Wireless Network Security for Dummies, Please

Discussion in 'Wireless Networking' started by Guest, Oct 27, 2004.

  1. Guest

    Guest Guest

    I am completely new to this issue and basically “computer illiterateâ€, so
    please forgive my naivety. However, I am able to follow step-by-step
    instructions in user guides etc., as long as they do not use too much jargon.

    Have followed multifarious threads in these User Groups, over the past few
    days, trying to understand security and encryption etc of wireless networks
    (before I went ahead and tried anything myself). Unfortunately, I became
    totally confused and disillusioned.

    All my home PCs, laptops and peripherals (network router & wireless
    adaptors) are Dell and have XP with SP2. Initial setup was relatively simple
    and the network has been working great for over 18 months. However, I had not
    had the time (nor the courage, nor the inclination) to tackle
    encryption/security. Especially as we have no near neighbours. Therefore, I
    have simply relied on Norton Internet Security Pro 2002, Windows Firewall &

    From the threads, and bearing in mind the numerous problems of hardware &
    software configuration & incompatibility and the SP2 issue etc., which so
    many people are experiencing, I had decided, over the weekend, that security
    was not a priority (at least for me). It was more important to keep a network
    that just worked.

    However, it occurred to me that inputting the MAC addresses of the network
    adaptors into the router (and nothing else) could possibly be much easier(?)
    than & just as secure(?) as encryption (and without signal strength loss(?)
    nor transmission speed loss(?)).

    This I have now done. In total it took less than 10 minutes, including the
    time to read the 5 MAC addresses on the adaptors/ cards, input them onto the
    router and reboot (took longer to find the router’s original installation CD,
    which contained the User Guide).

    Now only the designated PC’s can connect to my network. However, the Windows
    XP “Wireless Network Connection†box tells me that the network is “Unsecuredâ€
    and “configured for open accessâ€. This I guess is because it is not

    I am obviously deluding myself as I have not found absolutely any reference
    to it at all in any of the threads anywhere. So what basic facts am I
    missing? What are the dangers/weaknesses of this solution?
    Guest, Oct 27, 2004
    1. Advertisements

  2. Guest

    Jack Guest


    Bear in mind that though the same word Security is used to describe secure
    Internet Connection and Secure Wireless, there is No real relation between
    the two

    Norton Internet Security is a Firewall; Wireless Security has Nothing to do
    with Firewalls.

    Wireless is just a replacement for a Wire and thus can be intercepted by
    people in the neighborhood attaching then self to your LAN. That why there
    is Wireless Security measures to avoid Local Tapping. These measure are
    unique only the Wireless itself, and has to be used even if there is No
    Internet Connection.

    Link to: http://www.ezlan.net/Wireless_Security.html

    The Firewall "Job" is to protect the Internet connection from being
    invaded, and to prevent your LAN computers from transmitting out to the
    Internet privileged information.

    Each computer on your Network that has access to the Internet should have
    its own Firewall regardless of whether you use Wire or Wireless.

    Internet -Basic protection: http://www.ezlan.net/firewall.html

    In addition you should have tools available if your computers get Infested.

    Internet Infestation: http://www.ezlan.net/infestation.html

    Jack (MVP-Networking).
    Jack, Oct 28, 2004
    1. Advertisements

  3. Hi John,

    Jack answered a bunch of your questions in his followup post, but I
    wanted to make a couple of points in addition.

    Entering the MAC addresses of your wireless cards into the router makes
    use of a feature called 'MAC address filtering'. Ideally this should only
    let the computers you own become active participants in your wireless
    network. However, MAC address filtering is not a secure solution for a
    wireless network. It can be defeated very easily, because:
    1) the data you are sending between your computers and router is still
    unencrypted and anyone close enough can listen to it (it's just radio waves)
    2) it's fairly easy to spoof MAC addresses (here's a link to a product
    that does this: http://www.klcconsulting.net/smac/ )

    If you want to improve the security of your wireless network, you have
    to configure your computers and router for encryption.


    Chris Gual [MSFT]
    Chris Gual [MSFT], Oct 28, 2004
  4. Guest

    Guest Guest

    I doubt that SMAC really does what it claims.
    From the description on their site, it seems to detect that adapter
    supports overriding MAC address, but does not expose this to user -
    then it simply employs this feature.

    However, this trick will fail if the netcard driver or firmware don't allow
    overriding MAC address. The wireless router will see the original MAC address,
    no matter what address Windows sees.
    In this case only modification of the driver and/or firmware can help,
    and it is possible.

    Guest, Oct 28, 2004
  5. Guest

    Guest Guest

    Jack & Chris,

    Many thanks to you both. Think I understand.
    Great articles and relatively easy to understand, even for me. Thanks again.
    I was preparing a follow up to Jack when the response from Chris came in. He
    must be psychic as he has already answered the first question in section 2.

    May I crave your indulgences a little further? Grateful if you could
    clarify/amplify a few points taken in order from your most excellent

    (1) Firewalls etc: As mentioned previously, each of my 5 computers has
    Norton Internet Security. Windows Firewall is also enabled. Just read the
    manual on the DSL Modem (Actiontec GT704-WG……. our ISP uses PPPoA not PPPoE).
    Understood very little, because of the jargon/abbreviations, but have now
    realized that it is also a gateway with the following default settings: DMZ
    Hosting, UPnP & Remote Management are “offâ€. NAT is on. Firewall Security was
    set to basic. There are 3 other security levels and I have now set it to
    “Medium†(which allows all services “out†and leaves open ports 25,110, 7070,
    1503, 163, 443, 983 & 885 in the “in†column.). I have deliberately not
    touched the Port Forwarding section…..yet (Presume I may have to if I get
    “access out†problems - have already lost “Remote Desktop†ability).

    Took the recommendation from one of the articles to install NetBEUI and
    unchecked TCP/IP in file & printer sharing. Also had IPX/SPX, which had to be
    unchecked before the computers lost their ability to connect to one
    another…now they all have NetBEUI and everything fine- except “Remote
    Desktopâ€. I assume that they are only now connecting with NetBEUI).

    Questions: (a) Do you now consider this arrangement sufficient for “normal
    home†use? If not, can you specifically (or generally) recommend any other
    programs/add-ons etc.?
    (b) Have just had a quick look in the Remote Desktop discussions…….phew!!!!!
    What is the best way to restore “Remote Desktop� (enable Remote Management
    in the modem/gateway, open specific port(s) which? or do I have to do both?)

    (2) Local Tapping: Each computer on the network is connected via the router
    (not directly to the DSL modem) and identified by its unique MAC address. The
    router is set to “deny access to all othersâ€. How can my neighbours or
    passers by connect locally to the router and hence to my network?
    This was my original concern. QUOTE: Wireless Network Connection box tells
    me that the network is "Unsecured" and "configured for open access". This, I
    guess, is because it is not encrypted. UNQUOTE.

    Questions: (a) Would you recommend encryption on top? Can you recommend a
    similar article to the others for “trouble free encryption for dummies†(The
    modem/gateway has options for WEP (up to 256bits), WEP+802.1x and WPA but the
    wireless adaptors/cards only for WEP 64/128? So am limited to WEP 128).
    Presume it would be best to use the wizard in XP SP2 and transfer the
    settings to the other computers with a flash drive and to the modem/gateway
    manually (as its USB connector is the “wrong end†to accept the flash drive).

    (3) Internet Infestation: I have Spybot and Norton Antivirus (within Norton
    Internet Security Pro) on each computer.

    Question: Considering that I would also like to avoid overkill, which of the
    other programs would you recommend, out of those in the article (StartUp,
    Process Explorer, Ad-Aware, a2-free) to best complement/supplement what I
    already have?

    Many thanks in advance, your advice is much appreciated.

    Guest, Oct 28, 2004
  6. Guest

    mikeBNF Guest

    only one thing i would change.disable all windows firewalls, as they only
    protects against incoming stuff & install ZA free on ALL machines.
    this protects bothways so will stop said 'phone-home' virus stuff or mailer


    mikeBNF, Oct 28, 2004
  7. Guest

    Guest Guest

    Quick update on Encryption (section 2 below): Your replies had confirmed the
    necessity to encrypt. So I ignored all the possible things that have gone
    wrong within the other threads and took the plunge with WEP128. Couldn't have
    been easier. All 5 computers working fine. Many thanks.

    Now only have to sort out "Remote Desktop" - section (1b) and whether to add
    anything else to address the "Infestation" issue - section (3).

    Guest, Oct 29, 2004
  8. Guest

    Guest Guest

    Hi John,

    I'm really struggling to get 128 bit WEP to work, using a Netgear DG834G
    with latest firmware. After setting up my wireless laptop, I get a
    'connection' ie max signal strength etc, but no data transfer. There seems
    to be an attempt to send, but nothing coming back. When trying to access any
    internet sites etc, absolutely nothing... Any ideas folks ?

    Guest, Oct 29, 2004
  9. Hi John,

    Glad to see that you got encryption working, but I thought I would add a
    couple of words to help clarify how encryption and MAC address filtering
    relate to wireless security.

    In answer to question #2 below concerning 'Local Tapping', it might be
    useful to try to think of it as if your computer and router are
    communicating through walkie-talkies (which use radio waves like wireless).
    If you aren't using encryption, someone else who has a walkie talkie can
    listen in on the conversation. Setting up the MAC address filtering might
    keep them from joining you network, but they would still be able to
    evesdrop. Furthermore, it is also theoretically possible for someone to
    listen in on your computers, figure out what MAC addresses your computers
    use, and pretend to use one of those MAC addresses (MAC address spoofing).

    Using 128 bit WEP does a lot to help improve your networks security. I
    should also point out that there *are* known security vulnerabilities with
    WEP. It is also possible for someone to figure out the WEP key you are
    using by listening to enough encrypted traffic to crack the key. I believe
    they need to collect about 5-10 million packets. Gathering all these
    packets will probably take quite a bit of time, but it is *theoretically*
    possible. Chances are, WEP will probably be secure enough for your needs.
    WEP encryption will make it a lot more difficult for someone malicious to
    break into your network.

    For anyone interested in more info about theoretical vulnerabilities in
    802.11 security, Bernard Aboba has a good collection of links on this web
    page: http://www.drizzle.com/~aboba/IEEE/

    Chris Gual [MSFT]
    This posting is provided "AS IS" with no warranties, and confers no rights.

    Chris Gual [MSFT], Oct 30, 2004
  10. Hi Pavel,

    I don't know if SMAC actually works. I included the link as an
    illustration that MAC address spoofing is an acutal vulnerability that does

    If the person doing the MAC spoofing is using an open source OS they
    will probably be able to modify the netcard driver.

    Chris Gual [MSFT]
    This posting is provided "AS IS" with no warranties, and confers no rights.
    it should also be possible to modify their driver as well.
    Chris Gual [MSFT], Oct 30, 2004
  11. On Fri, 29 Oct 2004 01:43:03 -0700, "MarkG 30" <MarkG
    This SHOULD be a piece of cake - but isn't always. Tell us how you're
    implementing the encryption and what equipment you are using on the
    client machine (i.e. Intel Centrino built in wireless or PCMCIA / USB
    card and if so which manufacturer and model)

    For example, typically on the DG834G the easiest way to enable 128bit
    WEP is to type in a pass phrase, eg "fastfish", and the router
    automatically generates the key for you. It will be a string of
    apparently meaningless numbers and letters.

    Now you have to connect your laptop to the encrypted network. Are you
    using a Netgear card and if so, are you using the native GUI (i.e. the
    wireless smart configuration utility which ships with the card) or are
    you using the Windows configuration (WZC)? The reason this is
    important is because the way you input the key will vary.

    If you are using the Netgear GUI then you would select 128bit WEP and
    generate the key automatically. However if you are using hardware
    from a different vendor (e.g. US Robotics) and try to generate the key
    automatically it will fail as the software is proprietry (resulting in
    a different key being generated from the same passphrase). Similarly
    if you are using WZC then no key at all will be generated if you
    simply enter "fastfish" and authentication will still fail.

    Basically, to get around this, you would need to copy down the key
    generated by the router, character by character, and enter it exactly
    into the WZC. If you are indeed using a different hardware vendor (as
    in our e.g. of US Robotics) and you are using their native GUI then
    you'd need to turn off the "generate key" option and again type it in
    character by character. Do it any other way and the key will not
    match, authentication will fail and, although Windows will report that
    are connected, the IP will totally different from the ones issued by
    your router and the connection will dead as a dornail.
    Simon Pleasants, Nov 1, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.