mcarterbrown.com  

General Chat MCB's Coffee House: Pull up a seat, and grab your favorite caffeinated beverage. Non-paintball related chat within.

#1  11-16-2006, 03:15 PM  Wycke (Supernatural Anaesthetist, Join Date: Apr 2006, Location: Cheesesteak Country)
Wireless network security quandary

I know the "wireless network security" is something of an oxymoron, but I know the inherent insecurities of wireless and therefore want to take any steps possible to prevent neighbors or passers-by from leeching off my connection. I've always used MAC address filtering, but lately find myself buying a new router every 3-4 months. Why that often? Well, I'm cheap, so I buy refurbished ones or those that, well, suck and get marked down for quick sale. My latest purchase is a D-Link DI-624M. Back to the topic, MAC filtering works fine, but transferring that list of "allowed" MAC addresses each time I get a new router is a royal pain, esp. since it seems that none of the manufacturers do this in a consistent or standardized fashion. Why can't they just let me upload & import a text file with the addresses to allow? I guess mainly because so few people use that feature and they don't want to make it easy for you to migrate to another vendor's equipment.

"Just use WEP", some people have suggested, but I know that even a 128-bit key can be broken in a matter of minutes. Besides, I'd rather not have to configure all of my wifi devices (and those of friends & family who use my network when at my house) for WEP.

So, I guess what I'm looking for is a standalone device (or even an app that'll run on a linux server) that will act as sort of a gateway between the wireless router & the rest of my network & the internet. I just can't seem to find anything like this out there. I thought about using another wired router that would basically remain in place, but then I'd need to use a wireless router that'll run in some kind of "bridge" mode so that it would pass the source MAC addresses to the router that does the filtering. This would still allow outsiders to connect to my wireless network, but not the wired network or the internet, which is all I really care about.

Anyone done this or have any suggestions? Am I entirely overcomplicating the situation??

-Chad
#2  11-16-2006, 03:33 PM  Phantom Power (Ghost with the most, Join Date: Mar 2006, Location: Pender Island, BC)

As for an app on a Linux server, you can use the built-in iptables to drop any IP connection that doesn't match a certain MAC address. It won't stop ARP requests or other link-layer protocols, but without IP traffic, it won't be very useful to people who want to use your connection.
#3  11-16-2006, 03:33 PM  Azzy (Sh*t, I'm a mod?, Join Date: Mar 2006, Location: Finleyville, PA)
Heather has been running the same D-Link router for 3 years now, and it's set up with MAC filtering.

I would wonder why you go through the routers so easily... is there a power issue here? Over / under voltage?
#4  11-16-2006, 03:43 PM  sniper1rfa (Active Member, Join Date: Jul 2006)
I was thinking the same thing. I've been running the same Linksys router for years. Have it stacked with a separate wireless router and a D-Link cable modem. Never had a problem, and it's not really a very expensive setup...

Hell, I have a 20-port 10BaseT switch that's older than any of my networking gear and it's still going strong. Slow, but strong.
#5  11-16-2006, 03:45 PM  DarkStar (MCB Member, Join Date: Mar 2006)
For the record, MAC address filtering is less secure than any of the authentication schemes. WEP, WPA, all of 'em.

Anyone who knows how to crack the above can change their MAC address to an approved one, much easier than cracking the security scheme.

However, whenever I wanted to use MAC filtering (usually because it can be set up in seconds, until a more robust solution can be put into place) I've used the security log within the router to capture what I want. Meaning, let everybody get an IP through DHCP, then go look at the log. Copy and paste the MAC addresses from the log into the approved MAC list.

Also, some routers allow you to put the wireless clients into a "walled garden" which cannot access the wired side of the router, only the internet. I know my Netgear supports this; I'm sure other routers do as well.

I'm partial to netgear products. Favorite used to be Linksys but CISCO has ruined the Linksys products in an effort to sell more CISCO products (IMHO).

-MR
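DarkStar's trick of letting every device take a DHCP lease and then copying the MACs out of the log, as an added example that is not from the thread: a POSIX shell script that harvests addresses from a DHCP server log and merges the new ones into the same one-MAC-per-line allowlist file. The sample log lines are constructed in the DHCPACK line format dnsmasq writes to syslog; a consumer router's "security log" lays its lines out differently, so the DHCPACK pattern and the field walk in harvest_macs are the parts to adjust. The hostname after the MAC is kept as a comment so you can tell whose device each entry is, and a lease line with no hostname is tagged unknown-host rather than dropped.

```shell
#!/bin/sh
# Added example, not code from the original thread. Harvests client MAC
# addresses from a DHCP server log and merges the ones not already present
# into a plain-text allowlist (one MAC per line, "# hostname" comment).
# Assumptions: the log uses dnsmasq's syslog DHCPACK format (a constructed
# sample is in write_sample_log); the allowlist uses lower-case, colon
# separated addresses as its first field.

# Six hex octets joined by colons, spelled out so it works in mawk and other
# awks that lack interval expressions such as {2}.
H='[0-9A-Fa-f][0-9A-Fa-f]'
MAC_RE="$H:$H:$H:$H:$H:$H"

# harvest_macs LOGFILE: print "mac hostname" for each distinct MAC that was
# handed a lease (DHCPACK), lower-cased, in first-seen order.
harvest_macs() {
    awk -v re="^${MAC_RE}\$" '
        /DHCPACK/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ re) {
                    mac  = tolower($i)
                    host = (i < NF) ? $(i + 1) : "unknown-host"
                    if (!(mac in seen)) { seen[mac] = 1; print mac, host }
                    break
                }
            }
        }' "$1"
}

# merge_allowlist LOGFILE ALLOWLIST: append harvested MACs that are not yet in
# the allowlist and print how many were added.
merge_allowlist() {
    log=$1
    list=$2
    [ -f "$list" ] || : > "$list"
    new=$(harvest_macs "$log" | while read -r mac host; do
        # Compare on the address only; an existing comment may differ.
        if ! grep -qi "^$mac" "$list"; then
            printf '%s  # %s\n' "$mac" "$host"
        fi
    done)
    if [ -n "$new" ]; then
        printf '%s\n' "$new" >> "$list"
        printf '%s\n' "$new" | grep -c .
    else
        echo 0
    fi
}

# write_sample_log PATH: constructed dnsmasq-style log lines (not real data).
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 16 15:33:01 gw dnsmasq-dhcp[812]: DHCPDISCOVER(wlan0) 00:11:22:33:44:55
Nov 16 15:33:01 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.23 00:11:22:33:44:55 chads-laptop
Nov 16 15:40:12 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.24 AA:BB:CC:DD:EE:FF sisters-pc
Nov 16 15:41:00 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.23 00:11:22:33:44:55 chads-laptop
Nov 16 15:45:30 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.25 de:ad:be:ef:00:01
EOF
}

# Usage: sh dhcp-harvest.sh /var/log/syslog allowed.txt
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    merge_allowlist "$1" "$2"
fi
```

Review what it appends before loading the list anywhere: the whole point of DarkStar's method is that every device that asked for a lease ends up in the log, including the neighbour's, so the harvested entries are candidates to approve, not an approved list by themselves.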
#6  11-16-2006, 04:03 PM  Rayodder (I have a Phantom, Join Date: Apr 2006, Location: Richmond, British Columbia)

MAC filtering is a lot easier to hack than even WEP; it is really simple to intercept a valid MAC address.

If you are really that concerned about security, spend the cash and get a better wireless router that does not broadcast the SSID; you can't hack what you cannot see. Also, instead of WEP, try using WPA-TKIP encryption; creating a long *** key makes it harder to hack into your system.

To be honest I wouldn't really worry about it too much. Wireless signals don't have a lot of range after they have gone through the walls of your house. Also, take a look at your neighbours and ask yourself "are these people capable of hacking into my system?"
#7  11-16-2006, 05:37 PM  Wycke (Supernatural Anaesthetist, Join Date: Apr 2006, Location: Cheesesteak Country)

Well, let's say there's just bad blood between me & wireless routers. My first one (Netgear MR-614) worked great for 3 years, right up until all but one of the LAN ports died on me. Actually, my sister's using it now (she has exactly one wired computer and one wireless) without any problems. Next, I got a USR 8056 (refurbed), then it died just inside the 90 day warranty, as did its replacement, and then another replacement. Now, I have this D-Link POS that I'm wishing I hadn't bought.

As for other security steps, I've turned off the SSID broadcast on all of them that have been able (all but the first Netgear, that is). And yes, I know that MAC addresses are easy to intercept and spoof, hence the disabling of the broadcast. Also, for anything that needs to be really secure, I connect to my employer's VPN.

And, to be honest, I'm not really sure why I'm so concerned about people sponging off of me...I mean, as it is, none of the routers I've had have been able to provide sufficient signal within my house, let alone outside of it. So, yeah...maybe I'll just not worry so much about it...
#8  11-16-2006, 07:14 PM  Greywolf (I'm on a boat!, Join Date: Apr 2006, Location: I'm on a boat!)

I have a network of WAP54G and WAP11B access points on the ship. Since it's for the crew, no encryption.
We use a Terabeam BCU bandwidth controller which limits all computers to 1 kb/sec access unless they are specifically allowed on the network (or specifically disallowed). Not a cheap solution, but easy to configure: once the crew member shows us the PC (so we can ensure it is virus/spyware free) we up them to 54 kb/sec max (the ship has 512k to share with 25+ computers).
If a computer is constantly maxed out, we can log that and check to see why.

At home...I leech off the neighbors and give them a few bucks a month as a thank-you (why pay for it 12 months a year when I'm barely there 6?).
We use a WAP54, Airlink 101G and a Belkin (forget the number) to bridge 2 houses and 2 garages. Eventually I'm burying a cat-5...

Thus far, we've had no trouble and it's much cheaper to go in with the neighbors. I suppose they could hack me if they wanted, but, they don't really have the time or inclination and I leave my computers turned off unless they need to be on. My MP3 server network is not connected to the internet, and I simply plug in my laptop to the (Linksys 5-port) switch when I want to transfer files/updates.

Ben
#9  11-16-2006, 08:40 PM  Lrrpie-CT (Super Moderator, Join Date: Mar 2006, Location: CT)

Chad, Sonicwall Wireless. TZ-170W. Skip the Staples grade wireless stuff. Sonicwall ain't cheap, though.

*edit* It can create multiple segmented networks through the same device.

Last edited by Lrrpie-CT; 11-16-2006 at 08:55 PM.
#10  11-16-2006, 08:42 PM  Lrrpie-CT (Super Moderator, Join Date: Mar 2006, Location: CT)

Quote (Originally Posted by Greywolf): Terabeam
No kidding?