# How to security enable a wireless network



## lottylee (Jun 19, 2004)

I'm a novice to this wireless networking. I finally am using my wireless network to two XP desktops and a laptop VISTA. They are working fine but I have been around the 'net trying to figure out how to get some security. I can see my neighbors' wireless networks so I know mine could be accessed easily. I found the network properties on my VISTA and tried changing them to a WPA-personal but I get an error saying these settings are not correct. I installed the router on my XP first but I cannot find the network connection in my network places and I have no idea how to access the router to change security settings. So just how do I get this network 'password protected' with this community of computers? In case it matters, only the laptop VISTA is actually a wireless connection.


----------



## TerryNet (Mar 23, 2005)

RTM. Your router's User Manual should be on CD or downloadable, or at least readable, on the web.

In outline form--open a command window and type

ipconfig

The resulting Gateway IP address is your router's address. Type that in your browser's address bar (use a wired computer) and log in to the router. Find the wireless section and enable WPA-PSK encryption. For maximum security use a passphrase of 20+ letters, numbers and special characters mixed.

The next time you attempt to connect a computer via wireless you will be asked for the same WPA passphrase.


----------



## lunarlander (Sep 22, 2007)

Most routers have a web-based configuration panel. So you just type the router's IP into a browser and it should come up.

The first thing to do is to change the router's admin password to something long; use a passphrase with punctuation, not a password.

Then enable WPA shared key. Again the key should be long. Then type this same key into Vista. This encrypts the traffic between Vista and the router, so that your network data traffic can't be sniffed.

If your router has a feature to specify a whitelist of computers by MAC address, then put the Vista's MAC address there. This will then only allow your Vista laptop on your wireless network.

After everything is set up and running smoothly, if your router has the option to turn off the SSID broadcast, then do that, so that your router is invisible.


----------



## TerryNet (Mar 23, 2005)

Do not use any MAC address filtering and do not disable SSID broadcast. Wireless security means WPA or WPA2 encryption. Those other things just make your network harder to use and add nothing to the security you get from any encryption.


----------



## YaB (Dec 6, 2007)

TerryNet said:


> Do not use any MAC address filtering and do not disable SSID broadcast. Wireless security means WPA or WPA2 encryption. Those other things just make your network harder to use and add nothing to the security you get from any encryption.


Wha? MAC address filtering and do not disable SSID broadcast? Aren't those features helpful to secure your router?


----------



## lottylee (Jun 19, 2004)

I have seen that box. I have Trendnet. It asks for my user name and password. Is that "admin" or something like that? I was getting started with tech support but the tech said she was hanging up and calling back in two minutes. Still waiting for the call back. Apparently, India lost their phone lines....


----------



## TerryNet (Mar 23, 2005)

"Aren't those features helpful to secure your router?"

No. Anybody with the tools and knowledge to break WEP or break WPA with a weak passphrase surely knows how to break those other methods much quicker. See post #5 in this thread: http://forums.techguy.org/networkin...problem.html?highlight=dumbest+ways+to+secure

lottylee, if you are asking for somebody to read your User Manual and tell you the default user name and password you will need to post the router's brand and model (and version if appropriate).


----------



## YaB (Dec 6, 2007)

TerryNet said:


> "Aren't those features helpful to secure your router?"
> 
> No. Anybody with the tools and knowledge to break WEP or break WPA with a weak passphrase surely knows how to break those other methods much quicker. See post #5 in this thread: http://forums.techguy.org/networkin...problem.html?highlight=dumbest+ways+to+secure
> 
> lottylee, if you are asking for somebody to read your User Manual and tell you the default user name and password you will need to post the router's brand and model (and version if appropriate).


I see, so WPA is already using a 128-bit key? I think it uses TKIP which WEP doesn't use at all.


----------



## lottylee (Jun 19, 2004)

Thanks all for the feedback. I did find the user's guide and it was 'admin'. So, out of this 63 pages of settings, what else should I be messing with (besides changing that 'admin')? I did the WPA-PSK, encrypt. TKIP, and my key set up. And it sounds like I'm not going to disable the SSID broadcast? In my searches for info, it looks like that ended up causing problems for people. I'm using Comcast if that matters as to what settings I need to change.


----------



## TerryNet (Mar 23, 2005)

All you needed to do was encrypt your network (DONE) and change the login password (DONE). Now, just in case you are like the rest of us and tend to forget things, write down your login password and WPA passphrase and keep them somewhere you, but not neighbors, will find them. On the bottom of the router is a good place. 

Unless something is not working, or not working the way you want it to, there are no other changes to make.

*EDIT*: you can mark this 'solved' using the Thread Tools at the upper right.


----------



## JohnWill (Oct 19, 2002)

If you have WPA-PSK enabled with a strong random key, there is no need to fool around with any other wireless security measures. I can assure you that you're quite secure, no reason to make your network harder for you to use.


----------



## YaB (Dec 6, 2007)

JohnWill said:


> If you have WPA-PSK enabled with a strong random key, there is no need to fool around with any other wireless security measures. I can assure you that you're quite secure, no reason to make your network harder for you to use.


Thanks for the quick info


----------



## dizzle_deasy (Jul 28, 2006)

TerryNet said:


> "Aren't those features helpful to secure your router?"
> 
> No. Anybody with the tools and knowledge to break WEP or break WPA with a weak passphrase surely knows how to break those other methods much quicker. See post #5 in this thread: http://forums.techguy.org/networkin...problem.html?highlight=dumbest+ways+to+secure
> 
> lottylee, if you are asking for somebody to read your User Manual and tell you the default user name and password you will need to post the router's brand and model (and version if appropriate).


Anyone with a special Linux CD can change their MAC address in under a minute and crack your WEP encryption in under 10 minutes.
WPA-PSK is crackable using a special tool ONLY IF you use a password under 20 characters. A 21-character password will take a supercomputer somewhere around a year to crack with the current methods.


----------



## lottylee (Jun 19, 2004)

Yeah, that's some password! But after being able to see my neighbor's SSID, I was leery leaving my unsecure SSID up Friday night. Have written the key down numerous places. Thanks for all the great help. I can count on this site! One more thing, I run a System Suite firewall. Right now, I'm having to disable it for the laptop to access my other machines. Can anyone tell me if I should do an "allow" feature at the ISP (and HOW?) or is it not a big deal to have the firewall down with all this security?


----------



## TerryNet (Mar 23, 2005)

The WPA encryption will keep people off your LAN (local area network).

Your router's natural (NAT layer) firewall will prevent potential intruders from attacking you from the internet--provided that you have set a good login password on the router and/or set it to not allow logins from the internet (WAN).

Windows XP and Vista firewalls will also prevent incoming attacks.

That leaves only outgoing attacks (e.g., after you get infected with spyware and it decides to "call home") to consider. Some people want/need a firewall to protect against this; others rely on being careful to not get infected in the first place. I can't tell you what you need/want in this regard; nor do I know how to configure your firewall--I assume that you want to allow all communication on your LAN (e.g., if your router's IP is 192.168.1.x your LAN uses all private addresses 192.168.1.0 thru 192.168.1.255).

Of course, you always want an anti-virus running, and have an anti-spyware program running or at least ready to use periodically.

In short, you need a 3rd party firewall if and only if you want it to guard against outgoing attacks.


----------



## JohnWill (Oct 19, 2002)

dizzle_deasy said:



> Anyone with a special Linux CD can change their MAC address in under a minute and crack your WEP encryption in under 10 minutes.
> WPA-PSK is crackable using a special tool ONLY IF you use a password under 20 characters. A 21-character password will take a supercomputer somewhere around a year to crack with the current methods.


Actually, it's not the length of the password (though larger is better) that makes WPA crackable. The only known "crack" is simply a dictionary attack. So, a password of *mydogiscute* is crackable, but *X8rls028zz4yq* is actually quite secure. The longer the better, but a random WPA password of a dozen characters will be a formidable barrier. Remember, with WPA passwords, case also matters.


----------



## dizzle_deasy (Jul 28, 2006)

I found coWPAtty, and according to what I was reading on it, it captures the initial 4 packets that start the encryption process, and then bruteforces the password out of that. The article I was reading stated that any password including ones with symbols that were under 21 characters in length were crackable (mydogiscute takes much less time than X8rls028zz4yq).

Passwords like X8rls028zz4yq are good, but should be longer. They will take months to crack, but it is possible (or at least that is what the people commenting on the article said, I am still waiting for my antenna to show up so that I can test this for myself on my home network).

If I hear anything else or get this tested I will let you know.


----------



## JohnWill (Oct 19, 2002)

I'll have to see some factual data, because I doubt a truly random password is that vulnerable. Of course, I don't consider a password that would take someone months to crack all that vulnerable, who's going to go to that trouble to crack a home user's network?


----------
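
The passphrase exchange above turns on how WPA-PSK converts a passphrase into a key. As an added example (not part of the original thread), this Python sketch derives the WPA pairwise master key as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and compares the guess space of a random passphrase with that of a wordlist phrase. The function names are hypothetical, and the guess rate and wordlist size are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 256-bit output (IEEE 802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase whose characters are picked uniformly at random."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a 2**bits guess space, in years."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def generate_passphrase(length: int = 20) -> str:
    """Random passphrase from letters, digits and punctuation (OS CSPRNG)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    RATE = 1e6           # assumed offline guesses per second (illustrative)
    WORDLIST_BITS = 30   # assumed: phrase is in a list of about 1e9 candidates
    # "password"/"IEEE" is the published 802.11i test vector, not a real network.
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    cases = [("wordlist phrase", WORDLIST_BITS),
             ("13 random [a-z0-9]", random_entropy_bits(13, 36)),
             ("20 random printable", random_entropy_bits(20, 94))]
    for label, bits in cases:
        years = years_to_exhaust(bits, RATE)
        print(f"{label:20s} {bits:6.1f} bits  {years:.3g} years")
    print("suggested passphrase:", generate_passphrase())
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, and the 4096 iterations make every guess cost the same work as a legitimate login.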



## jmwills (Sep 28, 2005)

The best way to secure a wireless network? Turn it off.

Seriously, set the DHCP scope to no more addresses than you have machines in addition to the other measures mentioned.


----------



## JohnWill (Oct 19, 2002)

Since the attacker can simply assign a static IP address, the DHCP scope doesn't do much for security.


----------



## jmwills (Sep 28, 2005)

If all addresses in the scope are assigned and in use, how can you assign a new static address?


----------



## JohnWill (Oct 19, 2002)

The DHCP scope of my router is 192.168.0.2 through 192.168.0.99. However, I have a bunch of addresses assigned above that for NAS units, print servers, and media servers. As long as they're in the correct class C subnet, a SOHO router will happily use them. There is no need to have them in the scope of the DHCP pool.

While we're on the topic, there are other issues in restricting the size of the DHCP pool. What happens if you don't have all your machines connected, and a machine with a different MAC address connects and uses one of the DHCP slots? That slot will be lost until the lease time expires, and any attempt to connect with your machine will end up not getting a valid DHCP lease.

There is no upside to restricting the size of the DHCP address pool, but there is a downside. I maintain this is not a good idea, and it's not helpful in securing the network.


----------



## YaB (Dec 6, 2007)

JohnWill said:


> The DHCP scope of my router is 192.168.0.2 through 192.168.0.99. However, I have a bunch of addresses assigned above that for NAS units, print servers, and media servers. As long as they're in the correct class C subnet, a SOHO router will happily use them. There is no need to have them in the scope of the DHCP pool.
> 
> While we're on the topic, there are other issues in restricting the size of the DHCP pool. What happens if you don't have all your machines connected, and a machine with a different MAC address connects and uses one of the DHCP slots? That slot will be lost until the lease time expires, and any attempt to connect with your machine will end up not getting a valid DHCP lease.
> 
> There is no upside to restricting the size of the DHCP address pool, but there is a downside. I maintain this is not a good idea, and it's not helpful in securing the network.


Correct me if I'm wrong...so what you're saying is...if computer A is using 192.168.0.22 (for example) for several days and the user powered off computer A. Computer B is powered up and uses 192.168.0.22 from the router...the day after Computer A is powered up and it finds itself that 192.168.0.22 is taken, it would still use that IP address but the problem would prompt both Computer A and B that there is an IP conflict on the network right?


----------



## JohnWill (Oct 19, 2002)

Nope.

If the DHCP leases are set up for, say a week, the following can happen.

*Computer A* is using 192.168.1.22, and is turned off with five days remaining on the DHCP lease. In this scenario, let's say that's the last address in the DHCP pool that is available, all the others are actively connected. *Computer B* attempts to connect, but the DHCP server doesn't have any free IP addresses, and the connection fails. The address 192.168.1.22 will remain reserved until the lease expires.

If *Computer A* had sent the proper termination to close the connection, the IP address would have been released. However, that rarely seems to happen, even when Windows is correctly shut down. Of course, when Windows crashes, the termination is never sent.


----------



## YaB (Dec 6, 2007)

JohnWill said:


> Nope.
> 
> If the DHCP leases are setup for, say a week, the following can happen.
> 
> ...


I see, so it totally depends on the DHCP lease and how it's configured. Thanks for the info.


----------



## JohnWill (Oct 19, 2002)

Yep, and also how the DHCP client is coded, and whether it was shut down normally, or aborted for some reason. Some clients issue the proper disconnect, some don't. Also, you have to actually tell the DHCP client to disconnect, sometimes that doesn't happen either.


----------
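
The lease behaviour JohnWill describes in the last few posts can be replayed with a small model. This is an added example, not part of the original thread: a simplified DHCP lease table in Python (the class, function names and MAC addresses are constructed for illustration) showing that a minimal pool locks out a second machine until the lease expires unless the first client sends a release.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds

@dataclass
class DhcpPool:
    addresses: list                # dynamic addresses the router may hand out
    lease_seconds: int
    leases: dict = field(default_factory=dict)   # ip -> (mac, expiry time)

    def _expire(self, now):
        """Drop leases whose expiry time has passed."""
        self.leases = {ip: (mac, exp) for ip, (mac, exp) in self.leases.items()
                       if exp > now}

    def request(self, mac, now):
        """Return an address for `mac`, or None when the pool is exhausted."""
        self._expire(now)
        for ip, (owner, _) in self.leases.items():
            if owner == mac:       # renewal: same client keeps its address
                self.leases[ip] = (mac, now + self.lease_seconds)
                return ip
        for ip in self.addresses:
            if ip not in self.leases:
                self.leases[ip] = (mac, now + self.lease_seconds)
                return ip
        return None

    def release(self, mac):
        """Client hands its address back early (DHCPRELEASE)."""
        self.leases = {ip: v for ip, v in self.leases.items() if v[0] != mac}

def scenario(send_release: bool):
    """One free address left in the pool, one-week leases, as in the thread."""
    pool = DhcpPool(["192.168.1.22"], lease_seconds=7 * DAY)
    a, b = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"   # constructed MACs
    got_a = pool.request(a, now=0)          # Computer A takes the last address
    if send_release:
        pool.release(a)                     # clean shutdown that sends a release
    b_day2 = pool.request(b, now=2 * DAY)   # A is off, five days left on its lease
    b_day7 = pool.request(b, now=7 * DAY)   # A's original lease has run out
    return got_a, b_day2, b_day7

if __name__ == "__main__":
    print("no release:  ", scenario(send_release=False))
    print("with release:", scenario(send_release=True))
```

The model covers only dynamic leases; a statically configured address outside the pool never touches this table, which is why shrinking the pool does not keep an extra device off the subnet.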

