Hi John,
Glad to see that you got encryption working, but I thought I would add a
couple of words to help clarify how encryption and MAC address filtering
relate to wireless security.
In answer to question #2 below concerning 'Local Tapping', it might be
useful to try to think of it as if your computer and router are
communicating through walkie-talkies (which use radio waves like wireless).
If you aren't using encryption, someone else who has a walkie talkie can
listen in on the conversation. Setting up the MAC address filtering might
keep them from joining your network, but they would still be able to
eavesdrop. Furthermore, it is also theoretically possible for someone to
listen in on your computers, figure out what MAC addresses your computers
use, and pretend to use one of those MAC addresses (MAC address spoofing).
Using 128 bit WEP does a lot to help improve your network's security. I
should also point out that there *are* known security vulnerabilities with
WEP. It is also possible for someone to figure out the WEP key you are
using by listening to enough encrypted traffic to crack the key. I believe
they need to collect about 5-10 million packets. Gathering all these
packets will probably take quite a bit of time, but it is *theoretically*
possible. Chances are, WEP will probably be secure enough for your needs.
WEP encryption will make it a lot more difficult for someone malicious to
break into your network.
For anyone interested in more info about theoretical vulnerabilities in
802.11 security, Bernard Aboba has a good collection of links on this web
page: http://www.drizzle.com/~aboba/IEEE/
Thanks
Chris Gual [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"John TCI" <JohnTCI@discussions.microsoft.com> wrote in message
news:9FEF162F-4AC8-4F55-9C96-117CA530DA3D@microsoft.com...
> Jack & Chris,
>
> Many thanks to you both. Think I understand.
> Great articles and relatively easy to understand, even for me. Thanks
> again.
> I was preparing a follow up to Jack when the response from Chris came in.
> He
> must be psychic as he has already answered the first question in section
> 2.
>
> May I crave your indulgences a little further? Grateful if you could
> clarify/amplify a few points taken in order from your most excellent
> replies:-
>
> (1) Firewalls etc: As mentioned previously, each of my 5 computers has
> Norton Internet Security. Windows Firewall is also enabled. Just read the
> manual on the DSL Modem (Actiontec GT704-WG... our ISP uses PPPoA not
> PPPoE).
> Understood very little, because of the jargon/abbreviations, but have now
> realized that it is also a gateway with the following default settings:
> DMZ
> Hosting, UPnP & Remote Management are "off". NAT is on. Firewall Security
> was
> set to basic. There are 3 other security levels and I have now set it to
> "Medium" (which allows all services "out" and leaves open ports 25,110,
> 7070,
> 1503, 163, 443, 983 & 885 in the "in" column.). I have deliberately not
> touched the Port Forwarding section...yet (Presume I may have to if I get
> "access out" problems - have already lost "Remote Desktop" ability).
>
> Took the recommendation from one of the articles to install NetBEUI and
> unchecked TCP/IP in file & printer sharing. Also had IPX/SPX, which had to
> be
> unchecked before the computers lost their ability to connect to one
> another. Now they all have NetBEUI and everything fine - except "Remote
> Desktop". I assume that they are only now connecting with NetBEUI).
>
> Questions: (a) Do you now consider this arrangement sufficient for "normal
> home" use? If not, can you specifically (or generally) recommend any other
> programs/add-ons etc.?
> (b) Have just had a quick look in the Remote Desktop
> discussions...phew!!!!!
> What is the best way to restore "Remote Desktop"? (enable Remote
> Management
> in the modem/gateway, open specific port(s) which? or do I have to do
> both?)
>
> (2) Local Tapping: Each computer on the network is connected via the
> router
> (not directly to the DSL modem) and identified by its unique MAC address.
> The
> router is set to "deny access to all others". How can my neighbours or
> passers by connect locally to the router and hence to my network?
> This was my original concern. QUOTE: Wireless Network Connection box tells
> me that the network is "Unsecured" and "configured for open access".
> This, I
> guess, is because it is not encrypted. UNQUOTE.
>
> Questions: (a) Would you recommend encryption on top? Can you recommend a
> similar article to the others for "trouble free encryption for dummies"
> (The
> modem/gateway has options for WEP (up to 256bits), WEP+802.1x and WPA but
> the
> wireless adaptors/cards only for WEP 64/128? So am limited to WEP 128).
> Presume it would be best to use the wizard in XP SP2 and transfer the
> settings to the other computers with a flash drive and to the
> modem/gateway
> manually (as its USB connector is the "wrong end" to accept the flash
> drive).
>
>
> (3) Internet Infestation: I have Spybot and Norton Antivirus (within
> Norton
> Internet Security Pro) on each computer.
>
> Question: Considering that I would also like to avoid overkill, which of
> the
> other programs would you recommend, out of those in the article (StartUp,
> Process Explorer, Ad-Aware, a2-free) to best complement/supplement what I
> already have?
>
> Many thanks in advance, your advice is much appreciated.
>
>
>
> "Chris Gual [MSFT]" wrote:
>
>> Hi John,
>>
>> Jack answered a bunch of your questions in his followup post, but I
>> wanted to make a couple of points in addition.
>>
>> Entering the MAC addresses of your wireless cards into the router
>> makes
>> use of a feature called 'MAC address filtering'. Ideally this should
>> only
>> let the computers you own become active participants in your wireless
>> network. However, MAC address filtering is not a secure solution for a
>> wireless network. It can be defeated very easily, because:
>> 1) the data you are sending between your computers and router is
>> still
>> unencrypted and anyone close enough can listen to it (it's just radio
>> waves)
>> 2) it's fairly easy to spoof MAC addresses (here's a link to a
>> product
>> that does this: http://www.klcconsulting.net/smac/ )
>>
>> If you want to improve the security of your wireless network, you
>> have
>> to configure your computers and router for encryption.
>>
>>
>>
>> http://www.microsoft.com/hardware/broadbandnetworking/10_concept_wireless_security.mspx
>>
>> Thanks,
>> Chris Gual [MSFT]
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "John TCI" <JohnTCI@discussions.microsoft.com> wrote in message
>> news:8415DF7C-6528-46DF-8EEF-9CA86DA801DA@microsoft.com...
>> >I am completely new to this issue and basically "computer illiterate",
>> >so
>> > please forgive my naivety. However, I am able to follow step-by-step
>> > instructions in user guides etc., as long as they do not use too much
>> > jargon.
>> >
>> > Have followed multifarious threads in these User Groups, over the past
>> > few
>> > days, trying to understand security and encryption etc of wireless
>> > networks
>> > (before I went ahead and tried anything myself). Unfortunately, I
>> > became
>> > totally confused and disillusioned.
>> >
>> > All my home PCs, laptops and peripherals (network router & wireless
>> > adaptors) are Dell and have XP with SP2. Initial setup was relatively
>> > simple
>> > and the network has been working great for over 18 months. However, I
>> > had
>> > not
>> > had the time (nor the courage, nor the inclination) to tackle
>> > encryption/security. Especially as we have no near neighbours.
>> > Therefore,
>> > I
>> > have simply relied on Norton Internet Security Pro 2002, Windows
>> > Firewall
>> > &
>> > Spybot.
>> >
>> > From the threads, and bearing in mind the numerous problems of hardware
>> > &
>> > software configuration & incompatibility and the SP2 issue etc., which
>> > so
>> > many people are experiencing, I had decided, over the weekend, that
>> > security
>> > was not a priority (at least for me). It was more important to keep a
>> > network
>> > that just worked.
>> >
>> > However, it occurred to me that inputting the MAC addresses of the
>> > network
>> > adaptors into the router (and nothing else) could possibly be much
>> > easier(?)
>> > than & just as secure(?) as encryption (and without signal strength
>> > loss(?)
>> > nor transmission speed loss(?)).
>> >
>> > This I have now done. In total it took less than 10 minutes, including
>> > the
>> > time to read the 5 MAC addresses on the adaptors/ cards, input them
>> > onto
>> > the
>> > router and reboot (took longer to find the router's original
>> > installation
>> > CD,
>> > which contained the User Guide).
>> >
>> > Now only the designated PC's can connect to my network. However, the
>> > Windows
>> > XP "Wireless Network Connection" box tells me that the network is
>> > "Unsecured"
>> > and "configured for open access". This I guess is because it is not
>> > encrypted.
>> >
>> > I am obviously deluding myself as I have not found absolutely any
>> > reference
>> > to it at all in any of the threads anywhere. So what basic facts am I
>> > missing? What are the dangers/weaknesses of this solution?
>> >
>>
>>
>>
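The point made in the replies above, that MAC address filtering does not stop anyone from listening, as an added example that is not part of the original thread: it parses a constructed 802.11 data frame and shows that the adapter addresses sit in a header that is readable whether or not the WEP bit is set, while only the payload is hidden. The frame bytes, the addresses and the function names (`parse_data_frame`, `mac_filter_allows`) are made up for illustration, and only plain three-address data frames are handled.

```python
import struct

# Constructed sample: client-to-router data frame with the Protected (WEP) bit set.
SAMPLE_FRAME = bytes.fromhex(
    "0841"              # frame control: data frame, ToDS=1, Protected=1
    "2c00"              # duration
    "02aabbccdd01"      # address 1: router radio (receiver)
    "02aabbccdd10"      # address 2: client adapter (transmitter)
    "02aabbccdd01"      # address 3: final destination
    "1000"              # sequence control
    "a1b2c300"          # WEP IV (3 bytes) + key ID byte, sent unencrypted
    "5e1f9c0d7a3344e2"  # encrypted payload and integrity value (opaque bytes)
)

def mac(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)

def parse_data_frame(frame):
    """Return what a passive listener can read from one data frame."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 data frame header")
    fc = struct.unpack_from("<H", frame, 0)[0]   # frame control is little-endian
    if fc & 0x00FC != 0x0008:                    # type=data (2), subtype=0
        raise ValueError("not a plain data frame")
    protected = bool(fc & 0x4000)                # bit 14: payload is encrypted
    body = frame[24:]
    if protected and len(body) < 4:
        raise ValueError("protected frame without IV field")
    return {
        "receiver": mac(frame[4:10]),            # header fields are never encrypted
        "transmitter": mac(frame[10:16]),
        "protected": protected,
        "wep_iv": body[:3].hex() if protected else None,
        "cleartext_payload": None if protected else body,
    }

def mac_filter_allows(frame, allowlist):
    """Model of a router MAC filter: it only compares the transmitter field,
    which is sent in the clear and is not authenticated."""
    return parse_data_frame(frame)["transmitter"] in allowlist

if __name__ == "__main__":
    info = parse_data_frame(SAMPLE_FRAME)
    print("encrypted payload:", info["protected"])
    print("adapter address still visible:", info["transmitter"])
    print("filter accepts frame:", mac_filter_allows(SAMPLE_FRAME, {info["transmitter"]}))
```

Encryption hides the payload but not the addresses, which is why the filter is an access convenience rather than a confidentiality or authentication control.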