Fun without wires

Archive for the ‘airsnort’ tag

Security Preference?

without comments

Here’s a question for anyone out there who’s ‘wireless-security-minded’. If you have to choose between the 2, are you better off having WEP enabled on an access point, or only allowing trusted stations to connect (via MAC-address restrictions)? Obviously it’s better to have both, but if you can only have one, which one is more secure?

I was thinking that if you couldn’t get WEP to work for whatever reason, then it might be ok to just configure your WAP to only accept connections from certain MAC addresses. This would mean that the data wasn’t encrypted in transmission, but wouldn’t it also mean that people couldn’t snoop your traffic, because they couldn’t connect in the first place? Or am I missing something?

The down-side is that if (somehow), an outsider knew the MAC address of your machine/network adaptor, then they could use something like SMAC to spoof it and connect to your WAP.

WEP is supposed to be pretty insecure, and tools like AirSnort can be used to determine the encryption key given enough sample data, so is it really worth the effort? (unless you’re regularly cycling your keys perhaps?)

Any thoughts out there?

Written by Beau Lebens

March 5th, 2004 at 4:00 pm

Posted in Uncategorized

Tagged with , , , ,

Securing My Netgear Network

without comments

On advice from someone who works in the DSD (pretty good advice on this sort of thing I’d say!), I went about securing my network as soon as I had it installed. This is basically all I had to do;

  1. Get connection going normally (unencrypted) between my WAP and my wireless-card-equipped laptop.
  2. Log into the admin interface on my WAP/switch
  3. Under the ‘Maintenance’ section, go to ‘Set Password’ and change the admin password for the administration interface (default is ‘password’ on Netgear devices)
  4. Under ‘Setup’ go to the ‘Wireless Settings’ and configure the WAP with the following details;
    1. Region: Australia (don’t know why this is required, but set it anyway)
    2. SSID: ansible (see previous post about origin of this name)
    3. Click to ‘Configure WEP’
      1. Leave ‘Authentication Type’ on ‘Automatic’
      2. Set ‘Encryption’ to 128-bit
      3. Enter a passphrase (remember it, will need for the PC Card later, and if anyone else is going to access this network)
      4. Click ‘Generate Keys’ and ‘Apply’ when done to save it all to the WAP, this will reboot WAP to initiate settings (losing wireless connection in the process, because I am no longer authorised to connect!)
  5. On the ‘Security’ tab of the config utility for my PC Card (on my laptop) adjust the following settings;
    1. ‘Enable Encryption’ (check this box to turn it on)
    2. Change ‘Key Length’ to ‘104/128 bit’
    3. Under ‘Create with Passphrase’ enter the same passphrase as was used on the WAP
    4. Click ‘Apply’ to save the settings, then go to the ‘Status’ tab and click ‘Re-Scan’ which connects back onto the WAP (using encryption this time)
  6. Now that we are connected using WEP, we are little more secure, but we also want to restrict connections to only certain MAC addresses (the hardware signature of the PC card).
  7. Get the MAC for you wireless card; I got mine by going back to the WAP admin, then selecting ‘Attached Devices’ under ‘Maintenance’.
  8. Again, under the ‘Wireless Settings’ under ‘Setup’ in the WAP admin interface, we now click the ‘Trusted PCs’ button under the ‘Access Point’ section (to specify trusted PCs)
  9. Enter the MAC for your wireless card in the space provided and click ‘Add’ – mine came up with the name of my machine next to the MAC, so I assume it is either encoded in the MAC, or it contacted my machine and asked (?)
  10. Click ‘Back’ when you’re done so we can turn on the security access based on MAC.
  11. Now select ‘Trusted PCs only’ under ‘Allow access by:’ so that only those machines on your trusted list can connect.
  12. Click ‘Apply’ to save these changes and reboot the WAP. You should reconnect successfully once it’s on again, since you are now on the trusted list. If you have another device, try connecting to confirm that it’s secure. I haven’t been able because I don’t have anything else, but I assume it just won’t be able to connect 🙂

More security info to come, including some experiments with things like AirSnort hopefully 🙂

Written by Beau Lebens

October 19th, 2003 at 4:00 pm