Need advice securing my home WiFi connection

Discussion in 'Computers' started by Ronald Epstein, Jan 28, 2006.

  1. Ronald Epstein

    Ronald Epstein Founder
    Owner

    Joined:
    Jul 3, 1997
    Messages:
    47,643
    Likes Received:
    5,047
    Real Name:
    Ronald Epstein
    I just bought a new router, the Linksys WRT54GX4 SRS 400 router.

    This baby packs a lot of power and puts out an
    incredible amount of range -- far better than the
    D-Link 624 Wireless Router I had before.

    This concerns me greatly as with so much range
    I am afraid that neighbors will tap into my
    wireless connection.

    I need to secure my connection. I have a few
    questions I hope you can assist with....

    First, I hate setting up or fiddling with
    routers. One mistake can lead to the loss of
    all your initial settings or even a router
    lockup that can render your unit permanently
    useless.

    I need to know EXACTLY what has to be done
    in the most simplistic terms possible.

    1. Is there software that I can buy that
    will automatically secure my network? I'd
    rather go that route than risk going into
    the router settings and doing something I
    shouldn't be.

    2. If you recommend I do go into my router
    settings, where EXACTLY do I go? Does the
    password have anything to do with the HEX
    CODE settings, and if so, how do I pick those
    numbers? If not, do I just put in any worded
    password I like?

    Now....regarding the LAPTOP on the receiving side...

    3. Once I password my network, what happens
    when I try to log into it with my laptop?

    I would love to have some sort of screen come
    up on the laptop that asks for the password (such
    as what you get when using WiFi at a hotel).

    4. If a password screen on the laptop is an
    impossibility, where do I go in the network
    area to put the password I need for the laptop
    to receive the WiFi signal?

    I'd like to make this process as easy as possible
    as my brother sometimes is visiting my home with
    his laptop and I'd like logging him into my
    network to be as hassle-free as possible.


    Would greatly appreciate any advice that you
    guys can provide on easily securing my WiFi
    network.
     
  2. Ronald Epstein

    PS:

    I'd be happy to purchase this software if
    it meant not having to deal with the hassle
    of manually inputting all the information
    (although reviews on AMAZON.COM are not good).
     
  3. Scott Merryfield

    Scott Merryfield Executive Producer

    Joined:
    Dec 16, 1998
    Messages:
    12,043
    Likes Received:
    920
    Location:
    Michigan
    A few simple configuration changes on the router should make your wireless network pretty secure.

    1. Limit your DHCP range of addresses on your router to the exact number of devices on your network. If you want to be more secure, you can also assign IP addresses directly to the MAC (i.e. ethernet) address of each device.

    2. Use one of the encrypted authentication methods supported by your wireless router -- either WPA or WEP. I would recommend WPA if all your wireless devices support this method.

    3. Turn off the broadcasting of your SSID on your router. This will prevent others from automatically seeing your wireless LAN when they are within range.

    4. Turn down the power setting on the wireless radio to the lowest setting where you still have coverage everywhere you need it.

    5. Install personal firewall software on your PC. This will stop anyone who happens to break through all the above precautions (which is highly unlikely) from getting to your PC. ZoneAlarm is free, or you can just turn on the built-in firewall that comes with Windows XP SP2. Since your Linksys router is also acting as a firewall, I do not think it's necessary to spend money on a personal firewall, too, when free ones will do the job in conjunction with the external Linksys firewall.

    I had been using ZoneAlarm on both my PCs until recently. However, the program was locking up my LAN connection on my new Hewlett-Packard AMD Athlon 64 PC, so I just turned on the Windows XP firewall on that device. I still use ZoneAlarm on the Dell PC that I demoted to my wife's home office after getting the new HP. Some co-workers have also experienced similar problems with ZoneAlarm.

    Even if you do not feel comfortable messing with the settings in your Linksys router, Ron, I would still recommend performing items 1-3 above. They are simple configuration settings, and will make your home wireless network secure against all but the most deliberate attacks.
     
  4. Ronald Epstein

    Scott,

    Appreciate the advice and I can do most of
    the steps you recommended on my own sans
    step #3 which seems confusing.

    Another problem I may run into is that I am
    about to add this to my network
    so I don't know how much more complicated things
    will become with encryption.
     
  5. Tekara

    Tekara Supporting Actor

    Joined:
    Jan 8, 2003
    Messages:
    783
    Likes Received:
    0
    To disable the broadcast, log into your router and under wireless there should be a pulldown menu labeled "SSID broadcast"; set this to disable. That is where it is on my Linksys AP; it may differ a bit on yours.

    When you scan the area for wireless networks on your computer, you see all sorts of names; that is the SSID. Not broadcasting it means that the name won't show up on these scans, making it difficult for a person to initially connect.

    Another thing is to make sure that you change the default SSID, which would be linksys in your case. I recommend thinking of it like a password and using something a little uncommon, but don't use anything like your ssid, real passwords, etc. since the SSID can be found out.

    - - -

    The router will keep a log of MAC addresses that connect to it, so you can use this to have the router assign a specific IP to the Squeezebox like that. And typically the router should have the ability to select already connected devices, which can make life just that much easier for setting up.

    - - -

    Again, in the many years that I have run a wireless network, having just disabled my SSID was enough to keep people from leeching off me. Though I do run WEP encryption nowadays, but the basic idea is still there. Be more secure than your neighbor and don't be overly paranoid, or when a friend with a laptop comes over it'll take you all day to connect them to the network.
     
  6. Scott Merryfield

    Ron,

    According to the website for the product in your link, the device supports WPA encryption. From the hardware overview section:

    "Supports both WPA Personal, WPA2-AES and 64/128-bit WEP encryption".

    WPA personal should be the same as WPA-PSK, whereby you set up a common password on your Linksys router and your wireless devices. WPA is more secure than WEP, since the broadcast encryption keys are changed periodically, unlike WEP which uses a static encryption key that can be decrypted in less than 30 minutes by anyone with the proper software on a laptop or PC with a wireless adapter.

    As for turning off the SSID broadcast, there should be some sort of checkbox for enabling or disabling the broadcast on the same screen where you actually add your SSID label. See page 20 of your Linksys router manual for a description of how to do this. I found the manual here -- I own a Dlink router, so I cannot point you to the exact spot in the router administration screens.
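
Added example, not part of the thread: how a WPA-PSK "worded password" relates to the 64-digit hex key some setup screens ask for. WPA/WPA2-Personal derives the 256-bit key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as salt; the `review` helper, its 16-character threshold and the sample values are assumptions made for illustration.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)
# "linksys" is the factory SSID mentioned in the thread.
DEFAULT_SSIDS = {"linksys"}
MIN_GOOD_LENGTH = 16  # assumed review threshold, not a protocol limit


def is_raw_key(secret: str) -> bool:
    """True when the value is already a 256-bit key written as 64 hex digits."""
    return len(secret) == 64 and set(secret) <= HEX_DIGITS


def wpa_psk(secret: str, ssid: str) -> bytes:
    """Return the 32-byte pre-shared key used by WPA/WPA2-Personal."""
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if is_raw_key(secret):
        return bytes.fromhex(secret)
    # A passphrase is 8 to 63 printable ASCII characters.
    if not 8 <= len(secret) <= 63 or any(not 32 <= ord(c) <= 126 for c in secret):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes out.
    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"), salt, 4096, 32)


def review(secret: str, ssid: str) -> list:
    """List weaknesses in a passphrase/SSID pair before it goes on the router."""
    findings = []
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("factory SSID: the salt is shared with many other networks")
    if not is_raw_key(secret) and len(secret) < MIN_GOOD_LENGTH:
        findings.append("passphrase shorter than %d characters" % MIN_GOOD_LENGTH)
    return findings


if __name__ == "__main__":
    # Constructed sample values.
    for secret, ssid in [("password", "linksys"),
                         ("correct horse battery staple", "example-home")]:
        print(ssid, wpa_psk(secret, ssid).hex(), review(secret, ssid))
```

The router and every laptop run the same derivation, which is why typing the same passphrase on both sides is enough and the hex form is only needed when a device does not accept passphrases.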
     
  7. Vivek_IVB

    Vivek_IVB Stunt Coordinator

    Joined:
    Dec 26, 2005
    Messages:
    90
    Likes Received:
    0
    Also enable & add MAC filters for only those machines on your network. You can grab that by connecting all of them, then checking the status page. This will allow ONLY those machines that you've specified onto your network.

    Most routers do this only for wireless, so there's minimal risk. I'll pull up the manual for your router in a bit to give you detailed instructions. I need to give the kids a bath first, so this might be a while. Look for MAC filtering/etc.

    Worst case is that you push that little "mega-reset" button that resets everything to factory defaults, so there's no huge risk.
     
  8. Scott Merryfield


    The SSID is not a security mechanism for wireless LANs, and should not be used as such. From a Cisco Systems white paper on wireless LAN security:

    "The SSID is a construct that allows logical separation of wireless LANs. In general, a client must be configured with the appropriate SSID to gain access to the wireless LAN. The SSID does not provide any data-privacy functions, nor does it truly authenticate the client to the access point."

    Also:

    "The SSID is advertised in plain-text in the access point beacon messages (Figure 8). Although beacon messages are transparent to users, an eavesdropper can easily determine the SSID with the use of an 802.11 wireless LAN packet analyzer, like Sniffer Pro. Some access-point vendors, including Cisco, offer the option to disable SSID broadcasts in the beacon messages. The SSID can still be determined by sniffing the probe response frames from an access point (Figure 9).

    The SSID is not designed, nor intended for use, as a security mechanism. In addition, disabling SSID broadcasts might have adverse effects on Wi-Fi interoperability for mixed-client deployments. Therefore, Cisco does not recommend using the SSID as a mode of security."

    You can read the entire white paper here.
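
Added example, not part of the thread or the white paper: the SSID element of a beacon with broadcast disabled next to the same element in a probe response, showing why the quoted text does not count SSID hiding as a control. The frames are constructed byte strings (not captures), and `build_frame`, `parse_ssid` and the network name are illustrative.

```python
import struct

SUBTYPES = {8: "beacon", 5: "probe-response"}
MAC_HEADER_LEN = 24    # frame control, duration, 3 addresses, sequence control
FIXED_PARAMS_LEN = 12  # timestamp, beacon interval, capability info


def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Construct a minimal 802.11 management frame (sample data)."""
    frame_control = struct.pack("<H", subtype << 4)  # version 0, type 0
    ap = b"\x02\x00\x00\x00\x00\x01"                 # made-up local address
    header = frame_control + b"\x00\x00" + b"\xff" * 6 + ap + ap + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0011)
    elements = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])
    return header + fixed + elements


def parse_ssid(frame: bytes):
    """Return (frame kind, SSID or None when the element is blanked)."""
    if len(frame) < MAC_HEADER_LEN + FIXED_PARAMS_LEN:
        raise ValueError("frame too short")
    frame_control = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError("not a beacon or probe response")
    pos = MAC_HEADER_LEN + FIXED_PARAMS_LEN
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if tag == 0:  # SSID element
            # Hidden networks send a zero-length or all-zero SSID in beacons.
            hidden = length == 0 or not any(value)
            name = None if hidden else value.decode("utf-8", "replace")
            return SUBTYPES[subtype], name
        pos += 2 + length
    raise ValueError("no SSID element present")


if __name__ == "__main__":
    name = b"example-home"  # constructed network name
    for frame in (build_frame(8, b""), build_frame(8, b"\x00" * len(name)),
                  build_frame(5, name)):
        print(parse_ssid(frame))
```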
     
  9. Ronald Epstein

    A lot of stuff here - a bit confusing - but
    I'm sure I'll be able to figure most of it out.

    Once I encrypt my router with a password, how
    do I set up my laptop(s) to receive the signal?
     
  10. SethH

    SethH Cinematographer

    Joined:
    Dec 17, 2003
    Messages:
    2,867
    Likes Received:
    0


    That's understandable, but you must also consider the source. Cisco is gearing most of their stuff to corporate or government customers. People already know these organizations will probably have wireless networks, so people may go looking for these networks. As a home user, if you disable SSID then someone will have to go looking for your network because it will not show in their list of networks. Sure, they could get a sniffer program and find it easily, but they'd have to want to do that.

    I look at it kind of like camo -- camo doesn't make you invisible or keep you from getting killed, but if you're more difficult to see you're probably safer.
     
  11. SethH



    This depends on your card. Your wireless card may have its own software. You can configure that software, or you can use the Windows XP software.

    To use the Windows XP software, go into Control Panel --> Network Connections --> right-click on your wireless card and select Properties. Click on the Wireless Networks tab, select your SSID and then click Properties. This brings you to the screen where you can input the password. (This works for WEP, and I assume it works for WPA as well.)
     
  12. Kimmo Jaskari

    Kimmo Jaskari Screenwriter

    Joined:
    Feb 27, 2000
    Messages:
    1,528
    Likes Received:
    0
    Limiting the transmission range by stepping down the power of the transmitter is just dumb. The same is true for turning on MAC address filtering, although admittedly the latter is less of a problem on a small home network where you don't need to change out the hardware much.

    A better antenna at either end of a wireless network connection will improve the connection immensely. That means that anyone who wants to pick up what is going on in your house can just point a directional antenna at it and get a better signal than the house owner gets in the furthest reaches of the house with his transmitter power turned down.

    The house owner is inconvenienced, the wireless hacker isn't. Not a good scenario.

    Bottom line: the only wireless security that is worth squat at the moment is WPA. WPA enterprise is best, but WPA-PSK is quite decent and difficult to crack. Once that is turned on, the other stuff (MAC address filtering, SSID turned off etc) is just useless by comparison and it adds the potential for complications - a friend with a laptop can't get online at your place, many Pocket PCs can't connect reliably at all with SSID turned off etc etc.

    Turn on WPA on all devices and you're a fairly hard target to crack; few hackers will even bother to try when the neighbour's WiFi is wide open.
     
  13. Vivek_IVB

    The reason I still personally always put MAC filtering on is that if I have a friend with a laptop, I can take the 68 seconds to lower the shields, grab his MAC addr, put it in the list, raise the shields.

    Then I'm reasonably guaranteed that no one is on my network who I don't know about. And it's not like I'm running a hotel, where I have friends with laptops who come over all the time.

    Ronald: Should I hunt down how to set up MAC filtering on your router, or are you uninterested in that?
     
  14. Kevin G.

    Kevin G. Second Unit

    Joined:
    Sep 30, 2003
    Messages:
    403
    Likes Received:
    0
    I have also had a Linksys wireless G for a while, though not as nice as yours, Ron...
    I have had a concern as well since hooking everything up.
    I know that I installed it as PSK WPA, but when I bring up the Linksys monitor, it says that the security is disabled (in one area) and "no" in the other...
    Do I have no security?
     
  15. Vivek_IVB

    It's probably not set up; check the router; what does it say? [it's probably 192.168.2.1 or 192.168.1.1]
     
  16. Kevin G.

    Yes, 192.168.1.1. What does this mean??
     
  17. Vivek_IVB

    192.168.x.x is the range of addresses for your local network. 192.168.x.1 is usually the address for the router, which is the "main" address that establishes a cxn to your DSL or Cable modem.

    Open up internet explorer, type in that address. It'll go to the router's "homepage", which is basically a way of establishing settings for your router since it doesn't have an LCD screen on it. It'll ask you for a uid/pw - if you haven't changed it, look in your manual for what the default one is. (then change it).

    Then, find where it says something like Wireless, Security, etc. Click on that link, and it should tell you what it's set to.

    WARNING: If you set a key on that page from a wireless cxn, you'll lose the cxn as soon as you hit the apply key. This is ok, all you have to do is type in that same key on your laptop's wireless cxn setting. I'm not sure what s/w you use - I usually use XP's default wireless detection to grab it. It's usually pretty straightforward.

    I can get you very detailed instructions if you tell me the model # of the router, and the nature of your cxn from the laptop.
     
  18. SethH



    This brings up another very good point for Ron. If you haven't changed the user id & p/w for your router yet, do that immediately. Setting up the encryption doesn't do too much good if someone can get into your router and turn off the encryption.
     
  19. Kevin G.

    Well mine is on a desktop, so is it the same procedure??
    And I DID set up a password and ID, so I don't know why I have no security.
     
  20. Vivek_IVB

    There are varying types of security to defend against different things, and you need to do them all to protect yourself. Just as there are different medicines to protect against different diseases [daughter was just on Zithromax for her ear infection, Robitussin with codeine for her really bad cough, and Motrin for pain, all at the same time].

    1) A UID/PW prevents a random dude from coming in and changing the settings on your router. However, anyone can still attach to your network.
    2) WEP/WAP [wireless encryption protocol, not sure what WAP is] encrypts the transmissions and requires a key to connect to your network. Anyone who doesn't know the key cannot gain access. But if they know the key, they're in like Flynn. Keep in mind that this does add overhead, so it'll slow down your network speed. Not that noticeably unless you're moving huge files. I used to use a laptop to watch TV, and it sucked with WEP on.
    3) MAC filtering prevents unknown machines from attaching to your network, even if they know the key.
    4) Broadcasting SSID is a way of telling machines nearby that a wireless network exists, and what your name is. Disabling the broadcast means that machines have to know you exist, and what your name is, before your router will respond. WiFi PPCs quite often need broadcast [mine does], as they can't connect to a non-broadcasting router.
     
