Need advice securing wireless home network
Please could someone clear up some confusion and also offer some advice on securing my wireless home network…
I am an A+, NET+, MCDST, 2x MCP certified IT professional, but I lack wireless and security experience, something I would like to learn and get certified in one day.
I have the following equipment:
D-link Wireless router DI-624
2x DW311U Wireless USB Print servers
1 Win XP home edition PC (Wired)
1 Win XP edition Laptop with Wireless D-link Aircard
2x HP USB 1012 LaserJet printers
When I use WEP 128-bit encryption with Open system selected on the router my 2 print servers work wirelessly, but when I select Shared key with WEP 128-bit encryption they do not work wirelessly (they only print when I plug in a network cable).
I called D-link support and they told me you couldn’t use shared key with WEP 128-bit encryption, is this true?
What is the difference between shared key and open system?
Also I have taken the following security measures:
Enabled MAC filtering on my router for my 2 PC's and 2 print servers only
Disabled SSID broadcasting
Enabled WEP 128 encryption on my router for my 2 PC's and 2 print servers
Changed the DHCP lease time to daily instead of weekly
Installed Norton Firewall on each PC with antiVirus and spyware protection
Only gave access to IP addresses used on my local network for my Router DHCP assignments in Norton Firewall
Enabled Windows Update to run automatically on both PCs (but PCs up to date)
Is this enough to be secure? Are there any other measures I can take to secure my wireless home network from attacks/hackers? Is there a way I can try and hack my own network? And what tools would I use?
Also when setting up my network I found 5 other networks in the area (5 SSIDs displayed).
Comments
lordy Member Posts: 632
I called D-link support and they told me you couldn’t use shared key with WEP 128-bit encryption, is this true?
This is correct. 128-bit WEP isn't any stronger than 40-bit WEP so it's pretty pointless anyway...
Scanning through your precautions list you have done pretty much everything possible to secure your network. As you are running WEP there are two improvement possibilities if your data might be of value to other people:
1.) Upgrade your equipment/firmware to use WPA.
2.) Run IPSec or some other VPN type over the wireless network if possible.
If you are just afraid of "drive-by-hackers" you can feel pretty safe because the goal here is to be a tougher target than your neighbor is and you definitely accomplished that.
Regards,
Lordy
Working on CCNP: [X] SWITCH --- [ ] ROUTE --- [ ] TSHOOT
Goal for 2014: RHCA
Goal for 2015: CCDP

johnnynodough Member Posts: 634
Couple of things I do in addition to WEP and MAC address filtering is DHCP reservations for the MAC address of my wireless cards, and I also use 255.255.255.252 (you would want to use 255.255.255.24) for my subnet mask, so there can only be 2 devices communicating at any time which is all the wireless I have anyways. Pick an unusual network number as well, like 10.34.34.0, anything besides the standard 192.168.X.X.
Go Hawks - 7 and 2
2 games against San Fran coming up, oh yeah baby, why even play? Just put them in the win category and call it good

JDMurray Admin Posts: 13,086
1. Do not use DHCP. Use fixed addresses in an address space other than 192.168.0.0. If you are NAT'ted behind a firewall, you can use any private or public addresses you want. Don't make it easier for intruders by handing them an IP address.
2. I like to make LANs a little bit more difficult to hack by using mis-matched netmasks. For example, using the 10.0.0.0 address space with a 255.255.255.0 mask.
3. If you have all Windows XP clients, then do not use WEP. Use WPA/TKIP with a pre-shared key. Don't use WPA/AES unless your machines have the CPU horsepower to crunch the AES algorithm (which is overkill for SOHO use anyway).
4. If Dlink doesn't support pre-shared keys with WEP 128-bit encryption, that is a limitation in Dlink's firmware. Ask them when they will be releasing a new firmware revision to "fix" this deficiency. If they say "never," then tell them you are returning their router and buying Linksys instead (a consumer bluff, but your email will get circulated in their next customer support staff meeting).
Otherwise, your system looks more secure than 99% of the SOHO systems that are in operation.

johnnynodough Member Posts: 634
Static IP addresses are the way to go for your desktops for wireless security, but if you are like me with a laptop, I am hooking up to a new WAP 10 times a day, so static IP is not convenient at all. That's why I use DHCP reservations based on the MAC, although I'm not sure if I would trust the Dlink to handle the reservations correctly. Past that, if someone really wanted to get my MAC, they could use AirMagnet, but if they were going that far, I doubt they would be in my neighborhood doing it : )

darkuser Member Posts: 620
you can still find out the address space with netstumbler and crack 128 bit WEP keys w/ kismet ....
rm -rf /

goasakawa Member Posts: 58
darkuser wrote: you can still find out the address space with netstumbler and crack 128 bit WEP keys w/ kismet ....
I got a Linksys wireless router with 4-Port switch. If someone can get into my LAN with snooping tools and crack my keys, what other alternatives do I have?
I have been suspecting someone stealing my net due to the fact that there are strange 'dhcp clients' in my client tables. My LAN consists of 2 gaming rigs and 6 PCs and 2 Xboxes. Could the Xboxes show up in my client DHCP table?

JDMurray Admin Posts: 13,086
goasakawa wrote: I have been suspecting someone stealing my net due to the fact that there are strange 'dhcp clients' in my client tables. My LAN consists of 2 gaming rigs and 6 PCs and 2 Xboxes. Could the Xboxes show up in my client DHCP table?
Do not use DHCP on your WLAN. That's just handing an intruder an IP address. Use static addresses and a non-standard IP addressing scheme (this is OK for private networks behind a NAT'ted router). XBoxes can use static or dynamic IP addresses. Use the dashboard to check the [Network] section.
Rotate your WEP key selection once every week or two and change your passphrase every other month. That'll frustrate any sophisticated attackers who are cracking your WEP keys. After doing this for a while you'll realize why WPA and dynamic WEP key rotation is a good convenience.
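
An added example, not written by any poster in this thread: one way to check a router's DHCP client table against an inventory of devices you own, for the "strange DHCP clients" situation goasakawa describes. The table layout, MAC addresses, IP addresses and hostnames are constructed for illustration; real routers export the table in other formats.

```python
import re

# Constructed inventory of devices you own: normalized MAC -> label.
KNOWN_DEVICES = {
    "00:11:22:aa:bb:01": "gaming-rig-1",
    "00:11:22:aa:bb:02": "gaming-rig-2",
    "00:11:22:aa:bb:10": "xbox-1",
}

# Constructed client table (hostname, IP, MAC); real routers use other layouts.
SAMPLE_TABLE = """\
gaming-rig-1   192.168.1.100  00-11-22-AA-BB-01
(unknown)      192.168.1.101  00:11:22:aa:bb:10
laptop-x       192.168.1.102  0A:1B:2C:3D:4E:5F
gaming-rig-2   192.168.1.103  00:11:22:AA:BB:99
"""

MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def normalize_mac(mac):
    """Lower-case and use ':' so 00-11-22-AA-BB-01 matches the inventory."""
    return mac.lower().replace("-", ":")


def audit_dhcp_table(text, known):
    """Return (ip, mac, reasons) for every lease whose MAC is not in `known`."""
    findings = []
    for line in text.splitlines():
        mac_match = MAC_RE.search(line)
        if not mac_match:
            continue  # header or blank line
        mac = normalize_mac(mac_match.group())
        if mac in known:
            continue  # an Xbox with no hostname still matches by MAC
        reasons = ["MAC not in inventory"]
        # Bit 0x02 of the first octet marks a locally administered
        # (software-set) address rather than a vendor-assigned one.
        if int(mac[:2], 16) & 0x02:
            reasons.append("locally administered MAC")
        # Hostnames are client-supplied, so a familiar name proves nothing.
        if line.split()[0] in known.values():
            reasons.append("hostname copies a known device")
        ip_match = IP_RE.search(line)
        findings.append((ip_match.group() if ip_match else None, mac, reasons))
    return findings


if __name__ == "__main__":
    for ip, mac, reasons in audit_dhcp_table(SAMPLE_TABLE, KNOWN_DEVICES):
        print(f"{ip}  {mac}  {'; '.join(reasons)}")
```

A MAC address can be set by the client, so an empty result narrows the search but does not prove nobody else is on the WLAN; the encryption advice in the thread still applies.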