SSID

Two more questions about wireless security

Dave Farquhar security , , ,

I got two good questions last week, via Facebook, that I answered briefly in the comments, but are worth further exploration: Does it beef up wireless security to hide the SSID and only allow the MAC addresses of hardware you own?

Those are good questions. Smart questions. I like those kinds of questions.

Unfortunately, neither measure gets you a whole lot. Against a sophisticated attacker, that buys you minutes, compared to the security of a strong password, which buys you years. It’s like having a locked screen door in front of the vault door at Fort Knox. (Assuming you’re using a strong password–if you’re using a weak password and these measures, it’s like having multiple locked screen doors.)

Then again, not everyone is a sophisticated attacker.
Read more

How to make a DMZ with two routers

Dave Farquhar security , , , , , , , ,

I’ve alluded in the past to why it’s a good idea to make a DMZ with two routers, but I’ve never gone into depth about how and necessarily why to do it.

If your ISP gave you a combination modem/switch/access point/router and it only supports 100 megabit wired and 54-megabit (802.11g) wireless and you want to upgrade to gigabit wired/150-meg (802.11n) wireless, here’s a great way to make the two devices work together and improve your security.

Read more

How to secure your wi-fi router

Dave Farquhar Servers and Networking , , , , , , , , , ,

It’s not enough to know what to look for in a router. I wanted to get some solid advice on wi-fi network security. Who better to give that advice than someone who built an airplane that hacks wi-fi? So I talked to WhiteQueen at http://rabbit-hole.org, the co-builder of a wi-fi hacking airplane that made waves at Defcon.

Hacker stereotypes aside, WhiteQueen was very forthcoming. He’s a white hat, and I found him eager to share what he knows.

Read more

Things to look for in a wireless router

Dave Farquhar Servers and Networking , , , , , ,

It’s the time of year that a lot of people buy computer equipment, and wireless networking is one of the things people look for. But what things should be on the shopping list?

I was hoping you’d ask that question.Compatibility with what you already have, if possible. Routers are available that speak 802.11a, 802.11b, and 802.11g, or all three. If you already have some wireless equipment, look for something that can speak its language.

Cordless phone interference. 2.4 GHz cordless phones will interfere with 802.11b and 802.11g. 802.11a works at a different frequency, but it might be cheaper to replace your 2.4 GHz phone with a 900 MHz phone.

Speed. 802.11a and 802.11g operate at 54 Mbps, which is considerably nicer than 802.11b’s 11 Mbps, although both are much faster than current U.S. broadband connections, which tend to top out around 3 Mbps. If you move a lot of files around, you’ll appreciate the 54 Mbps speed. If your primary use of wireless is sharing an Internet connection and a printer or two, 802.11b is probably fast enough, and it’s usually cheaper, with the downside of shorter life expectancy.

802.11g is currently the most popular standard, because it gives 54 Mbps speed and offers compatibility with existing 802.11b equipment. Use this information as you will. If you’re of the security by obscurity mindset, 802.11a is a better choice, as a wardriver is more likely to be driving around with an 802.11b or 802.11g card. If you want to make sure your buddies can hook up when they come over, or you can hook up at your buddies’ places, 802.11g is the better choice.

Brand. Match the brands of router and cards, if at all possible. This makes configuration and security much simpler.

WPA. The encryption used by older standards is relatively weak. You want to enable 128-bit WEP (256-bit WEP is better but still not as good as WPA), change the SSID and disable SSID broadcast, and hard-code your MAC addresses so that only your cards can use your router. This protects you from someone driving around your neighborhood with a laptop and using your Internet connection to send out spam or transfer illicit material that can be traced back to you. Do you want the RIAA suing you because someone used your Internet connection to download 400 gigs’ worth of boy-band MP3s off Kazaa? Worse yet, if that happens, word might get out that you like that stuff.

WPA adds another layer of protection on top of these (which are standard issue by now). Rather than the security key being fixed, it’s dynamically generated from trillions of possibilities. Sufficient CPU power to crack WPA and either monitor your transmissions or use your access point might someday exist, but for now it gives the best protection available, so you should get it and use it. This USRobotics whitepaper on security ought to be a must-read.

Built-in firewall with port forwarding. This is a standard feature on all brand-name units and ought to be on the off brands as well, but it doesn’t hurt to double check. Hardware firewalls are far superior to software firewalls–they don’t annoy you with popups and they can’t be disabled by a malicious process. Port forwarding is necessary for a lot of games, and also if you want to run your own mail or web server.

Hackability. By this I don’t mean the ability of an outsider to get in, I mean your ability to add capability to it. The Linksys WRT54G is based on Linux, so it has a big following with an underground community adding capabilities to it all the time. If you want to take advantage of this, look for a WRT54G or another device with a similar following.

Network infrastructure for a small office

Dave Farquhar Servers and Networking , , , , , , , , , , ,

We talked earlier this week about servers, and undoubtedly some more questions will come up, but let’s go ahead and talk about small-office network infrastructure.
Cable and DSL modems are affordable enough that any small office within the service area of either ought to get one. For the cost of three dialup accounts, you can have Internet service that’s fast enough to be worth having.

I’ve talked a lot about sharing a broadband connection with Freesco, and while I like Freesco, in an office environment I recommend you get an appliance such as those offered by Linksys, US Robotics, D-Link, Netgear, Siemens, and a host of other companies. There are several simple reasons for this: The devices take up less space, they run cooler, there’s no need to wait for them to boot up in case of power failure or someone accidentally unplugging it, and being solid state, theoretically they’re more reliable than a recycled Pentium-75. Plus, they’re very fast and easy to set up (we’re talking five minutes in most cases) and very cheap–under $50. When I just checked, CompUSA’s house brand router/switch was running $39. It’s hard to find a 5-port switch for much less than that. Since you’ll probably use those switch ports for something anyway, the $10-$20 extra you pay to get broadband connection sharing and a DHCP server is more than worth your time.

My boss swears that when he replaced his Linksys combo router/100-megabit switch with a much pricier Cisco combo router/10-megabit switch, the Cisco was faster, not only upstream, but also on the local network. I don’t doubt it, but you can’t buy Cisco gear at the local office supply store for $49.

For my money, I’d prefer to get a 24-port 3Com or Intel switch and plug it into a broadband sharing device but you’ll pay a lot more for commercial-grade 3Com or Intel gear. The cheap smallish switches you’ll see in the ads in the Sunday papers will work OK, but their reliability won’t be as high. Keep a spare on hand if you get the cheap stuff.

What about wireless? Wireless can save you lots of time and money by not having to run CAT5 all over the place–assuming your building isn’t already wired–and your laptop users will love having a network connection anywhere they go. But security is an issue. At the very least, change your SSID from the factory default, turn on WEP (check your manual if it isn’t obvious how to do it), and hard-code your access point(s) to only accept the MAC addresses of the cards your company owns (again, check your manual). Even that isn’t enough necessarily to keep a determined wardriver out of your network. Cisco does the best job of providing decent security, but, again, you can’t buy Cisco gear at your local Staples. Also, to make it easier on yourself, make sure your first access point and your first couple of cards are the same brand. With some work, the variety pack will usually work together. Like-branded stuff always will. When you’re doing your initial setup, you want the first few steps to go as smoothly as possible.

I’d go so far as to turn off DHCP on the wireless segment. Most wardrivers probably have the ability to figure out your network topology, gateway, and know some DNSs. But why make life easier for them? Some won’t know how to do that, and that’ll keep them out. The sophisticated wardriver may decide it’s too much trouble and go find a friendlier network.

Why worry about wireless security? A wardriver may or may not be interested in your LAN. But that’s one concern. And while I don’t care if someone mooches some bandwidth off my LAN to go read USA Today, and I’d only be slightly annoyed if he used it to go download the newest version of Debian, I do care if someone uses my wireless network to send spam to 250,000 of his closest friends, or if he uses my wireless network to visit a bunch of child porn or warez sites.

Enough about that. Let’s talk about how to wire everything. First off, if you use a switched 100-megabit network, you can just wire everything together and not give much thought to anything. But if you’re using hubs or wireless to connect your desktops, be sure to put your servers on 100-megabit switch ports. The servers can then talk to each other at full speed if and when that’s necessary. And a switch port allows them to talk at full speed to a number of slower desktop PCs at once. The speed difference can be noticable.

Let’s talk wireless networking

Dave Farquhar Hardware , , ,

When I was at church tonight looking at a power supply they asked me to help them set up a wireless network. I didn’t go about securing it just yet because I was paranoid about locking myself out.
I learned enough anyway.

The first thing I learned was that mix-and-matching your stuff for initial setup isn’t the best of ideas. We had a 3Com access point, a D-Link PCMCIA NIC, and a Linksys USB NIC. The D-Link and the 3Com didn’t want to talk to each other. Differing SSIDs turned out to be the culprit. The 3Com’s SSID was “3Com”. The D-Link’s SSID was “default”. The Linksys’ SSID was “Linksys”. But the Linksys setup program hinted that if you changed the SSID to “Any”, it would work with anything. It was right. It linked right up to the 3Com access point, while the D-Link just kept blinking away, looking for something. So we used the Linksys to configure the 3Com access point and changed the D-Link’s SSID. We had to reboot a couple of times before it kicked in, but then the D-Link connected up and held a link.

So the moral of that story is to make sure your access point and at least one of your cards match. And if you can’t match brands, get one Linksys, since you can set its SSID to “Any” and it’ll connect to anything. (I couldn’t figure out how to make the D-Link do that; maybe if I’d set it to “Any” it would have found the 3Com too.) Of course the only way to find out the 3Com’s SSID was to connect to it, so if we hadn’t had that Linksys, we’d have been up a creek.

So now I just have to figure out how to secure the network and they’ll be set. The plan is to only break the wireless stuff out during events, so it’s not like they’ll become much of a wardriving target, but I’ll still feel better if it’s secure. I’m a little bit afraid to just connect to the access point, enter a passphrase and turn on 128-bit encryption, because I couldn’t figure out how to give the cards themselves the passphrase and I didn’t want to take the chance of whether it’ll ask for it upon initial connection.

Time for more research.

And I think I’ll be getting some wireless stuff for myself soon. I’ve thought about phone networking, but Linux support is spotty. Wireless is less secure and more expensive, but it’s a whole lot easier. And it’ll be nice to be able to take a laptop anywhere I want and still be connected. CompUSA has their wireless gear on sale right now.