True or False? (Wireless network security)
Registered User (Join Date: Apr 2003, Location: The Internets)
Say I have the latest PowerBook with AirPort.
Say I buy this wireless router and use it with my PowerBook:
http://www.linksys.com/products/pro....5&prid=608
I then turn on WPA:
Quote:
To protect your data and privacy, the Wireless-G Access Point can encode all wireless transmissions with up to 256-bit encryption, and supports both Wired Equivalent Privacy (WEP) and the industrial-strength wireless security of Wi-Fi Protected Access™ (WPA).
Say someone cracks in... (somehow; from what I understand it's easy to crack 48-bit WEP but much, much harder for 128-bit, and is breaking 256-bit even possible?)
Since I have no file sharing (or when I do, it's password protected), they still really can only see my network traffic (which, unfortunately, might be my email username and password, but I am looking into tunneling).
True or false?
Administrator (Join Date: Apr 2001, Location: San Antonio TX USA)
Basically true. However, not using WPA is a mistake.
EVERY SINGLE PACKET of data between your wired network and your PowerBook can be intercepted and examined, so you should protect that traffic in some way.
Advantages of WPA:
There is NO PERCEPTIBLE CHANGE IN PERFORMANCE in using WPA.
WPA itself has NOT been cracked, though if you come up with a lame passphrase ("My Passphrase Here") the passphrase itself can be attacked, so use a VERY LONG and VERY COMPLEX passphrase, preferably in random characters. Avoid any words that can be found in a dictionary or other word list, as the only successful attack on WPA has been on the passphrase mechanism using a brute-force dictionary attack.
Disadvantages:
You have to set it up initially, an almost trivial task.
WPA is superior to building your own tunneling network because you don't have to do anything but turn it on and enter the passphrase. No complex settings as are needed in any VPN or other types of wireless workarounds. WPA is secure, it's simple to use, and once set up it's usually so transparent that it is simply there.
If this reads as if I'm a WPA fan, you're right! But it is to your benefit! No extra hardware or software needed, simple to set up, effectively no maintenance... I can't think of a reason not to use it.
-- Glenn, OTR/L, MOT, Tx
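The passphrase attack the post above describes, as an added example that is not part of the original thread or of any vendor's code. WPA-PSK turns the passphrase into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds; an attacker who has captured a client's 4-way handshake can re-run that derivation for every guess offline, so the passphrase is the only thing standing between the handshake and the key. The SSID "linksys", the word list and the sample passphrases are constructed for the demo, and comparing PMKs stands in for the real attack's check against the handshake MIC (which only adds a PTK derivation on top of the same PMK work). The IEEE 802.11i test vector is used to confirm the derivation is the standard one.

```python
"""
WPA/WPA2-PSK passphrase handling: added example, standard library only.

IEEE 802.11i specifies
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
The PMK is what a captured 4-way handshake lets an attacker test guesses
against, so a PSK network is exactly as strong as its passphrase is
unguessable. The word list below is constructed for the demo.
"""
import hashlib
import secrets
import string
import time

# Published IEEE 802.11i Annex test vector: passphrase, SSID, expected PMK hex.
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as 802.11i specifies (4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA-PSK passphrase is 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Offline guess loop: derive the PMK for each candidate and compare.
    Returns (recovered passphrase or None, number of candidates tried)."""
    tried = 0
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue                      # cannot be a valid WPA passphrase
        tried += 1
        if wpa_pmk(candidate, ssid) == target_pmk:
            return candidate, tried
    return None, tried


def random_passphrase(length: int = 24) -> str:
    """The 'random characters' passphrase the post recommends (94-symbol alphabet)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_rate(ssid: str, samples: int = 20) -> float:
    """Measure PMK derivations per second on this machine (one core, pure Python)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"timing-sample-{i}", ssid)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case wall-clock years to brute-force a uniformly random passphrase
    of the given length at `rate` guesses per second."""
    return alphabet_size ** length / rate / (365 * 24 * 3600)


# Constructed word list: the kind of entries a real list starts with.
WORDLIST = ["password", "12345678", "linksys1", "My Passphrase Here",
            "powerbook", "macnn2005", "wireless", "letmein1"]

if __name__ == "__main__":
    ssid = "linksys"                      # assumed SSID for the demo
    weak = wpa_pmk("My Passphrase Here", ssid)
    print("weak passphrase:", dictionary_attack(weak, ssid, WORDLIST))
    strong = wpa_pmk(random_passphrase(), ssid)
    print("random passphrase:", dictionary_attack(strong, ssid, WORDLIST))
    rate = guess_rate(ssid)
    print(f"~{rate:.0f} guesses/s here; exhausting 94^24 would take "
          f"{years_to_exhaust(94, 24, rate):.2e} years")
```

Two things to take from running it: the 4096 PBKDF2 rounds make each guess cost a few milliseconds, which is what turns "words from a list" into the only practical attack, and because the SSID is the salt, precomputed tables only help against default SSIDs such as "linksys", which is one more reason to change it.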
Registered User (Join Date: Apr 2003, Location: The Internets)
> WPA itself has NOT been cracked, though if you come up with a lame passphrase ("My Passphrase Here") the passphrase itself can be attacked, so use a VERY LONG and VERY COMPLEX passphrase, preferably in random characters.
I will, since I can add it to the keychain.
Thank you so much. I always hear how WEP is easy to crack, so I was stressed. I have a new PowerBook and want to use AirPort, but was scared to a point.
Thanks again!
May I ask which router you use?
I set up the Linksys above for a friend (WEP. Eeks, looks like I have to go back and fix it.) and it seemed to come with plenty of tools and a nice browser interface.
Administrator (Join Date: Apr 2001, Location: San Antonio TX USA)
WEP is worse than having no security because it gives some people a false sense that they've protected themselves. WPA, on the other hand, is strong and secure. No stress involved here!
Enjoy!
Mac Elite (Join Date: Nov 2003, Location: Rockville, MD)
Originally Posted by ghporter
Basically true. However, not using WPA is a mistake. There is NO PERCEPTIBLE CHANGE IN PERFORMANCE in using WPA.
I think you are overstating the case. Quite to the contrary, there are indeed performance differences between a WPA-encrypted network and non-WPA-encrypted networks. Sometimes it even spells the difference between the network being usable or unusable.
Just because it "works for you" doesn't mean there aren't people in the real world struggling to implement WPA in challenging environments where interference and the structure of a building can have a deleterious impact on wireless performance.
I have had many instances where a wireless network performs quite well unencrypted but quite poorly when WPA is enabled. That's proof enough to me of the fallaciousness of your contention.
Administrator (Join Date: Apr 2001, Location: San Antonio TX USA)
And just because you have problems, perhaps in several settings, does not mean that the vast majority of users will have those same problems. Far from it. Most people find WPA to be simpler and more easily established than other security solutions. On the other hand, when there are exceptional circumstances, many wireless systems just don't work well. In my experience, these situations are really not well suited for wireless networking anyway, at least not as the hardware is installed. In many cases, the customer wants wireless but is not willing to pay for the amount of equipment needed for effective coverage, thus effectively requesting a network that will have poor signal levels and performance problems.
Mac Elite (Join Date: Nov 2003, Location: Rockville, MD)
Originally Posted by ghporter
And just because you have problems, perhaps in several settings, does not mean that the vast majority of users will have those same problems. Far from it. Most people find WPA to be simpler and more easily established than other security solutions. On the other hand, when there are exceptional circumstances, many wireless systems just don't work well. In my experience, these situations are really not well suited for wireless networking anyway, at least not as the hardware is installed. In many cases, the customer wants wireless but is not willing to pay for the amount of equipment needed for effective coverage, thus effectively requesting a network that will have poor signal levels and performance problems.
Granted, but it's still not correct to say that there are "no perceptible differences" in performance under WPA compared to other forms of encryption or no encryption.
In my current case, I have no choice to do wireless because I rent two office suites in a building in which I cannot string wire through the walls. Under WPA, my colleagues get frequent timeouts. Without WPA, performance is near-perfect.
Administrator (Join Date: Apr 2001, Location: San Antonio TX USA)
In the vast majority of cases, there is no performance hit from using WPA. Again, you are in exceptional circumstances. Two separate office suites are not well suited to wireless coverage, particularly in a typical office building. In many office buildings, the offices are built with non-load-bearing walls that are framed with steel studs, and the utilities are all run through the space between the drop ceiling and the physical ceiling of that floor. I have thrown MILES AND MILES of cable through drop ceilings! It's not fun, but once it's done it's done. If you are in such a building, that is a viable possibility, and your building management should be able to help you out. Another option is to put wireless bridges IN the ceiling above the shielding effect of the walls. (Often with this method you don't have to talk to the building management at all! They'll never even notice it.) There are ways around just about any network topology issue.
Mac Elite (Join Date: Nov 2003, Location: Rockville, MD)
You're right. I could probably benefit from adding a wireless access point in the other suite. And it's not like it would cost a lot. We're actually in a converted house, not a true "office building"; I'm not sure how that affects our interference situation or whether that's a good or a bad thing, though.
(Last edited by selowitch; Jun 13, 2005 at 07:08 AM.)
Addicted to MacNN (Join Date: Jan 2003, Location: Great White North)
To have a secure network:
Use encryption to make sure your data isn't read, but don't go overkill with 256; 128 is enough. The more encrypted it is, generally the more data has to be sent, and it will affect your bandwidth if you are doing heavy stuff like downloading and uploading a lot of data.
Disable broadcast; no one else needs to know you are using wireless.
Don't use DHCP; set a manual IP address and don't use the default gateway/IPs your router has.
Change the router's password.
Use MAC filters so only your computer(s) can use it.
Mac Elite (Join Date: Nov 2003, Location: Rockville, MD)
Originally Posted by Athens
don’t use the default gateway/ips your router has
So if the IP of your router is 192.168.0.1, you should NOT use that IP as your default gateway? What should you use instead?
Mac Elite (Join Date: Nov 2002, Location: Ellicott City, MD)
You can change it to any other network that's not routable.
10.0.0.0
172.16.0.0
You can even go a step further and change the mask so that your network is something like 172.16.45.33 - 172.16.45.47 with a mask of /28 (I think I did it right).
But to be honest, it's not really going to matter if someone decides to sniff that traffic (remember, it's floating around). They will easily know what MAC and IP you're using. But as long as you have controls to protect your computers, you should be fine.
The bottom line: consider a Wi-Fi link as a voice conversation in a crowded room. Anyone can hear what you're saying... so use accordingly.
Mac Elite (Join Date: Nov 2003, Location: Rockville, MD)
Originally Posted by macroy
You can change it to any other network that's not routable.
10.0.0.0
172.16.0.0
You can even go a step further and change the mask so that your network is something like 172.16.45.33 - 172.16.45.47 with a mask of /28 (I think I did it right).
But to be honest, it's not really going to matter if someone decides to sniff that traffic (remember, it's floating around). They will easily know what MAC and IP you're using. But as long as you have controls to protect your computers, you should be fine.
The bottom line: consider a Wi-Fi link as a voice conversation in a crowded room. Anyone can hear what you're saying... so use accordingly.
Forgive me, but I'm afraid I'm having some trouble understanding your instructions. You say I should change my default gateway to "any other network that's not routable" -- how does one change a default gateway to a network? Do you mean a "network address"? Which IPs are non-routable (I'm guessing 10.x.x.x, 127.x.x.x perhaps)?
Mac Enthusiast (Join Date: Apr 2000)
In the past I had problems enabling WPA when using Linksys routers; I've been told that things have improved with the latest routers/firmware but I switched to an Apple base station since I grew tired of messing around with the Linksys gear.
There is an alternative to enabling WEP/WPA that extends encryption protection to those times when a person is away from their home base: VPN.
It has been my experience that many people do not know that they are putting themselves at some risk when using public Internet access points, whether they are wireless or wired. Such networks are commonly available at coffeehouses, hotels and other public places.
When a person joins one of these usually unprotected networks it becomes possible for others to access their data, including passwords, e-mail, etc. There are easily acquired programs that allow the unscrupulous to view just about everything that passes along a LAN.
I was recently told about an (unconfirmed) incident where a traveler in Southern California was victimized in this way and lost $50,000 that he was legally obligated to cover (unlike most credit card theft.)
An easy and relatively inexpensive way to protect yourself while using public Internet access is to use a VPN server. Most large companies utilize VPN. Home computer users can also use VPN, but it requires a VPN-capable router.
Fortunately, Road Warriors have an excellent option: they can use a commercial VPN service for a nominal monthly fee.
I have looked at a couple of VPN services and I settled upon PublicVPN, which comes highly recommended by the folks at TidBITS. For a monthly fee of $5.95 or a yearly fee of $59.95 (the best prices I have found) a person can connect to the Internet using the PublicVPN server and be assured of the security of their data no matter where he/she may roam.
There are two VPN protocols available through PublicVPN: PPTP or L2TP. L2TP is the more secure of the two but it isn't compatible with all networks. It is very easy to create connection options for both protocols and access them via a Finder Menu Bar icon. (Mac OS X has built-in VPN capability so no additional software is needed.) If L2TP doesn't work on a particular network it is easy to switch to PPTP. Setting up VPN took me around five minutes. Once connected you can use this connection status link to make sure that you are protected.
Once you set up an account at PublicVPN you can add time on a monthly basis, which is ideal for occasional travelers. Those who travel a lot or who may want VPN protection at home or work can opt for the discounted yearly plan (two months free).
I have been using PublicVPN without a hitch and now I do not feel restricted regarding my online activities when I am away from my encrypted home LAN.
(Last edited by Mojo; Jun 13, 2005 at 02:06 PM.)
Mac Elite (Join Date: Nov 2002, Location: Ellicott City, MD)
Uh... don't take those as instructions. I was simply trying to answer your question regarding why you should change your gateway/IP from the default.
By default, most off the shelf gateways/routers use 192.168.0.0 as the internal network. Per RFC 1918, there are three addresses that are "reserved" for private use. "private" means that they are not routable on the internet. 192.168.0.0 is one, and the other 2 are 10.0.0.0 and a range between 172.16.0.0 to 172.31.0.0. So, since 192.168.0.0 is so popular, you can just utilize one of the other ones to make your network a bit more unique.
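The RFC 1918 ranges just listed, the earlier /28 question, and the question of which addresses are "non-routable", worked through as an added example; this is not code from the thread, and it uses only Python's standard `ipaddress` module. The three private blocks are the ones the post names (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16); 127.x.x.x is loopback, which is a different thing from RFC 1918 private space, and the classifier below keeps them apart. `subnet_plan` shows what a /28 around 172.16.45.33 actually covers: the network address, the broadcast, and the fourteen usable hosts in between.

```python
"""
RFC 1918 address classification and subnet arithmetic.
Added example, standard library only.
"""
import ipaddress

# The three private blocks RFC 1918 reserves; public routers will not forward them.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> str:
    """Say which kind of address this is, distinguishing RFC 1918 private
    space from loopback (127/8) and link-local (169.254/16)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    return "public"


def subnet_plan(addr: str, prefix: int) -> dict:
    """Network, mask, broadcast and usable host range of the subnet that
    contains `addr` when the mask is /prefix. strict=False lets us pass a
    host address rather than the network address itself."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    hosts = list(net.hosts())          # excludes network and broadcast addresses
    if not hosts:                      # /31 and /32 have no classic host range
        hosts = [net.network_address]
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }


if __name__ == "__main__":
    for a in ("192.168.0.1", "10.3.4.5", "172.31.255.254", "172.32.0.1",
              "127.0.0.1", "169.254.10.10", "8.8.8.8"):
        print(f"{a:16} {classify(a)}")
    for k, v in subnet_plan("172.16.45.33", 28).items():
        print(f"{k:13} {v}")
```

Running it shows the /28 from the earlier post is 172.16.45.32/28: .32 is the network address, .47 is broadcast, and .33 through .46 are the fourteen addresses you can actually assign. It also shows that 172.32.0.1 is public even though it looks like its neighbour, because the 172 block only runs to 172.31.255.255.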
Administrator (Join Date: Apr 2001, Location: San Antonio TX USA)
Athens, I agree with all of your advice except for changing the router's default IP and disabling DHCP. Also changing the router's admin password (which you didn't mention) is VERY important, at least on a par with good encryption.
Since all of those IP ranges are non-routable, there should be no reason to avoid them; there is no way for an external agent to get data from them through your router, AS LONG AS YOU HAVE REMOTE ADMIN DISABLED. Without remote admin, there's no way for an intruder to do anything to your router.
Further, disabling DHCP is not as useful as it sounds; if you go entirely with manual IPs on your LAN, there's a lot more admin work when your ISP changes things like DNS servers. I go with a very limited DHCP pool, and change that from the default pool (Linksys, for example likes to default to the 192.168.1.100-149 range, but who has 50 computers on their home network?!) to something in a different range. A setting of say 192.168.1.20-29 would be totally adequate.
And note that a skilled intruder could monitor your traffic and find in-use IPs, then spoof them later. It's a level of effort that does not pay off in real security as far as I'm concerned.
Mac Elite (Join Date: Nov 2002, Location: Ellicott City, MD)
Originally Posted by ghporter
Athens, I agree with all of your advice except for changing the router's default IP and disabling DHCP. Also changing the router's admin password (which you didn't mention) is VERY important, at least on a par with good encryption.
Since all of those IP ranges are non-routable, there should be no reason to avoid them; there is no way for an external agent to get data from them through your router, AS LONG AS YOU HAVE REMOTE ADMIN DISABLED. Without remote admin, there's no way for an intruder to do anything to your router.
Further, disabling DHCP is not as useful as it sounds; if you go entirely with manual IPs on your LAN, there's a lot more admin work when your ISP changes things like DNS servers. I go with a very limited DHCP pool, and change that from the default pool (Linksys, for example likes to default to the 192.168.1.100-149 range, but who has 50 computers on their home network?!) to something in a different range. A setting of say 192.168.1.20-29 would be totally adequate.
And note that a skilled intruder could monitor your traffic and find in-use IPs, then spoof them later. It's a level of effort that does not pay off in real security as far as I'm concerned.
While non-routable addresses are just that (which precludes you from being hit from the outside), you still have a risk of folks hijacking your Wi-Fi link if other controls are not in place. I know these things are easily discovered if you capture the packets. But it still decreases the risk. Of course, whether or not the cost (in time) is worth it is up to each individual. But I've seen folks hit a Wi-Fi link, realize that they were not given an IP... so they just put in 192.168.0.80 or something like that... and they're on. DNS servers you can just use ones that you know of.
As for DHCP, I would use a separate DHCP server (i.e. a Windows box); this way, you can actually set up reservations (not sure if that's a function you have on the routers) and log who used which address. And as you mentioned, segment your network small enough so that you just have enough for your systems (you may still end up with extra spaces due to how subnets work). Which will also solve the issue above to some extent.
Administrator (Join Date: Apr 2001, Location: San Antonio TX USA)
Originally Posted by macroy
While non-routable addresses are just that (which precludes you from being hit from the outside), you still have a risk of folks hijacking your Wi-Fi link if other controls are not in place. I know these things are easily discovered if you capture the packets. But it still decreases the risk. Of course, whether or not the cost (in time) is worth it is up to each individual. But I've seen folks hit a Wi-Fi link, realize that they were not given an IP... so they just put in 192.168.0.80 or something like that... and they're on. DNS servers you can just use ones that you know of.
Excellent point, the precise reason why you should both change your SSID AND your admin password immediately on deploying any wireless router or access point. As for the random "I didn't get an automatic IP, so here's a manual one" possibility, that's what MAC address filtering is for. I can keep myself out of my wireless network using this if I want to.
Originally Posted by macroy
As for DHCP, I would use a separate DHCP server (i.e. a Windows box); this way, you can actually set up reservations (not sure if that's a function you have on the routers) and log who used which address. And as you mentioned, segment your network small enough so that you just have enough for your systems (you may still end up with extra spaces due to how subnets work). Which will also solve the issue above to some extent.
This step is reasonable if you have reason to expect the need to control your wireless network beyond the combination of a limited, and non-default, DHCP pool and MAC address filtering. Otherwise, it's too much work, even in large networks.
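The two controls the last few posts settle on, a small non-default DHCP pool and a MAC allow list, only help if someone actually checks the network against them. Here is that check as an added example, not code from the thread: it reads the host table in the format macOS/BSD `arp -a` prints ("? (ip) at mac on ifname ..."), and flags any client outside the pool (the "I didn't get an automatic IP, so here's a manual one" case from the post above), any MAC not on the allow list, and any MAC that shows up at more than one address, since cloning an allowed MAC heard over the air is the standard way past a MAC filter. The pool 192.168.1.20-29 is the one Glenn suggests; the router address 192.168.1.1, the allow list and the ARP lines are constructed for the demo.

```python
"""
Audit active hosts against a DHCP pool and a MAC allow list.
Added example, standard library only; sample input is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# One entry per line, as `arp -a` prints it on macOS/BSD.
ARP_LINE = re.compile(
    r"\? \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\)) on (?P<ifname>\S+)"
)


def normalize_mac(mac: str) -> str:
    """BSD arp prints octets without leading zeros (0:d:93:...); pad and
    lower-case so allow-list comparison is exact."""
    return ":".join(octet.lower().zfill(2) for octet in mac.split(":"))


def parse_arp(text: str):
    """Yield (ip, mac, ifname) for each resolved entry, skipping incomplete ones."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m is None or m["mac"] == "(incomplete)":
            continue
        yield ipaddress.ip_address(m["ip"]), normalize_mac(m["mac"]), m["ifname"]


def audit(arp_text, pool_first, pool_last, router_ip, allowed_macs):
    """Return a list of (address, mac, reason) findings. The router itself is
    exempt from the client checks."""
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    router = ipaddress.ip_address(router_ip)
    allowed = {normalize_mac(m) for m in allowed_macs}
    findings = []
    addresses_of = defaultdict(set)      # mac -> set of addresses seen at
    for ip, mac, _ifname in parse_arp(arp_text):
        if ip == router:
            continue
        addresses_of[mac].add(str(ip))
        if not first <= ip <= last:
            findings.append((str(ip), mac, "static address outside DHCP pool"))
        if mac not in allowed:
            findings.append((str(ip), mac, "MAC not on allow list"))
    for mac, ips in addresses_of.items():
        if len(ips) > 1:
            findings.append((",".join(sorted(ips)), mac, "one MAC at several addresses"))
    return findings


# Constructed `arp -a` output: router, two legitimate clients, one host that
# picked its own address, one host reusing a legitimate client's MAC.
SAMPLE_ARP = """\
? (192.168.1.1) at 0:13:10:aa:bb:cc on en1 [ethernet]
? (192.168.1.21) at 0:11:24:12:34:56 on en1 [ethernet]
? (192.168.1.22) at 0:d:93:ab:cd:ef on en1 [ethernet]
? (192.168.1.80) at 0:c:f1:99:88:77 on en1 [ethernet]
? (192.168.1.28) at 0:11:24:12:34:56 on en1 [ethernet]
? (192.168.1.29) at (incomplete) on en1 [ethernet]
"""
ALLOWED = ["00:11:24:12:34:56", "00:0d:93:ab:cd:ef"]   # constructed allow list

if __name__ == "__main__":
    for addr, mac, reason in audit(SAMPLE_ARP, "192.168.1.20", "192.168.1.29",
                                   "192.168.1.1", ALLOWED):
        print(f"{addr:28} {mac}  {reason}")
```

On a real network you would feed it `arp -a` output from the router's LAN side, or the access point's client list, and run it periodically; the third finding (one MAC at two addresses) is the one a filter alone can never raise, which is the practical limit of MAC filtering that the thread alludes to.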
Clinically Insane (Join Date: Oct 2000, Location: Los Angeles)
I refuse to buy any Linksys product because they needlessly deny Mac users support.
Administrator (Join Date: Apr 2001, Location: San Antonio TX USA)
Originally Posted by Big Mac
I refuse to buy any Linksys product because they needlessly deny Mac users support.
Linksys doesn't really support ANYBODY. Their primary "support" is a "wizard" CD that lets brainless Windows users set up their products. I don't know ANYBODY that this is useful for. They do not know about the specifics of how you might configure your Mac to use their products, but there's not much to know. Macs are configured out of the box to use DHCP, and every Linksys router is configured out of the box to serve DHCP. The rest is really just minor details.
While I am a fan of Linksys products, I will readily admit that the company has gone downhill in customer service in general since Cisco bought them, but their equipment has improved. They aren't the cheapest boxes in town, but I have never had one crap out on me without a good reason; they like to be cool, for example. On top of that, they are leading the industry in marketing Linux-based products, giving customers a lot of options for what they can do with the equipment.
Limiting yourself by avoiding a particular vendor for the reason you state is really counterproductive. A big company like Cisco reads the writing on the wall, and if enough Mac users let them know that "Mac support" is important, they might change their ways. And the lack of this so-called support is NOT a major problem.
Clinically Insane (Join Date: Oct 2000, Location: Los Angeles)
Mac users who patronize those companies that completely ignore the Mac without cause are not helping the platform. I would much rather buy from a company that acknowledges the Mac exists.
Mac Elite (Join Date: Nov 2003, Location: Rockville, MD)
Originally Posted by Big Mac
Mac users who patronize those companies that completely ignore the Mac without cause are not helping the platform. I would much rather buy from a company that acknowledges the Mac exists.
My router and access point are from Belkin, which is a very Mac-friendly company.
Mac Enthusiast (Join Date: Apr 2000)
When I bought my first Linksys router a few years ago the lack of Mac tech support was a major problem for ME. The Linksys/Mac combo did not magically communicate with each other and the steps required to fix the problem were not at all clear (the instructions that were provided seemed to assume that the purchaser had some experience in these matters, not to mention the fact that only Windows screenshots were provided as examples).
Fortunately, I happened upon a Linksys tech support person who knew a little about Macs and who didn't immediately dismiss me with "We don't support Macs" as the other Linksys employees did. Between the two of us we were able to get the router configured and running.
I resolved to never purchase another Linksys product, but I did, mainly because of the price. But after six months of hassling with the second router (WPA compatibility between the Airport card and the router was one problem) I bit the bullet and bought an Apple Extreme Base Station. No worries about lack of support, but then again I didn't need tech support because everything worked right out of the box. And no problems since then, unlike the sporadic connection glitches I had with the Linksys routers.
So I agree that it makes no sense to support a company that refuses to support Macs. Apparently we can wait until hell freezes over before Linksys will support Macs, so purchasing products from Linksys is really counter-productive...unless you like tilting at windmills.