El Taco some router questions if you don't mind.

Tech questions and answers, video game stuff.

Moderator: ElTaco

atomicdad
Eternal Scobode
Posts: 1112
Joined: Mon Jan 17, 2005 8:52 pm
Location: on the eastern pacific rim

El Taco some router questions if you don't mind.

Post by atomicdad »

ET,

My router arrived yesterday and I hooked it up no problem, it is the D-Link DI-624. Well no problem hardwired to my desktop, wifey didn't have her wireless card last night so we could not test that aspect out. I'll try that out tonight.

I was looking through the software/configuration stuff and there was a lot of stuff I haven't a clue as to what it is for. I don't want you to have to give me a full lesson on some of this stuff unless you want to, but do you know of a resource somewhere that I can do some research on some of the capabilities of the router and what they mean. In another thread you mentioned there was a previous discussion on a lot of this stuff at TOT, I very infrequently visited that board so I don't have the URL to try to find it. I scanned through the manual and it basically tells me how to enable and disable things no problem but I want to find out what the shit means. Stuff like the SSID, WEP Encryption, Virtual Servers etc, basically the shit this D-Link router allows.

I admit I am a network tard, but I would like to learn a little about what I'm doing and probably more important what I shouldn't do.

Thanks
ElTaco
Networking Securely
Posts: 907
Joined: Fri Jan 14, 2005 4:12 pm
Location: Northern VA

Post by ElTaco »

I could probably see if I can write something up on wireless networking again. I did a 2 or 3 story thing on TOT but can't find that anymore. Might have it somewhere on my hard drive though so I'll look around for it.

I'll throw up something tomorrow.
ElTaco
Networking Securely
Posts: 907
Joined: Fri Jan 14, 2005 4:12 pm
Location: Northern VA

Wireless Post

Post by ElTaco »

This was the 2nd post in a 3 post series if you will. I don't have the time to actually review the content right now or to make any changes so I'm posting it as is.

Part 2

Today I figured I would follow up yesterday’s Wireless thing with a message about hardware. If you didn’t get to take away too much from the last message, do not worry because for the most part, you do not have to worry about most of it unless you run into problems. On the other hand, you should strive to purchase decent equipment that will protect you and your network. Most of the equipment I will talk about is for SOHO (small office/home office) users. There are companies that put out professional equipment that works a lot better in every way. This message will start out with discussing wireless hardware in general and features that you need to look for and then I will review some common companies/products. Again, this is mostly based on what I’ve read on the web and what I learned in the wireless security course I took this week.

As with all networks, you generally will need two pieces of equipment. You will need a client (in this case a client wireless network card) and a receiver (Access Point (AP) or wireless router). Ultimately, your needs should guide you in purchasing your equipment. For example, if you already have a router at home, you should be able to just purchase a wireless card and a wireless Access Point (AP) instead of having to replace your router. On the other hand, if you are now considering getting high speed Internet, such as Cable or DSL (partial, full T1/T3, OC line, etc…) and putting more than one machine on the internet then you should purchase a router anyway, so why not make it wireless.

If you read the 1st part of the wireless post then you will know that there are a lot of different standards in use with wireless equipment. The current ones to look for are: 802.11b (11mbps), 802.11g (54mbps) and 802.11a (54mbps). You shouldn’t get an 802.11b only router anymore, unless money is an issue because 802.11g is backwards compatible and can support 802.11b as well. Your biggest consideration is if you want 802.11a or 802.11g. They both support up to 54mbps connections, but the 802.11a standard is still rather new. It does have a higher throughput rate but it doesn’t work as well over greater distances. Another advantage with the 802.11g over the 802.11a hardware is that you have more variety. A good reason to go with 802.11a hardware is if you have problems with your cordless phones (you can hear your neighbor’s conversation regularly) then you should go for the 802.11a, but this will cost a little extra.

Hardware Features:

Wireless Access Points (AP)
Wireless APs are small devices that can be hooked into your wired network and will connect your wired network with your wireless network. They can also be used to connect two wired networks or forward traffic from clients to other APs actually connected to a wired network. These APs should support Ad-Hoc and Infrastructure Network Architectures and possibly the Extended Service Architecture. It should also support all 3 Network AP Modes: Root (Act as a single AP), Bridge (act as a bridge between two wired networks) and Repeater (act as a repeater for traffic from clients to a 2nd AP). Some APs will rename these modes but they should be able to forward traffic to other APs. For security, at the very least, the clients should support WEP, however I would strongly suggest WPA (Wi-Fi Protected Access) if you can get it. Your AP should allow you to disable broadcasting your SSID (standard, all of them have this option). An additional feature that is useful but only certain APs support it is having the ability to control access to the AP through MAC address filtering. WEP should support 64 and 128bit encryption. Be careful because some companies promise a 256bit encryption, which is a lie. They only use a 128bit key and add an extra set 128bit code on top of it that does not change. Some companies only use a 40 bit key, which is actually the same as a 64 bit key. 128 bit keys are the best and are practically unbreakable in any useful time with a correct implementation. Hardware wise, APs should have one or more Ethernet ports and preferably an external antenna. Be careful because the antennas should always point up so if you mount the AP on the wall, the antenna should be turned so it faces up. This will keep a good signal going outwards instead of up into the air where it is useless.

Wireless Routers:
Wireless routers are essentially the same as wireless APs, they just have a firewall, switch and WAN port built in. You should have all the features that an AP has, plus all the features of a router combined into one. Some wireless routers do not have a switch built into them. I would not get these. Your router should have VPN capability and if you get a decent one, it will allow you to control logins using a built in server or an external access server (you will only find these in more expensive ones).
I would recommend that at this point, you should get equipment that has been certified by the Wi-Fi compatibility group. The box should have a large black and white Wi-Fi emblem on it.

Wireless Network cards:
There is not much difference in a card. If you have an AP that supports something funky, such as 108mbps connection like the D-links do then you have to get a D-link card that supports it.

Companies:

Linksys (Cisco)
Linksys is one of the largest manufacturers of SOHO network equipment. It is usually an excellent deal because it is cheap and their equipment generally will support all the standard features. The problem with Linksys is that their implementations of the features are not always the most secure or the best. Because of this, there are plenty of complaints out on the web about weird problems with compatibility. Specifically with wireless, I’ve heard that up till recently, their implementation of WEP and other security features were rather weak. Without getting too technical, what this meant is that it was relatively easy to figure out the encryption key that Linksys APs and Routers were using. I’ve been told that since CISCO has acquired Linksys, a lot of these security issues have been fixed with their wireless line so if you purchase wireless equipment from Linksys, make sure that it has the Cisco emblem on it. I should also mention that security is not necessarily all that important in the SOHO environment, however you don’t want your neighbor’s kid sniffing your credit cards and purchasing a ton of crap on them.


Netgear
Netgear suffers from the same problem that Linksys does when it comes to their wireless equipment. Their equipment is fairly cheap, which is ideal for everyone; however, their implementation of WEP and other security measures are relatively cheap. Unfortunately for them, they haven’t been purchased by Cisco so for now I would tell you all not to purchase their wireless equipment. With that said, I did purchase a wireless card from them and it is working great for Windows and Linux, but is not very useful for hacking and is not supported by Macs.

D-Link
From what I’ve read and heard about this company, they have gone out of their way to be along the cutting edge of wireless equipment, even for SOHO users. Some of their current offerings support WEP and WPA, VPN pass through (the best way to secure wireless is by VPN incidentally), and more. One of the more impressive features is their 108MB/s throughput technology, which only they support. What is impressive about D-Link is that they implemented WEP and WPA correctly and didn’t seem to take shortcuts. D-Link is slightly more expensive than most of the other SOHO companies, but well worth the money if you want to be secure.

Orinoco/Lucent/Proxim
Orinoco was one of the first companies to come out with wireless equipment and has changed hands over time. Currently Proxim owns the company and has been making some changes to the software that runs the devices. What is impressive about their wireless PCMCIA cards is that they come with external antenna plugs; what kind of sucks is that if you plan to use them for hacking, the drivers don’t let you use all the features. I would definitely recommend picking up an Orinoco card if you plan to do some wireless hacking but I would get one of the original Orinoco cards or the Lucent version.

Cisco
As usual Cisco is one of the largest players and one of the best ones, but you will have to pay a little extra to get the best. Cisco not only produces one of the better wireless lines (Aironet) but also produces one of the more popular chips used in wireless equipment; unfortunately you mostly find it in the more expensive hardware. Cisco PCMCIA cards are also probably the best cards to purchase for wireless hackers. <technical on>Not only is there great support for these cards, including their advanced features, in Linux, but they also have some built in features that no other cards have, such as the ability to automatically scan all of the wireless channels.</technical off> These cards cost about $120 brand new, but you can pick them up on eBay for about half that.

Note: I purchased a Cisco Aironet 350 and an Orinoco Gold card on eBay recently for my hacking pleasures. They should be here within the next two to three days. Next I’ll be looking to build/purchase some external antennas. Who needs to buy an Internet connection when so many people give it up for free.


So what does all this mean? Well, I’d just recommend that you be careful. Ultimately if you enable the security properly you will most likely not have to worry too much about being hacked at home. If you are planning to put a wireless router/AP in at work, you will need more security than most APs provide anyway and will probably need to work with your System administrator. From what I’ve heard, I would probably go with a D-Link or a cheaper business class Wireless class AP. As far as cards are concerned, most of them will work fine, but if you intend to use a special feature or WPA, make sure your card/driver support those features. I think that Linksys will improve a lot now that Cisco owns them, and I personally do like the company but they have their share of mysterious problems, like our Print server at work, which will burp when you send a 100 page document to it after about 20 pages.
ElTaco
Networking Securely
Posts: 907
Joined: Fri Jan 14, 2005 4:12 pm
Location: Northern VA

Post by ElTaco »

Part 3

For those wireless hackers out there (this info is something extra), wireless equipment is based on a few chipsets. The 3 main ones are – Intersil based PRISM chipset, Lucent based Hermes chipset and the Cisco based Aironet chipset.
Prism is the most popular one and is used in most of the cheaper solutions such as Linksys, SMC, D-link and Netgear. The midpriced ones are based on the Hermes chipset and these are usually the Lucent/Orinoco/Agere, Cabletron, Compaq, Apple, IBM and Dell TrueMobile 1150s. The high end devices are based on the Cisco chipset and these are the Cisco Aironet and Xircom equipment. You do need to be careful because some device manufacturers tend to jump around, even in the same product line. Some other chipsets out there are the Intel Centrino and Atheros chipsets. These are fairly limited in their use and there are probably a few more out there. This is only an issue if you are going to use Unix/Linux/BSD or are going to start wardriving/hacking wireless networks. Also if you run into problems with your drivers, you can usually use another driver for another device that is based on the same chipset.


Wireless Network Architectures

In a wireless network, you can set up multiple types of Architectures and you should aim to buy equipment that supports all 3. Architecture refers to the type of network you are going to set up, or in other words, who are you planning to connect to and how big the network is.
1. Ad-Hoc / Independent Basic Service Set
2. Infrastructure Basic Service Set (default for AP and routers)
3. Extended Service Set
Ad-Hoc means that you are essentially setting up a local network between multiple wireless clients. It means that you do not have an AP, but instead you have 5 clients that are connected to each other.
Infrastructure architecture refers to when you are connecting to one Access Point/Router. In this case you have one wireless AP that will be receiving everyone's traffic and it will probably be connected to a wired network.
Finally, you have the Extended Service architecture, in which case multiple APs act as if they were on one network. For the technical folks, they essentially play with the layer two info so that you can walk between those APs and your PC/wireless card thinks it is on the same AP. The wireless signal has to overlap between the APs for this to work properly.

As I pointed out above, by default, APs will come configured for Infrastructure architecture and you should probably just use that by default. Ad-Hoc is good if you want to share info between two machines and there are no APs around. Extended architecture is not needed at home unless you have a very large house.

Wireless AP Modes:

APs can be in 3 different modes. They can be in Root, Repeater or Bridge mode. Root means that the Client machines (like laptops) connect to the AP, which is connected to the wired network. Generally, you should keep APs separated and their signal shouldn’t overlap much. Repeater mode is something I mentioned before. An AP can be set up to repeat all the traffic it receives and send it to another AP that is connected to a wired network/internet. In other words, if you have your wireless router at one end of the house and it’s too far for your laptop to connect to it from the other end of the house, you can set up a wireless AP in the middle and set it into Repeater mode. In this case you would connect to the AP from your laptop and it would forward your traffic to the wireless router, without having to run wires from one end of the house to the other. This could also work in between floors. Finally you have the Bridge mode. This mode can be used to tie two wired networks together with wireless APs. In this case both APs are hooked into two separate wired networks and traffic is forwarded between networks through the APs. This can be useful if you have run wires on two separate floors for example but don’t want to run wires between the floors. Or maybe you could run wires from your PS2 to your AP, which would be on the 3rd floor but closer to the wireless router. The AP would forward the wired traffic to your wireless router.

This may be a little confusing but let’s just say that it is useful if your wireless equipment supports all 3 Architectures and all 3 modes.

Authentication

There are 3 types of Authentications that are used a lot today. Authentication is how your Router or AP will make sure that you are allowed to connect to it.
1. Open System Authentication
2. Shared Key Authentication
3. EAP (Extensible Authentication Protocol) / 802.1x
The 802.11 protocols only require the Open System Authentication. There is no real authentication that takes place. It basically allows anyone to connect. Interestingly enough, this is actually the preferred authentication unless you get an AP that supports EAP. The only identification that is needed for OSA is a MAC address. It is really easy to spoof a MAC address. WEP is supported under OSA but it is only used to encrypt the data. Some vendors add MAC Address Filtering to make OSA more secure. This is a good idea to have, but you have to actively manage it.
Shared Key Authentication requires that the client provide the Key to the AP. The problem is that it uses the WEP key to authenticate itself and this is a BIG problem. Never use the Shared Key Authentication method because it will actually enable people to snoop on your traffic easier. The reason Shared Key Authentication is insecure is that with encryption you have 3 pieces of information: the text, the encrypted text and the encryption key. For authentication, the AP will send your client clear text and ask it to encrypt it with the key. If the client sends back the encrypted text and the AP can un-encrypt it with the key then you are authenticated. Makes sense, however, the problem is that if you sniff out the clear text and the encrypted text then it doesn’t take much work to get the encryption key. The bigger problem is that once you have the encryption key, not only can you connect to the network, but you can also sniff out and read what other users are sending. In fact, before you say that it is hard, there are programs out there that can do this within minutes.
EAP is still not being implemented all that much but it is the best authentication method. The reason it isn’t implemented much in SOHO systems is that it requires a special server to authenticate you. This can be by using a password or some other identifying method. Some more advanced wireless APs/Routers have a built in server that will authenticate people.

Broadcasting your SSID

By default Wireless APs/Routers will broadcast the SSID (network name), which means that anyone can connect without any problem. To help secure APs, all manufacturers give you the option of turning broadcasting off, which is kind of a lie. The AP will still broadcast itself, it will just not include the SSID until you request to connect to it. In other words, usually the AP is sending out packets saying, I’m here. If you turn off the Broadcast option, it will still send those packets; it will just leave the SSID field empty. This makes it more secure, except that when someone sends a connection packet back, the AP will send another packet, with the SSID included, in clear text. If you are sniffing, you will then be able to pick up the SSID.

MAC address filtering

I mentioned before that some Wireless APs and Routers also support the ability to filter connections based on MAC addresses. This is a great feature, even though it is kind of useless when a knowledgeable hacker tries to hack your network. The way that this works is that before you can connect to the AP, the administrator has to register your Wireless card’s MAC address (looks like 00 00 00 00 00 00 00 00: mine is 00 09 5b 92 c2 db) and all network cards (wired and wireless) have these. When you connect, you supply your MAC address as part of the communication and before the AP will let you connect, it will check your MAC address in its database to make sure you are allowed to connect. This is a great idea in theory because every Network card can only have one MAC address and no one but the manufacturer can change that. In theory this sounds like the perfect authentication method. The problem is that while no one can change the MAC address within the card, they can spoof it within the driver/software so it is actually very easy in just about every OS to fake your MAC address. The reason that this is still a good idea is that not many people realize that it is easy to change their MAC address so most of them never try. (Hint: it is a registry hack in Windows and an ifconfig command in Linux.)


VPN/other Authentication methods

Ultimately businesses should not trust any of the tools that are built into APs because they are not secure. If someone relatively knowledgeable wants to get in, they will be able to get around your security. I already told you that Shared Key authentication is very insecure for anyone that knows the small trick to hack it but if you do not use it (leave your system in Open System Authentication) then your system is open and anyone can connect to your AP, but will not be able to hack your traffic. So how do you secure your wireless network for real? Well one option is to spend a little more money on an AP that has WPA. Another option is to run a VPN server on your network and force all users to run a VPN tunnel to your wired network. Some routers also support authentication servers such as RADIUS, which will force you to authenticate using a password and/or key before you are allowed to connect to the network. Incidentally WPA also supports RADIUS servers and for those wondering, there are some free ones out there. In fact if you have a Windows 2000 or 2003 server sitting around with IIS on it then you already have a RADIUS server available to you.

So to summarize:

If you currently own a wireless AP/Router you should connect to it and

Disable broadcasting
(if you only have WEP and aren’t tech savvy)
Enable Shared Key Authentication
Create 4 Keys and make use of the 2-4th key. If you want the added security then change keys every week or month.
If you have EAP and/or WPA then enable that instead.
If your AP/Router supports MAC address Authentication then Enable it and add your wireless card’s MAC address (all of them have it on the outside or it will be listed under the network card properties).

If you are running a small business and you consider your data valuable then you will need EAP and/or WPA. If those features are not available in your AP/Router then you should use VPN and separate your wireless network from your wired network.

Note: As a final note, everyone should realize that enabling WEP, EAP, WPA or VPN will slow down your network connectivity so make sure you research whichever equipment you purchase to make sure that it doesn’t break down when you enable these features.
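
The Shared Key Authentication exchange described in Part 3 above, simulated in memory as an added example that is not part of the original posts. It is simplified (only the challenge text and its CRC-32 integrity value are modelled), and the function names, key, IV and challenges are constructed for illustration. It shows what one overheard handshake gives a listener: the RC4 keystream for that IV, which is enough to pass the AP's check, so the check does not prove knowledge of the WEP key.

```python
import struct
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def with_icv(text: bytes) -> bytes:
    """Append WEP's integrity value: CRC-32 of the text, little-endian."""
    return text + struct.pack("<I", zlib.crc32(text) & 0xFFFFFFFF)


def client_response(iv: bytes, wep_key: bytes, challenge: bytes) -> bytes:
    """Legitimate client: encrypt challenge + ICV under RC4(IV || key)."""
    body = with_icv(challenge)
    return xor(body, rc4(iv + wep_key, len(body)))


def ap_accepts(iv: bytes, wep_key: bytes, challenge: bytes, response: bytes) -> bool:
    """AP side: decrypt the response and compare it with the challenge it sent."""
    body = xor(response, rc4(iv + wep_key, len(response)))
    return body == with_icv(challenge)


def keystream_seen_on_air(challenge: bytes, response: bytes) -> bytes:
    """Clear-text challenge XOR encrypted response = keystream for that IV."""
    return xor(with_icv(challenge), response)


def response_from_keystream(keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge using only the observed keystream, no key."""
    return xor(with_icv(new_challenge), keystream)


def demo() -> dict:
    # All values below are constructed sample data.
    wep_key = bytes.fromhex("0102030405060708090a0b0c0d")  # 104-bit secret
    iv = bytes.fromhex("a1b2c3")  # 24-bit IV, sent in clear, chosen by the client
    challenge1 = bytes(range(128))
    response1 = client_response(iv, wep_key, challenge1)
    keystream = keystream_seen_on_air(challenge1, response1)
    challenge2 = bytes(reversed(range(128)))  # the AP's next, different challenge
    keyless = response_from_keystream(keystream, challenge2)
    return {
        "legit_accepted": ap_accepts(iv, wep_key, challenge1, response1),
        "keyless_accepted": ap_accepts(iv, wep_key, challenge2, keyless),
        "keystream_matches": keystream == rc4(iv + wep_key, len(keystream)),
        "keystream_bytes": len(keystream),
    }


if __name__ == "__main__":
    print(demo())
```

WPA and EAP/802.1x replace this handshake with ones in which the challenge and response do not expose reusable keystream.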
ElTaco
Networking Securely
Posts: 907
Joined: Fri Jan 14, 2005 4:12 pm
Location: Northern VA

Post by ElTaco »

This is fairly dated material. It is over a year old and as we know, in the Tech industry things change fairly quickly. One of the newest wireless standards to look for is the 802.11i standard which will be made especially with security in mind. I believe the final standard will be out sometime this year, although some companies usually get to market before the official standard is finalized. If you are really worried about security, try to work with wireless equipment that is capable of using WPA instead of WEP as this equipment is based on better encryption and has better user authentication built in.

I think the first version of the document talked specifically about the settings available in wireless devices. I may have to re-write some of that unless someone can find a copy in the tech archives on TOT.
fix
Eternal Scobode
Posts: 2551
Joined: Wed Jan 12, 2005 3:20 pm

Post by fix »

There are tons of articles online about the problems with WEP and how by just capturing enough packets, which is just a matter of days at most, it can be easily figured out. Like this one from AirSnort
http://airsnort.shmoo.com/faq.html

AirSnort and Kismet will still be able to see any network no matter what the SSID is or whether it is disabled or not.

In my home network I have
SSID Disabled (prevents casual people from seeing your network)
MAC Filtering (Stops the average person from being able to send packets to your AP, but MACs are very simple to clone)
WPA with random password.
I use WPA-AES with a very long random string generated by KeePass
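
How a WPA passphrase like the one in the post above becomes the actual key, as an added example that is not part of the original thread: WPA-PSK derives a 256-bit key with PBKDF2-HMAC-SHA1, 4096 iterations, using the SSID as salt. The function names, the 20-character threshold and the small list of factory-default SSIDs are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
# Constructed sample of factory-default network names; extend for your own audit.
DEFAULT_SSIDS = {"default", "linksys", "NETGEAR", "dlink"}


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrases are printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def random_passphrase(length: int = 63) -> str:
    """Uniformly random passphrase from the OS CSPRNG (what a password manager does)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length: int) -> float:
    """Entropy of a random passphrase of this length; the 256-bit key caps it."""
    return min(256.0, length * math.log2(len(ALPHABET)))


def audit(passphrase: str, ssid: str) -> list:
    """Flag settings that make offline guessing of the passphrase cheaper."""
    findings = []
    if ssid in DEFAULT_SSIDS:
        # Same SSID means same salt, so work done against one network
        # with that name applies to every other network with that name.
        findings.append("factory-default SSID")
    if len(passphrase) < 20:  # illustrative threshold (assumption)
        findings.append("passphrase under 20 characters")
    if passphrase.isalpha() or passphrase.isdigit():
        findings.append("single character class")
    return findings


if __name__ == "__main__":
    phrase = random_passphrase()
    print(phrase, wpa_psk(phrase, "home-net").hex(), random_entropy_bits(len(phrase)))
    print(audit("password", "linksys"))
```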
atomicdad
Eternal Scobode
Posts: 1112
Joined: Mon Jan 17, 2005 8:52 pm
Location: on the eastern pacific rim

Post by atomicdad »

Thanks for the information, I'll go through it and see what I can digest.

So for another stupid question, as long as someone isn't hacking my network while I am actively using my machine, otherwise it is typically off, what is the worst that can happen? I don't care if the neighborhood kid wants to download his pron while sitting in front of my house or launch his next killer worm.
frodo_biguns
gibbering dumbfuck
Posts: 2202
Joined: Mon Mar 21, 2005 10:03 am

Re: El Taco some router questions if you don't mind.

Post by frodo_biguns »

atomicdad wrote:
ET,

My router arrived yesterday and I hooked it up no problem, it is the D-Link DI-624. Well no problem hardwired to my desktop, wifey didn't have her wireless card last night so we could not test that aspect out. I'll try that out tonight.

I was looking through the software/configuration stuff and there was a lot of stuff I haven't a clue as to what it is for. I don't want you to have to give me a full lesson on some of this stuff unless you want to, but do you know of a resource somewhere that I can do some research on some of the capabilities of the router and what they mean. In another thread you mentioned there was a previous discussion on a lot of this stuff at TOT, I very infrequently visited that board so I don't have the URL to try to find it. I scanned through the manual and it basically tells me how to enable and disable things no problem but I want to find out what the shit means. Stuff like the SSID, WEP Encryption, Virtual Servers etc, basically the shit this D-Link router allows.

I admit I am a network tard, but I would like to learn a little about what I'm doing and probably more important what I shouldn't do.

Thanks

Just make sure you go in and change your administrator password. Open a browser and type this in: http://192.168.0.1. Leaving it with the factory installed password could leave you vulnerable to anybody snooping ports.

And write down your username and password and "SAVE" it somewhere you can find it!
atomicdad
Eternal Scobode
Posts: 1112
Joined: Mon Jan 17, 2005 8:52 pm
Location: on the eastern pacific rim

Post by atomicdad »

Problem is that I was drunk the other night and I forgot where I wrote it down at.

Fuck it, I'm just going to put a big sign in my front yard "Wireless Hot-Spot", and then charge people to park in my driveway while they get their pron.
ElTaco
Networking Securely
Posts: 907
Joined: Fri Jan 14, 2005 4:12 pm
Location: Northern VA

Post by ElTaco »

Your bigger problem would be if the kid decided to try out his hacking on your computer or if he decided to figure out if he could sniff out some financial information as you transmit it.

Your legal problem could include you being accused of hacking and/or releasing the next big virus that cost the world billions.

With that said, some people do elect to share their internet when they are not home or all the time. In that case you would just want to encrypt the connection so your particular traffic cannot be sniffed. Also you will want to protect your own computer by running a personal firewall on it and making sure it's patched and protected.