# security questions from somebody that knows JACK



## pdxireland (Nov 11, 2004)

OK....
Just set-up a D-Link DI-514 2.4ghz router.
Seems to be working fine!
(Hey Sarkast, thanks for the tip $20.00)
I have some basic questions most to do w/ security....
I used the WEP option & have around a 20 digit encryption code in place.
How safe is this?
Does the threat go in both directions?
There is little or nothing that I'm concerned with on the computer going wireless.
The computer hard-wired to the router I would like to keep safe!
Is the greatest concern just that somebody in the area could jump on-line using my router & DSL?
Are there any additional measures I can take to make this safer?

Another thing.
What is the best way to avoid conflict between the router and my phones?
There was a little buzz/clicking on the default ch 6 but it seems to have gone away when I changed to a new ch?

Thanks in advance !

fmg


----------



## shuuhen (Sep 4, 2004)

WEP is a good start. It sounds like you are using 128 bit encryption (about 13 pairs or 26 digits). If all wireless devices on the network support it, you may consider switching to WPA encryption. I haven't used WPA yet (need to compile stuff for Linux), but I've read it's better than WEP (WEP still is good though).

I recommend you add MAC address filtering. The manual for your router should include instructions. You can find the MAC address for your network interface by going to Start Menu->Run type cmd, press return. Now that there is a command prompt, type

```
ifconfig /all
```
You should see MAC address, hardware address, hw address or something similar somewhere in the output. If your device can be removed easily, like PCMCIA/Cardbus cards, you can usually find the hardware address printed somewhere on the physical device.

As far as security on your hardwired computer, if someone gets access to your wireless network, they should be able to interact with any of your computers (hardwired or wireless). The MAC address filtering with either WEP or WPA encryption should be fine for security.

Conflict between wireless devices is solved in exactly the manner you used; changing the channel.


----------



## pdxireland (Nov 11, 2004)

*thanks for the info but...*

when I....

> You can find the MAC address for your network interface by going to Start Menu->Run type cmd, press return. Now that there is a command prompt, type `ifconfig /all`

I got this....

" 'ifconfig' is not recognized as an internal or external command, operable program or batch file."

& what is the Clone Mac Address all about in the set-up?
Does this option "auto-configure" what you are talking about?

Thanks for all the help...

fmg


----------



## shuuhen (Sep 4, 2004)

Looks like I was thinking of the Linux command for the same purpose. Instead of ifconfig it should be

```
ipconfig /all
```
Sorry 'bout the command mixup.

Cloning the MAC address is used when you need to use a specific address from a previous device. Usually you shouldn't need it.

I don't know how your router works, but the one I have will auto detect some MAC addresses when you turn the feature on. To see if your router does this, you could save the router's settings in case you have to reset it, then connect both of your computers and turn on MAC address filtering.


----------



## Chevy (Jul 25, 2003)

I think that one aspect that gets overlooked is the actual risk involved. WEP encryption at 128-bits is pretty tight. You have to ask yourself "Is someone going to start a blanket capture of all transmissions on my network?" and "Even if they do, how much time will they invest in breaking the cypher?".

WEP encryption, SSID suppression (turn off the broadcast), and MAC filtering make for a relatively tight wireless network. As always, take precautions - but the guide says "Don't Panic!"


----------



## pdxireland (Nov 11, 2004)

*If I could only get my*

head around and understand the MAC filtering thing.
Am I understanding this....
I should be able to list the acceptable MAC ID's that can use my router?
In my case two....
The MAC ID of my main wired computer & MAC ID of the wireless card in my other computer?
And then all other would be blocked....
I probably have this wrong?
Also....can you please explain SSID suppression?
thanks,

fmg


----------



## Chevy (Jul 25, 2003)

I believe the MAC filtering applies to the wireless sides only.

SSID - the wireless network name - by default the router broadcasts its availability; this is how your pc finds it. By turning off this broadcast feature, you must know the id in order to connect to it. Also, change the SSID from the default to something harder to guess.


----------



## johnwill (Sep 26, 2002)

Actually, other than encryption, most of these methods of securing a wireless network are a waste of time, and only complicate the already complex issue of reliable WiFi communications. Let's examine each one.

MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person's name tag and compares it to his list of names and determines whether to open the door or not. Do you see a problem here? All someone needs to do is watch an authorized person go in and forge a name tag with that person’s name. The comparison to a wireless LAN here is that the name tag is the MAC address. The MAC address is just a 12 digit long HEX number that can be viewed in clear text with a sniffer. A sniffer to a hacker is like a hammer to a carpenter except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut-paste a legitimate MAC address into the wireless Ethernet adapter settings and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement these things. The bottom line is, MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

SSID hiding: There is no such thing as "SSID hiding". You're only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are; probe requests, probe responses, association requests, and re-association requests. Essentially, you're talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all you've achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP. Hidden SSIDs also make wireless LANs less user friendly. You don't need to take my word for it. Just ask Robert Moskowitz who is the Senior Technical Director of ICSA Labs in his white paper Debunking the myth of SSID hiding.

Disable DHCP: This is much more of a waste of time than it is a security break. DHCP allows the automatic assignment of IP addresses and other configurations. Disabling DHCP has zero security value and just wastes time. It would take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address. Anyone who tells you that this is a way to secure your wireless LAN doesn’t know what they’re talking about.


----------
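An added illustration of the MAC-filtering and SSID-hiding points in the post above (not code from the thread or from any poster): a minimal parser for 802.11 management frames, run over three constructed frames, showing that the transmitter MAC and the SSID sit in the unencrypted header and tagged elements even when the beacon's SSID is blanked. The addresses, the `homenet` name and all helper names are made up for the example.

```python
import struct

# Bytes of fixed fields before the tagged elements, per management subtype.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req",
         5: "probe-resp", 8: "beacon"}
HDR = "<BxH6s6s6sH"  # frame control, duration, addr1, addr2, addr3, seq ctrl

def parse_mgmt(frame):
    """Return (subtype name, transmitter MAC, SSID or None)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc, _dur, _da, sa, _bssid, _seq = struct.unpack(HDR, frame[:24])
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        raise ValueError("not an SSID-bearing management frame")
    pos, ssid = 24 + FIXED_LEN[subtype], None
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + elen]
        if len(data) < elen:
            raise ValueError("truncated information element")
        if eid == 0:  # SSID element
            # A "hidden" AP sends an empty or zero-filled SSID in beacons.
            if any(data):
                ssid = data.decode("utf-8", "replace")
            break
        pos += 2 + elen
    # Address 2 (transmitter) is in the header, which is never encrypted.
    return NAMES[subtype], sa.hex(":"), ssid

# --- constructed sample data (locally administered MACs, not a capture) ---
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("0200000000aa")

def build(subtype, sa, ssid):
    """Build a sample frame; destination is simplified to broadcast."""
    hdr = struct.pack(HDR, subtype << 4, 0, b"\xff" * 6, sa, AP, 0)
    elems = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID, rates
    return hdr + bytes(FIXED_LEN[subtype]) + elems

SAMPLE = [build(8, AP, b"\x00" * 7),      # beacon with the SSID blanked
          build(5, AP, b"homenet"),       # probe response
          build(0, CLIENT, b"homenet")]   # association request

def cleartext_view(frames):
    return [parse_mgmt(f) for f in frames]
```

Only the beacon comes back without a name; the other two frames carry the SSID and an allow-listed client address in the clear, which is why the later replies in the thread point to WPA or WPA2 as the actual control.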



## sinclair_tm (Mar 11, 2005)

hold on there, i have always been told that a MAC address is a unique id of a network interface, like a fingerprint, and that it was hard wired in. besides, if someone really is going to take the time to hack the mac and the wep, there is no stopping them anyway. even if mac address is changeable, i think that wep and mac filtering is not a waste of time, but a great efficient way of keeping freeloaders and wannabe hackers out. both take no time to set up, and once they are, they don't need changing for the life of the router.


----------



## johnwill (Sep 26, 2002)

Well, you're free to believe what you like. In point of fact, while the theory is that every piece of Ethernet equipment has a unique MAC address, the reality is that just doesn't happen. For instance, every Hawker Horizon biz-jet that's flying around has a bunch of Ethernet devices within it, because I was part of the development team. Every airplane has the same set of MAC addresses for those devices. You can change the MAC address of most routers to anything you like, and many NICs have a similar capability. Finally, there are multiple simple hacks to alter the MAC address presented to the outside world from Windows (and Linux, etc.) so that anyone can have any MAC address they like.

WEP takes some time to hack, the MAC address takes minutes.


----------



## be23skido (Aug 7, 2008)

So how do you suggest securing a wireless network?


----------



## johnwill (Sep 26, 2002)

WPA or WPA2 encryption.

A good read: *The Six Dumbest Ways to Secure A Wireless LAN*


----------

