Wireless networks - secure or not to secure?

[Kilawa]

Wireless networking is becoming all the rage recently, it certainly makes thinks easier for people like me who administer networks, no more climbing through ceilings or falling through them:)Stick a couple of boxes a wall, fir a wireless card and your done right?

Personally the answer is no, I want my networks secure and dont want anybody stealing my bandwidth, ok so I don't personally pay for it, but it's my phone that rings if the network crawls.

I bought a new toy recently so when I'm wandering about the building I can still use MSN to communicate with the other staff (especially when I go for that fresh air break ;) )and I thought I would drive around around and see how many networks were open and what type.

To be honest I wasn't shocked at the number, but I was shocked at the type, hospitals, lawyers offices all wide open.

So to my Question, how many other people out there have secured their wireless network or does it not matter?

[sellportal]

Hi Kilawa,

Wireless networks are no more unsecure then any other traditional network when transporting data.

You normally use tcp/ip on it and it is the same standard as when using coax/utp(tp) networks cabling.

As you have noted, the biggest difference here is the possibility of someone not in your office to use your network.

When using the normal (cabling) network someone breaking in or "listening" to your network traffic must get into the building and get access to the cabling, hardware or a connection point into your network.

With the wireless network anyone inside the transmition range of the network can connect and use it, unless to make sure they can't!

So, always the best "encryption" offered by your wireless equipment. Be sure to create a zone in the configuration (to wich all user must belong, by setting it in their configuration) and if there are a reasonable amount of mobile equipment walking around, hard code the access allowed to the net on the mac (hardware) addresses of each nic (network card).

Ontop of this are there "real" security measurements you can make if you handle more sensitive information on your network.

But running it out of the box is not something one should do!

Saludos

Kenth

[blackbird177]

I can only tell you of my own experience. I have installed three wireless networks. Two in school, and other in an office. All of theem was secured. I used the WEP for all of them then I limited the distant and the channels of each access point. Finally I wrote down the MAC and IP of each access point just in case they when down. Then finally I took a secuirty tour with a handheldto make sure the lock out worked. This system has been up an secure for two years. It takes work but wireless can be secured.

[sellportal]

Kilawa,

I don't know where you are located but you might get help by blackbird if needed.

When you use a wireless lan the basic setup would be,

set an ssid (in the base station). Then all clients will need to set the same ssid to connect.

Use wep (with no less then 128Bit encryption)

This two steps will give you kindergarden security. No one playing with a computer will stumble in.

To make it secure will you need to use a dualhomed net on the base station with dynamic routing. On connect and login will you only have access to a login server (on lan1, nothing more exists on that lan). If you log in correctly to this server (using ipsec and certificates) then the server will allow the router to switch lan on your connection giving you the access granted to your log in user in the server.

From then on will all traffic use a combination of ssl, https, vpn tunnels and ipsec.

Of course will only pre registered mac addresses (of nics) be allowed.

This is costly and time demanding so one should do an security assesment of traffic content first to see if all of this is needed.

Most often in a normal company will it not be needed to secure the traffic, the thing to prevent is people on the street being able to use the wireless lan as they can do many naughty things without being caught that way!

saludos

Kenth

[ControlSee]

That is quite a strategy. I am part of a business that deals with DSL Installations and Wired/Wireless Networks. I have a laptop with built in wireless access but the max encryption is 64 bit.

I take it 64-bit is worthless nowadays. How would I go about setting up a auth server for a private wireless network? Or is it necessary? Would it have to be a dedicated server or a just another process on an existing server.

My server is running windows 2000 server. Any suggestions?

Also, what's the easiest way to setup ipsec? Thanks!

[sellportal]

Hi ControlSee,

Visit this page
http://bifrost.slu.se/index.en.html

Here can you read about a software sollution with free downloadable distributions of the software.

This produkt is a joint project among the universities in Sweden and is widely used to secure logins in networks (as well as wireless).

And on how tu configre an duse ipsec go to,
http://www.microsoft.com/windows2000...ec/default.asp

And you'll find "everything you always wanted to know about ipsec, but was afraid to ask".

But as I said before, it all depends on if you wish to keep people out from your network (only) and/or to keep the content (traffic) secure.

This creates a 2 level approach and should be measured from the traffics content point of view.

But if you use ssid on the access point and client, turn on wep as high as possible AND use hard coded mac address accesslists in the access point only allowing known mac addresses connect, will you have a normal security for a network with low risk content (i.e normal office work, private and similar). If you run company secrets (big secrets, military or police type of traffic, then encrypted traffic ontop of the wireless is a must).

Saludos

Kenth

[ControlSee]

Cool! Thanks for the information. Basically, our network has a few pages that cannot be shared with just anyone.

I probably won't need to go as far as encrypting all traffic, but I don't want intruders. I still need to maintain high performance and I know the higher the encryption the slower the connection.

I will definitely invoke the MAC address filtering. I will also look more into this bifrost network project. Thanks again!

[Kilawa]

Hi Sellprotal, I think you may have misunderstood, I don't actually require any help with my network (thanks for the info though) I was more curious on what other people thought.

Do they care if anyone uses their bandwidth or not?

Regards

Paul

[sellportal]

Paul,

Oki ...

And I think the worries are two fold.

1. What can someone on "my" wireless net do?
2. What do I have, they want.

And most people will not have much from number 2 actually (home users and some small companies). But the lawyers, police, financial companies and so on, not only worry about what people gan "grab and run" from their net, but also what someone could do, coming from their net.

Making it look like company X hacked a bank, planted a backdoor or spammed.

/Kenth

[computergenius]

...total newbie to wireless....

I have a small, old, house in the mountains of Spain, with nowhere to put cables. The dialup cable stretches across the floor right now. So wireless would be cool. I could use it outside the house as well, by the pool, by the barbeque, in the shade under the trees.... but what else can I use it for? Can I get my phone calls over it somehow? Can I get my music / radio over it somehow? I was thinking more of transferring the output from the radio, than of streaming a station over the internet. Would I even need a computer by the pool? Or could I use some other kind of device?

[proficient]

It would seem absurd that anyone would install and operate a wireless network that is in secure. Do the users know when entering sensitive company infomation or even a credit card purchase for a personal ot family gift! Since many of the good wireless routers ie. LinkSys, Belkin etc. offer encryption why has it not been turned on and setup? The network admin or installer is to blame! Using WEP and creating a unique encrypton scheme keeps nosey neighbors off the network. It also preserves bandwidth! Just where is that consultant anyway!!

[Kilawa]

Quote:

Originally Posted by proficient

The network admin or installer is to blame! Using WEP and creating a unique encrypton scheme keeps nosey neighbors off the network. It also preserves bandwidth! Just where is that consultant anyway!!

Your obviously not a Network Admin, the decision to install WEP or any other type of encryption is usually decided by management, who have a hard enough time remembering a password that is anything but their birthdate, wifes name, pets name, favourite colour etc.

Also the consultants & sales guys are exactly the same, "why do we have to click X first before we click Y? it takes us an extra 5 seconds of our precious time that way" this is the typical response to an Admin who suggests things should be secure.

I could go on & on with reasons that the suits don't want things changed but I won't.

But please remember to be nice to the poor admins out there, their hands are tied more than you know, plus they usually set the limits on your password length. ;0)

Regards

Paul

[forrest0177]

I also am in need of help with a wireless situation. Please goto: www.webproworld.com/viewtopic.php?t=14193. Thanx!

[tammster37601]

I have read so many of the postings here and I must say, With what I am learning in school as a Net Admin is this is a very hard feild to get into and you have to love the work you are doing. I myself am learning and see just what it takes to become a Net Admin. Oh beleive me I have thought about slapping some topologies around but The computer is something I love and someone has to do it. Thanks to all the hard working Admins out there Muah! to each of you
Tammy