"Marc Schwartz" <MSchwartz@mn.rr.com> wrote in message
news:fGw_e.75371$32.29810@tornado.rdc-kc.rr.com...
> Postmaster wrote:
>> <strutsng@gmail.com> wrote in message
>> news:1127882106.585473.170040@g44g2000cwa.googlegroups.com...
>>
>>>Jeffrey Goldberg wrote:
>>>
>>>>strutsng@gmail.com wrote:
>>>>
>>>>>In terms of wireless network security, is WEP encryption the
>>>>>most secure choice?
>>>>
>>>>There is a very serious flaw in WEP which allows it to be cracked fairly
>>>>easily. If you have a choice between WEP and WPA go with WPA.
>>>>
>>>
>>>I am using a Linksys wireless router, and it doesn't support WPA; it has
>>>WEP.
>>>Any ideas?
>>>
>>
>>
>> If you go out to the Linksys web site, you can download
>> a newer version of the firmware for the box. This will
>> add WPA.
>>
>> Other options:
>> 1. Use a VPN (openvpn, poptop)
>> 2. Use a Radius authentication server.
>> 3. Use a different router.
>> 4. Use this router as a front-end to another firewall,
>> so you'll have WiFi (public, and open, and also
>> have a secure private LAN).
>>
>> Enjoy
>> Postmaster
>
> There are also three other things to do here, which will provide some
> additional layers that someone would have to go through:
>
> 1. Properly configure a local firewall on your computers. The router
> will provide protection from someone coming in via the hardwired ISP WAN
> connection, but will not protect you from someone trying to do
> computer-to-computer access via wireless.
>
> 2. Disable the ESSID broadcast on the WAP. This disables the ability for
> someone to casually identify your WAP passively using common clients.
> Also change the ESSID from the default to something that is not
> associated with you or your location. The number of my neighbors who
> have WAPs in their homes was easy for me to determine, including their
> use of ESSID's that reflected their names or addresses or the defaults.
> I have spoken to each.
>
> 3. Use MAC address filtering on the WAP, which links the WAP connection
> to the physical ID's of the wireless NIC's on your computers. It is
> possible to spoof MAC addresses, but it is one more thing for someone to
> do to get into your network.
>
> The key to security is layers. Do not depend upon a single protection
> mechanism.
>
> HTH,
>
> Marc Schwartz

Gee guys, we forgot the big-ie...

Change the password on the router to something other
than "admin"

-----------------

and of course one might consider hiding in a toxic cloud ...

Get another router with WAP, but hook up that old
beast to a separate computer that is infested with
viruses. Set it to channel 6, NO encryption, ESSID = linksys,
Enable DHCP, Don't connect to the net, just to the
honeypot/infested system, (change the password on the router),
Export plenty of Windows shares with read-only permissions.
( Not drive C )
and every few minutes send a Winpopup type message
to your guests... "Come on in, the water is fine"

And just let the invaders choke in a toxic cloud

Then at the same time, on your new router..

1. Enable WAP (Use a 20+ character password)
2. Enable MAC filtering.
3. Change the router management password
4. Disable broadcast of ESSID.
5. Disable WAN ICMP (ping replies)
6. Use a Radius authentication server.
7. Use a VPN. ( IPSEC with certs )
8. Enable router logging.
9. Router's LAN side only goes to the internal firewall
and VPN gateway.

Now your comfortable fort is moderately secure and has a
nifty toxic cloud, for the "casual" invader's entertainment

Enjoy,
Postmaster