Encrypting a wireless network
Moderator: Thanas
-
- Fucking Awesome
- Posts: 13834
- Joined: 2002-07-04 03:21pm
Encrypting a wireless network
So I'm going to be setting up another wireless network in my house...nothing big, just "plug the internet into the wireless router." But I want to encrypt it so that you need a password to tap into it...how do I do this?
The End of Suburbia
"If more cars are inevitable, must there not be roads for them to run on?"
-Robert Moses
"The Wire" is the best show in the history of television. Watch it today.
- Chris OFarrell
- Durandal's Bitch
- Posts: 5724
- Joined: 2002-08-02 07:57pm
Re: Encrypting a wireless network
HemlockGrey wrote: So I'm going to be setting up another wireless network in my house...nothing big, just "plug the internet into the wireless router." But I want to encrypt it so that you need a password to tap into it...how do I do this?
I think you're confusing the word 'secure' with encrypt
You wouldn't want to encrypt a wireless network unless you absolutely had to, you would have rather significant overheads from all the extra data...MAC filtering is the most simple and effective way of keeping the neighbours the heck off your internet account and out of the network.
-
- Fucking Awesome
- Posts: 13834
- Joined: 2002-07-04 03:21pm
Alrighty then...how do I secure it?
The End of Suburbia
"If more cars are inevitable, must there not be roads for them to run on?"
-Robert Moses
"The Wire" is the best show in the history of television. Watch it today.
- InnocentBystander
- The Russian Circus
- Posts: 3466
- Joined: 2004-04-10 06:05am
- Location: Just across the mighty Hudson
It's slightly different, depending on who makes your router, but generally the trick is simply to go into your router's settings, go to the wireless section, or security, basically look around, you'll eventually come across things like MAC Filtering (router only accepts computers that you've registered with the MAC filter; to find your MAC address type ipconfig /all in the command prompt, it's the one called "physical address"). Now if you want anyone to access, but you want it password protected, you'll want to look for something that says "WEP" or "WPA" (WPA requires SP2 I think though).
It's pretty simple, just poke around the router's settings until you run across that stuff.
For more specific help, tell us the type of router you have
My router is a D-Link. I just type in "192.168.0.1" to get to the router's configuration page. Like IB said, it's called WEP or WPA, and you type in a key into your router, then the same key into your laptop. Then nobody can get in unless they know the key.
Also, worth a mention is that if you keep getting random disconnects while using wireless, and you are using Windows XP, it is because you need to disable Windows Zero Point wireless service. If you use Zero Point to connect, then disable it immediately after you connect (it won't kill your connection). This was a very aggravating problem for me, and I went through all kinds of hoops with tech support guys before doing some research and figuring out the problem myself. To disable it, type in services.msc into the "run" bar, and then go down to Wireless Zero Point and disable it when you're connected.
Brian
<edit>Type in +http://192.168.0.1/ into your browser page to see if that works. If not, manual </edit>
- InnocentBystander
- The Russian Circus
- Posts: 3466
- Joined: 2004-04-10 06:05am
- Location: Just across the mighty Hudson
Some routers use 192.168.1.1, but Google, or the manual, will tell you. Additionally, anyone can still get onto your wireless network with a rather simple brute force password finder, which may or may not work (WPA would give you better protection). This security feature is designed to keep out the casual intruder; if someone actually wanted to hack onto your network they could. MAC filtering might provide more security, I'm not sure. However, MAC filtering shouldn't give you any problems like WEP/WPA might (as Brian described). However, don't be afraid, most people aren't going to go out of their way to bust into your network.
I use a software firewall anyway, and lo and behold Zonealarm says there's been 9 attempts at intrusion. Not the same as the hundreds I get on my desktop every day, but I live in an apartment building and am surrounded by wireless networks.
You can actually configure it so that for example only 2 connections or 3 or however many laptops or desktops you have attached to it can connect at a single time.
I'm always paranoid and careful not to download suspicious programs because I'm afraid of keystroke loggers and I do all my banking online.
Brian
MAC filtering, using static IP's, and disabling 'broadcast SSID' are false security, as anyone beyond the dumbest of script kiddies who really wants to hack your WiFi setup can do it if you don't encrypt it.
Even WEP encryption can be cracked, but it beats the shit out of no security.
WPA-PSK encryption is currently the best way to really secure your wireless network.
"You say that it is your custom to burn widows. Very well. We also have a custom: when men burn a woman alive, we tie a rope around their necks and we hang them. Build your funeral pyre; beside it, my carpenters will build a gallows. You may follow your custom. And then we will follow ours."- General Sir Charles Napier
Oderint dum metuant
- Faram
- Bastard Operator from Hell
- Posts: 5271
- Joined: 2002-07-04 07:39am
- Location: Fighting Polarbears
Glocksman wrote: MAC filtering, using static IP's, and disabling 'broadcast SSID' are false security, as anyone beyond the dumbest of script kiddies who really wants to hack your WiFi setup can do it if you don't encrypt it. Even WEP encryption can be cracked, but it beats the shit out of no security. WPA-PSK encryption is currently the best way to really secure your wireless network.
Agreed, WPA-PSK is the best you can aim for at home. WPA-Radius is much better, but no normal home user has that equipment at home.
Here is a good page to generate passkeys for WEP/WPA
http://www.kurtm.net/wpa-pskgen/
This is from my AP, here you set the security options in a DI-624
"Either God wants to abolish evil, and cannot; or he can, but does not want to. ... If he wants to, but cannot, he is impotent. If he can, but does not want to, he is wicked. ... If, as they say, God can abolish evil, and God really wants to do it, why is there evil in the world?" -Epicurus
Fear is the mother of all gods.
Nature does all things spontaneously, by herself, without the meddling of the gods. -Lucretius
Faram wrote: Agreed, WPA-PSK is the best you can aim for at home WPA-Radius is much better but no normal home user has that equipment at home.
Whee- howto for WPA-Radius (FreeRADIUS comes precompiled for Debian): http://homepage.mac.com/andreaswolf/public/wpaeap.html . Then again, you said normal home user, so eh
Too bad I'm missing a wireless router (wired ethernet), plus the effort would be better spent on making my various passwords even more secure for stuff like email, SSH, and the like, which would be more stuff that's more likely to be compromised.
Like others said, MAC filtering alone is really insecure, since someone could run a packet sniffer and discover the MACs in use, and change theirs.
ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost if a missile will also be shot at with missiles. -Sea Skimmer
George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
If you need a hardware recommendation, I heartily recommend the Zyxel Prestige 334W
Robust, reliable, and has a true SPI firewall.
What else could you ask for?
I used to have a DI-624 like Faram's, but it gave me no end of problems dropping wireless and wired connections, no matter which firmware I used.
Maybe I had a bad unit, but D-Link's tech support couldn't have been less helpful in resolving the issue if they'd tried to be useless.
"You say that it is your custom to burn widows. Very well. We also have a custom: when men burn a woman alive, we tie a rope around their necks and we hang them. Build your funeral pyre; beside it, my carpenters will build a gallows. You may follow your custom. And then we will follow ours."- General Sir Charles Napier
Oderint dum metuant
- InnocentBystander
- The Russian Circus
- Posts: 3466
- Joined: 2004-04-10 06:05am
- Location: Just across the mighty Hudson
InnocentBystander wrote: I've heard stories about D-Link's being unreliable, and have first hand experience that AT&T routers are god awful. I've never gone wrong with Linksys, and have heard that Belkin are good as well.
If you look around enough, you can find horror stories about almost any brand out there, including Linksys, Netgear, and Zyxel.
I went with the Zyxel to replace my D-Link because it's one of the few inexpensive routers out there (the Netgear WGR614NA v6 is another) that has a true SPI firewall and you can telnet into it and set it up via command line interface.
That appeals to the geek in me.
EDIT:
Added screencaps of the command line interface via HyperTerminal.
Pic#1
Pic#2
Pic#3
"You say that it is your custom to burn widows. Very well. We also have a custom: when men burn a woman alive, we tie a rope around their necks and we hang them. Build your funeral pyre; beside it, my carpenters will build a gallows. You may follow your custom. And then we will follow ours."- General Sir Charles Napier
Oderint dum metuant
What about the Linksys WRT54G? Are there any other routers which have customizable firmware?
ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost if a missile will also be shot at with missiles. -Sea Skimmer
George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
Pu-239 wrote: What about the Linksys WRT54G? Are there any other routers which have customizable firmware?
To the best of my knowledge, certain Linksys routers are the only consumer level equipment that use a linux based firmware.
My experience with routers is this:
My first router was a Linksys BEFSR41, and I had no problems out of it at all.
Then I moved on to the D-Link DI-624 wireless router, which I wound up using as a wireless AP only (connected to a Zyxel Prestige 334 wired router) because of the WAN connection being dropped at random.
To cut down on the cable and box clutter (D-Link wireless, Zyxel router, Trendnet print server, and cable modem), I bought the wireless version (Prestige 334W) of the Zyxel wired router that I already owned.
And newegg's customer service rocks.
I ordered my router on the 14th.
On the 15th, Zyxel started offering a $25 rebate on the $50 router.
I called newegg and the guy told me that instead of having me send the unit back and they send me another one with a receipt dated during the rebate period, they would simply refund me $25.
Getting a $25 refund from newegg beats the shit out of waiting 4-6 weeks for a rebate check.
"You say that it is your custom to burn widows. Very well. We also have a custom: when men burn a woman alive, we tie a rope around their necks and we hang them. Build your funeral pyre; beside it, my carpenters will build a gallows. You may follow your custom. And then we will follow ours."- General Sir Charles Napier
Oderint dum metuant
- LORDDOOMMASTER
- Redshirt
- Posts: 35
- Joined: 2004-10-23 07:20am
- Location: Pekin, IL, USA
Pu-239 wrote: What about the Linksys WRT54G? Are there any other routers which have customizable firmware?
I have this router, and it works very well. And as Glocksman said, it is one that has the linux-based firmware on it. I've never had a problem getting it configured and it has many features that most people probably won't ever use. They also have the WRT54GS (I'm pretty sure that's the right letter), which stands for Speedstep. It's supposed to give you even faster than 54Mb wireless connections, but the router and wireless cards cost more. They are backwards compatible with regular G, though, so if you get the router you aren't stuck just using the Speedstep-only equipment.
And as others have said, use WPA-PSK when securing your network. Make sure you use a key that is at least 32 random characters long, as well as using special keys and upper/lower case letters, and numbers. Anyone with enough knowledge and time can break into a wireless network (WEP is very easy to break, I can do it in less than 30 minutes with 1 computer, like 10 minutes with 2), but at least WPA will make it difficult and much more time consuming.
One thing I would also like to say is don't bother using the installation software for a Linksys wireless card. I love my router, but I really wish I would have gotten a different wireless G card. The software installation is a pain and it didn't work longer than 2 minutes after I had gotten it to connect to the router. So I had to uninstall everything and then reinstall it manually, then install the software. And it still has an error every time you restart WIN98, but at least it works. Seems other people have had this problem with WIN98/ME, but it works fine on WIN2000/XP. Ah well, it works at least.
Lord DOOM Master