StarDestroyer.Net BBS

I'm staying at my parents' house for the summer, and it's a good chance to switch the network to wireless. My mother has been complaining about the cables crisscrossing the house forever, and I promised her I'd fix it. There are three computers in the network, all connected to a single ADSL router. All of them are in different rooms, in three different corners of the house.

Now, security is my main concern with a wireless LAN. It's ridiculously easy to connect to an unsecured network, even if you don't have mad computer skillz. Heck, I've done it myself. I know the basics about security, like changing the router's password, using static IP addresses instead of DHCP and getting devices that support the 802.11i protocol. But what else could I do to secure the network? Are there specific router and network adapters I should prefer?? And is there anything else I should know?

Narkis wrote:I'm staying at my parents' house for the summer, and it's a good chance to switch the network to wireless. My mother has been complaining about the cables crisscrossing the house forever, and I promised her I'd fix it. There are three computers in the network, all connected to a single ADSL router. All of them are in different rooms, in three different corners of the house.

Now, security is my main concern with a wireless LAN. It's ridiculously easy to connect to an unsecured network, even if you don't have mad computer skillz. Heck, I've done it myself. I know the basics about security, like changing the router's password, using static IP addresses instead of DHCP and getting devices that support the 802.11i protocol. But what else could I do to secure the network? Are there specific router and network adapters I should prefer?? And is there anything else I should know?

I don't have any specific gear recommendations, but if the house is fairly large you might have connectivity problems, especially if the home has more than 2 levels and the router is in the basement.

Other than that, as Destructionator said, use WPA2 with a long passphrase and you should be fine.

Alright, I'll make sure I'll get something that uses WPA2. I was already intending to use a random digit password, so that's no problem. My old professor had stressed that static IPs were important, but that's one less thing to worry about. And the house isn't that large, just roughly 120 sq. meter on a single floor. Their cordless phone has no trouble picking up the signal even on the terrace. The network shouldn't have problems, right? Oh, and I've seen some USB network adapters instead of the proper PCI. Are they worse than their internal counterparts, or can I safely get those instead? They should make installation that much easier. Assuming I find some that meet the other requirements, of course.

Under the right circumstances, its also possible to use the power lines to set up a (non-wireless, obviously) LAN.
Whether or not and how good this works is dependable on how modern your power lines are, but it definatley is a good alternative if a house is either too big or is otherwise blocking WLAN.

Narkis wrote:My old professor had stressed that static IPs were important, but that's one less thing to worry about.

Static IPs add zero meaningful security. It's trivial for an attacker to sniff the traffic and determine the subnet range, and if necessary impersonate an existing host. Restricting access to a fixed set of devices (MAC addresses) is slightly better, but won't stop a determined attacker. Similarly, you can set your network to not broadcast its SSID, which will prevent untrained people from randomly trying (and failing) to connect, but is not a meaningful security measure against determined attackers. Really WPA2 with a strong passphrase is all you need and the only genuinely effective security measure anyway.

Oh, and I've seen some USB network adapters instead of the proper PCI. Are they worse than their internal counterparts, or can I safely get those instead?

Generally, there is no functional difference between the USB and PCI ones.

Destructionator XIII wrote:Just make sure you are using WPA2 with a good passkey (not a dictionary word) and you should be OK.

That sets the bar high enough to keep casual snoopers out, which are by far the most likely threat.

Static IP addresses are pretty worthless security wise; the encryption is the important thing.

Indeed, this would be my advise as well. Also set the SSID for non-broadcast. It is harder to connect to a wireless LAN when you don't have its name (it's not impossible, just a little harder).

Now, on non-security related issues...

Check the wireless phones that you might have on the house. If they work on a 2.4Ghz replace them for either 900Mhz or 5.8Ghz. Most wireless routers work on a 2.4Ghz frequency, so any time you want to make a call your wireless LAN will die and will not come back up until you turn off the phone (completely dead, not just poor signal quality). Another option would be to buy a wireless router wich doesn't work on a 2.4Ghz frequency, but they are not as common or cheap as the 2.4 ones.

Microwave ovens might affect your signal as well, so you might wan to keep the router away from them. Thick walls will affect your signal strenght also. So you might want to put your router on a centered location of the house (to get the best coverage) away from microwave ovens and thick brick walls.

ANGELUS wrote:Check the wireless phones that you might have on the house. If they work on a 2.4Ghz replace them for either 900Mhz or 5.8Ghz. Most wireless routers work on a 2.4Ghz frequency, so any time you want to make a call your wireless LAN will die and will not come back up until you turn off the phone (completely dead, not just poor signal quality).

In every case where this has happened to me or someone I know, the problem was solvable by changing the access point's channel selection from 'auto' to a specific channel, then changing the channel until the interference stops. Phones only use one channel in the 2.4 Ghz band.

Microwave ovens might affect your signal as well, so you might wan to keep the router away from them. Thick walls will affect your signal strenght also. So you might want to put your router on a centered location of the house (to get the best coverage) away from microwave ovens and thick brick walls.

My parents had a bizarre wireless dead spot that turned out to be due to a large mirror placed on the opposite side of the wall from the router - the conductive metallic layer in the mirror was reflecting the signal.

Oberst Tharnow wrote:Under the right circumstances, its also possible to use the power lines to set up a (non-wireless, obviously) LAN.
Whether or not and how good this works is dependable on how modern your power lines are, but it definatley is a good alternative if a house is either too big or is otherwise blocking WLAN.

Using the power lines for a LAN appeals to my inner child, but I don't think I should experiment now. It'll definitely be something to consider if more PCs are added to my house sometime.

Starglider wrote:Static IPs add zero meaningful security. It's trivial for an attacker to sniff the traffic and determine the subnet range, and if necessary impersonate an existing host. Restricting access to a fixed set of devices (MAC addresses) is slightly better, but won't stop a determined attacker. Similarly, you can set your network to not broadcast its SSID, which will prevent untrained people from randomly trying (and failing) to connect, but is not a meaningful security measure against determined attackers. Really WPA2 with a strong passphrase is all you need and the only genuinely effective security measure anyway.

I thought it was difficult for any but the best attackers to do that. Guess I was wrong, but this is exactly why I posted here. Thanks.

ANGELUS wrote: Check the wireless phones that you might have on the house. If they work on a 2.4Ghz replace them for either 900Mhz or 5.8Ghz. Most wireless routers work on a 2.4Ghz frequency, so any time you want to make a call your wireless LAN will die and will not come back up until you turn off the phone (completely dead, not just poor signal quality). Another option would be to buy a wireless router wich doesn't work on a 2.4Ghz frequency, but they are not as common or cheap as the 2.4 ones.

Microwave ovens might affect your signal as well, so you might wan to keep the router away from them. Thick walls will affect your signal strenght also. So you might want to put your router on a centered location of the house (to get the best coverage) away from microwave ovens and thick brick walls.

I'll probably have problems with the wireless phone, it does use 2.4Ghz. I'll use Starglider's solution first before getting a new one though. And the kitchen is right in the middle of the house, so I just hope the microwave oven won't cause much trouble. I can't do anything about it anyway.

I'll be going shopping later, and barring any unforeseen difficulties (a mirror?!) should have the network ready by the end of the day. Just one more thing: I haven't found a single store in my town that carries 802.11i routers. Should I order one online, and wait for a week to be delivered, or can I get by with an 802.11n or g? Is there even a meaningful difference, or was I wrong about that as well?

I'll be going shopping later, and barring any unforeseen difficulties (a mirror?!) should have the network ready by the end of the day. Just one more thing: I haven't found a single store in my town that carries 802.11i routers. Should I order one online, and wait for a week to be delivered, or can I get by with an 802.11n or g? Is there even a meaningful difference, or was I wrong about that as well?

There's really no difference. I would recommend sticking with 802.11g -- Everything works with it, and last I heard, 'n' hadn't been approved by IEEE. I've never head of 'i'.

Well, my parents decided to spend the money on vacations after all. Can't say I blame them. Anyway, thanks for the help everyone. I should have no problem now if my mother asks again on Christmas.

Narkis wrote:

Starglider wrote:Static IPs add zero meaningful security. It's trivial for an attacker to sniff the traffic and determine the subnet range, and if necessary impersonate an existing host.

I thought it was difficult for any but the best attackers to do that.

Determining and spoofing IP settings is much easier than cracking encryption; all the information you need is plainly available in the packet headers. Anyone with the tools and motivation to crack a WEP network will not be stopped by the lack of DHCP. The only thing disabling DHCP will do is prevent random unskilled non-malicious people from connecting to an unencrypted network - but there are much better ways to achieve that.

Just one more thing: I haven't found a single store in my town that carries 802.11i routers. Should I order one online, and wait for a week to be delivered, or can I get by with an 802.11n or g? Is there even a meaningful difference, or was I wrong about that as well?

802.11n includes the entire feature set of 802.11i. In fact most (by no means all) new access points labeled as '802.11g' are 802.11-2007 devices, a spec which includes i and all the other pre-n amendments, but the former term has name recognition and the later does not.