Tell me about wireless routers

[IronWolf]

The LinkSys routers have the single advantage of being Linux-based, and hence, hackable.

Yep! One of the reasons I like them.

In the last 2+ years, I have never had to reset the D-Link due to problems with it hanging or crashing. I *have* had to reset the cable modem at least once every 3-4 months (stupid piece of sh*t!) and I live in the lightning capital of the world: central Florida.

Perhaps different models or versions of firmware or just lousy luck. ::shrug:: The D-Link I have in place does need rebooted. There are usually several months between restarts though so its not *that* problematic. But since I have a LinkSys at home that almost never needs restarted I tend to recommend the LinkSys' instead. Plus the oddities I saw once trying to get a PDA SD wireless card to connect to it soured me a little.

First, be aware that unless you *really* know what you are doing, you WILL NOT be able to secure your communications over a wireless link. First off, MAC addresses are easily spoofed (I can listen on your network and within seconds have your MAC address, which I can then program my NIC to use). Second, not broadcasting your ESSID is good, but it's only used as a "selector" so that when multiple wireless access points are available, a user can choose the one they want. Third, setting a WEP key is necessary, but within 35 minutes and a few thousand data packets, I can decrypt your WEP key and be watching your packets zip across the airwaves. Three strikes, you're out!

Sysadmin here who has done my fair share of securing of wireless networks. Agreed that there is more to it than *just* reading the manual, but for most home users reading the manual and securing it by their directions is leaps and bounds better than the vast majority of wireless users. Sometimes it's just a matter of being more secure than the neighbor to either side of you. (applies to home users only, not business/corporate use).

What this all comes down to is: DO NOT EXPECT PRIVACY on a wireless link.

Also agreed. But a lot of this can be said for life on the web in general. A fair number of people don't know their email password and SMTP traffic is travelling along the Information Highway in plain text. Or about man in the middle attacks. Or any number of other exploits. Never expect privacy on the web - wired or unwired.

The correct way to go wireless is to set up a RADIUS server. If you don't want to spend money, put a small Linux box on your network and run a FreeRADIUS server.

Your average home user will not be setting up a RADIUS server. Though I agree it is the safest way to fly!

 

[tarchon]

Third, setting a WEP key is necessary, but within 35 minutes and a few thousand data packets, I can decrypt your WEP key and be watching your packets zip across the airwaves. Three strikes, you're out!

Or you could use WPA instead of WEP. It's currently considered secure if the key is sufficiently long, 20 character minimum, and it's not particularly any more difficult to set up than WEP.

 

[Setanta]

Is there a documented bug report that backs this up? I did some quick googling but it appears my google-fu is weak today.

Not that I now of. It's just something a customer mentioned. He had been using LinkSys, and they worked fine whether their customers used a plain text password or the same values as a HEX key. We replaced the AP's for another reason, and the new AP's only work if clients send an identical key.

Sysadmin here who has done my fair share of securing of wireless networks. Agreed that there is more to it than *just* reading the manual, but for most home users reading the manual and securing it by their directions is leaps and bounds better than the vast majority of wireless users. Sometimes it's just a matter of being more secure than the neighbor to either side of you. (applies to home users only, not business/corporate use).

Agreed. I use a WEP key, suppress SSID advertisements, and restrict based on MAC addresses, but I know someone who wants to get in can. I just hope I've made it more trouble than it's worth, considering there are several wireless networks in the neighbourhood advertising SSID's like "LinySys" with no encryption whatsoever.

 

[Fenris]

Thanks all for the input. azhrei_fje has scared me off of a wireless router for the home. And I need to use the work wireless for any access but I had obviously better be very carefull with it. It is a university wireless network and you have to signon to it, so I suppose that is good. But I will wait and see if I need to have the laptop connected at home as well.

Fenris

 

[azhrei_fje]

Okay, sounds like there are a bunch of knowledgeable people frequenting this thread.

My concern is to make sure people understand that wireless is not perfect. If they understand that, and take the risks knowingly, then we (as IT professionals) have done all we can. Part of my motivation is to reduce the number of Windows machines taken over by spammers and black hat hackers who will use them as zombies. If even a single person learns enough to protect their machine, then my time spent has been worth it. (Stopping one zombie might not seem like a lot, but stopping one means that the machine won't be out there patrolling the 'net looking for others to take over.)

Listen to what IronWolf said and secure your network as much as possible, based on the documentation you received. Each additional security feature gets you about some percentage closer to being 100% secure (in reality there is no such thing, but we still want to strive for it). So, the first feature (using WEP) will be 60%, let's say. Turning off SSID broadcasts will get you another 60% closer to 100%, so you're at 60%+(60% of the remaining 40) is 84%. Filtering based on MAC isn't worth much at all, so let's get you another 20% closer; now you're at 84%+(20% of 16) or 87%.

Concerning WPA, there are issues with any implementation that doesn't use RADIUS. As IronWolf pointed out, no one who isn't an IT geek is going to run a RADIUS server at home!! The fact that the software is free, though, should help tilt things in that direction in the future. If such software can be easily downloaded and configured, it will become more popular.

There are Live CD distributions of Linux that specialize in security and I read about one recently that has FreeRADIUS installed (don't remember which one, though; check www.distrowatch.org). The configuration files can be kept on a write-protected floppy. Pull the hard drive out of an old machine, boot from CD, and put the floppy in when prompted. You now have a FreeRADIUS server without any chance of corruption! If it *does* somehow get hacked, reboot it and you're ready to go again. Cool.

I've modified the quote slightly:

Insisting on perfect safety security is for people who don't have the balls to live in the real world.

 

[azhrei_fje]

Thanks all for the input. azhrei_fje has scared me off of a wireless router for the home.

I'm sorry!! I hope this is a reasoned decision and not a knee-jerk reaction? But if you don't need one at home, you're better off without it -- certainly don't do it without knowing the risks!!

Since your work environment is a university, I expect you're running some pretty good protection software! I used to be a university student in my ancient past.

One of the biggest things to remember: if someone *does* hack your network, the data flowing through the air is at risk. And given the security problems with Windows, even the files on the hard drive are fair game. Just don't use the wireless laptop for data that you want to keep private, and you should be alright. (What's that saying? Don't tell anyone anything that you wouldn't want to see printed in the newspaper. Although it could be literal in this case!)

 

[Setanta]

And given the security problems with Windows, even the files on the hard drive are fair game.

Fenris- this is certainly an important point. If you're running windows, make sure windows file and print sharing is off when you're running on the wireless network. It's just not secure. It's one thing on a wired network, but on wireless you're asking for trouble. So, go ahead and use wireless for stuff like web browsing, and the chances of something bad happening are really quite low, as long as you do the basic security stuff listed above in this thread. Also note that most e-mail programs send their password (and the body of most e-mails) in clear text, so if you check your e-mail over wireless, you're inviting others to read it.

 

[Fenris]

Thanks all. The wireless router would have been for home to use the laptop on the internet without tying up the desktop computer. I think I can do without. I have to compete with my wife for internet time, but for now that's OK.

But if I may. Let me ask what I need to do and not do with the laptop. So this is my personal laptop. It is a (gasp!) windows machine. The university has a wireless system on many parts of the campus. We have to sign on to acess it. Past that I have no idea what security measures are in place. I have McAfee virus protection, firewall and privacy service on the laptop. Principly I will be using the laptop to write with. I need to access the library databases with it. I now know not to hit my bank site. Email I could probably avoid. What about sites like ENWorld? They have passwords, should I avoid them as well?

How do I turn off windows file and print sharing?
I don't know if all those other suggestions are in my control since I don't control the network. But what else ought I do to protect my machine?

While my research (and thus most of my documents) is propriatary, it isn't confidential per se. There is some gaming files on there as well.

Thanks again for all your help!

 

[Setanta]

How do I turn off windows file and print sharing?

Unfortunately, it's possible that windows file and print sharing is how you're going to access things like the library database. It could be done another way, but we'd need more info. You can turn it off and see if you can still get to what you need to get to, and turn it back on if you can't. To turn if off, go start-> control panel -> network connections. Right click on your wireless network connection, and choose properties. In the dialog box that comes up, click on the checkboxes next to windows file and print services so that it's turned off. Click OK, wait for it to do its thing, and you're good. Having Client for Microsoft Networks turned on is also probably a security problem knowing MS, but I can't be positive on that one. I leave that turned off as well, and you should too if you don't need it.

As for browsing EN World, if someone steals your password, will it matter? If the worst thing that can happen if someone logs in here with your account and posts something that gets you in trouble with the mods, you'll get over it. If your password here is the same as some important passwords in your life, especially if you use Fenris in other places, then you should change your EN World password

 

[Fenris]

Setanta,
I turned off file and print sharing and turned off Client. I went onto the network, and had no problem interacting with the library database or extarcting the files I needed. Thanks!

And Your point about ENWorld is good, I just hate to have to be confined on the web, but to be safe I guess I will judiciously choose my web site.

Fenris