Koozali.org: home of the SME Server

Securing my Wireless Access Point

Dave Owen

Securing my Wireless Access Point
« on: June 03, 2003, 05:05:43 AM »
I have a plan to (attempt to) make my home LAN with Wireless Access Point more secure, and thought I'd post it here in case (a) I am making a blatant mistake or two, or (b) someone else has used a similar setup and can suggest tools to make it more secure/easier to configure, and to solve my outstanding issue (see below).

Current (and not secure) setup, leaving out the wired machines connected to the switch:

DSL Static IP <---> E-Smith <-(192.168.x.x)-> Switch <-(192.168.x.x)-> Access Point <-(WEP, 192.168.x.x)-> Wireless Client(s)

Proposed setup, again leaving out the wired machines connected to the switch:

DSL Static IP <---> E-Smith <-(192.168.x.x)-> Switch <-(192.168.x.x)-> Access Point <-(WEP/PPTP, 10.219.x.x)-> Wireless Client(s)

My assumption is that, by having the Access Point running a different network (10.219.x.x), wireless clients will not be able to access the E-Smith network (192.168.x.x) without using PPTP. Please correct me if I am wrong.

Also: just to be safe, I'd love to allow internet access only to those users who have had successful domain logins -- from surfing the forums, it is unclear whether or not squidguard or dansguardian could do this.

Thanks in advance for any advice.

Dave Owen

Addendum: Securing my Wireless Access Point
« Reply #1 on: June 03, 2003, 05:23:32 AM »
A bonus would be to redirect non-logged-in users to a default local web page.

Nathan Fowler

Re: Addendum: Securing my Wireless Access Point
« Reply #2 on: June 03, 2003, 08:35:35 AM »
Some folks are lucky/smart enough to have an access point that will allow MAC address filtering, i.e., deny all and explicitly allow [these] MAC addresses to connect.  I recommend this method since it is much simpler and would provide a greater level of protection because the 10.x.x.x and the 192.168.x.x networks would be unreachable and inaccessible.  Even with PPTP, the remote and local network are still reachable and susceptible to attack.  Leaving the AP open, or depending solely on WEP, may leave you open to a possible attack or intrusion attempt.

Also, there's much less to break ;)  If you're super paranoid, use MAC address control and 128-bit WEP (bandwidth hog).

If you are so paranoid that you feel like PPTP in addition to the suggestions above, you must be sitting on an OC-48 or OC-12.  I know very few people (if any) that would invest the time to successfully spoof a MAC address (first they would have to know what MAC to spoof) and/or crack 128-bit WEP just to access a DSL or Cable modem line. ;)

If you have not yet purchased the hardware, may I recommend the Compaq CP-2W, you can get one for about $80 and they can be configured as either a router/access point, or just a router.  The embedded OS is outstanding, powerful, and stable.  The range is quite impressive.  I've tried my luck with LinkSys, D-Link, and some of the more popular brands with no luck.  I did not purchase a NetGear, however, I have had very good luck with their products in the past.

Hope this helped,
Nathan

Belthazar

Re: Addendum: Securing my Wireless Access Point
« Reply #3 on: June 03, 2003, 06:54:34 PM »
The following might be beneficial for background information.

Wireless LAN Security Control Checklist

Radio interference
Place Access Points (APs) well within the building so that they are shielded as much as possible from any unwanted radio transmissions from the outside world. Install wireless network equipment as far from potential interference sources as possible, such as microwave ovens and DECT cordless phones.
Check for other networks within the intended coverage area prior to implementing a wireless LAN. If these are insecure then the relevant network owner(s) should secure them.
Test for radio interference.
-----------------------------------------------------------
Radio Propagation
Place Access Points (APs) well within the building so that they are shielded as much as possible from any unwanted connections.
Configure wireless APs and wireless NICs to use WEP in order to encrypt all network traffic. Consider using directional antennas to focus the radio transmission into the building.
-----------------------------------------------------------
Wired Equivalent Privacy (WEP) weaknesses
Configure wireless APs and wireless NICs to use WEP in order to offer a rudimentary level of protection from malicious third parties.
Consider encrypting specific sensitive traffic on an individual basis using an encryption application on the client computer (e.g. PGP).
Consider using a Virtual Private Network (VPN) in order to encrypt all data being transmitted across the wireless LAN.
Consider changing WEP keys frequently, for example daily for critical networks and monthly for non-critical installations.
Consider using proprietary key management solutions.
-----------------------------------------------------------
Poor network address management
Change the default SSID (Service Set Identifier) of the Access Point.
Disable beacons within APs that broadcast the SSID.
Use IP address filtering to limit access to client computers with authorised IP addresses.
Use MAC address filtering to limit access to client computers with authorised MAC addresses.
Disable the DHCP server in the AP and configure the AP to assign static IP addresses only to authorised MAC addresses.
-----------------------------------------------------------
Lack of user authentication
Consider using an authentication server solution, such as IEEE 802.1x.
Consider using APs or wireless NICs that employ proprietary authentication services.
Consider using a VPN in order to provide user authentication.
-----------------------------------------------------------
Unauthorised or inappropriate hardware implementation
Perform wireless network monitoring, using tools such as Network Stumbler, on a regular basis in order to detect any unauthorised equipment.
Check the configuration of wireless NICs in client computers so that they do not act as APs.
Protect the AP with a firewall.
Consider placing the AP in a Demilitarized Zone (DMZ) so that all wireless network traffic is logged.
Standardize wireless network equipment upon a single preferred manufacturer.
Use only equipment that carries the “Wi-Fi” logo.
Test all wireless network equipment prior to using it to support business applications.
-----------------------------------------------------------
Client computer attacks
Check the configuration of wireless NICs in client computers so that they are not set up in Ad-Hoc mode.
Install a personal firewall software product on each client device and configure it to reject any unknown inbound connections.
Disable the use of file or drive sharing on client computers.
Configure the client computer to only permit connection to an AP with a known SSID.
Password protect the client computer so that if lost or stolen it cannot be used easily.
-----------------------------------------------------------
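The "deny all, explicitly allow these MAC addresses" policy from Reply #2 and the checklist items above on MAC/IP filtering and on monitoring for unauthorised equipment both reduce to the same routine job: compare what the AP currently sees against a written inventory. The following Python script is an added example, not code from this thread, from SME Server or from any AP vendor. It assumes (hypothetically) that the AP can export its association table as "MAC IP" lines and a site survey as "BSSID SSID channel" lines; the formats, the SSID, the AP's own BSSID and every MAC and IP value below are constructed sample data. It treats the allow-list as the policy and reports three kinds of deviation: a client MAC that is not on the list, an allowed MAC appearing with an IP other than the one statically assigned to it, and any radio other than our own AP (whether it advertises our SSID or a neighbouring network).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# --- Policy (constructed sample values; replace with your own inventory) ---
KNOWN_SSID = "homelan"            # the SSID our AP is configured with (constructed)
OWN_BSSID = "00:11:22:33:44:55"   # our AP's own radio MAC (constructed, hypothetical)
# "Deny all, explicitly allow these": MAC -> the static IP the AP should hand it.
AUTHORISED_CLIENTS = {
    "00:1a:2b:3c:4d:5e": "192.168.1.10",
    "00:1a:2b:3c:4d:5f": "192.168.1.11",
}

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-1A-..' and '00:1a:..' compare equal."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


@dataclass(frozen=True)
class Finding:
    kind: str      # "unauthorised_mac", "ip_mismatch" or "rogue_ap"
    mac: str
    detail: str


def audit_associations(table: str) -> list[Finding]:
    """Audit an AP association table given as 'MAC IP' lines ('#' comments allowed).

    Flags any client whose MAC is not on the allow-list, and any allowed MAC that
    shows up with an IP other than the one statically assigned to it.
    """
    findings: list[Finding] = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        raw_mac, ip = line.split()
        mac = normalize_mac(raw_mac)
        expected = AUTHORISED_CLIENTS.get(mac)
        if expected is None:
            findings.append(Finding("unauthorised_mac", mac, f"associated from {ip}"))
        elif ip != expected:
            findings.append(Finding("ip_mismatch", mac, f"expected {expected}, saw {ip}"))
    return findings


def audit_survey(survey: str) -> list[Finding]:
    """Audit a site survey given as 'BSSID SSID channel' lines.

    Every radio other than our own AP is reported. A foreign AP using our SSID is
    the case clients set to 'only join a known SSID' would otherwise trust; any
    other network is the checklist's 'check for other networks' item.
    """
    findings: list[Finding] = []
    own = normalize_mac(OWN_BSSID)
    for line in survey.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        raw_bssid, ssid, channel = line.split()
        bssid = normalize_mac(raw_bssid)
        if bssid == own:
            continue
        if ssid == KNOWN_SSID:
            detail = f"foreign AP advertising our SSID on channel {channel}"
        else:
            detail = f"other network {ssid!r} on channel {channel}"
        findings.append(Finding("rogue_ap", bssid, detail))
    return findings


# Constructed sample exports (not real captures): one allowed client on its
# assigned IP, one allowed client on the wrong IP, one unknown client, and a
# survey showing our AP plus two foreign radios.
SAMPLE_TABLE = """\
# MAC               IP
00-1A-2B-3C-4D-5E   192.168.1.10
00:1a:2b:3c:4d:5f   192.168.1.77
de:ad:be:ef:00:01   192.168.1.23
"""

SAMPLE_SURVEY = """\
# BSSID             SSID      channel
00:11:22:33:44:55   homelan   6
66:77:88:99:aa:bb   homelan   11
cc:dd:ee:ff:00:11   neighbor  1
"""

if __name__ == "__main__":
    for f in audit_associations(SAMPLE_TABLE) + audit_survey(SAMPLE_SURVEY):
        print(f"{f.kind:16} {f.mac}  {f.detail}")
```

Run it on a schedule against fresh exports and the list of findings is the change set since the inventory was last reviewed. MAC filtering on the AP is the preventive control; this audit is the detective one that tells you whether the filter and the static assignments are actually holding, which is the part of the checklist (regular monitoring for unauthorised equipment) that a one-time configuration cannot give you.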

Dave Owen

Re: Addendum: Securing my Wireless Access Point
« Reply #4 on: June 04, 2003, 06:26:07 AM »
Thank you both for your responses. I've run into a bit of difficulty with my proposed method (primarily that the VPN over WEP slows things down quite a bit, and secondarily that I can't VPN across networks properly, although I think I have a fix for that) -- but your advice (esp. the background stuff) is really useful. I'll update when I have achieved success or failure.