WiFi security settings

Guest


Hello...

I'm setting up a wireless network behind the firewall at
our corporate office. There's a DHCP server on the network,
so I need to be very careful with my security.

I was wondering if someone could improve on my setup.

Linksys WAP54G Access Point with...
-Non-standard AP Name
-Static IP - within our private IP space (10.x.x.x)
-Non-standard SSID
-Channel 6 (default)
-SSID not broadcast
-WPA Pre-Shared Key (9 chars - upper/lower letters, and
numbers)
-TKIP
-Group Key Renewal 300 seconds (default)
-Filtering MAC addresses - only permitting known MACs

And of course a non-standard password for the web based
config utilities. Adapter cards may be a mix of
Linksys/Netgear/and whatever laptops came with. Win98/2k/XP
clients.

I'm willing to spend more money if necessary (RADIUS
server?).

Any suggestions? Any improvements?

Thx,
D.
 

Chuck


On Fri, 02 Apr 2004 21:36:34 GMT, dsmcd <*email_address_deleted*> wrote:


D.,

Did you disable remote management on the router (do you need to use it?)? Is
the router management password non-trivial (complex / non-guessable)? If you
need to keep remote management, I would make the password very complex, and
regularly changed.

Have you enabled the router logs? Do you have procedures to examine them
regularly?

Do you have software firewalls on the computers?

Other than that, your setup looks pretty tight to me.

Please learn to munge your email address properly, to keep yourself a bit safer
when posting to open forums. Protect yourself and the rest of the internet -
never post your address unmunged.
http://www.mailmsg.com/SPAM_munging.htm

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Guest


Chuck <none@example.net> wrote:
>On Fri, 02 Apr 2004 21:36:34 GMT, dsmcd
><*email_address_deleted*> wrote:
>
>
>D.,
>
>Did you disable remote management on the router (do you
>need to use it?)?

No, and not sure.

>Is the router management password non-trivial (complex /
>non-guessable)? If you
>need to keep remote management, I would make the password
>very complex, and
>regularly changed.

Yes, and yes..
>
>Have you enabled the router logs? Do you have procedures
>to examine them
>regularly?

Yes, and yes.
>
>Do you have software firewalls on the computers?

No. We have the netscreen firewall at the wired network's
perimeter.
>
>Other than that, your setup looks pretty tight to me.

Good to hear.


>Please learn to munge your email address properly, to keep
>yourself a bit safer
>when posting to open forums.

Usually do. This time the defaults got gunged up.

Thx,
D.
 
Guest


If you can find out how many machines you have connected to the network
taking advantage of the DHCP server, count them and then enter that figure
as the DHCP pool size; this stops unwanted connections. If you find, after
doing that, that there is a problem with one or a couple of machines
connecting, just up that figure by one until all are OK.


HTH

Louis

"dsmcd" <dsmcd@qwest.net> wrote in message
news:C1lbc.60$a96.64263@news.uswest.net...
 
Guest

Non-standard SSID - good (re: cowpatty pre-computed tables)
SSID not broadcast - trivial, I can sniff this from your clients in the header in like 2 secs
WPA Pre-Shared Key - if it's not a dictionary word, or created from one, this is good
Filtering MAC addresses - again, trivial; using a *nix setup I can easily sniff+spoof any client MAC

Go RADIUS or AES instead of TKIP, and read the Linux wireless hacking forums to gauge security. If no one is cracking it with the latest release of BackTrack, you can sleep a little easier.

"A fool and his bandwidth are easily parted"
 
Guest

...I realize this is an old post from 2004, but for anyone looking at this in 2009+ you should know the only thing protecting this guy is the strength of his password.
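The two replies above rest on the same WPA-PSK fact: the Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, so tables precomputed for common SSIDs do not carry over to a non-standard one, and what remains is passphrase strength. The following added example (not written by anyone in this thread) reproduces that derivation with Python's hashlib and sizes the keyspace of a 9-character upper/lower/digit key like the poster's; the SSID, passphrase and guessing rate in it are constructed placeholders, not the poster's values.

```python
import hashlib
import math


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK Pairwise Master Key as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, SSID as the salt.
    The salt is why a precomputed PMK table is tied to one exact SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def tables_transfer(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if a PMK precomputed for ssid_a is also valid on ssid_b,
    which happens only when the two SSIDs are byte-for-byte identical."""
    return wpa_pmk(passphrase, ssid_a) == wpa_pmk(passphrase, ssid_b)


def passphrase_bits(passphrase: str) -> float:
    """Best-case entropy: the passphrase is assumed uniformly random over the
    character classes it actually uses. A dictionary-derived key is far weaker
    than this number suggests, so treat it as an upper bound."""
    alphabet = 0
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(not c.isalnum() for c in passphrase):
        alphabet += 33  # printable ASCII punctuation
    return len(passphrase) * math.log2(alphabet)


def years_to_exhaust(bits: float, pmk_per_second: float) -> float:
    """Worst-case time to try every passphrase of the given entropy at an
    assumed offline PBKDF2 rate; the expected time is half of this."""
    return (2 ** bits) / pmk_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample values; not the original poster's SSID or key.
    ssid, passphrase = "acme-ops-4f", "Ab3dE7gH9"   # 9 chars, as in the post
    print("PMK:", wpa_pmk(passphrase, ssid).hex())
    print("table built for default SSID 'linksys' still valid here?",
          tables_transfer(passphrase, ssid, "linksys"))
    bits = passphrase_bits(passphrase)
    print(f"best-case passphrase entropy: {bits:.1f} bits")
    # 1e6 PMK/s is an assumed guessing rate used only to scale the estimate.
    print(f"worst-case exhaustive search: {years_to_exhaust(bits, 1e6):.0f} years")
```

The first line of output can be checked against the IEEE 802.11i Annex H.4 test vector (passphrase "password", SSID "IEEE"), and the entropy figure drops sharply if the key is a word or pattern rather than a random string.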