#1
Need some Wireless internet security tips
We've decided to go wireless here at the house so I can have a computer in the basement to run an automated BD processor I'm working on and so others can use their laptops with wireless cards anywhere in the house.
So..., this brings to mind a HOST of security issues. Anyone want to give some thoughts on dealing with this? Encryption SW?
__________________
1984 300D Turbo - 4-speed manual conversion, mid-level resto 1983 300D - parts car 1979 300TD Auto - Parts car. 1985 300D Auto - Wrecked/Parts. ========================= "If you don't know where you are going, any road will get you there". Lewis Carroll
#2
It really only depends on how many people are around you or if people are trying to hack you. The max range is 1000 feet but I have never been able to get that kind of signal. If you are concerned set the WEP encryption to maximum of 256 bit or more likely 128 bit (depending on your model) and enter the encryption keys on all of your WiFi computers and you'll be in good shape!
#3
I agree with the above. Please bear in mind that what you are doing is securing your network from someone that has direct access to it i.e. someone that is within wireless range. So barring that scenario your network is as secure as a wired one regardless of what security measures you take like enabling WEP because anyone logged directly on to your network has the same access as if there was no WEP and obviously once you connect to the internet anything sent and received is not affected by WEP. If you find that the WEP decreases your range/bandwidth significantly and you do not have anyone close enough to access the network it is safe to leave it off. Most of the time it is not a big deal and therefore best to leave it on.
The router/NAT system acts as a firewall from traffic inbound from the internet and will guard against direct connection attacks from the network e.g. the blaster worm. Granted you must only open needed ports to the appropriate machines. If you have a DMZ setting where all ports not specified go to a certain machine then that machine is at risk. So just having the router is a huge increase in security. However, the most common means of infection is not from something that this type of security is going to prevent. Most security issues are from viruses, spyware and adware that you install yourself without intending to. The most important thing is to keep your operating system, email clients, browsers, and other software updated regularly. This is much more important than having anti-virus software. Use www.windowsupdate.microsoft.com or the link on your start menu for Windows. Just set it to auto-update and prompt you when updates are available. For adware/spyware use one of the adware/spyware removers. I personally do not use antivirus because it slows down my computer and I have not yet been infected by a virus. I do use spyware/adware removers and also scan for viruses occasionally. I would still suggest that most people use anti-virus software but keeping your software updated is much more useful.
#4
Tom, I agree with Laurence, make sure that the firewall is in place and shut off the DMZ capability unless you are using a lot of ports. If you do use the DMZ on a machine for some reason make sure that computer has a competent firewall software monitoring network activity.
The loss from the encryption in my experience is minimal, if any, when the WEP is turned on. Try to put the router in a central location if possible relative to the computers of course and see what kind of signal you can get. That also depends on the type of material your house is made of; concrete, wood, stone, etc. will affect RF frequencies differently. If it's too weak you can always use a repeater unit which will boost signal if your house happens to be too big.
Laurence, I'd recommend using something like AVG (http://www.grisoft.com). It's free and it offers good protection without bogging your machine down like Norton does.
#5
I use both Norton and AVG when I feel the need to check my system. I have yet to be infected by a virus on my main machine. Although I have had computers other than my main machine infected because most of those are sort of expendable and I tend to be careless with them.
A mildly amusing story was when a company that I was working for had just had a new server built for them. I was 17-18 at the time and I was unofficially running my own servers (PWS and Tomcat and FTP) on a Windows 98 machine for some development that I was doing. So the lead "computer guy" that built the server was showing me, a secretary, and a few others the new server and we were oohing and ahhing over the multiple GHz processors and multi gigabytes of RAM. It was running NT Server 4.0 and IIS 4 and some mail server. So I opened the task manager to see the graphs of the multiple processors and it takes forever to load. So I'm like what's going on here. Then the secretary pipes up "oh yeah it's been running really slow." So I looked at the processes and this one process was taking up all the CPU's power. So at this point no one really knows that something was wrong but I kept digging and found that this thing was writing thousands of 0 byte files a second. So I asked if the guy had patched the machine. "Oh yes that's the first thing we did."
So to make a long story short I went online and searched for the process and symptoms that I had found and discovered that the computer was infected with a derivative of the Code Red worm. At this point I'm thinking all is lost my little server is done for and I hope it wasn't my machine that infected the real one. But after checking my machine I determined that I wasn't affected by anything. Well it turns out that these guys connected it to a network that was assigned IPs which were the same as their static internet IPs for about an hour just to test network connectivity and before they patched it and it was during this short window that it was infected.
So the funny thing was my horribly insecure Win98 PWS combination was clean and the "Enterprise" server was down in less than an hour. Just luck I guess.
#6
I would just offer up my experience recently. I initially bought a Motorola wireless router. Could never get it to work. Poor manuals. Sent it back.
Bought a Linksys unit. If you are running XP, they have an on-line installation program that worked great. Up and running in less than 10 minutes. Great manual. Just my 2 cents. Steve
#7
Thanks for the info everyone.
Never been infected either (well..., unless you count one on a DOS machine about 15 years ago), and have firewall SW on all systems that access the cable. Problem is, we now plan to share all the systems and use one desktop as a "server" that will be hard wired to the printer, fax, scanner, etc. so all the other wireless conn systems can use those. The idea of having ANYTHING shared, even on a closed LAN like this doesn't sit right with me, but it's the only way I can think of NOT to have cables running all over and switch boxes for the printer, fax, etc. So that's what concerns me is the sharing/wireless combo. Still worked as an engineer when NT4.0 came out and I remember that the shared machines were always getting hammered.
__________________
1984 300D Turbo - 4-speed manual conversion, mid-level resto 1983 300D - parts car 1979 300TD Auto - Parts car. 1985 300D Auto - Wrecked/Parts. ========================= "If you don't know where you are going, any road will get you there". Lewis Carroll
#8
It won't matter if they are all behind a single router/firewall because nothing will be able to get to the local network unless you explicitly open a port in the router to one of the machines. So if you don't open the ports that Windows Networking uses you are safe. Now that doesn't help you much in the event that someone gets a virus that then proceeds to use vulnerabilities in Windows Networking. In the case where you have a very large network that you want to secure you can set up a domain system that will not list what is being shared and require that you authenticate to access anything. It is possible to lock down a Windows Network but it just isn't that way by default for convenience (a good thing IMO).
#9
At my house my friend's laptop picks up about 4-6 non-secure wireless networks. Free high speed internet is nice!
__________________
1999 SL500 1969 280SE 2023 Ram 1500 2007 Tiara 3200
#10
Quote:
Perhaps that might be a bit excessive unless he's running a T-1 to the Cisco with fiber runs for a SMB AND a biodiesel processor out of the basement unless you are.....which in that case, go for it
#11
wireless network security measures
Some good points have been raised, however I'd add to the discussion and modify some of the suggestions as follows:
1) do not use WEP. Ever. There were flaws with it right out of the gate, and it has only become easier to break with time; the effort to crack a WEP key is now trivial (read here for more info). Only use Wi-Fi Protected Access (WPA), and if you are going to use the Pre-Shared Key component (WPA-PSK mode), then make sure you are assigning a password of at least 20 characters. Use a combination of numbers, letters, and symbols, nothing found in a dictionary. It will probably allow a range from 8 to 63, depending on the implementation, but do not enter less than 20 or else your PSK will also be subject to cracking.

2) router placement -- ideally you want this to be in a location that's central to all the systems which you want to have access to it in your home, while being away from any areas which might allow RF leakage more easily (windows, corner of the house facing the street, etc.). The 1000 feet limit is typically an open space limit, indoors you will more likely see at most 300 feet depending on the composition of your home. However, even with careful placement, this won't stop somebody from camping out at a nearby location with an external antenna that can still pick up your signal and provide an avenue for attack. A good Yagi antenna can pick up your signal from a few miles away, so don't rely on perceived isolation as a defense -- assume that your wireless network will be under attack and lock down not only the wireless component but all systems behind it as best as possible (it sounds like you're doing that already with AV and software firewalls). You can mitigate some of this by placement/aiming of the antennas on your router -- if you have a multi-level home, rotate one of the omnidirectional antennas on the back of the router so that it's horizontal, as they have a donut shaped dispersion pattern that goes in a halo around the antenna, so this will push most of the signal up and down instead of around on the same floor.

3) Also in the vein of router placement, try to keep it away from 2.4 GHz (assuming you're getting equipment based on Wi-Fi b/g) cordless telephone base stations, microwave ovens, and fluorescent lighting.

4) Channel selection -- if you see wireless networks in your vicinity from neighbors, they will probably be on channels 6 or 11. There are 11 channels allowed for use in the US for b/g equipment and most people never move it off of the factory default, which creates problems in high density areas like apartment complexes or condos because everybody is stomping all over the other networks. Only channels 1, 6, and 11 don't have any overlap with each other, so stick to one of those three, unless you're really isolated from current/potential networks, then you can experiment with other channels if it seems you're getting a lot of interference.

5) Other simple but important items: (a) change the default password on the router (everybody knows the defaults, you'll make their job easier if you leave it intact), and use a combination of numbers and letters, nothing easily guessed or found in a dictionary. (b) Also change the default SSID for the router, and don't have it be anything that's personally identifiable (i.e. surname, street address, etc.) -- once again this raises the barrier for any potential eavesdropper, by making it harder for them to casually associate whatever traffic they're trying to monitor with a physical location.

6) As far as equipment, I haven't been pleased with anything in the consumer arena; I've seen build quality (both hardware and firmware) going way downhill for Netgear and Linksys over the past couple of years. I've had some okay results swapping in Belkin units in place of defective Netgear models (and brand new Netgear models, at that). I've been examining ZyXel's products and am leaning that direction, they seem to have a much better track record in terms of uptime, and also in stable, consistent firmware delivery and bug fixes, than any of the other products which I have examined.

Any other questions, let me know!
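An added example, not part of the original post: WPA-PSK turns the passphrase into its 256-bit master key with PBKDF2-HMAC-SHA1, using the SSID as the salt, which is why points 1 and 5(b) of post #11 (a long mixed passphrase, a non-default SSID) work together. The sketch below derives that key and audits a passphrase/SSID pair against the post's advice; the default-SSID list and the sample pairs are constructed assumptions.

```python
import hashlib
import string

# Constructed sample of factory-default SSIDs (an assumption, not a complete list).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "belkin54g"}

def derive_pmk(passphrase, ssid):
    """WPA-PSK master key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrases are printable ASCII only")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def audit(passphrase, ssid):
    """Return findings against the post's advice; an empty list means it passes."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("outside the 8-63 characters WPA-PSK accepts")
    elif len(passphrase) < 20:
        findings.append("shorter than the 20 characters the post recommends")
    classes = (string.ascii_letters, string.digits, string.punctuation)
    if not all(any(c in cls for c in passphrase) for cls in classes):
        findings.append("does not mix letters, numbers and symbols")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default, so the salt is shared with many networks")
    return findings

if __name__ == "__main__":
    samples = [  # constructed passphrase/SSID pairs
        ("password", "linksys"),
        ("t7#Vq9!mZr2&Lw5@Xc8^Bn", "linksys"),
        ("t7#Vq9!mZr2&Lw5@Xc8^Bn", "bd-net-41"),
    ]
    for passphrase, ssid in samples:
        key = derive_pmk(passphrase, ssid).hex()
        print(ssid, key[:16], audit(passphrase, ssid) or "ok")
```

The last two samples use the same passphrase but produce different keys, because only the SSID (the salt) changed.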
#12
Quote:
Good info here, will do all of the above. Already procured the HW though, D-Link stuff (had bad luck with Linksys). Since it's in a house that has 3 stories and is about 600ft from others (but the cable comes in upstairs under a window!) there might be some issues getting to the basement, but tests will tell I suppose. Thanks for the load of info!
__________________
1984 300D Turbo - 4-speed manual conversion, mid-level resto 1983 300D - parts car 1979 300TD Auto - Parts car. 1985 300D Auto - Wrecked/Parts. ========================= "If you don't know where you are going, any road will get you there". Lewis Carroll