When I was at church tonight looking at a power supply they asked me to help them set up a wireless network. I didn’t go about securing it just yet because I was paranoid about locking myself out.
I learned enough anyway.
The first thing I learned was that mix-and-matching your stuff for initial setup isn’t the best of ideas. We had a 3Com access point, a D-Link PCMCIA NIC, and a Linksys USB NIC. The D-Link and the 3Com didn’t want to talk to each other. Differing SSIDs turned out to be the culprit. The 3Com’s SSID was “3Com”. The D-Link’s SSID was “default”. The Linksys’ SSID was “Linksys”. But the Linksys setup program hinted that if you changed the SSID to “Any”, it would work with anything. It was right. It linked right up to the 3Com access point, while the D-Link just kept blinking away, looking for something. So we used the Linksys to configure the 3Com access point and changed the D-Link’s SSID. We had to reboot a couple of times before it kicked in, but then the D-Link connected up and held a link.
So the moral of that story is to make sure your access point and at least one of your cards match. And if you can’t match brands, get one Linksys, since you can set its SSID to “Any” and it’ll connect to anything. (I couldn’t figure out how to make the D-Link do that; maybe if I’d set it to “Any” it would have found the 3Com too.) Of course the only way to find out the 3Com’s SSID was to connect to it, so if we hadn’t had that Linksys, we’d have been up a creek.
So now I just have to figure out how to secure the network and they’ll be set. The plan is to only break the wireless stuff out during events, so it’s not like they’ll become much of a wardriving target, but I’ll still feel better if it’s secure. I’m a little bit afraid to just connect to the access point, enter a passphrase and turn on 128-bit encryption, because I couldn’t figure out how to give the cards themselves the passphrase and I didn’t want to take the chance of whether it’ll ask for it upon initial connection.
Time for more research.
And I think I’ll be getting some wireless stuff for myself soon. I’ve thought about phone networking, but Linux support is spotty. Wireless is less secure and more expensive, but it’s a whole lot easier. And it’ll be nice to be able to take a laptop anywhere I want and still be connected. CompUSA has their wireless gear on sale right now.
One suggestion: If the 3Com will do it, set the access point to only connect to the MAC addresses of your wireless NICs.
Office Depot and Office Max are offering sales on rotating products also. Office Max is pushing Belkin; Office Depot, Linksys.
There’s really no good way to secure a WLAN when using home-grade equipment. The MAC addr suggestion above isn’t bad, but it isn’t hard to get a wireless card to spoof a MAC addr, once you use Airsnort to sniff the valid addr off the network. The minimum to do is:
set the SSID to something unique
enable 128-bit WEP
enable MAC addrs as suggested above
and even then you’re only safe for a bit. Don’t send any sensitive data over a WLAN link that isn’t encrypted (ssh connection, IPSec over a VPN, etc…). At least the hacker kiddies won’t get your on-line banking password while they’re using your DSL connection for free 😉
Any commercial WLAN should, at least today, be using all Cisco gear with their LEAP protocol to secure the keys. This, however, is not a cheap solution…
Good post. Keep us informed on how well the security thing goes on the wlan. I am thinking about a similar project for my house and church. The security issue is of great concern.
Seven Security Problems of 802.11 Wireless by Matthew Gast
Wireless LANs at Risk by Craig Ellison
Hardening IEEE 802.11 wireless networks by Tyson Macaulay
WLAN Hardening Checklist
Top 10 tips to spoil a wireless hacker’s day by Gary Boniface