan

Graeme Fleming

Re: Wireless & E-Smith security
« Reply #4 on: May 08, 2003, 01:21:31 AM »
I just installed a Netgear NG524MAU wireless switch/router for a friend that allowed you to enter the MAC addresses of the NICs allowed to connect. If ya not on the list then ya outta luck.

He's using a 512k Bigpond account in WA which I think has an excess volume charge.

If you want to be extra secure, enable 128-bit WEP encryption for ya data if it's sensitive.

HTH

brian kirk

Re: Wireless & E-Smith security
« Reply #5 on: May 08, 2003, 11:23:32 AM »
Hi, my 2c worth, as I have been researching this for a client.
Enable MAC filtering: only allow the Access Point to talk to known MAC addresses.
Be aware MAC addresses are transmitted in clear text, allowing detection and spoofing.
Close the n/w. This stops the Service Set Identifier (SSID) from being broadcast, and the AP won't respond to clients with "Any" in the SSID frame.
Change the SSID from the manufacturer's default.
Enable WEP with 128-bit encryption, but be aware of the 24-bit Initialization Vector weakness (the sender produces a new IV with each frame, but because it is only 24 bits they get reused fairly frequently). This means a WEP key could be cracked in just a few hours. I think this also means 128-bit on a wireless n/w is no more secure than 40-bit.
Use VPN to SME.
Reduce the range of the AP to the minimum necessary (shielding antenna etc.).
My conclusions are that all the above security measures except for VPN will not keep out determined attackers but will discourage casual snoopers. VPN seems to me the only security measure that would let me sleep at night.
Good luck
Brian
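The IV reuse point above can be quantified. The following is an added example, not code from the thread or from SME Server: it applies the birthday bound to WEP's 24-bit IV space to show how few frames it takes before two frames share an IV, and how long a busy link needs to exhaust the space outright. The frame rate used (500 frames per second) is a constructed figure for illustration, and the uniform-random IV model is an assumption; real cards often use a sequential counter, which reuses IVs at least as fast.

```python
import math

# WEP's IV is 24 bits regardless of whether the key is 40-bit or 104-bit
# ("64-bit"/"128-bit" WEP), so the IV space below is the same for both.
IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs


def iv_collision_probability(frames: int, iv_space: int = IV_SPACE) -> float:
    """Probability that at least two of `frames` frames share an IV.

    Assumes each frame's IV is drawn uniformly at random (an assumption;
    sequential counters reuse IVs deterministically after wrapping).
    Uses the exact product form of the birthday problem, summed in log
    space so the probability of no collision does not underflow.
    """
    if frames < 2:
        return 0.0
    if frames > iv_space:
        return 1.0  # pigeonhole: more frames than IVs guarantees reuse
    log_no_collision = sum(math.log1p(-i / iv_space) for i in range(frames))
    return 1.0 - math.exp(log_no_collision)


def frames_for_collision_probability(target: float, iv_space: int = IV_SPACE) -> int:
    """Smallest number of frames at which the reuse probability reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    # Closed-form birthday estimate, then refine with the exact function.
    n = max(2, math.ceil(math.sqrt(-2.0 * iv_space * math.log1p(-target))))
    while n > 2 and iv_collision_probability(n - 1, iv_space) >= target:
        n -= 1
    while iv_collision_probability(n, iv_space) < target:
        n += 1
    return n


def hours_to_exhaust_iv_space(frames_per_second: float, iv_space: int = IV_SPACE) -> float:
    """Hours until a sequential IV counter wraps, after which every IV is reused."""
    if frames_per_second <= 0:
        raise ValueError("frames_per_second must be positive")
    return iv_space / frames_per_second / 3600.0


if __name__ == "__main__":
    for n in (100, 1000, 5000, 20000):
        print(f"{n:>6} frames: P(IV reuse) = {iv_collision_probability(n):.4f}")
    print("frames for 50% reuse chance:", frames_for_collision_probability(0.5))
    # 500 frames/s is a constructed illustrative rate for a busy 802.11b link.
    print(f"hours to exhaust IV space at 500 fps: {hours_to_exhaust_iv_space(500):.1f}")
```

The numbers are the point: a 50% chance of IV reuse arrives after roughly 4,800 frames, and even a modest 500 frames per second wraps a sequential counter in under ten hours. Nothing in this calculation depends on the key length, which is why the 128-bit versus 40-bit distinction does not help against IV-based attacks; the fix is a protocol change (per-frame keying such as TKIP, or tunnelling over a VPN), not a longer WEP key.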

Jesper Knudsen

Re: Wireless & E-Smith security
« Reply #6 on: May 09, 2003, 12:40:57 AM »
Most access points support IEEE 802.1X, which is authentication validated by a RADIUS server. I have seen somewhere in this forum that someone had made an SME contrib of a RADIUS server. This is the "professional" way of dealing with security for both wireless and LAN.

BTW: I will try it out as soon as I have my secondary test box up and running in the next few days.

Rgds,
Jesper

Duncan

Re: Wireless & E-Smith security
« Reply #7 on: May 09, 2003, 02:14:34 AM »
Simply authenticating to a RADIUS server without any form of encryption would never be enough.

Regards Duncan

Ben Johns

Re: Wireless & E-Smith security
« Reply #8 on: May 10, 2003, 06:48:12 AM »
That is true, but you wouldn't just auth against the RADIUS server; you would enable the AP and RADIUS server to use a form of EAP for port-based (layer 2) security and encryption. This means that only 802.11x traffic is allowed to pass the AP until the client authenticates. WEP keys are dynamically exchanged, and TKIP/Broadcast WEP Key Rotation can solve the WEP weaknesses (and there's always MIC). All traffic is always encrypted, if configured correctly (i.e. setting a WEP key on each AP to make sure that multicast authentication traffic is encrypted, etc.).

Mind you, 'most' APs don't support such enterprise security features; Netgear have only just implemented such features on their upcoming products (business series). So many folks would have to make do with the cheaper alternative, VPN, which, if done correctly (using IPSec), can be just as secure as the above methods.

I'm working on an e-smith/RADIUS config atm:
http://www.naturalnetworks.net/mainPub/index_html?key=1051325574.84

It's dodgy, but I've got it working reasonably well with Cisco APs and clients (both 34x and 35x, latest firmware). 1100s and 1200s won't be much different.