Ain't WiFi great?
#18010 08/22/03 01:59 AM
Joined: Apr 2003
Posts: 16,441
pmbuko Offline OP
shareholder in the making
wireless internet -- $150
laptop computer -- $$$
Bela Fleck and the Flecktones CD -- $15
Axiom M22ti speakers -- $400
SVS PB1-ISD subwoofer -- $599
Browsing the Axiom Forum while sitting in the sweet spot and listening to the Flecktones REALLY LOUD -- Priceless

Re: Ain't WiFi great?
#18011 08/22/03 02:45 AM
Joined: Sep 2002
Posts: 1,488
connoisseur
huh.

Re: Ain't WiFi great?
#18012 08/22/03 02:47 AM
Joined: Feb 2003
Posts: 1,490
connoisseur
Doing the same right now!

...Sitting in the beloved listening couch, listening to Stravinsky's Firebird Suite (Bernstein/Israel Philharmonic), browsing the forum via WiFi, and (supposedly) writing up a paper.

Re: Ain't WiFi great?
#18013 08/22/03 03:26 AM
Joined: Jan 2003
Posts: 162
veteran
WiFi users, remember to set SID to not broadcast and configure a 128bit WEP key for security's sake. If you need help, let me know.

Re: Ain't WiFi great?
#18014 08/22/03 04:16 AM
Joined: Jul 2003
Posts: 290
T
local
DanTana:

It's pretty funny you say that. Since I moved into my new apartment, I have gone to visit two ppl in my vicinity because I was close enough to get on their network. They give you a weird look when you say "your network is vulnerable...I'm here to help!"



Re: Ain't WiFi great?
#18015 08/22/03 04:47 AM
Joined: Apr 2003
Posts: 16,441
pmbuko Offline OP
shareholder in the making
Did I mention I work in the IT field?

I doubt anyone will be war-driving my neighborhood, but even so, I've locked it down well:

- 128-bit WEP is enabled
- SSID broadcasting is disabled
- MAC access list is enabled



Re: Ain't WiFi great?
#18016 08/22/03 06:28 AM
Joined: May 2003
Posts: 18,044
shareholder in the making
Yeah, I'll say that Peter's is the tightest wireless network I've encountered. It's really a pain! ;-)


I am the Doctor, and THIS... is my SPOON!
Re: Ain't WiFi great?
#18017 08/22/03 07:31 AM
Joined: Feb 2003
Posts: 1,490
connoisseur
Well, I've done what Peter did except for the WEP. Is it too weak?

Re: Ain't WiFi great?
#18018 08/22/03 08:08 AM
Joined: Jul 2003
Posts: 125
ZeN Offline
veteran
To think it's only going to get better, and *explode* even more when the PSP (PlayStation Portable) comes out... The thing comes with built-in 802.11x support for wireless multiplayer head-to-head gaming, as well as web opportunities at any hot spot.

Bringing WiFi right to the mass market. SONY plans to sell 10 Million of these buggers in their first year.

Woohoo - a good time to be making games

Re: Ain't WiFi great?
#18019 08/22/03 01:18 PM
Joined: Apr 2003
Posts: 39
F
enthusiast
Stop telling people to lock up their network. I will have to start buying my own internet access......



Re: Ain't WiFi great?
#18020 08/22/03 02:10 PM
Joined: May 2003
Posts: 1,501
connoisseur
Yeah Sushi, WEP is weak, but it is better than nothing.

I am also in the IT field.

Re: Ain't WiFi great?
#18021 08/22/03 05:34 PM
Joined: Jan 2003
Posts: 162
veteran
I'm also in IT and configure all the WiFi for our entire network. I got handed the WiFi stuff when a user next door called and told us the names of our servers he could see. Anyway, 128bit WEP is strong enough to keep 99% of the people out. The other 1% probably won't bother unless you're a multi-millionaire or something. It does create a little overhead adding the encryption to the packets, but worth it unless you want someone sucking up your bandwidth. I got a neat tool at work, a Fluke Wireless Tester; amazing how many access points are out there.

Re: Ain't WiFi great?
#18022 08/22/03 05:41 PM
Joined: May 2003
Posts: 1,501
connoisseur
To break 128bit WEP, it takes about 4gigs of data. So depending on how heavily WiFi is used in your area, it actually is pretty easy. Someone just has to sit somewhere they can get a signal, capture data, leave, run a utility, come back and be on your net.

I sent one of my guys to security school, and WEP was covered. They actually sent the students war-driving.

New technologies are on the way or here that will help.

curtis

Re: Ain't WiFi great?
#18023 08/22/03 05:48 PM
Joined: Feb 2003
Posts: 1,490
connoisseur
I am no IT expert, so here is my question...

I didn't think my neighbors and street onlookers can easily break in to my home-WiFi, because I have the MAC access restriction enabled, so that only my laptop and my wife's can physically access the network. Is it easy to break/override the MAC list without first breaking into our house or stealing one of our laptops?

And yes, the 128-bit WEP seems to add a small but noticeable overhead. That's why I choose not to enable it at this time. But I am open to your expert suggestions.

Re: Ain't WiFi great?
#18024 08/22/03 05:49 PM
Joined: Apr 2003
Posts: 16,441
pmbuko Offline OP
shareholder in the making
Is there ANY way of preventing someone from capturing those packets? I know my MAC access list will prevent them from actually using my network (unless they guess and spoof an address in that list), but once they break WEP, can they just sit out there and spy on all my traffic?

Re: Ain't WiFi great?
#18025 08/22/03 07:33 PM
Joined: May 2003
Posts: 1,501
connoisseur
Yeah...the MAC thing can be overridden, not easy, but can be done.

And yes...once the WEP is broken, people can easily check out your data.

The question is, do they have reason to? It is much easier for them to sit outside and listen to your conversations.

You have to remember that network security is not an absolute. You cannot make any network 100% secure; there is always a way around the security. It is a matter of how difficult it is, and if it is worth it for someone to break in.

Sushi, you may have important research on your machines that you do not want someone else to see. I would encrypt the data on those machines. And depending on how far you want to go, I would use a hard wire connection as often as I could, and turn off my wireless access point when not in use. Just a matter of how extreme you want to get.

How many of you use passwords that are random characters and symbols rather than words or names?

curtis

Re: Ain't WiFi great?
#18026 08/22/03 07:53 PM
Joined: Apr 2003
Posts: 16,441
pmbuko Offline OP
shareholder in the making
In reply to:

How many of you use passwords that are random characters and symbols rather than words or names?




That sounds suspiciously like social engineering to me. You're not holding a clipboard, are you?

Re: Ain't WiFi great?
#18027 08/22/03 08:43 PM
Joined: Jan 2003
Posts: 162
veteran
First you have to have a packet capturing program, and second you need to be able to extract the header with the key in it and piece it together. I'm sure there are programs that can probably do that for you, but the average person won't go through that much trouble, and if you have a router with wireless access point, you can look at the DHCP table, see who is on your system, delete it, then change the key.

Re: Ain't WiFi great?
#18028 08/22/03 08:43 PM
Joined: May 2003
Posts: 1,501
connoisseur
In reply to:

That sounds suspiciously like social engineering to me. You're not holding a clipboard, are you?




I hired a company to do that and check our security.

Re: Ain't WiFi great?
#18029 08/22/03 09:44 PM
Joined: Sep 2002
Posts: 737
aficionado
In reply to:

How many of you use passwords that are random characters and symbols rather than words or names?




/me raises hand.

Re: Ain't WiFi great?
#18030 08/22/03 11:58 PM
Joined: Apr 2003
Posts: 16,441
pmbuko Offline OP
shareholder in the making
As long as we're on this wifi security subject, here's another tip for everyone.

For god's sake, don't plug your wi-fi access point into a hub! I recommend using only switches in most cases, but especially this one. You don't want your wired traffic being broadcast into the airwaves as well.



Re: Ain't WiFi great?
#18031 08/23/03 02:30 AM
Joined: May 2003
Posts: 18,044
shareholder in the making
A brief note: even with a switch, there is broadcast traffic. It's best to use a WiFi on a DMZ port. In much smaller (most?) installations, use the WiFi router as the router for the network where possible.


I am the Doctor, and THIS... is my SPOON!
Re: Ain't WiFi great?
#18032 08/26/03 01:42 PM
Joined: Jan 2003
Posts: 162
veteran
One objection to using it on a DMZ is that it then becomes more visible to the outside world. A few good reasons to use a DMZ are for web or e-mail servers, or possibly a VPN. If you keep the wireless behind or within your router, I think that is the best choice. If you use NAT (Network Address Translation) then it is even more difficult to get into your network. One idea we were thinking of here is using a server to authenticate wireless accounts to allow access to the trusted network, separating them by using VLAN security, which the Cisco APs support with firmware 12.00 and up.

Re: Ain't WiFi great?
#18033 08/26/03 04:05 PM
Joined: May 2003
Posts: 18,044
shareholder in the making
Hmm. One of our network guys is recommending it for the client I'm at right now (waiting for someone to show). I wonder what his response to that would be. He had a good reason when he explained it to me... Why would it be more visible to the outside world? The DMZ is just another port on the firewall. I don't see a way to hook up the wireless to anything without a switch or hub without putting it on a separate network, such as the DMZ. NAT is not really security, it is just obfuscation. However, the last line of yours sounds pretty good to me.


I am the Doctor, and THIS... is my SPOON!
Re: Ain't WiFi great?
#18034 08/26/03 05:32 PM
Joined: Jan 2003
Posts: 162
veteran
The DMZ is another port on the firewall but specifically to make for easier access from outside of it. Hence web servers and e-mail server access. Doesn't make sense to put an access point on it, unless you can filter ports going in both ways to your trusted and outside networks. But then you'd have to be using something like Cisco PIX or Nokia firewalls. But putting such a device there can make the temptation of getting into it that much greater, and potentially easier to hack from the outside without having to know the SID or WEP keys. Simply telnet into it and change the keys from outside the network unless your firewall blocks port 23. All our webservers, VPNs and e-mail servers reside in the DMZ here. But we use Nokia firewalls to block traffic both ways in/out of it.

Re: Ain't WiFi great?
#18035 08/26/03 10:12 PM
Joined: May 2003
Posts: 18,044
shareholder in the making
We're working with SonicWalls. I'll have to check with my guys about whether this is reasonable. I'm still learning the network stuff!


I am the Doctor, and THIS... is my SPOON!
Re: Ain't WiFi great?
#18036 08/26/03 10:52 PM
Joined: Mar 2003
Posts: 1,859
connoisseur
SonicWalls seem to work pretty well...until they start dying on you.

Re: Ain't WiFi great?
#18037 08/26/03 11:25 PM
Joined: May 2003
Posts: 18,044
shareholder in the making
Had one die on me a few weeks ago. It was a 100. They replaced it after we reinstated the warranty with a 320. Not too shabby...


I am the Doctor, and THIS... is my SPOON!
Re: Ain't WiFi great?
#18038 08/27/03 02:52 AM
Joined: Mar 2003
Posts: 1,859
connoisseur
Yeah, I work for a consulting company and we were installing them for clients for a while, but too many seemed to die after a year or two. Low end firewall installs are PIX now. Raptor for the better ones.

Need help...please speak slowly
#18039 09/03/03 06:19 PM
Joined: Jun 2003
Posts: 8,488
T
axiomite
Dear friends,

We recently moved to a new house (good). Qwest is still our dsl/phone provider (must...control...fist...of...death...). Where we want to put the computer, there is no phone jack (annoying). So, I'm thinking of taking the wi-fi plunge in anticipation of also getting a wireless laptop in the not-too-distant future.

So, can anybody help me with specific SoHo wireless router or access point model advice? I have a Cisco dsl modem and a Netgear firewall/router now. The plan is to put the modem and wireless thingy in an upstairs bedroom and add a wireless PCI card to the main PC in the living room and possibly to the one in the kids room.

Keep in mind that the more I spend on networking, the less I have to spend on home theatre. Maybe I should just run cat5 everywhere anyway...

I only aspire to your geekdom, so be gentle. TIA for sharing your wisdom and guidance.


bibere usque ad hilaritatem
Re: Need help...please speak slowly
#18040 09/03/03 07:40 PM
Joined: Jul 2003
Posts: 290
T
local
Just my personal opinion, but I would never buy a linksys wireless access point/router again.

Whenever we used our old cordless phone, it lost connection to the network. So we got a new cordless phone. About a month later, it started again. Changing the channel on the phone did not help. These were not your cheap $20 phones, but pretty nice cordless phones.

Just my 2 cents worth here. Check out the forums at www.fatwallet (dot) com (not sure if they kill links here or not). They post good deals on wireless routers all the time. I think there is a great deal on a D-Link now.

Re: Need help...please speak slowly
#18041 09/03/03 08:54 PM
Joined: Apr 2003
Posts: 16,441
pmbuko Offline OP
shareholder in the making
That's why I'm sticking with my 900 MHz cordless phones. No chance of interference.

I've had good luck with the D-link brand in general. They have a very large range of wireless offerings, too.

Re: Need help...please speak slowly
#18042 09/03/03 11:09 PM
Joined: Feb 2003
Posts: 1,490
connoisseur
I use the D-Link at home, too. So far, no problems whatsoever for over 2 years.

I have another question for you guys IT gurus. This has nothing directly to do with Wi-Fi, but rather a question about home-network NAT routers in general. I think, with Port 113 (auth/ident) on the router set to "stealth," you can read but cannot post to many forum message boards (e.g. AVSforum). I currently set Port 113 to "closed" on my router, which has resolved all previous problems.

Am I doing something dumb or dangerous?

Re: Need help...please speak slowly
#18043 09/03/03 11:46 PM
Joined: Sep 2002
Posts: 97
old hand
Naw - what you did was fine.

Not many services really use ident anymore... and having port 113 set to "stealth" means that when someone tries to talk to you over that port, it gets no response. So whatever is trying to talk to port 113 will usually just keep waiting for a response... most will timeout, but it may be a while.

Setting it to "closed" makes your firewall say right away "rejected" and whatever was trying to connect will usually just go on with its business, since it actually did get a response.

Hope that helped.

Re: Need help...please speak slowly
#18044 09/03/03 11:53 PM
Joined: Apr 2003
Posts: 16,441
pmbuko Offline OP
shareholder in the making
Not dumb or dangerous, in my opinion, unless you were running in full stealth mode to begin with.

Stealth really only works if ALL your ports are operating in that mode. If you're running in full stealth mode your network is invisible to all pings and port probes and it will appear to a hacker that there is nothing there. If you have a bunch of stealth ports and a single "closed" port, a port probe directed at you will reveal that there's something alive there, potentially blowing the cover off all the stealth ports.
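
The difference between a "stealth" and a "closed" port described in the replies above, as an added example that is not part of the original thread: a small self-audit that probes ports on a router you administer and reports which ones answer. All function names are hypothetical, and the results in the `__main__` section are constructed to match the two setups discussed (full stealth, and port 113 set to closed).

```python
import socket

OPEN, CLOSED, STEALTH = "open", "closed", "stealth"


def classify(error):
    """Translate the outcome of one TCP connect attempt into a port state."""
    if error is None:
        return OPEN       # handshake completed: a service is listening
    if isinstance(error, ConnectionRefusedError):
        return CLOSED     # a reset came straight back: "rejected" right away
    if isinstance(error, (socket.timeout, TimeoutError)):
        return STEALTH    # no reply at all: the caller waited until it gave up
    return "error:" + type(error).__name__  # e.g. no route to the host


def probe(host, port, timeout=2.0):
    """Try one TCP connection to host:port and classify what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


def audit(host, ports, timeout=2.0):
    """Probe each port of a router you administer; return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def answering_ports(results):
    """Ports that sent any reply (open or closed) and so show a host is there."""
    return sorted(p for p, state in results.items() if state in (OPEN, CLOSED))


def fully_stealth(results):
    """True only when every probed port stayed silent."""
    return bool(results) and all(s == STEALTH for s in results.values())


if __name__ == "__main__":
    # Constructed results for the two setups discussed in the thread.
    all_stealth = {21: STEALTH, 23: STEALTH, 80: STEALTH, 113: STEALTH}
    ident_closed = {**all_stealth, 113: CLOSED}
    for name, results in (("full stealth", all_stealth),
                          ("113 closed", ident_closed)):
        print(name, "| fully stealth:", fully_stealth(results),
              "| answering ports:", answering_ports(results))
```

Run `audit()` from outside the router's WAN side to see what the internet sees; a probe from inside the LAN usually shows a different picture.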

Re: Need help...please speak slowly
#18045 09/04/03 08:17 PM
Joined: Jan 2003
Posts: 162
veteran
I suggest getting a Linksys wireless access point/router. Having one myself I find it very configurable. I use Cisco access points at work but the multitude of options are unnecessary for home use. The Linksys does what you need it to and at a reasonable price. Try to go with the "G" standard; it allows higher throughputs and is downward compatible to "B" devices. Just be careful of wireless phones or microwave ovens nearby as they will interfere with the 2.4 GHz wavelength they use. Just use common sense when configuring it to not broadcast SSID is the #1 mistake I've seen. Adding 128bit WEP is a very good safeguard. You should be able to get good flexibility with one of these access points as they also contain a 4 port switch if you wish to go CAT5/6 later.

Re: Ain't WiFi great?
#18046 09/04/03 08:52 PM
Joined: May 2003
Posts: 18,044
shareholder in the making
It turns out that he wanted to have the wireless users VPN in through the DMZ port to which all the wireless routers would be attached. Now it all makes more sense...


I am the Doctor, and THIS... is my SPOON!
Re: Need help...please speak slowly
#18047 09/04/03 10:42 PM
Joined: Feb 2003
Posts: 1,490
connoisseur
In reply to:

Not dumb or dangerous, in my opinion, unless you were running in full stealth mode to begin with.



That's the problem, Peter! I was running in full stealth, which apparently did not allow me to post on many forums. I could, of course, read everything with no problem; but posting always hung and timed-out. I don't exactly remember whether the Axiom message boards were one of the problematic ones, but I am positive that I couldn't post to the AVSforum.

Could somebody positively confirm that you can post to the AVSforum with a full-stealth setup?

Re: Ain't WiFi great?
#18048 09/05/03 08:30 PM
Joined: Jan 2003
Posts: 162
veteran
My boss and I were contemplating having the wireless users attach to wireless, but then those accounts would have to be authenticated to an NT box with a domain account. The NT box would then be routed to the appropriate network. The DMZ port idea doesn't sound all that bad, but I would still be leery putting an access point on a DMZ. It might be entered via telnet much easier from outside than it would behind the DMZ. Or even DoS'd from outside the DMZ, depending on the firewall and ruleset used.

Re: Need help...please speak slowly
#18049 09/05/03 08:33 PM
Joined: Jan 2003
Posts: 162
veteran
Sushi, some forums require a type of reverse lookup, (not like DNS lookup), which means the IP has to be verified. Stealth mode usually blocks ICMP which is what ping uses. It's easy to test and turn off. Also, blocking the Netbios ports is generally recommended as well.

Re: Need help...please speak slowly
#18050 09/05/03 09:22 PM
Joined: Apr 2003
Posts: 16,441
pmbuko Offline OP
shareholder in the making
Not to mention the infamous RPC ports. $@%T#@ Microsoft....

Re: Ain't WiFi great?
#18051 09/05/03 11:47 PM
Joined: May 2003
Posts: 18,044
shareholder in the making
Hmm. Good point. Wireless security is a bitch!


I am the Doctor, and THIS... is my SPOON!
Re: Ain't WiFi great?
#18052 09/29/03 05:48 AM
Joined: Apr 2003
Posts: 16,441
pmbuko Offline OP
shareholder in the making
For those of you who have wireless internet but feel it's a little slower than when you use a wired connection, a brand-new product has been developed to speed things up for you.

Check it out!

(I believe this product can also do wonders for the sound of your system! If it works this well on radio waves, it must improve sound waves, too!)

Re: Ain't WiFi great?
#18053 09/29/03 06:08 AM
Joined: May 2002
Posts: 10,654
shareholder in the making
Hilarious, Peter; the math almost had me convinced. Also loved the click to order.

Last edited by JohnK; 09/29/03 06:15 AM.

-----------------------------------

Enjoy the music, not the equipment.

