add security to wireless network

You can certainly enable security measures after the fact.

If you need us to help you with that, you need to tell us what operating system(s) you're using, and the exact makes/models of your networking hardware.

Right now, I am using windows xp. I have a wireless G broadband router and 2 laptops running with wireless G card.

As I asked:

... and the exact makes/models of your networking hardware

The configuration software utilities vary between manufacturers, and even between models; if you want specific help, you'll have to give us specific info.

I still have the boxes for my hardware, but here is all I could find that looked like it might help(the model numbers)

Linksys Wireless G Broadband router - wrt54G

Linksys Wireless G Notebook adapter - WPC54G

Note: Could you tell me exactly what your wanting me to tell you?

Note: Could you tell me exactly what your wanting me to tell you?

You just did. ;)

I just wanted to know the exact make/model numbers of your router and wifi network card(s) so that I could give instructions that were specific to those particular devices. Also, knowing the exact version of Windows that you use would be helpful.

I can't give you a full answer on this until tomorrow because I have other work that I need to finish tonight, but in the mean time could you tell us exactly what your needs are security-wise? There are many things you can do to "lock down" a wireless network, but you may not need to put all of those protections in place if you're only running wireless on a home network. Also- some of the security settings can get rather complex, and aside from the added layers of complexity, implementing them in situations where they aren't absolutely necessary can have a negative effect on your overall network performance.

Give us an idea of what your concerns are security-wise, and I'll give you specific instructions on how to put those in place for the hardware that you have.

Don't worry about when you reply, I'm in no hurry and I have school everyday.

I run windows xp pro on the desktop connected to the router.
The two laptops run xp home addtion.

As for security, all of my neighbors have cable. I just wouldn't want any interference(spelling!) between us. Also, I just don't feel like it's "correct" to have a wirless network without security. I really don't know how strict I should go or what.

Hello,

You want to go strict, because if you have a traditional firewall setup, that firewall is protecting you from attacks on the internet, but not inspecting anything coming through the wireless, because it is *assumed to be trusted*.

DMR is very good at what he does, and he will walk you through steps of forcing encryption on your network, and maybe even turning your transmitter power down some so that you ownly have the range that you need, instead of being able to talk to a few houses down the road (I run mine at 50 percent power). Encrypting means that your neighbors cannot see/utilize/abuse your connection.

He might even show you MAC address exclusions, but I would think that is excessive for what you want to do.

Enjoy!

Christian

He might even show you MAC address exclusions, but I would think that is excessive for what you want to do.

lol. Actually, being a paranoid bugger, I am going to throw MAC filtering in there!

Most of the configuration is done in the router's setup utility, so open your web browser and point it to http://192.168.1.1, which is the default IP for that model of router.

Speaking of "defaults", it is never a good idea to leave settings such as the IP address, device name, aministrative password, SSID, etc. of a wireless router or other wireless access device at their defaults. The default settings for different manufacturer's devices are well known, and getting just one of those pieces of information can give an attacker a lot to go on.

For instance: if I wander around downtown San Francisco with my laptop, I can usually pick up at least 7 wireless networks in any given place. Most of the time, 3 or so of those networks will be broadcasting the default SSID "Linksys". Just from seeing that, I can be 99% sure that at least one of those networks:

- Is not using WEP encryption.
- Is using the Linksys default IP of 192.168.1.1 for the router.
- Is using the Linksys default password "admin" for the router.
- Is not using MAC address filtering.
- Is using the router as the DHCP server for the network.
- May likely have remote administration enabled on the router.

Bingo! Set my wireless for DHCP, connect to that network, and at the very least I now have free Internet access. If I felt like being nasty, I could log into their router's setup page and reconfigure it to deny access to anyone but me.

So:

1. In the router's Basic Setup page:

- change the router name to something unique and/or obscure.
- change the router's internal (LAN-side) IP to something non-standard, keeping in mind that the IP address you choose still need to be within one of the ranges of private, non-routeable address ranges (the 192.168. or 10. ranges for example). If you understand the consequesnces, you can also change the subnet mask.
- Disable the router's DHCP server; manually assign the IP info on each computer on your network instead. If you want or need to use DHCP, you can limit the DHCP scope (the "Maximum number of DHCP users" setting) to a number equal to the number of computers on your LAN. That way someone else can't just join your network and automatically get handed an IP.

2. In the "Wireless" setup tab:

- Change the default SSID to something meaningful to you, but something that does not give anyone else any hints about your network. For example, using your name or your residence's street address as the SSID is not what you'd call a bright idea.
- Disable SSID broadcasting so that your SSID is not visible to the outside world.

3. The Wireless Mac Filter page under the Wireless tab:

Every network device has a unique (12 hexidecimal digit) identifier called the Media Access Control address. In the filter page, you can permit or deny computers permission to connect to your wireless network based on their individual MAC addresses. If you know that your two laptops should be the only computers connecting to your network, you would choose the "Permit only" filter option and then enter the MAC address of each laptop in the filter list. In Windows 2000 and XP, you can find the MAC address of a computer's network card by opening a DOS box and typing the following command at the prompt: ifconfig /all. For Win 9x/ME, the command is: winipcfg. The MAC address will be listed on the "Physical Address" line in the resulting output of the ifconfig command.

Yikes! Gotta go- I'm late for an appointment with a client. I'll post the rest as soon as I can.

I gotta get ready to go to school right now. I'll look at it this afternoon and get back to you. But thank you for posting all of that to help me!

I tryed to change my ip address, it did it and then it keep trying to reconnect to the old one. Then I could'nt do anything. It was like everything was screwed up, I couldn't access the router config page. I reset the router hoping that would help. I left everything as the defaults seeing if I could get it to work and now, I am getting a connection timed out error message when I try to connect to the internet. I checked the LAN settings and all that kind of stuff, but nothing looks wrong..

I finally just connected the modem directly to the computer and the internet worked fine. I don't know why I can't get the internet when I plug the modem into the router. Can you please help me?

Changing the default IP of the router can make it impossible for your computer to access the router's configuration page after the changes unless you then reconfigure the IP settings on the computer from which you are connecting to the router accordingly. If done incorrectly, your router and your computer will essentially be on separate (logical) networks and will be unable to communicate.

Changing the default IP/etc. info on the router may be a bit of overkill at the moment, and since it will cause problems if not done correctly, let's put that aside for now and get your basic communication with the router restored:

- BTW: Is your Internet connection via cable, or DSL? If DSL, who is your ISP?

- If your reset of the router worked, you should be able to plug the router back in to the equation and access it at its default 192.168.1.1 IP address.

a) Power down the modem.

b) Reconnect the router to the modem and apply power to it. Let it stabilize (get through its power-up tests).

c) Turn on the modem and let it stabilize as well.

d) The computer that you want to use to access the router's configuration page should be connected to the router by an Ethernet cable, not via a wireless connection. Before connecting the cable between that computer and the router, set the TCP/IP settings in the Properties of the (wired) Local Area Connection network adapter to obtain IP address and DNS server info automatically. then connect the Ethernet cable fron the computer to the router, and turn the computer on.

e) Once the computer is up and running, can you now at least get to router's setup page through your browser as I described in my last post? If not, please do the following and post the results:

- Under your Start button, go to Programs->Accessories and click on Command Prompt.

- In the resulting DOS box/window, type "ipconfig /all" (omit the quotes, and note the "space" character before the "/")

I have cable with media com. I did what you said and can get to the config page, but the internet's still not working. I made sure a firewall wasn't blocking it, and that it obtained an ip automatically.

OK- since you can now get back to the router's config pages, what info does the router's Status page give you for Login Type, Login Status, IP Address, Subnet mask, etc.?

Sorry for late post. I just got this, so I'll have to give you the results after I get back from school.

That's OK- the past couple of days have been crazed for me as well, which is why I haven't followed up with the rest of the info. Hopefully the weekend will allow me the spare time to do so...

Cool. I finally got it fixed. I don't know what I did different but it just started working. I did find out why the changiing of my ip address didn't work. When I did it, I never released and then renewed it. That's all I did wrong. This afternoon I'm going to run through the tutorial you posted for me and get some security on here. I can't do it now, because I'm heading to my grandma's house. :eek:

Glad you got it figured out. :) I usually do a reboot after changing DHCP-related settings just to make sure that the changes fully take effect. Rebooting shouldn't be necessary, but I've found that sometimes the changes just don't ripple down the way they should if you don't.

I'm glad you're not in a hurry here- I've been too busy to post the rest of the info (WEP encryption, etc.), but I should be able to do so before Monday.

Thanks for your patience!

I got all the other things you posted set up right now. Although, I can't seem to get my laptops connected to it. So you might have to explain a little about that. But don't worry about time. If you don't feel like posting until next week, then that's fine! I'm just taking this one step at a time.

Note: I hate that I keep bothering you about this, but I don't know much about networking and you have learned me SO MUCH.

Are you guys going to get back to this thread? I just discovered it, have the same setup and was really getting into reading the posts and it just stops in the middle. Did server crash´s net get its security?

Sorry- we track and respond to so many threads here that sometimes one just slips throught the cracks.

I'll flag this thread and post the rest of the security info as soon as I get a chance.

Are you guys going to get back to this thread? I just discovered it, have the same setup and was really getting into reading the posts and it just stops in the middle. Did server crash´s net get its security?

Nah, I haven't had much time, but now that it is spring break, I might get back to it. I just couldn't get the laptops connected for some reason.

While we are waiting for spring break to be over. can one of you guys tell me if setting the number of users to the exact number of computers running on the router would be enough security if you did nothing else? Just wondering really...

The first part that DMR posted would probably be very sufficent security, and as long as you specify the number of connections and the allowed mac address', I would say that would be sufficent. I mean, I would do whateven DMR says in the second half of his security tutorial though.

Yes, I realize that would be good. However, it just seemed to me that if nobody could sign on to the network because all the available slots were full, then there would not be a security issue. If you can't get on, you can't mess with anything, scenario...

However, it just seemed to me that if nobody could sign on to the network because all the available slots were full, then there would not be a security issue.

Yes, but what if one or more of your legit users/computers were not on the network at the exact time someone tries to gain access from "the outside"?
That would leave an open "slot", as you put it, for a cracker, because the "limit number of users/connections"-type options don't perform any authentication in terms of exactly who is connected.

That being the case, if you relied on the connection-limit alone as your security measure, you might find youself denied access to the network if someone hacked into your system while your computer was off the network for some reason.
Fun thought, eh? You wouldn't be able to rejoin you own network at all until your "unwanted guest" signed off and freed up the slot he'd taken. :mrgreen:

If you can't get on, you can't mess with anything, scenario...

No- network traffic can actually still be "sniffed" without the person doing the sniffing having to officially/technically "join" your network, and this is much more true of wireless transmissions than it is of wired connections.

Can they "mess with anything" in terms of mucking with your internal network? Less likey if they can't actually join your network/workgroup/domain, but still not impossible.

Can they still intercept and capture specific data transmitted over your wireless connection? Absolutely, especially if you aren't using encryption.

Which, I guess, leads to the fact that I need to finish this post with a run-down on encryption. *Groan* That's rather like writing a dissertation, but OK....

Yes, but what if one or more of your legit users/computers were not on the network at the exact time someone tries to gain access from "the outside"?

OK, this is the kind of stuff I was waiting for. Remember that I´m asking this from a purely theoretical standpoint; I realize that you would never set up a wireless lan like this... but in my case, I have 5 computers on the network and they are never shut down. If I do shut them down, I shut them all down and shut the router down, for example when the family leaves the house for a trip or something. So, for all practical purposes, there would never be a time when there was an open port (sorry about slot). Forget about accidental shutdowns (this is MY theoretical world) and power outages would shut everything down anyway.

No- network traffic can actually still be "sniffed" without the person doing the sniffing having to officially/technically "join" your network, and this is much more true of wireless transmissions than it is of wired connections.

Can they "mess with anything" in terms of mucking with your internal network? Less likey if they can't actually join your network/workgroup/domain, but still not impossible.

Can they still intercept and capture specific data transmitted over your wireless connection? Absolutely, especially if you aren't using encryption.

OK, can you give a short explanation, even technical, of how these could be accomplished?

Which, I guess, leads to the fact that I need to finish this post with a run-down on encryption. *Groan* That's rather like writing a dissertation, but OK....

Yes, but we who are short on this type of knowledge, bow to your wisdom and have been patiently awaiting your words of encryption...:rolleyes:

Yes, but we who are short on this type of knowledge, bow to your wisdom and have been patiently awaiting your words of encryption...:rolleyes:

Oh, the demands.. if only I were paid for this. :mrgreen:

You're going to have to hang tight here- I do have a full-time, real-life computer support companty to run after all, and that's what pays the rent.

The good news is that I've already started to compose the rest of what you're asking for, but it's rather in-depth, so to get it all condensed into something less than a 4-post response will take some effort.

Other then ones mentioned earlier (Add 128 bit WEP, turn off DHCP on WiFi device [bridge or router, MAC filtering, change admin name & password, change private IP address schema, disable remote/external administration)

Turn off SSID. There is no reason to tell everyone your WiFi AP is there, and your machines should know about it already, right?

Other then ones mentioned earlier...Turn off SSID. There is no reason to tell everyone your WiFi AP is there, and your machines should know about it already, right?

Yup- been there... ;)

Disable SSID broadcasting so that your SSID is not visible to the outside world.