Sign in with
Sign up | Sign in
Your question

Wireless Network Security for Dummies, Please

Last response: in Wireless Networking
Share
Anonymous
a b 8 Security
October 27, 2004 4:25:06 PM

Archived from groups: (More info?)

I am completely new to this issue and basically “computer illiterate�, so
please forgive my naivety. However, I am able to follow step-by-step
instructions in user guides etc., as long as they do not use too much jargon.

Have followed multifarious threads in these User Groups, over the past few
days, trying to understand security and encryption etc of wireless networks
(before I went ahead and tried anything myself). Unfortunately, I became
totally confused and disillusioned.

All my home PCs, laptops and peripherals (network router & wireless
adaptors) are Dell and have XP with SP2. Initial setup was relatively simple
and the network has been working great for over 18 months. However, I had not
had the time (nor the courage, nor the inclination) to tackle
encryption/security. Especially as we have no near neighbours. Therefore, I
have simply relied on Norton Internet Security Pro 2002, Windows Firewall &
Spybot.

From the threads, and bearing in mind the numerous problems of hardware &
software configuration & incompatibility and the SP2 issue etc., which so
many people are experiencing, I had decided, over the weekend, that security
was not a priority (at least for me). It was more important to keep a network
that just worked.

However, it occurred to me that inputting the MAC addresses of the network
adaptors into the router (and nothing else) could possibly be much easier(?)
than & just as secure(?) as encryption (and without signal strength loss(?)
nor transmission speed loss(?)).

This I have now done. In total it took less than 10 minutes, including the
time to read the 5 MAC addresses on the adaptors/ cards, input them onto the
router and reboot (took longer to find the router’s original installation CD,
which contained the User Guide).

Now only the designated PC’s can connect to my network. However, the Windows
XP “Wireless Network Connection� box tells me that the network is “Unsecured�
and “configured for open access�. This I guess is because it is not
encrypted.

I am obviously deluding myself as I have not found absolutely any reference
to it at all in any of the threads anywhere. So what basic facts am I
missing? What are the dangers/weaknesses of this solution?
October 27, 2004 11:00:56 PM

Archived from groups: (More info?)

Hi

Bear in mind that though the same word Security is used to describe secure
Internet Connection and Secure Wireless, there is No real relation between
the two

Norton Internet Security is a Firewall; Wireless Security has Nothing to do
with Firewalls.

Wireless is just a replacement for a Wire and thus can be intercepted by
people in the neighborhood attaching then self to your LAN. That why there
is Wireless Security measures to avoid Local Tapping. These measure are
unique only the Wireless itself, and has to be used even if there is No
Internet Connection.

Link to: http://www.ezlan.net/Wireless_Security.html

The Firewall "Job" is to protect the Internet connection from being
invaded, and to prevent your LAN computers from transmitting out to the
Internet privileged information.

Each computer on your Network that has access to the Internet should have
its own Firewall regardless of whether you use Wire or Wireless.

Internet -Basic protection: http://www.ezlan.net/firewall.html

In addition you should have tools available if your computers get Infested.

Internet Infestation: http://www.ezlan.net/infestation.html

Jack (MVP-Networking).



"John TCI" <JohnTCI@discussions.microsoft.com> wrote in message
news:8415DF7C-6528-46DF-8EEF-9CA86DA801DA@microsoft.com...
> I am completely new to this issue and basically "computer illiterate", so
> please forgive my naivety. However, I am able to follow step-by-step
> instructions in user guides etc., as long as they do not use too much
jargon.
>
> Have followed multifarious threads in these User Groups, over the past few
> days, trying to understand security and encryption etc of wireless
networks
> (before I went ahead and tried anything myself). Unfortunately, I became
> totally confused and disillusioned.
>
> All my home PCs, laptops and peripherals (network router & wireless
> adaptors) are Dell and have XP with SP2. Initial setup was relatively
simple
> and the network has been working great for over 18 months. However, I had
not
> had the time (nor the courage, nor the inclination) to tackle
> encryption/security. Especially as we have no near neighbours. Therefore,
I
> have simply relied on Norton Internet Security Pro 2002, Windows Firewall
&
> Spybot.
>
> From the threads, and bearing in mind the numerous problems of hardware &
> software configuration & incompatibility and the SP2 issue etc., which so
> many people are experiencing, I had decided, over the weekend, that
security
> was not a priority (at least for me). It was more important to keep a
network
> that just worked.
>
> However, it occurred to me that inputting the MAC addresses of the network
> adaptors into the router (and nothing else) could possibly be much
easier(?)
> than & just as secure(?) as encryption (and without signal strength
loss(?)
> nor transmission speed loss(?)).
>
> This I have now done. In total it took less than 10 minutes, including the
> time to read the 5 MAC addresses on the adaptors/ cards, input them onto
the
> router and reboot (took longer to find the router's original installation
CD,
> which contained the User Guide).
>
> Now only the designated PC's can connect to my network. However, the
Windows
> XP "Wireless Network Connection" box tells me that the network is
"Unsecured"
> and "configured for open access". This I guess is because it is not
> encrypted.
>
> I am obviously deluding myself as I have not found absolutely any
reference
> to it at all in any of the threads anywhere. So what basic facts am I
> missing? What are the dangers/weaknesses of this solution?
>
Anonymous
a b 8 Security
October 28, 2004 3:07:43 PM

Archived from groups: (More info?)

Hi John,

Jack answered a bunch of your questions in his followup post, but I
wanted to make a couple of points in addition.

Entering the MAC addresses of your wireless cards into the router makes
use of a feature called 'MAC address filtering'. Ideally this should only
let the computers you own become active participants in your wireless
network. However, MAC address filtering is not a secure solution for a
wireless network. It can be defeated very easily, because:
1) the data you are sending between your computers and router is still
unencrypted and anyone close enough can listen to it (it's just radio waves)
2) it's fairly easy to spoof MAC addresses (here's a link to a product
that does this: http://www.klcconsulting.net/smac/ )

If you want to improve the security of your wireless network, you have
to configure your computers and router for encryption.

http://www.microsoft.com/hardware/broadbandnetworking/1...

Thanks,
Chris Gual [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"John TCI" <JohnTCI@discussions.microsoft.com> wrote in message
news:8415DF7C-6528-46DF-8EEF-9CA86DA801DA@microsoft.com...
>I am completely new to this issue and basically "computer illiterate", so
> please forgive my naivety. However, I am able to follow step-by-step
> instructions in user guides etc., as long as they do not use too much
> jargon.
>
> Have followed multifarious threads in these User Groups, over the past few
> days, trying to understand security and encryption etc of wireless
> networks
> (before I went ahead and tried anything myself). Unfortunately, I became
> totally confused and disillusioned.
>
> All my home PCs, laptops and peripherals (network router & wireless
> adaptors) are Dell and have XP with SP2. Initial setup was relatively
> simple
> and the network has been working great for over 18 months. However, I had
> not
> had the time (nor the courage, nor the inclination) to tackle
> encryption/security. Especially as we have no near neighbours. Therefore,
> I
> have simply relied on Norton Internet Security Pro 2002, Windows Firewall
> &
> Spybot.
>
> From the threads, and bearing in mind the numerous problems of hardware &
> software configuration & incompatibility and the SP2 issue etc., which so
> many people are experiencing, I had decided, over the weekend, that
> security
> was not a priority (at least for me). It was more important to keep a
> network
> that just worked.
>
> However, it occurred to me that inputting the MAC addresses of the network
> adaptors into the router (and nothing else) could possibly be much
> easier(?)
> than & just as secure(?) as encryption (and without signal strength
> loss(?)
> nor transmission speed loss(?)).
>
> This I have now done. In total it took less than 10 minutes, including the
> time to read the 5 MAC addresses on the adaptors/ cards, input them onto
> the
> router and reboot (took longer to find the router's original installation
> CD,
> which contained the User Guide).
>
> Now only the designated PC's can connect to my network. However, the
> Windows
> XP "Wireless Network Connection" box tells me that the network is
> "Unsecured"
> and "configured for open access". This I guess is because it is not
> encrypted.
>
> I am obviously deluding myself as I have not found absolutely any
> reference
> to it at all in any of the threads anywhere. So what basic facts am I
> missing? What are the dangers/weaknesses of this solution?
>
Related resources
Anonymous
a b 8 Security
October 28, 2004 4:09:02 PM

Archived from groups: (More info?)

"Chris Gual [MSFT]" wrote:
> 2) it's fairly easy to spoof MAC addresses (here's a link to a product
> that does this: http://www.klcconsulting.net/smac/ )

I doubt that SMAC really does what it claims.
From the description on their site, it seems to detect that adapter
supports overriding MAC address, but does not expose this to user -
then it simply employs this feature.

However, this trick will fail if the netcard driver or firmware don't allow
overriding MAC address. The wireless router will see the original MAC address,
no matter what address Windows sees.
In this case only modification of the driver and/or firmware can help,
and it is possible.

Regards,
--PA
Anonymous
a b 8 Security
October 28, 2004 4:15:02 PM

Archived from groups: (More info?)

Jack & Chris,

Many thanks to you both. Think I understand.
Great articles and relatively easy to understand, even for me. Thanks again.
I was preparing a follow up to Jack when the response from Chris came in. He
must be psychic as he has already answered the first question in section 2.

May I crave your indulgences a little further? Grateful if you could
clarify/amplify a few points taken in order from your most excellent
replies:-

(1) Firewalls etc: As mentioned previously, each of my 5 computers has
Norton Internet Security. Windows Firewall is also enabled. Just read the
manual on the DSL Modem (Actiontec GT704-WG……. our ISP uses PPPoA not PPPoE).
Understood very little, because of the jargon/abbreviations, but have now
realized that it is also a gateway with the following default settings: DMZ
Hosting, UPnP & Remote Management are “off�. NAT is on. Firewall Security was
set to basic. There are 3 other security levels and I have now set it to
“Medium� (which allows all services “out� and leaves open ports 25,110, 7070,
1503, 163, 443, 983 & 885 in the “in� column.). I have deliberately not
touched the Port Forwarding section…..yet (Presume I may have to if I get
“access out� problems - have already lost “Remote Desktop� ability).

Took the recommendation from one of the articles to install NetBEUI and
unchecked TCP/IP in file & printer sharing. Also had IPX/SPX, which had to be
unchecked before the computers lost their ability to connect to one
another…now they all have NetBEUI and everything fine- except “Remote
Desktop�. I assume that they are only now connecting with NetBEUI).

Questions: (a) Do you now consider this arrangement sufficient for “normal
home� use? If not, can you specifically (or generally) recommend any other
programs/add-ons etc.?
(b) Have just had a quick look in the Remote Desktop discussions…….phew!!!!!
What is the best way to restore “Remote Desktop�? (enable Remote Management
in the modem/gateway, open specific port(s) which? or do I have to do both?)

(2) Local Tapping: Each computer on the network is connected via the router
(not directly to the DSL modem) and identified by its unique MAC address. The
router is set to “deny access to all others�. How can my neighbours or
passers by connect locally to the router and hence to my network?
This was my original concern. QUOTE: Wireless Network Connection box tells
me that the network is "Unsecured" and "configured for open access". This, I
guess, is because it is not encrypted. UNQUOTE.

Questions: (a) Would you recommend encryption on top? Can you recommend a
similar article to the others for “trouble free encryption for dummies� (The
modem/gateway has options for WEP (up to 256bits), WEP+802.1x and WPA but the
wireless adaptors/cards only for WEP 64/128? So am limited to WEP 128).
Presume it would be best to use the wizard in XP SP2 and transfer the
settings to the other computers with a flash drive and to the modem/gateway
manually (as its USB connector is the “wrong end� to accept the flash drive).


(3) Internet Infestation: I have Spybot and Norton Antivirus (within Norton
Internet Security Pro) on each computer.

Question: Considering that I would also like to avoid overkill, which of the
other programs would you recommend, out of those in the article (StartUp,
Process Explorer, Ad-Aware, a2-free) to best complement/supplement what I
already have?

Many thanks in advance, your advice is much appreciated.



"Chris Gual [MSFT]" wrote:

> Hi John,
>
> Jack answered a bunch of your questions in his followup post, but I
> wanted to make a couple of points in addition.
>
> Entering the MAC addresses of your wireless cards into the router makes
> use of a feature called 'MAC address filtering'. Ideally this should only
> let the computers you own become active participants in your wireless
> network. However, MAC address filtering is not a secure solution for a
> wireless network. It can be defeated very easily, because:
> 1) the data you are sending between your computers and router is still
> unencrypted and anyone close enough can listen to it (it's just radio waves)
> 2) it's fairly easy to spoof MAC addresses (here's a link to a product
> that does this: http://www.klcconsulting.net/smac/ )
>
> If you want to improve the security of your wireless network, you have
> to configure your computers and router for encryption.
>
> http://www.microsoft.com/hardware/broadbandnetworking/1...
>
> Thanks,
> Chris Gual [MSFT]
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "John TCI" <JohnTCI@discussions.microsoft.com> wrote in message
> news:8415DF7C-6528-46DF-8EEF-9CA86DA801DA@microsoft.com...
> >I am completely new to this issue and basically "computer illiterate", so
> > please forgive my naivety. However, I am able to follow step-by-step
> > instructions in user guides etc., as long as they do not use too much
> > jargon.
> >
> > Have followed multifarious threads in these User Groups, over the past few
> > days, trying to understand security and encryption etc of wireless
> > networks
> > (before I went ahead and tried anything myself). Unfortunately, I became
> > totally confused and disillusioned.
> >
> > All my home PCs, laptops and peripherals (network router & wireless
> > adaptors) are Dell and have XP with SP2. Initial setup was relatively
> > simple
> > and the network has been working great for over 18 months. However, I had
> > not
> > had the time (nor the courage, nor the inclination) to tackle
> > encryption/security. Especially as we have no near neighbours. Therefore,
> > I
> > have simply relied on Norton Internet Security Pro 2002, Windows Firewall
> > &
> > Spybot.
> >
> > From the threads, and bearing in mind the numerous problems of hardware &
> > software configuration & incompatibility and the SP2 issue etc., which so
> > many people are experiencing, I had decided, over the weekend, that
> > security
> > was not a priority (at least for me). It was more important to keep a
> > network
> > that just worked.
> >
> > However, it occurred to me that inputting the MAC addresses of the network
> > adaptors into the router (and nothing else) could possibly be much
> > easier(?)
> > than & just as secure(?) as encryption (and without signal strength
> > loss(?)
> > nor transmission speed loss(?)).
> >
> > This I have now done. In total it took less than 10 minutes, including the
> > time to read the 5 MAC addresses on the adaptors/ cards, input them onto
> > the
> > router and reboot (took longer to find the router's original installation
> > CD,
> > which contained the User Guide).
> >
> > Now only the designated PC's can connect to my network. However, the
> > Windows
> > XP "Wireless Network Connection" box tells me that the network is
> > "Unsecured"
> > and "configured for open access". This I guess is because it is not
> > encrypted.
> >
> > I am obviously deluding myself as I have not found absolutely any
> > reference
> > to it at all in any of the threads anywhere. So what basic facts am I
> > missing? What are the dangers/weaknesses of this solution?
> >
>
>
>
Anonymous
a b 8 Security
October 29, 2004 12:27:49 AM

Archived from groups: (More info?)

only one thing i would change.disable all windows firewalls, as they only
protects against incoming stuff & install ZA free on ALL machines.
this protects bothways so will stop said 'phone-home' virus stuff or mailer
worms.

mike

"John TCI" <JohnTCI@discussions.microsoft.com> wrote in message
news:9FEF162F-4AC8-4F55-9C96-117CA530DA3D@microsoft.com...
> Jack & Chris,
>
> Many thanks to you both. Think I understand.
> Great articles and relatively easy to understand, even for me. Thanks
again.
> I was preparing a follow up to Jack when the response from Chris came in.
He
> must be psychic as he has already answered the first question in section
2.
>
> May I crave your indulgences a little further? Grateful if you could
> clarify/amplify a few points taken in order from your most excellent
> replies:-
>
> (1) Firewalls etc: As mentioned previously, each of my 5 computers has
> Norton Internet Security. Windows Firewall is also enabled. Just read the
> manual on the DSL Modem (Actiontec GT704-WG... our ISP uses PPPoA not
PPPoE).
> Understood very little, because of the jargon/abbreviations, but have now
> realized that it is also a gateway with the following default settings:
DMZ
> Hosting, UPnP & Remote Management are "off". NAT is on. Firewall Security
was
> set to basic. There are 3 other security levels and I have now set it to
> "Medium" (which allows all services "out" and leaves open ports 25,110,
7070,
> 1503, 163, 443, 983 & 885 in the "in" column.). I have deliberately not
> touched the Port Forwarding section...yet (Presume I may have to if I get
> "access out" problems - have already lost "Remote Desktop" ability).
>
> Took the recommendation from one of the articles to install NetBEUI and
> unchecked TCP/IP in file & printer sharing. Also had IPX/SPX, which had to
be
> unchecked before the computers lost their ability to connect to one
> another.now they all have NetBEUI and everything fine- except "Remote
> Desktop". I assume that they are only now connecting with NetBEUI).
>
> Questions: (a) Do you now consider this arrangement sufficient for "normal
> home" use? If not, can you specifically (or generally) recommend any other
> programs/add-ons etc.?
> (b) Have just had a quick look in the Remote Desktop
discussions...phew!!!!!
> What is the best way to restore "Remote Desktop"? (enable Remote
Management
> in the modem/gateway, open specific port(s) which? or do I have to do
both?)
>
> (2) Local Tapping: Each computer on the network is connected via the
router
> (not directly to the DSL modem) and identified by its unique MAC address.
The
> router is set to "deny access to all others". How can my neighbours or
> passers by connect locally to the router and hence to my network?
> This was my original concern. QUOTE: Wireless Network Connection box tells
> me that the network is "Unsecured" and "configured for open access".
This, I
> guess, is because it is not encrypted. UNQUOTE.
>
> Questions: (a) Would you recommend encryption on top? Can you recommend a
> similar article to the others for "trouble free encryption for dummies"
(The
> modem/gateway has options for WEP (up to 256bits), WEP+802.1x and WPA but
the
> wireless adaptors/cards only for WEP 64/128? So am limited to WEP 128).
> Presume it would be best to use the wizard in XP SP2 and transfer the
> settings to the other computers with a flash drive and to the
modem/gateway
> manually (as its USB connector is the "wrong end" to accept the flash
drive).
>
>
> (3) Internet Infestation: I have Spybot and Norton Antivirus (within
Norton
> Internet Security Pro) on each computer.
>
> Question: Considering that I would also like to avoid overkill, which of
the
> other programs would you recommend, out of those in the article (StartUp,
> Process Explorer, Ad-Aware, a2-free) to best complement/supplement what I
> already have?
>
> Many thanks in advance, your advice is much appreciated.
>
>
>
> "Chris Gual [MSFT]" wrote:
>
> > Hi John,
> >
> > Jack answered a bunch of your questions in his followup post, but I
> > wanted to make a couple of points in addition.
> >
> > Entering the MAC addresses of your wireless cards into the router
makes
> > use of a feature called 'MAC address filtering'. Ideally this should
only
> > let the computers you own become active participants in your wireless
> > network. However, MAC address filtering is not a secure solution for a
> > wireless network. It can be defeated very easily, because:
> > 1) the data you are sending between your computers and router is
still
> > unencrypted and anyone close enough can listen to it (it's just radio
waves)
> > 2) it's fairly easy to spoof MAC addresses (here's a link to a
product
> > that does this: http://www.klcconsulting.net/smac/ )
> >
> > If you want to improve the security of your wireless network, you
have
> > to configure your computers and router for encryption.
> >
> >
http://www.microsoft.com/hardware/broadbandnetworking/1...
> >
> > Thanks,
> > Chris Gual [MSFT]
> > --
> > This posting is provided "AS IS" with no warranties, and confers no
rights.
> >
> > "John TCI" <JohnTCI@discussions.microsoft.com> wrote in message
> > news:8415DF7C-6528-46DF-8EEF-9CA86DA801DA@microsoft.com...
> > >I am completely new to this issue and basically "computer illiterate",
so
> > > please forgive my naivety. However, I am able to follow step-by-step
> > > instructions in user guides etc., as long as they do not use too much
> > > jargon.
> > >
> > > Have followed multifarious threads in these User Groups, over the past
few
> > > days, trying to understand security and encryption etc of wireless
> > > networks
> > > (before I went ahead and tried anything myself). Unfortunately, I
became
> > > totally confused and disillusioned.
> > >
> > > All my home PCs, laptops and peripherals (network router & wireless
> > > adaptors) are Dell and have XP with SP2. Initial setup was relatively
> > > simple
> > > and the network has been working great for over 18 months. However, I
had
> > > not
> > > had the time (nor the courage, nor the inclination) to tackle
> > > encryption/security. Especially as we have no near neighbours.
Therefore,
> > > I
> > > have simply relied on Norton Internet Security Pro 2002, Windows
Firewall
> > > &
> > > Spybot.
> > >
> > > From the threads, and bearing in mind the numerous problems of
hardware &
> > > software configuration & incompatibility and the SP2 issue etc., which
so
> > > many people are experiencing, I had decided, over the weekend, that
> > > security
> > > was not a priority (at least for me). It was more important to keep a
> > > network
> > > that just worked.
> > >
> > > However, it occurred to me that inputting the MAC addresses of the
network
> > > adaptors into the router (and nothing else) could possibly be much
> > > easier(?)
> > > than & just as secure(?) as encryption (and without signal strength
> > > loss(?)
> > > nor transmission speed loss(?)).
> > >
> > > This I have now done. In total it took less than 10 minutes, including
the
> > > time to read the 5 MAC addresses on the adaptors/ cards, input them
onto
> > > the
> > > router and reboot (took longer to find the router's original
installation
> > > CD,
> > > which contained the User Guide).
> > >
> > > Now only the designated PC's can connect to my network. However, the
> > > Windows
> > > XP "Wireless Network Connection" box tells me that the network is
> > > "Unsecured"
> > > and "configured for open access". This I guess is because it is not
> > > encrypted.
> > >
> > > I am obviously deluding myself as I have not found absolutely any
> > > reference
> > > to it at all in any of the threads anywhere. So what basic facts am I
> > > missing? What are the dangers/weaknesses of this solution?
> > >
> >
> >
> >


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.784 / Virus Database: 530 - Release Date: 27/10/2004
Anonymous
a b 8 Security
October 29, 2004 3:18:03 AM

Archived from groups: (More info?)

Gentlemen,
Quick update on Encryption (section 2 below): Your replies had confirmed the
necessity to encrypt. So I ignored all the possible things that have gone
wrong within the other threads and took the plunge with WEP128. Couldn't have
been easier. All 5 computers working fine. Many thanks.

Now only have to sort out "Remote Desktop" - section (1b) and whether to add
anything else to address the "Infestation" issue - section (3).

"John TCI" wrote:

> Jack & Chris,
>
> Many thanks to you both. Think I understand.
> Great articles and relatively easy to understand, even for me. Thanks again.
> I was preparing a follow up to Jack when the response from Chris came in. He
> must be psychic as he has already answered the first question in section 2.
>
> May I crave your indulgences a little further? Grateful if you could
> clarify/amplify a few points taken in order from your most excellent
> replies:-
>
> (1) Firewalls etc: As mentioned previously, each of my 5 computers has
> Norton Internet Security. Windows Firewall is also enabled. Just read the
> manual on the DSL Modem (Actiontec GT704-WG……. our ISP uses PPPoA not PPPoE).
> Understood very little, because of the jargon/abbreviations, but have now
> realized that it is also a gateway with the following default settings: DMZ
> Hosting, UPnP & Remote Management are “off�. NAT is on. Firewall Security was
> set to basic. There are 3 other security levels and I have now set it to
> “Medium� (which allows all services “out� and leaves open ports 25,110, 7070,
> 1503, 163, 443, 983 & 885 in the “in� column.). I have deliberately not
> touched the Port Forwarding section…..yet (Presume I may have to if I get
> “access out� problems - have already lost “Remote Desktop� ability).
>
> Took the recommendation from one of the articles to install NetBEUI and
> unchecked TCP/IP in file & printer sharing. Also had IPX/SPX, which had to be
> unchecked before the computers lost their ability to connect to one
> another…now they all have NetBEUI and everything fine- except “Remote
> Desktop�. I assume that they are only now connecting with NetBEUI).
>
> Questions: (a) Do you now consider this arrangement sufficient for “normal
> home� use? If not, can you specifically (or generally) recommend any other
> programs/add-ons etc.?
> (b) Have just had a quick look in the Remote Desktop discussions…….phew!!!!!
> What is the best way to restore “Remote Desktop�? (enable Remote Management
> in the modem/gateway, open specific port(s) which? or do I have to do both?)
>
> (2) Local Tapping: Each computer on the network is connected via the router
> (not directly to the DSL modem) and identified by its unique MAC address. The
> router is set to “deny access to all others�. How can my neighbours or
> passers by connect locally to the router and hence to my network?
> This was my original concern. QUOTE: Wireless Network Connection box tells
> me that the network is "Unsecured" and "configured for open access". This, I
> guess, is because it is not encrypted. UNQUOTE.
>
> Questions: (a) Would you recommend encryption on top? Can you recommend a
> similar article to the others for “trouble free encryption for dummies� (The
> modem/gateway has options for WEP (up to 256bits), WEP+802.1x and WPA but the
> wireless adaptors/cards only for WEP 64/128? So am limited to WEP 128).
> Presume it would be best to use the wizard in XP SP2 and transfer the
> settings to the other computers with a flash drive and to the modem/gateway
> manually (as its USB connector is the “wrong end� to accept the flash drive).
>
>
> (3) Internet Infestation: I have Spybot and Norton Antivirus (within Norton
> Internet Security Pro) on each computer.
>
> Question: Considering that I would also like to avoid overkill, which of the
> other programs would you recommend, out of those in the article (StartUp,
> Process Explorer, Ad-Aware, a2-free) to best complement/supplement what I
> already have?
>
> Many thanks in advance, your advice is much appreciated.
>
>
>
> "Chris Gual [MSFT]" wrote:
>
> > Hi John,
> >
> > Jack answered a bunch of your questions in his followup post, but I
> > wanted to make a couple of points in addition.
> >
> > Entering the MAC addresses of your wireless cards into the router makes
> > use of a feature called 'MAC address filtering'. Ideally this should only
> > let the computers you own become active participants in your wireless
> > network. However, MAC address filtering is not a secure solution for a
> > wireless network. It can be defeated very easily, because:
> > 1) the data you are sending between your computers and router is still
> > unencrypted and anyone close enough can listen to it (it's just radio waves)
> > 2) it's fairly easy to spoof MAC addresses (here's a link to a product
> > that does this: http://www.klcconsulting.net/smac/ )
> >
> > If you want to improve the security of your wireless network, you have
> > to configure your computers and router for encryption.
> >
> > http://www.microsoft.com/hardware/broadbandnetworking/1...
> >
> > Thanks,
> > Chris Gual [MSFT]
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > "John TCI" <JohnTCI@discussions.microsoft.com> wrote in message
> > news:8415DF7C-6528-46DF-8EEF-9CA86DA801DA@microsoft.com...
> > >I am completely new to this issue and basically "computer illiterate", so
> > > please forgive my naivety. However, I am able to follow step-by-step
> > > instructions in user guides etc., as long as they do not use too much
> > > jargon.
> > >
> > > Have followed multifarious threads in these User Groups, over the past few
> > > days, trying to understand security and encryption etc of wireless
> > > networks
> > > (before I went ahead and tried anything myself). Unfortunately, I became
> > > totally confused and disillusioned.
> > >
> > > All my home PCs, laptops and peripherals (network router & wireless
> > > adaptors) are Dell and have XP with SP2. Initial setup was relatively
> > > simple
> > > and the network has been working great for over 18 months. However, I had
> > > not
> > > had the time (nor the courage, nor the inclination) to tackle
> > > encryption/security. Especially as we have no near neighbours. Therefore,
> > > I
> > > have simply relied on Norton Internet Security Pro 2002, Windows Firewall
> > > &
> > > Spybot.
> > >
> > > From the threads, and bearing in mind the numerous problems of hardware &
> > > software configuration & incompatibility and the SP2 issue etc., which so
> > > many people are experiencing, I had decided, over the weekend, that
> > > security
> > > was not a priority (at least for me). It was more important to keep a
> > > network
> > > that just worked.
> > >
> > > However, it occurred to me that inputting the MAC addresses of the network
> > > adaptors into the router (and nothing else) could possibly be much
> > > easier(?)
> > > than & just as secure(?) as encryption (and without signal strength
> > > loss(?)
> > > nor transmission speed loss(?)).
> > >
> > > This I have now done. In total it took less than 10 minutes, including the
> > > time to read the 5 MAC addresses on the adaptors/ cards, input them onto
> > > the
> > > router and reboot (took longer to find the router's original installation
> > > CD,
> > > which contained the User Guide).
> > >
> > > Now only the designated PC's can connect to my network. However, the
> > > Windows
> > > XP "Wireless Network Connection" box tells me that the network is
> > > "Unsecured"
> > > and "configured for open access". This I guess is because it is not
> > > encrypted.
> > >
> > > I am obviously deluding myself as I have not found absolutely any
> > > reference
> > > to it at all in any of the threads anywhere. So what basic facts am I
> > > missing? What are the dangers/weaknesses of this solution?
> > >
> >
> >
> >
Anonymous
a b 8 Security
October 29, 2004 5:43:03 AM

Archived from groups: (More info?)

Hi John,

I'm really struggling to get 128 bit WEP to work, using a Netgear DG834G
with latest firmware. After setting up my wireless laptop, I get a
'connection' ie max signal strength etc, but no data transfer. There seems
to be an attempt to send, but nothing coming back. When trying to access any
internet sites etc, absolutely nothing... Any ideas folks ?

"John TCI" wrote:

> Gentlemen,
> Quick update on Encryption (section 2 below): Your replies had confirmed the
> necessity to encrypt. So I ignored all the possible things that have gone
> wrong within the other threads and took the plunge with WEP128. Couldn't have
> been easier. All 5 computers working fine. Many thanks.
>
> Now only have to sort out "Remote Desktop" - section (1b) and whether to add
> anything else to address the "Infestation" issue - section (3).
>
> "John TCI" wrote:
>
> > Jack & Chris,
> >
> > Many thanks to you both. Think I understand.
> > Great articles and relatively easy to understand, even for me. Thanks again.
> > I was preparing a follow up to Jack when the response from Chris came in. He
> > must be psychic as he has already answered the first question in section 2.
> >
> > May I crave your indulgences a little further? Grateful if you could
> > clarify/amplify a few points taken in order from your most excellent
> > replies:-
> >
> > (1) Firewalls etc: As mentioned previously, each of my 5 computers has
> > Norton Internet Security. Windows Firewall is also enabled. Just read the
> > manual on the DSL Modem (Actiontec GT704-WG……. our ISP uses PPPoA not PPPoE).
> > Understood very little, because of the jargon/abbreviations, but have now
> > realized that it is also a gateway with the following default settings: DMZ
> > Hosting, UPnP & Remote Management are “off�. NAT is on. Firewall Security was
> > set to basic. There are 3 other security levels and I have now set it to
> > “Medium� (which allows all services “out� and leaves open ports 25,110, 7070,
> > 1503, 163, 443, 983 & 885 in the “in� column.). I have deliberately not
> > touched the Port Forwarding section…..yet (Presume I may have to if I get
> > “access out� problems - have already lost “Remote Desktop� ability).
> >
> > Took the recommendation from one of the articles to install NetBEUI and
> > unchecked TCP/IP in file & printer sharing. Also had IPX/SPX, which had to be
> > unchecked before the computers lost their ability to connect to one
> > another…now they all have NetBEUI and everything fine- except “Remote
> > Desktop�. I assume that they are only now connecting with NetBEUI).
> >
> > Questions: (a) Do you now consider this arrangement sufficient for “normal
> > home� use? If not, can you specifically (or generally) recommend any other
> > programs/add-ons etc.?
> > (b) Have just had a quick look in the Remote Desktop discussions…….phew!!!!!
> > What is the best way to restore “Remote Desktop�? (enable Remote Management
> > in the modem/gateway, open specific port(s) which? or do I have to do both?)
> >
> > (2) Local Tapping: Each computer on the network is connected via the router
> > (not directly to the DSL modem) and identified by its unique MAC address. The
> > router is set to “deny access to all others�. How can my neighbours or
> > passers by connect locally to the router and hence to my network?
> > This was my original concern. QUOTE: Wireless Network Connection box tells
> > me that the network is "Unsecured" and "configured for open access". This, I
> > guess, is because it is not encrypted. UNQUOTE.
> >
> > Questions: (a) Would you recommend encryption on top? Can you recommend a
> > similar article to the others for “trouble free encryption for dummies� (The
> > modem/gateway has options for WEP (up to 256bits), WEP+802.1x and WPA but the
> > wireless adaptors/cards only for WEP 64/128? So am limited to WEP 128).
> > Presume it would be best to use the wizard in XP SP2 and transfer the
> > settings to the other computers with a flash drive and to the modem/gateway
> > manually (as its USB connector is the “wrong end� to accept the flash drive).
> >
> >
> > (3) Internet Infestation: I have Spybot and Norton Antivirus (within Norton
> > Internet Security Pro) on each computer.
> >
> > Question: Considering that I would also like to avoid overkill, which of the
> > other programs would you recommend, out of those in the article (StartUp,
> > Process Explorer, Ad-Aware, a2-free) to best complement/supplement what I
> > already have?
> >
> > Many thanks in advance, your advice is much appreciated.
> >
> >
> >
> > "Chris Gual [MSFT]" wrote:
> >
> > > Hi John,
> > >
> > > Jack answered a bunch of your questions in his followup post, but I
> > > wanted to make a couple of points in addition.
> > >
> > > Entering the MAC addresses of your wireless cards into the router makes
> > > use of a feature called 'MAC address filtering'. Ideally this should only
> > > let the computers you own become active participants in your wireless
> > > network. However, MAC address filtering is not a secure solution for a
> > > wireless network. It can be defeated very easily, because:
> > > 1) the data you are sending between your computers and router is still
> > > unencrypted and anyone close enough can listen to it (it's just radio waves)
> > > 2) it's fairly easy to spoof MAC addresses (here's a link to a product
> > > that does this: http://www.klcconsulting.net/smac/ )
> > >
> > > If you want to improve the security of your wireless network, you have
> > > to configure your computers and router for encryption.
> > >
> > > http://www.microsoft.com/hardware/broadbandnetworking/1...
> > >
> > > Thanks,
> > > Chris Gual [MSFT]
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > >
> > > "John TCI" <JohnTCI@discussions.microsoft.com> wrote in message
> > > news:8415DF7C-6528-46DF-8EEF-9CA86DA801DA@microsoft.com...
> > > >I am completely new to this issue and basically "computer illiterate", so
> > > > please forgive my naivety. However, I am able to follow step-by-step
> > > > instructions in user guides etc., as long as they do not use too much
> > > > jargon.
> > > >
> > > > Have followed multifarious threads in these User Groups, over the past few
> > > > days, trying to understand security and encryption etc of wireless
> > > > networks
> > > > (before I went ahead and tried anything myself). Unfortunately, I became
> > > > totally confused and disillusioned.
> > > >
> > > > All my home PCs, laptops and peripherals (network router & wireless
> > > > adaptors) are Dell and have XP with SP2. Initial setup was relatively
> > > > simple
> > > > and the network has been working great for over 18 months. However, I had
> > > > not
> > > > had the time (nor the courage, nor the inclination) to tackle
> > > > encryption/security. Especially as we have no near neighbours. Therefore,
> > > > I
> > > > have simply relied on Norton Internet Security Pro 2002, Windows Firewall
> > > > &
> > > > Spybot.
> > > >
> > > > From the threads, and bearing in mind the numerous problems of hardware &
> > > > software configuration & incompatibility and the SP2 issue etc., which so
> > > > many people are experiencing, I had decided, over the weekend, that
> > > > security
> > > > was not a priority (at least for me). It was more important to keep a
> > > > network
> > > > that just worked.
> > > >
> > > > However, it occurred to me that inputting the MAC addresses of the network
> > > > adaptors into the router (and nothing else) could possibly be much
> > > > easier(?)
> > > > than & just as secure(?) as encryption (and without signal strength
> > > > loss(?)
> > > > nor transmission speed loss(?)).
> > > >
> > > > This I have now done. In total it took less than 10 minutes, including the
> > > > time to read the 5 MAC addresses on the adaptors/ cards, input them onto
> > > > the
> > > > router and reboot (took longer to find the router's original installation
> > > > CD,
> > > > which contained the User Guide).
> > > >
> > > > Now only the designated PC's can connect to my network. However, the
> > > > Windows
> > > > XP "Wireless Network Connection" box tells me that the network is
> > > > "Unsecured"
> > > > and "configured for open access". This I guess is because it is not
> > > > encrypted.
> > > >
> > > > I am obviously deluding myself as I have not found absolutely any
> > > > reference
> > > > to it at all in any of the threads anywhere. So what basic facts am I
> > > > missing? What are the dangers/weaknesses of this solution?
> > > >
> > >
> > >
> > >
Anonymous
a b 8 Security
October 29, 2004 8:16:03 PM

Archived from groups: (More info?)

Hi John,

Glad to see that you got encryption working, but I thought I would add a
couple of words to help clarify how encryption and MAC address filtering
relate to wireless security.

In answer to question #2 below concerning 'Local Tapping', it might be
useful to try to think of it as if your computer and router are
communicating through walkie-talkies (which use radio waves like wireless).
If you aren't using encryption, someone else who has a walkie talkie can
listen in on the conversation. Setting up the MAC address filtering might
keep them from joining you network, but they would still be able to
evesdrop. Furthermore, it is also theoretically possible for someone to
listen in on your computers, figure out what MAC addresses your computers
use, and pretend to use one of those MAC addresses (MAC address spoofing).

Using 128 bit WEP does a lot to help improve your networks security. I
should also point out that there *are* known security vulnerabilities with
WEP. It is also possible for someone to figure out the WEP key you are
using by listening to enough encrypted traffic to crack the key. I believe
they need to collect about 5-10 million packets. Gathering all these
packets will probably take quite a bit of time, but it is *theoretically*
possible. Chances are, WEP will probably be secure enough for your needs.
WEP encryption will make it a lot more difficult for someone malicious to
break into your network.

For anyone interested in more info about theoretical vulnerabilities in
802.11 security, Bernard Aboba has a good collection of links on this web
page: http://www.drizzle.com/~aboba/IEEE/

Thanks
Chris Gual [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.


"John TCI" <JohnTCI@discussions.microsoft.com> wrote in message
news:9FEF162F-4AC8-4F55-9C96-117CA530DA3D@microsoft.com...
> Jack & Chris,
>
> Many thanks to you both. Think I understand.
> Great articles and relatively easy to understand, even for me. Thanks
> again.
> I was preparing a follow up to Jack when the response from Chris came in.
> He
> must be psychic as he has already answered the first question in section
> 2.
>
> May I crave your indulgences a little further? Grateful if you could
> clarify/amplify a few points taken in order from your most excellent
> replies:-
>
> (1) Firewalls etc: As mentioned previously, each of my 5 computers has
> Norton Internet Security. Windows Firewall is also enabled. Just read the
> manual on the DSL Modem (Actiontec GT704-WG... our ISP uses PPPoA not
> PPPoE).
> Understood very little, because of the jargon/abbreviations, but have now
> realized that it is also a gateway with the following default settings:
> DMZ
> Hosting, UPnP & Remote Management are "off". NAT is on. Firewall Security
> was
> set to basic. There are 3 other security levels and I have now set it to
> "Medium" (which allows all services "out" and leaves open ports 25,110,
> 7070,
> 1503, 163, 443, 983 & 885 in the "in" column.). I have deliberately not
> touched the Port Forwarding section...yet (Presume I may have to if I get
> "access out" problems - have already lost "Remote Desktop" ability).
>
> Took the recommendation from one of the articles to install NetBEUI and
> unchecked TCP/IP in file & printer sharing. Also had IPX/SPX, which had to
> be
> unchecked before the computers lost their ability to connect to one
> another.now they all have NetBEUI and everything fine- except "Remote
> Desktop". I assume that they are only now connecting with NetBEUI).
>
> Questions: (a) Do you now consider this arrangement sufficient for "normal
> home" use? If not, can you specifically (or generally) recommend any other
> programs/add-ons etc.?
> (b) Have just had a quick look in the Remote Desktop
> discussions...phew!!!!!
> What is the best way to restore "Remote Desktop"? (enable Remote
> Management
> in the modem/gateway, open specific port(s) which? or do I have to do
> both?)
>
> (2) Local Tapping: Each computer on the network is connected via the
> router
> (not directly to the DSL modem) and identified by its unique MAC address.
> The
> router is set to "deny access to all others". How can my neighbours or
> passers by connect locally to the router and hence to my network?
> This was my original concern. QUOTE: Wireless Network Connection box tells
> me that the network is "Unsecured" and "configured for open access".
> This, I
> guess, is because it is not encrypted. UNQUOTE.
>
> Questions: (a) Would you recommend encryption on top? Can you recommend a
> similar article to the others for "trouble free encryption for dummies"
> (The
> modem/gateway has options for WEP (up to 256bits), WEP+802.1x and WPA but
> the
> wireless adaptors/cards only for WEP 64/128? So am limited to WEP 128).
> Presume it would be best to use the wizard in XP SP2 and transfer the
> settings to the other computers with a flash drive and to the
> modem/gateway
> manually (as its USB connector is the "wrong end" to accept the flash
> drive).
>
>
> (3) Internet Infestation: I have Spybot and Norton Antivirus (within
> Norton
> Internet Security Pro) on each computer.
>
> Question: Considering that I would also like to avoid overkill, which of
> the
> other programs would you recommend, out of those in the article (StartUp,
> Process Explorer, Ad-Aware, a2-free) to best complement/supplement what I
> already have?
>
> Many thanks in advance, your advice is much appreciated.
>
>
>
> "Chris Gual [MSFT]" wrote:
>
>> Hi John,
>>
>> Jack answered a bunch of your questions in his followup post, but I
>> wanted to make a couple of points in addition.
>>
>> Entering the MAC addresses of your wireless cards into the router
>> makes
>> use of a feature called 'MAC address filtering'. Ideally this should
>> only
>> let the computers you own become active participants in your wireless
>> network. However, MAC address filtering is not a secure solution for a
>> wireless network. It can be defeated very easily, because:
>> 1) the data you are sending between your computers and router is
>> still
>> unencrypted and anyone close enough can listen to it (it's just radio
>> waves)
>> 2) it's fairly easy to spoof MAC addresses (here's a link to a
>> product
>> that does this: http://www.klcconsulting.net/smac/ )
>>
>> If you want to improve the security of your wireless network, you
>> have
>> to configure your computers and router for encryption.
>>
>>
>> http://www.microsoft.com/hardware/broadbandnetworking/1...
>>
>> Thanks,
>> Chris Gual [MSFT]
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "John TCI" <JohnTCI@discussions.microsoft.com> wrote in message
>> news:8415DF7C-6528-46DF-8EEF-9CA86DA801DA@microsoft.com...
>> >I am completely new to this issue and basically "computer illiterate",
>> >so
>> > please forgive my naivety. However, I am able to follow step-by-step
>> > instructions in user guides etc., as long as they do not use too much
>> > jargon.
>> >
>> > Have followed multifarious threads in these User Groups, over the past
>> > few
>> > days, trying to understand security and encryption etc of wireless
>> > networks
>> > (before I went ahead and tried anything myself). Unfortunately, I
>> > became
>> > totally confused and disillusioned.
>> >
>> > All my home PCs, laptops and peripherals (network router & wireless
>> > adaptors) are Dell and have XP with SP2. Initial setup was relatively
>> > simple
>> > and the network has been working great for over 18 months. However, I
>> > had
>> > not
>> > had the time (nor the courage, nor the inclination) to tackle
>> > encryption/security. Especially as we have no near neighbours.
>> > Therefore,
>> > I
>> > have simply relied on Norton Internet Security Pro 2002, Windows
>> > Firewall
>> > &
>> > Spybot.
>> >
>> > From the threads, and bearing in mind the numerous problems of hardware
>> > &
>> > software configuration & incompatibility and the SP2 issue etc., which
>> > so
>> > many people are experiencing, I had decided, over the weekend, that
>> > security
>> > was not a priority (at least for me). It was more important to keep a
>> > network
>> > that just worked.
>> >
>> > However, it occurred to me that inputting the MAC addresses of the
>> > network
>> > adaptors into the router (and nothing else) could possibly be much
>> > easier(?)
>> > than & just as secure(?) as encryption (and without signal strength
>> > loss(?)
>> > nor transmission speed loss(?)).
>> >
>> > This I have now done. In total it took less than 10 minutes, including
>> > the
>> > time to read the 5 MAC addresses on the adaptors/ cards, input them
>> > onto
>> > the
>> > router and reboot (took longer to find the router's original
>> > installation
>> > CD,
>> > which contained the User Guide).
>> >
>> > Now only the designated PC's can connect to my network. However, the
>> > Windows
>> > XP "Wireless Network Connection" box tells me that the network is
>> > "Unsecured"
>> > and "configured for open access". This I guess is because it is not
>> > encrypted.
>> >
>> > I am obviously deluding myself as I have not found absolutely any
>> > reference
>> > to it at all in any of the threads anywhere. So what basic facts am I
>> > missing? What are the dangers/weaknesses of this solution?
>> >
>>
>>
>>
Anonymous
a b 8 Security
October 29, 2004 8:27:13 PM

Archived from groups: (More info?)

Hi Pavel,

I don't know if SMAC actually works. I included the link as an
illustration that MAC address spoofing is an acutal vulnerability that does
exist.

If the person doing the MAC spoofing is using an open source OS they
will probably be able to modify the netcard driver.

Thanks,
Chris Gual [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
it should also be possible to modify their driver as well.



"Pavel A." <pavel_a@NOwritemeNO.com> wrote in message
news:7139CEDE-E498-4E8B-AF9D-29DD72AEC025@microsoft.com...
> "Chris Gual [MSFT]" wrote:
>> 2) it's fairly easy to spoof MAC addresses (here's a link to a
>> product
>> that does this: http://www.klcconsulting.net/smac/ )
>
> I doubt that SMAC really does what it claims.
> From the description on their site, it seems to detect that adapter
> supports overriding MAC address, but does not expose this to user -
> then it simply employs this feature.
>
> However, this trick will fail if the netcard driver or firmware don't
> allow
> overriding MAC address. The wireless router will see the original MAC
> address,
> no matter what address Windows sees.
> In this case only modification of the driver and/or firmware can help,
> and it is possible.
>
> Regards,
> --PA
>
Anonymous
a b 8 Security
November 1, 2004 12:57:48 PM

Archived from groups: (More info?)

On Fri, 29 Oct 2004 01:43:03 -0700, "MarkG 30" <MarkG
30@discussions.microsoft.com> wrote:

>I'm really struggling to get 128 bit WEP to work, using a Netgear DG834G
>with latest firmware. After setting up my wireless laptop, I get a
>'connection' ie max signal strength etc, but no data transfer. There seems
>to be an attempt to send, but nothing coming back. When trying to access any
>internet sites etc, absolutely nothing... Any ideas folks ?

This SHOULD be a piece of cake - but isn't always. Tell us how you're
implementing the encryption and what equipment you are using on the
client machine (i.e. Intel Centrino built in wireless or PCMCIA / USB
card and if so which manufacturer and model)

For example, typically on the DG834G the easiest way to enable 128bit
WEP is to type in a pass phrase, eg "fastfish", and the router
automatically generates the key for you. It will be a string of
apparently meaningless numbers and letters.

Now you have to connect your laptop to the encrypted network. Are you
using a Netgear card and if so, are you using the native GUI (i.e. the
wireless smart configuration utility which ships with the card) or are
you using the Windows configuration (WZC)? The reason this is
important is because the way you input the key will vary.

If you are using the Netgear GUI then you would select 128bit WEP and
generate the key automatically. However if you are using hardware
from a different vendor (e.g. US Robotics) and try to generate the key
automatically it will fail as the software is proprietry (resulting in
a different key being generated from the same passphrase). Similarly
if you are using WZC then no key at all will be generated if you
simply enter "fastfish" and authentication will still fail.

Basically, to get around this, you would need to copy down the key
generated by the router, character by character, and enter it exactly
into the WZC. If you are indeed using a different hardware vendor (as
in our e.g. of US Robotics) and you are using their native GUI then
you'd need to turn off the "generate key" option and again type it in
character by character. Do it any other way and the key will not
match, authentication will fail and, although Windows will report that
are connected, the IP will totally different from the ones issued by
your router and the connection will dead as a dornail.
!