
Network Security Considerations
tioga
Dedicated MacNNer
Join Date: Nov 1999
Location: SF Bay Area
Aug 13, 2002, 07:46 PM
 
I have a new linksys wireless access point/router with an ethernet connection to an iMac 350 running OS 9.2.2, and a wireless connection to a windoze 98 PC.

Before I start changing the security stuff on this network I have some questions:

1. Do I want or need the ZoneAlarm Pro software and PC Cillin offered on the linksys site? If so, is it compatible with both the Mac and PC?

2. Do I want to enable WEP and, if so, what settings would be reasonable? Though not obsessed with security, I'd like to minimize unauthorized intrusions and hacking.

3. Any other security measures/considerations for a new network (run by an utterly inexperienced administrator)?

Thanks in advance for the advice, concerns, recommendations, etc.
     
Brit Ben
Mac Enthusiast
Join Date: Apr 2001
Location: Ottawa, ON, Canada
Aug 13, 2002, 11:43 PM
 
Originally posted by tioga:
I have a new linksys wireless access point/router with an ethernet connection to an iMac 350 running OS 9.2.2, and a wireless connection to a windoze 98 PC.

Before I start changing the security stuff on this network I have some questions:

1. Do I want or need the ZoneAlarm Pro software and PC Cillin offered on the linksys site? If so, is it compatible with both the Mac and PC?

2. Do I want to enable WEP and, if so, what settings would be reasonable? Though not obsessed with security, I'd like to minimize unauthorized intrusions and hacking.

3. Any other security measures/considerations for a new network (run by an utterly inexperienced administrator)?

Thanks in advance for the advice, concerns, recommendations, etc.

I'm starting by assuming that you are a home user, at home. If you're running this on a corporate LAN, err, you deserve whatever happens (job-wise).

1. Skipped, I see no use in either of these.

2. Yes, it's there, and if nothing else will help deter the casual stumbler from accessing your network. If a hacker wants in, they're in regardless of WEP. There are plenty of tools on the internet to assist, and I have demonstrated these at meetings to prove they work, complete with reading someone else's email out loud to much laughter.

3. If you're paranoid, and money is irrelevant, get a small firewall/VPN device, physically attached to the service provider ethernet port, and then run absolutely everything wireless on the "insecure" side, with a VPN client running on your PC. This part stops people sniffing your traffic on the wireless LAN. You then need to tell your router, or the firewall, not to forward any traffic that doesn't originate from a VPN client. This stops someone stealing your bandwidth. Finally, you need to configure the firewall to prevent people doing bad things to your network. These boxes will set you back about $300, and a good start is sofaware (www.sofaware.com). I am truly paranoid, and run a full-blown checkpoint firewall-1 implementation at home. The logs from this device alone make for all the reference I need when presenting on network security. (I'm biased since I am a Checkpoint Certified Security Engineer.)

Just because you think you're paranoid, doesn't mean that they *aren't* watching you.
Ben.
     
tioga  (op)
Dedicated MacNNer
Join Date: Nov 1999
Location: SF Bay Area
Aug 14, 2002, 07:34 PM
 
Brit Ben:
Thanks for the reply. I am a home user at home. I did the tests at GRC.com and my system did fine, but I don't know how aggressive or imaginative their attack was.

Re the WEP, can you recommend specific settings, ie 128 bit encryption and some of the other choices they offer?

I'm not sure if I can afford the $300 box at this point. I would peg my paranoia level at 3 or 4 on a scale of 1-10.

I'd like to take reasonable measures without spending a bundle.
     
derien
Forum Regular
Join Date: Aug 2002
Location: Cascadia
Aug 14, 2002, 08:23 PM
 
It might also be wise to limit access through the router to the specific MAC addresses of the computers you are using. Each network card (whether wired or wireless) has its own unique ID, so in theory (and pretty much in practice, I would guess), that would prevent unauthorized access--but the encryption would still be necessary to prevent eavesdropping on the wireless connection.

The process for setting this up will be specific to the router, so you should have a look at the manual or documentation.

I should note that I'm not an expert in this area, so someone correct me if I'm wrong on any of these points.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Aug 15, 2002, 06:59 AM
 
Go with 128-bit WEP. BritBen is quite sophisticated, unlike the vast majority of those who would call themselves "hackers" (who even give the bad guys a bad name), so using what's available will repel most of these "script kiddies" and their ilk. Setting it up between a Linksys access point and an AirPort system isn't even really difficult, though you need to put "$" in front of the hexadecimal characters if you copy them from the Linksys settings to the AirPort settings; this tells the AirPort system to interpret the characters as hex, and without it the characters are interpreted as plain text.

Derien mentioned restricting your wireless network to specific MAC addresses - great idea. You set this up using the configuration software that came with the router/access point - I think you can do it through its HTML interface, just like the rest of its setup.

Zone Alarm is good if you're both paranoid and an experienced network geek. It will tell you of every instance of an outside request, ping, etc. The logs get to be really long, and they don't do you a lot of good if you don't mess with the router every day. I haven't checked lately, but I don't think that these tools are in a Mac format.

On the Linksys router settings you should tell it to block outside requests (unless you're trying to host games, etc., but I don't think you are), and let the built-in Network Address Translation (NAT) give you a bit more camouflage from the outside.

Finally, make sure you have a good antivirus program on each computer you use. There aren't as many bugs that hurt Macs as there are that hurt Windows (and even Linux is getting hit nowadays), but protect yourself, just the same.

Enjoy!

Glenn -----OTR/L, MOT, Tx
     
howardm4
Senior User
Join Date: Sep 2000
Location: Boston, MA
Aug 15, 2002, 08:44 AM
 
If the wireless router has the option to create a 'closed network', DO IT.

In addition to everything else mentioned (all great ideas), the closed network prevents broadcasting the network's presence to any machine that happens to be within range. The machine would be required to know the network identifier a priori. That prevents a bunch of 'drive-by' scanning.
     
Brit Ben
Mac Enthusiast
Join Date: Apr 2001
Location: Ottawa, ON, Canada
Aug 15, 2002, 02:56 PM
 
Originally posted by derien:
It might also be wise to limit access through the router to the specific MAC addresses of the computers you are using. Each network card (whether wired or wireless) has its own unique ID, so in theory (and pretty much in practice, I would guess), that would prevent unauthorized access--but the encryption would still be necessary to prevent eavesdropping on the wireless connection.

The process for setting this up will be specific to the router, so you should have a look at the manual or documentation.

I should note that I'm not an expert in this area, so someone correct me if I'm wrong on any of these points.

Yes, this is a very good suggestion too. It is relatively easy to clone a MAC address and then muck around on a network, but once again it is a deterrence. If you look at network security much like home security, you're heading in the right direction.

If someone really wants in, only a pro is going to stop them. On the other hand, if you can make your network far less attractive, they'll go hack someone else's down the street.

Specifics:

If you have 128 bit WEP available on every machine, then use it; it does take relatively longer to crack than 40 bit. If you don't, 40 bit is fine; it's still better than nothing, and means someone over the corridor in a dorm, or in the next townhouse along or whatever, can't accidentally use your network.

Howard makes a great point about turning off the SSID broadcast, creating a closed network etc. If there are any options on the setup of any wireless kit that look similar to these, set them. Another obvious basic step is to change the default SSID. Quite often, it's "airport" or "default" or another well known string. There's no point turning this off without changing it. Don't use your street name or house number here either, because that will tell drive-by sniffers exactly where they can get the best signal.

I think tech.tv are planning on doing a series on security of home wireless networks sometime soon, so have a looksee at their website.

Cheers,
Ben.
     
tioga  (op)
Dedicated MacNNer
Join Date: Nov 1999
Location: SF Bay Area
Aug 15, 2002, 11:41 PM
 
I really like the idea of a closed network where I can restrict access to specific MAC addresses. Now the linksys product manual talks about MAC address filtering but I'm not sure if this is the same thing. Anyone familiar with that term?

Also, when I tried to set up WEP encryption the router lost comms with both the ethernet-connected iMac, and the wireless-connected PC. I had to do a hard reset on the router to get things going again. I must have screwed up something, ya think?

Oh well, enough frustration for one night.

Sooner or later I'll get it with everyone's help.

Still not as secure as I'd like, but getting there!
     
Brit Ben
Mac Enthusiast
Join Date: Apr 2001
Location: Ottawa, ON, Canada
Aug 16, 2002, 12:04 AM
 
Originally posted by tioga:
I really like the idea of a closed network where I can restrict access to specific MAC addresses. Now the linksys product manual talks about MAC address filtering but I'm not sure if this is the same thing. Anyone familiar with that term?

Also, when I tried to set up WEP encryption the router lost comms with both the ethernet-connected iMac, and the wireless-connected PC. I had to do a hard reset on the router to get things going again. I must have screwed up something, ya think?

Oh well, enough frustration for one night.

Sooner or later I'll get it with everyone's help.

Still not as secure as I'd like, but getting there!

MAC address filtering sounds very similar to access lists. I'm not familiar with the linksys. If you turn on WEP, you WILL lose connectivity over the wireless link. Set up the WEP key, turn it on, then enter the same WEP key into the Apple networking config pane in the "password" box, then you'll regain access to the network.

As someone else already pointed out, you should note the hexadecimal value for the WEP key, since Apple use a proprietary method to calculate the hex values from the plain text you enter in the password prompt. You tell the Mac that you are entering a hex string by using "0x" or "$" in front of the hex values. I don't know how the linksys calculates strings, or how you enter them; perhaps someone else can tell you here.

Similarly, if you plan on using MAC filtering, take a note of the MAC address from the AirPort interface in Terminal - type this:
Code:
ifconfig en1 | grep ether | awk '{ print $2}'
Enter this MAC address into the accepted address list *BEFORE* you turn on MAC filtering.

Cheers,
Ben.

[edit: forgot about the MAC address]
( Last edited by Brit Ben; Aug 16, 2002 at 12:10 AM. )
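
An added example, not part of Ben's post or of any vendor's tooling: a pre-flight check for the two lock-out risks described above, a client key entry that lacks the "$"/"0x" hex prefix, and a client MAC address missing from the allow list when filtering is switched on. The key, the ifconfig output and all function names are constructed for illustration.

```python
import re

# WEP secret sizes: "40-bit" keys are 5 bytes (10 hex digits), "128-bit" keys
# are 13 bytes (26 hex digits); the rest of the advertised size is the 24-bit IV.
WEP_KEY_BYTES = (5, 13)

# Constructed sample data (not taken from the thread).
ROUTER_KEY = "0F1E2D3C4B5A69788796A5B4C3"
IFCONFIG_SAMPLE = "en1: flags=8863<UP,BROADCAST,RUNNING> mtu 1500\n\tether 00:30:65:ab:cd:ef\n"

def client_key_bytes(entry):
    """Decode a client-side key entry; "$" or "0x" marks hex, as in the thread.
    Returns None for plain text, whose derived key depends on the vendor."""
    m = re.fullmatch(r"(?:\$|0[xX])([0-9A-Fa-f]+)", entry.strip())
    if not m or len(m.group(1)) % 2:
        return None
    return bytes.fromhex(m.group(1))

def norm_mac(mac):
    """Normalize 00-30-65-AB-CD-EF or 00:30:65:ab:cd:ef to one form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def mac_from_ifconfig(output):
    """Pull the address from the 'ether' line of ifconfig output."""
    m = re.search(r"^\s*ether\s+(\S+)", output, re.MULTILINE)
    return norm_mac(m.group(1)) if m else None

def preflight(router_hex, client_entry, client_mac, allow_list):
    """Return the problems that would lock this client out of the network."""
    problems = []
    router_key = bytes.fromhex(router_hex)
    if len(router_key) not in WEP_KEY_BYTES:
        problems.append("router key is not 10 or 26 hex digits")
    client_key = client_key_bytes(client_entry)
    if client_key is None:
        problems.append("client entry lacks $/0x prefix: read as plain text")
    elif client_key != router_key:
        problems.append("client key differs from router key")
    if norm_mac(client_mac) not in {norm_mac(a) for a in allow_list}:
        problems.append("client MAC missing from allow list")
    return problems
```
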
     
tioga  (op)
Dedicated MacNNer
Join Date: Nov 1999
Location: SF Bay Area
Aug 16, 2002, 12:16 AM
 
Ben: Sorry if I'm confusing things but my wireless connection is to a windoze PC. The iMac is cabled directly to the access point/router, so I presume it isn't affected at all by the WEP part.
     
Brit Ben
Mac Enthusiast
Join Date: Apr 2001
Location: Ottawa, ON, Canada
Aug 16, 2002, 07:25 AM
 
Originally posted by tioga:
Ben: Sorry if I'm confusing things but my wireless connection is to a windoze PC. The iMac is cabled directly to the access point/router, so I presume it isn't affected at all by the WEP part.

Reread original post. D'Oh!

Similar things apply for the Windows PC: get its ethernet MAC address, put that into the base station, figure out where you put the WEP key, and enter it on both the base and the Windows client.

My bad.
Ben.
     
   
 