The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    How Do You Secure Your Network?

    Discussion in 'Networking and Wireless' started by usapatriot, Mar 22, 2007.

  1. usapatriot

    usapatriot Notebook Nobel Laureate

    How do you secure your wireless network from intruders?

    This is my setup:

    ________________

    Linksys WRT54GS

    SSID Not Broadcast

    WPA2 Enabled with random 63 character key

    Mac Address Filtering Enabled

    Default Router Admin Logon Change

    ________________

    I was wondering because the number of wireless networks detectable from my house has gone from 1 in early 2006 to 5 and sometimes more in 2007.

    And most of them are unsecured or use WEP.
     
  2. Homer_Jay_Thompson

    Homer_Jay_Thompson blathering blatherskite

    WPA-PSK and Mac filter.
     
  3. WackyT

    WackyT Notebook Deity

    WPA-Personal with long random key
    Hidden SSID
    MAC Filtering
     
  4. vespoli

    vespoli 402 NBR Reviewer

    WPA personal
    hidden SSID
    no mac filtering...haven't seen the need yet.

    This is at home...it was unsecured for the longest time until I helped my folks out. :)

    At school now so it's protected by a user name/pw login.
     
  5. trooper_gs

    trooper_gs Notebook Consultant

    wpa-psk and mac filter for 2 computers and dns set to allow only 2 computers
     
  6. Pharoke

    Pharoke Notebook Evangelist

    WPA2 psk
    Mac Filtering
    SSID broadcast off
    Changed default router name and password
     
  7. sanpabloguy

    sanpabloguy Notebook Deity

    WPA-Personal
    SSID set to hidden
    MAC Filtering

    I could probably have an open network where I live, but better safe than sorry.
     
  8. j0hn00

    j0hn00 Notebook Evangelist

    WPA2 - Personal
    SSID - broadcast off
    MAC Filtering

    I live in an apartment building that's next to another apartment building and so on. At any given time, I've got at least 10 networks that are detected, most being open.
     
  9. obsolete

    obsolete Notebook Evangelist

    This is a bit off topic, but I was configuring a friend's wireless router today and couldn't get his older (2002 or 2003) Dell laptop to recognize WPA-PSK. Actually, it would only log on when I set it to 64bit WEP or Open. It's on a Belkin 54g wireless router. I expected it to not work with WPA-PSK, but why not 128bit WEP?
     
  10. BigV

    BigV Notebook Deity

    the network card might have newer drivers available that enable better encryption.
     
  11. Wail

    Wail Notebook Consultant

    I used ...

    WEP
    SSID, hidden (not broadcasted)
    MAC address specific to allow only the machines of my household
     
  12. RedSensiStar

    RedSensiStar Notebook Deity

    I don't secure (one) of my wireless routers.

    I like to let people (illegally) steal my wireless.

    So I figure I can (legally) snoop on what they're looking at.

    Fun? Yes. Right? Maybe not. Should you try it? No.
     
  13. pbcustom98

    pbcustom98 Goldmember

    lots of tin foil.

    seriously though, I'm in the process of getting a cheap buffalo router and throw some ddwrt on it for some fun :)

    i plan on:
    mac filtering
    SSID not broadcast
    admin login changed
    WPA-PSK
    DHCP from .100 -> .102 (static IPs for everyone!) for wireless, then other statics for wired
    line the house with tin foil from the movie Signs
     
  14. LIVEFRMNYC

    LIVEFRMNYC Blah Blah Blah!!!

    I have two networks, I use WEP on one of my routers because my smartphone can't do WPA. I use WPA Personal on my other router. I really don't know much about the difference between the rest of the WPA choices.

    Edit: I also use MAC filter. My list gets pretty long with 3 OS's and VMWare on 2 of them, and my smartphone.
     
  15. Skibums

    Skibums Notebook Evangelist

    A 130lb Rottweiler usually keeps most people far enough away from any usable signal! If people only knew what big babies, rotties really are...

    I use:

    WEP (soon to go to WPA2)
    SSID not broadcast
    mac filter on
    admin login change
     
  16. Reezin14

    Reezin14 Crimson Mantle Commander

    No broadcasting of SSID
    WPA-PSK
    Change my network key every two months
    No MAC filtering as of yet.
     
  17. blue68f100

    blue68f100 Notebook Virtuoso

    WPA with 44 chr, randomly generated with ALL printable char. SSID Hidden and power setting on low. Gives me the coverage I need without bothering others. Cracking time at 100,000 tries/sec, 2+ lifetimes.
     
  18. sp00n

    sp00n Notebook Deity

    Radius server hosted on Hotspot.net.
     
  19. obsolete

    obsolete Notebook Evangelist

    Man you guys are paranoid.

    Yeah, me too. :D
     
  20. sanpabloguy

    sanpabloguy Notebook Deity

    George Ou's blog entry on Wireless LAN Security Myths was an interesting read. Mainly geared toward businesses, but some points applicable to home/school users.

    Not sure I agree with all of his points as a home user in a rural area. Anymore, I think of ZDNet more like the National Enquirer than the New York Times. Still, some stuff to think about.
     
  21. JollyGreenGiant

    JollyGreenGiant Notebook Consultant

    MAC filtering and Admin logon changed
     
  22. Gautam

    Gautam election 2008 NBR Reviewer

    No encryptions or security at home apart from a simple MAC address filter.
     
  23. RedSensiStar

    RedSensiStar Notebook Deity

    Be careful. Some MC Escher dude might sneak their way into your system!
     
  24. Pitabred

    Pitabred Linux geek con rat flail!

    Network security? Wireless sniffer, and a Louisville Slugger ;)

    j/k. It's just standard WPA, since I don't want to deal with the rigmaroles of having to get WPA2 working on my roommate's machines. They tend to be resistant to any change I make that makes things "not work". When I move in with my girlfriend, things will change.
     
  25. shinji257

    shinji257 Notebook Deity

    WEP
    SSID Broadcasting
    Admin logon changed for router

    Mac filtering is not turned on right now. I did use WPA2 Enterprise but I found out the Nintendo DS does not support WPA so I started using WEP. There are no other networks around so I am not too worried about someone using it and if someone does then they are going to be disappointed at the internet speeds. I use it to split out a dialup connection. All machines are firewalled within network. The rest are just standalone devices. They can help themselves to the network printer but I will see what they print out. It's a Canon iP4300 running on an IOGear Network Print Server.
     
  26. Chris

    Chris Notebook Geek

    Wired: Labrador crossbreed that doesn't like strangers.
    Wireless: WPA2-AES with long key.
     
  27. BigV

    BigV Notebook Deity

  28. oldgregg

    oldgregg Notebook Geek

    I have a WRT300N & WPC300N.

    I'd hide my SSID but when I do my notebook doesn't find it & that's using the internal or the pcmcia.

    The WPA-2 Personal does just fine.
     
  29. cashmonee

    cashmonee Notebook Virtuoso NBR Reviewer

    WPA with a 64 random all printable character key. That's all you need.

    As for MAC filtering and not broadcasting your SSID, they don't do anything and degrade performance. MAC addresses are easily obtained and spoofed and your SSID is still viewable whether you broadcast it or not.
     
  30. shinji257

    shinji257 Notebook Deity

    Actually it isn't the SSID that they see; it will be the BSSID that they see. The SSID is the identifier that you give your network. The BSSID is the MAC address of the router broadcasting the wireless signal and you always will see that one. If you do not then the software is filtering out the routers that are only broadcasting the BSSID. They get confused a lot though.

    EDIT: I originally put ESSID when I meant BSSID. SSID and ESSID are basically the same thing! BSSID is the basic version and ESSID is the extended version.

    http://en.wikipedia.org/wiki/SSID

    http://en.wikipedia.org/wiki/BSSID
     
  31. zeinoonm

    zeinoonm Notebook Consultant

    WPA2 Personal
    From what I've read, WEP, MAC filtering, SSID hiding, and decreasing the power of your router are all useless to safeguard your network.
     
  32. BigV

    BigV Notebook Deity

    well, if someone REALLY wanted to get into your network, they could regardless of what security you're using on consumer-type equipment.
     
  33. speedking

    speedking Notebook Consultant

    how do you actually see and connect to your wireless when the router isn't broadcasting the network?
    I use only MAC address filtering.
     
  34. BigV

    BigV Notebook Deity

    you manually enter it.
     
  35. Gautam

    Gautam election 2008 NBR Reviewer

    LOL. I think this kind of hints at my own perspective, all jokes aside.

    Yeah. My perspective here is that if someone is really adamant about getting into a network, they will. I just need a simple procedure to stop random neighbors from stealing internet bandwidth by mistake. I find that MAC address filtering works very well for this simple operation. You might say that they could mask their MAC and use a dummy one - but 1) they need to know the MAC of a registered computer, and 2) that computer shouldn't be on the network at the same time...so it's a decent protection system.
     
  36. shaheenarshan

    shaheenarshan Notebook Deity

    I use my neighbour's wireless ;)
    I know it's wrong but then again I got good neighbours :D :D
     
  37. AtLarge

    AtLarge Notebook Geek

    Mac filter. I'm too lazy to do the rest and it's easy to change.
     
  38. grazzt

    grazzt Notebook Consultant

    How do you hide your SSID? I have a WRT54G router. I can only find this setting in the setup..."Wireless ID broadcast" enable or disable. Is this the same thing?
     
  39. usapatriot

    usapatriot Notebook Nobel Laureate

    Yes, it is the same thing.
     
  40. grazzt

    grazzt Notebook Consultant

    Thanks a lot!!!
     
  41. sp00n

    sp00n Notebook Deity

    Mine's open and unsecured. Once you receive an IP address from my DHCP server, you're automatically redirected to a secure login page. You must have the right credentials before you can do anything on my wireless network. I have also separated my wired network from my wireless network, so if someone has gained access to my wireless network for some reason, they won't be able to access my wired network.
     
  42. Pitabred

    Pitabred Linux geek con rat flail!

    Update: Since I just moved in with my girlfriend, I have a Linksys WRT54GL with the DD-WRT firmware on it broadcasting a WPA encrypted signal (soon to be WPA2 as soon as I can get all the updates and everything I need on my other computers), and a second 802.11b Linksys access point that's broadcasting a different, unencrypted signal and is segregated on its own VLAN for Internet access, so that guests and neighbors can get free, low-priority web access, but can't access my internal network.

    If you don't use WPA though, even if I can't get access to your network, all of your transmissions will be in the clear, so I can sniff and watch everything you do, if I were so inclined ;) MAC filtering is a good additional step, but it's not in any way a replacement for WPA/WPA2.
     
  43. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    I changed the SSID and set it to not broadcast, changed the admin logon and password, use WPA-PSK with a good long key, do not use MAC filtering, and review the logs weekly for oddities.
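
Added example (not part of any post in this thread): one way to automate the weekly log review mentioned above. It assumes DHCP lease events in the field order of a dnsmasq lease file (expiry, MAC, IP, hostname, client-id); the sample lines, the known-device list and all function names are constructed for illustration.

```python
# Constructed sample: one DHCP lease event per line (expiry, MAC, IP, hostname, client-id).
SAMPLE_LEASES = """\
1174600000 00:16:b6:11:22:33 192.168.1.100 den-laptop 01:00:16:b6:11:22:33
1174600300 00:18:39:aa:bb:cc 192.168.1.101 kitchen-pc 01:00:18:39:aa:bb:cc
1174600900 00:13:ce:44:55:66 192.168.1.102 unknown-host *
1174601200 00:16:b6:11:22:33 192.168.1.103 visitor 01:00:16:b6:11:22:33
1174601500 02:de:ad:be:ef:01 192.168.1.104 * *
"""

# Constructed allowlist: the same MACs you would enter in the router's MAC filter.
KNOWN = {"00:16:b6:11:22:33": "den-laptop", "00:18:39:aa:bb:cc": "kitchen-pc"}


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set, i.e. not a burned-in vendor address."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_leases(text):
    """Yield one dict per well-formed lease line; skip short or blank lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield {"expiry": int(parts[0]), "mac": parts[1].lower(),
               "ip": parts[2], "host": parts[3]}


def audit(text, known):
    """Return (mac, reason) findings worth a closer look."""
    findings = []
    for lease in parse_leases(text):
        mac, host = lease["mac"], lease["host"]
        if mac not in known:
            findings.append((mac, "not on the known-device list"))
        elif host != known[mac]:
            # An allowed MAC announcing a different hostname can mean a cloned address.
            findings.append((mac, f"known MAC but hostname {host!r}, expected {known[mac]!r}"))
        if is_locally_administered(mac):
            findings.append((mac, "locally administered (software-set) address"))
    return findings


if __name__ == "__main__":
    for mac, reason in audit(SAMPLE_LEASES, KNOWN):
        print(f"{mac}  {reason}")
```

A hostname mismatch on an allowed MAC is the case a MAC filter alone never reports, which is why the log review adds something the filter does not.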
     
  44. Wail

    Wail Notebook Consultant

    AKAJohnDoe,

    Just one question, why don't you use MAC filtering?
     
  45. Pitabred

    Pitabred Linux geek con rat flail!

    There's no real reason to use MAC filtering unless you really think you might be attacked and need that extra paranoia layer, or if you're running a large network like at a business, where you only want registered, clean machines on the network, and you may not have as tight of control over who has the encryption password. If you have WPA installed, it's yet another step you have to go through if you want to add another computer to the network, you have to figure out their MAC address, and then add it to the acceptable MAC list, etc. Just pick a strong WPA/WPA2 password, and it'd even be secure from me, and I'm one of the more dangerous people to have poking at your network ;)
     
  46. Wail

    Wail Notebook Consultant

    Thanks Pitabred, for the reply. Somehow I sleep much better with MAC filtering activated and only my set machines able to access my network. Yes, I am very paranoid; but maybe that is due to what I keep on my network ;)
     
  47. Pitabred

    Pitabred Linux geek con rat flail!

    As long as you have WPA as well. MAC filtering without any encryption doesn't provide you with any protection from wireless snooping. People can see anything you send across the network. They just might not be able to leech Internet access from you. But there are ways around that if you're devious ;) It's MUCH harder to get around with WPA enabled with a strong password, and with both WPA and MAC filtering, you're pretty much uncrackable. You have to make sure your WPA password isn't something that's dictionary crackable, otherwise it's not of much use. It's more important to have a strong WPA password than a strong password on your computer itself, if your computer has a good firewall and doesn't offer any services like SSH or remote desktop.
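
Added example (not part of any post in this thread): a Python sketch of the points made above about long random WPA keys versus dictionary-crackable ones. It generates a passphrase from the 95 printable ASCII characters, derives the 256-bit key WPA/WPA2-Personal computes from passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations), and estimates search time at the 100,000 tries/sec figure quoted earlier in the thread; the function names, the "HomeNet" SSID and the 1,000,000-word dictionary size are assumptions.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII 0x20-0x7E: the 95 characters allowed in a WPA passphrase.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "


def generate_passphrase(length=63):
    """Random WPA passphrase (8 to 63 characters) drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def derive_psk(passphrase, ssid):
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def entropy_bits(length, alphabet_size=len(PRINTABLE)):
    """Bits of entropy in a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate in the keyspace."""
    return keyspace / guesses_per_second


def years_to_exhaust(keyspace, guesses_per_second):
    return seconds_to_exhaust(keyspace, guesses_per_second) / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 100_000  # tries/sec, the figure quoted in the thread
    key = generate_passphrase(44)
    print("44-char random key:", key)
    print("entropy: %.0f bits" % entropy_bits(44))
    print("random key, years to exhaust: %.2e" % years_to_exhaust(95 ** 44, rate))
    # Assumed dictionary size; a word from such a list falls in seconds at the same rate.
    print("dictionary word, seconds to exhaust:", seconds_to_exhaust(10 ** 6, rate))
    # The SSID is the salt, so the same passphrase gives a different key per network name.
    print(derive_psk(key, "linksys").hex())
    print(derive_psk(key, "HomeNet").hex())
```

A 44-character random key already carries more than the 256 bits of the derived key, so going to 63 characters adds margin rather than a stronger key.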
     
  48. aboutblank

    aboutblank Notebook Enthusiast

    Please... security analysts will tell you that disabling SSID broadcasting and enabling MAC filtering is ABSOLUTELY USELESS. It's insanely easy to sniff both of those and very very easy to change your MAC. The MAC is supposed to be burned into the hardware, but you can change it in Linux and in some cases Windows.

    Do NOT use WEP: it can be cracked in < 5 mins by someone who knows what they are doing. Using WPA is really the only way to secure your WLAN.
     
  49. sp00n

    sp00n Notebook Deity

    100% agreed.

    Wireless is not 100% secure and never will be. If you want to prevent wireless snoopers from logging into your network and seeing all your computers, just separate your wireless network from your wired network. You can do this by using 2 routers, one in front and one in the back. Basically it looks like this:

    Internet - router 1 (wireless clients) - router 2 (wired clients).
     
  50. Wail

    Wail Notebook Consultant

    OK, now I am beginning to think of moving BACK to wired network; not only for security reasons but for speed and simplicity too!

    Maybe keeping a wired and a wireless infrastructure, but using the wired as the primary network.
     