«

I've been volunteered to set up a wireless network for DD and her
college roommates. I have no idea what kind of computers the other
girls have, and I won't find out in time (I'll be 1200 miles away by the
time half of them get back to campus) DD has a 2-year-old Mac, and I
have a Linux netbook and several PC's running WinXP and Win2K. I can
use those to test it here before I go install it. I don't know if they
are going to have DSL or Cable or what. That's not my problem. DD says
they'll rent a modem.

Here's what I've done, (plan to do, with a couple of the steps) do y'all
see any problems?

I bought a $50 Belkin 'N' wireless router. It also has 4 wired LAN
ports on the back. I assume everyone will have 'G' or maybe 'B'
wireless adapters, but if someone does have 'N' they'll be able to take
advantage of it. I set everything up manually instead of using the
configuration CD.

1) I gave it the SSID that they wanted, and I'm having it broadcast to
make it easier for them to set up their connections.

2) I set the encryption to WPA-2, and gave it a nasty, long, and totally
random key. Something just like (but different):
'o^;IpW4a[-HWD]]o'"aQ&rl9O.t.geg<TEec=4;IHhBm:]C@Lndw*Fu+bo5WH,
....and had DD email the key to everybody, also to store it on her
computer in a text file in case somebody loses it.

3) I've left the administrator password blank. Not sure if that's a
good idea. The other thing I could do is set a password and then write
it on a label attached to the router. I don't want to get calls at
3:00AM asking me what the password is.

4) I turned off remote configuration, so the settings can't be changed
over the WAN port. I'm going to see if I can turn off configuration via
wireless, so someone would have to use an Ethernet cable on a LAN port
to change anything. (physical security)

I know if I lock things down too tight, they'll just reset it back to
factory defaults and probably run with it unsecured. WEP vs. WPA was
the toughest choice, because I don't know how old the computers are that
will be connected and what OS's they will have.

Have I overlooked anything (or screwed up somewhere)?

Thanks,
Bob

On Thu, 06 Aug 2009 09:52:35 -0500, zxcvbob wrote:

> I've been volunteered to set up a wireless network for DD and her
> college roommates. I have no idea what kind of computers the other
> girls have, and I won't find out in time (I'll be 1200 miles away by the
> time half of them get back to campus) DD has a 2-year-old Mac, and I
> have a Linux netbook and several PC's running WinXP and Win2K. I can
> use those to test it here before I go install it. I don't know if they
> are going to have DSL or Cable or what. That's not my problem. DD says
> they'll rent a modem.
>
> Here's what I've done, (plan to do, with a couple of the steps) do y'all
> see any problems?
>
> I bought a $50 Belkin 'N' wireless router. It also has 4 wired LAN
> ports on the back. I assume everyone will have 'G' or maybe 'B'
> wireless adapters, but if someone does have 'N' they'll be able to take
> advantage of it. I set everything up manually instead of using the
> configuration CD.
>
> 1) I gave it the SSID that they wanted, and I'm having it broadcast to
> make it easier for them to set up their connections.

Good.

> 2) I set the encryption to WPA-2, and gave it a nasty, long, and totally
> random key. Something just like (but different):
> 'o^;IpW4a[-HWD]]o'"aQ&rl9O.t.geg<TEec=4;IHhBm:]C@Lndw*Fu+bo5WH,
> ...and had DD email the key to everybody, also to store it on her
> computer in a text file in case somebody loses it.

Good.

> 3) I've left the administrator password blank. Not sure if that's a
> good idea. The other thing I could do is set a password and then write
> it on a label attached to the router. I don't want to get calls at
> 3:00AM asking me what the password is.

Not good. You gave them a "nasty long" WPA2 key; what would be so hard about
a 10 character to 12 character admin password?

> 4) I turned off remote configuration, so the settings can't be changed
> over the WAN port. I'm going to see if I can turn off configuration via
> wireless, so someone would have to use an Ethernet cable on a LAN port
> to change anything. (physical security)

Good.

> I know if I lock things down too tight, they'll just reset it back to
> factory defaults and probably run with it unsecured. WEP vs. WPA was
> the toughest choice, because I don't know how old the computers are that
> will be connected and what OS's they will have.
>
> Have I overlooked anything (or screwed up somewhere)?

If any one of them has a device which is only capable of WEP, they likely
will loosen up the security. When it comes to computers, even when a user
has been hit with a hostile takeover of their computer, they usually still
prefer convenience over security.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

NormanM wrote:
> On Thu, 06 Aug 2009 09:52:35 -0500, zxcvbob wrote:
>
>> 3) I've left the administrator password blank. Not sure if that's a
>> good idea. The other thing I could do is set a password and then write
>> it on a label attached to the router. I don't want to get calls at
>> 3:00AM asking me what the password is.
>
> Not good. You gave them a "nasty long" WPA2 key; what would be so hard about
> a 10 character to 12 character admin password?


Yeah, I know; it's not hard at all. I was wondering if this one should
be a strong password or a weak one? (even a weak password is a lot
better than nothing) But remember, I'm planning to lock out all
administrative functions except thru the wired LAN ports -- I was
thinking that would take the place of an admin password. If they forget
the password, they *will* do a hardware reset -- they are kids, that's
what they do

Thanks again,
Bob

On Thu, 06 Aug 2009 10:38:59 -0500, zxcvbob <> wrote:

>NormanM wrote:
>> On Thu, 06 Aug 2009 09:52:35 -0500, zxcvbob wrote:
>>
>>> 3) I've left the administrator password blank. Not sure if that's a
>>> good idea. The other thing I could do is set a password and then write
>>> it on a label attached to the router. I don't want to get calls at
>>> 3:00AM asking me what the password is.
>>
>> Not good. You gave them a "nasty long" WPA2 key; what would be so hard about
>> a 10 character to 12 character admin password?
>
>
>Yeah, I know; it's not hard at all. I was wondering if this one should
>be a strong password or a weak one? (even a weak password is a lot
>better than nothing) But remember, I'm planning to lock out all
>administrative functions except thru the wired LAN ports -- I was
>thinking that would take the place of an admin password. If they forget
>the password, they *will* do a hardware reset -- they are kids, that's
>what they do
>
>Thanks again,
>Bob

Set the password. If you leave it blank, you're a wide-open target. Once
crackers have access to your router through either a blank or the default
password (there are lists of those online) it's going to be the router owner
that pays the price, not the cracker.

--
Why can't people set their clocks, reply to the correct poster, test in
a test group, write a coherent question, or keep a question to one thread?
Some people are so far from hitting the nail, it doesn't matter if they
have a hammer or a banana. --trout, 24hshd, c.2002

>>>> 3) I've left the administrator password blank. Not sure if that's a
>>>> good idea. The other thing I could do is set a password and then write
>>>> it on a label attached to the router. I don't want to get calls at
>>>> 3:00AM asking me what the password is.
>>>
>>> Not good. You gave them a "nasty long" WPA2 key; what would be so hard about
>>> a 10 character to 12 character admin password?

>>Yeah, I know; it's not hard at all. I was wondering if this one should
>>be a strong password or a weak one? (even a weak password is a lot
>>better than nothing) But remember, I'm planning to lock out all
>>administrative functions except thru the wired LAN ports -- I was
>>thinking that would take the place of an admin password. If they forget
>>the password, they *will* do a hardware reset -- they are kids, that's
>>what they do

>Set the password. If you leave it blank, you're a wide-open target. Once
>crackers have access to your router through either a blank or the default
>password (there are lists of those online) it's going to be the router owner
>that pays the price, not the cracker.

The WPA2 key will keep most crackers away from the router. The router
password will keep those who have physical access to the computers
from changing router settings unless authenticated.

"zxcvbob" <> wrote in message
news:...
> I've been volunteered to set up a wireless network for DD and her college
> roommates. I have no idea what kind of computers the other girls have,
> and I won't find out in time (I'll be 1200 miles away by the time half of
> them get back to campus) DD has a 2-year-old Mac, and I have a Linux
> netbook and several PC's running WinXP and Win2K. I can use those to test
> it here before I go install it. I don't know if they are going to have
> DSL or Cable or what. That's not my problem. DD says they'll rent a
> modem.
>
> Here's what I've done, (plan to do, with a couple of the steps) do y'all
> see any problems?
>
> I bought a $50 Belkin 'N' wireless router. It also has 4 wired LAN ports
> on the back. I assume everyone will have 'G' or maybe 'B' wireless
> adapters, but if someone does have 'N' they'll be able to take advantage
> of it. I set everything up manually instead of using the configuration
> CD.
>
> 1) I gave it the SSID that they wanted, and I'm having it broadcast to
> make it easier for them to set up their connections.
>
> 2) I set the encryption to WPA-2, and gave it a nasty, long, and totally
> random key. Something just like (but different):
> 'o^;IpW4a[-HWD]]o'"aQ&rl9O.t.geg<TEec=4;IHhBm:]C@Lndw*Fu+bo5WH,
> ...and had DD email the key to everybody, also to store it on her computer
> in a text file in case somebody loses it.
>
> 3) I've left the administrator password blank. Not sure if that's a good
> idea. The other thing I could do is set a password and then write it on a
> label attached to the router. I don't want to get calls at 3:00AM asking
> me what the password is.
>
> 4) I turned off remote configuration, so the settings can't be changed
> over the WAN port. I'm going to see if I can turn off configuration via
> wireless, so someone would have to use an Ethernet cable on a LAN port to
> change anything. (physical security)
>
> I know if I lock things down too tight, they'll just reset it back to
> factory defaults and probably run with it unsecured. WEP vs. WPA was the
> toughest choice, because I don't know how old the computers are that will
> be connected and what OS's they will have.
>
> Have I overlooked anything (or screwed up somewhere)?
>
> Thanks,
> Bob



Bob

Do set the admin password, I have personal knowledge of a hacked wireless
router when the owner initially left wifi security off.
Even after putting WPA on with a good long password the router continued to
provide upload services for the cracker until the router was fully reset.
To be doubly sure change the admin name from 'admin' to something else.

I've generally found WPA - PSK more accessable than WPA2.
I personally would be quite resolute about WEP 'not' being used.
WEP was cracked a long time ago and in your DD environment there is bound to
be a few cretins willing to show their 'prowess' by cracking your DD's WiFi.
Laptop's with WEP are be pretty old now and I would guess most, if not all
will have a Laptop less than a couple of years old.

BTW the most common problem I've found when a new Laptop is trying to
connect is the Firewall's in the likes of McAfee or Norton.

As for avoiding 3am calls try putting a sticker with the local IT shop on
the top.
The one thing that makes teenagers 'learn' is when it costs them $$$ to
ignore parental advice/standards.

Best
Paul.