Linksys WTR300N
Moderator: ElTaco
Linksys WTR300N
I just installed this router in my home. Could any of you network gurus fill me in on the best settings for security and performance?
-
Mister Bushice
- Drinking all the beer Luther left behind
- Posts: 9490
- Joined: Fri Jan 14, 2005 2:39 pm
Wow, thats a really wonderful thread. However I am wondering about my router specifically.
I of course changed the default SSID and disabled the SSID broadcast. And I have also changed the default passwords. I tried to enable MAC address filtering, but after that I could not connect so I disabled it.
Aside from these normal security changes is there anything else I should do? I have a friend who is a networking genius and he spends most of his time running large port scans of our ISP's network from routers he has taken over.
I of course changed the default SSID and disabled the SSID broadcast. And I have also changed the default passwords. I tried to enable MAC address filtering, but after that I could not connect so I disabled it.
Aside from these normal security changes is there anything else I should do? I have a friend who is a networking genius and he spends most of his time running large port scans of our ISP's network from routers he has taken over.
-
Mister Bushice
- Drinking all the beer Luther left behind
- Posts: 9490
- Joined: Fri Jan 14, 2005 2:39 pm
If you have a neighbor who has a wireless network, or if you have a computer not on your network yet, plug the wireless card in and let it sniff out all local networks, or right click on the connection to show all available networks. If it doesn't show, you're good. If it shows as needing an encryption key and you can't get in, you're still ok but it is broadcasting the SSID. Still, you're as safe as you can get without MAC addressing, provided your password is complex enough. Remember unless you live in a high risk area like a near a university or where there are a lot of young people, the chances anyone will be hacking in to your home system aren't all that high.
As for MAC addressing, you have to configure a list of client computers that will you will allow to be on your network. So first get the MAC addresses of each client computer from the op sys or the configuration utility. Then enter those addresses into your WAP, or router. Then switch on the MAC filtering option.
When the system is on, the list in your router gets matched with the MAC address of each client computer, and it is allowed in, or if there's no match, it's denied.
If you don't do it in that order it won't work. And again, your provider should be able to help you set that up if you get stuck.
As for MAC addressing, you have to configure a list of client computers that will you will allow to be on your network. So first get the MAC addresses of each client computer from the op sys or the configuration utility. Then enter those addresses into your WAP, or router. Then switch on the MAC filtering option.
When the system is on, the list in your router gets matched with the MAC address of each client computer, and it is allowed in, or if there's no match, it's denied.
If you don't do it in that order it won't work. And again, your provider should be able to help you set that up if you get stuck.
If this were a dictatorship, it'd be a heck of a lot easier, just so long as I'm the dictator." —GWB Washington, D.C., Dec. 19, 2000
Martyred wrote: Hang in there, Whitey. Smart people are on their way with dictionaries.
War Wagon wrote:being as how I've got "stupid" draped all over, I'm not really sure.
-
ElTaco
- Networking Securely
- Posts: 907
- Joined: Fri Jan 14, 2005 4:12 pm
- Location: Northern VA
- Contact:
We probably need to set up a wireless security thing again.
Here is the quick and dirty:
When you are securing a wireless router, you are doing two different things. One is access control to your router/network/internet connection and the second is securing your own connection from Spies. This means there are two different types of people who would want access to your network. Type one is the people who just want to use your internet connection. They aren't really dangerous to you, but if they doing something other then basic web and email surfing, they could eat up your bandwidth. The second type of 'attacker' is the one you might consider a Hacker (or Cracker to be more accurate). They are out to sniff your traffic for passwords, account information, financial gain or just to cause damage. These individuals may connect to your network and then attack any computer on the network or they could just sniff any unencrypted traffic between any wireless PCs/Laptops and the router.
With this said you want to control both types of attackers and here is how to do it:
SSID: Hiding your SSID is an easy security thing to get around but worth using against the average wireless surfer. Hidden SSID's can be sniffed by watching for people authenticating against he access point. The SSID is still transmitted in the clear.
Remember, anything you transmit over the air can be 'sniffed'. Anything you send clear text (without some type of encryption) can be read a second after you send it. The SSID is transmitted in clear Text.
Channel: This is not security related at all but you should realize that you can change the channel your wireless network operates on just in case you experiance a lot of dropped packets. Wireless networks don't like to be on the same channel, and on top of that, microwaves and wireless phones also use some of the same frequencies. Most access points come configured for Ch 6 or 11. If you experiance problems, you may want to change it.
Authentication: This is the big one. Most new Access Points support WEP, WPA, WPA2. If you select WEP, you have the option of doing shared or open authentication. WEP is the original authentication/encryption method that came with 802.11b/g wireless networks. If you use the Shared authentication method with WEP, it means it uses the same password for authentication and for encrypting the traffic. This was shown to be very bad and so the industry came out with WPA fairly quickly. If you don't mind allowing people onto your network, useing 128bit WEP open authentication is fine and actually very secure. The problem is that this allows people to connect to your network and use your internet connection. I personally discourage WEP. Unless you have an old wireless router and/or an old Laptop running windows without the latest service pacs, you should use WPA-Personal. This allows you to set a password. The better your password is, the safer your network will be.
You may find some other authentication methods too such as WPA-Enterprise. These just allow the system to interface with RADIUS servers and MS Domains and are useless for you at home.
Filtering: MAC address filtering is ok, but it can quickly become a pain in the butt. Again, it is very easy to sniff out a MAC address of a computer that is already connected to the network. It is also very easy to fake your own MAC address in Windows, OSX and Linux. As a result, if you already hide the SSID and are using WPA, you may find that also using the MAC Address filtering may become a pain if you have visitors often enough. Anyway, its a good thing if you use it, just don't forget about it in 6 months when you have a family member visit and you are trying to put them on the network.
I can't think of any other settings that are security related on most wireless access points. I would determine what kind of information you are storing on your network, and base my decisions on that. If you set up WPA with a good, secure password/passphrase and also secure the access point with a good password, you shouldn't need to worry too much about anything else. Any hacker will take a look and move on because a block down, they stand a good chance of finding someone with an open Access Point.
Here is the quick and dirty:
When you are securing a wireless router, you are doing two different things. One is access control to your router/network/internet connection and the second is securing your own connection from Spies. This means there are two different types of people who would want access to your network. Type one is the people who just want to use your internet connection. They aren't really dangerous to you, but if they doing something other then basic web and email surfing, they could eat up your bandwidth. The second type of 'attacker' is the one you might consider a Hacker (or Cracker to be more accurate). They are out to sniff your traffic for passwords, account information, financial gain or just to cause damage. These individuals may connect to your network and then attack any computer on the network or they could just sniff any unencrypted traffic between any wireless PCs/Laptops and the router.
With this said you want to control both types of attackers and here is how to do it:
SSID: Hiding your SSID is an easy security thing to get around but worth using against the average wireless surfer. Hidden SSID's can be sniffed by watching for people authenticating against he access point. The SSID is still transmitted in the clear.
Remember, anything you transmit over the air can be 'sniffed'. Anything you send clear text (without some type of encryption) can be read a second after you send it. The SSID is transmitted in clear Text.
Channel: This is not security related at all but you should realize that you can change the channel your wireless network operates on just in case you experiance a lot of dropped packets. Wireless networks don't like to be on the same channel, and on top of that, microwaves and wireless phones also use some of the same frequencies. Most access points come configured for Ch 6 or 11. If you experiance problems, you may want to change it.
Authentication: This is the big one. Most new Access Points support WEP, WPA, WPA2. If you select WEP, you have the option of doing shared or open authentication. WEP is the original authentication/encryption method that came with 802.11b/g wireless networks. If you use the Shared authentication method with WEP, it means it uses the same password for authentication and for encrypting the traffic. This was shown to be very bad and so the industry came out with WPA fairly quickly. If you don't mind allowing people onto your network, useing 128bit WEP open authentication is fine and actually very secure. The problem is that this allows people to connect to your network and use your internet connection. I personally discourage WEP. Unless you have an old wireless router and/or an old Laptop running windows without the latest service pacs, you should use WPA-Personal. This allows you to set a password. The better your password is, the safer your network will be.
You may find some other authentication methods too such as WPA-Enterprise. These just allow the system to interface with RADIUS servers and MS Domains and are useless for you at home.
Filtering: MAC address filtering is ok, but it can quickly become a pain in the butt. Again, it is very easy to sniff out a MAC address of a computer that is already connected to the network. It is also very easy to fake your own MAC address in Windows, OSX and Linux. As a result, if you already hide the SSID and are using WPA, you may find that also using the MAC Address filtering may become a pain if you have visitors often enough. Anyway, its a good thing if you use it, just don't forget about it in 6 months when you have a family member visit and you are trying to put them on the network.
I can't think of any other settings that are security related on most wireless access points. I would determine what kind of information you are storing on your network, and base my decisions on that. If you set up WPA with a good, secure password/passphrase and also secure the access point with a good password, you shouldn't need to worry too much about anything else. Any hacker will take a look and move on because a block down, they stand a good chance of finding someone with an open Access Point.