Thread: Wireless Security Primer - II

Hi 1st many many thanks to just4kix,this is a very useful thread..keep it up


I am very worried about my newly installed bsnl broadband connection security.My problem is my modem is nokia siemens SL1_141,and it is in PPPoE mode with the passward and id installed in it (done by bsnl agent).some of my neighbours are accessing my net through the wireless,and I can see them in network & sharing centre but I can not do anything as I also dont need to type the passward & id everytime I open it...it is installed in modem itself.
I was looking for any way to switch off the wireless facility as it seemed t be simplest...but could not. IS THERE ANY WAY TO DO THAT?
So that only 2 or 3 comp can surf through wire?

or..


Can u please help me to use any security options (and how to)

Nicely laid out article JFK. The information gathered from wikipedia has been edited to suit the end user and at the same time not compromising on the technical details.

I can add my two bits from the experience that I had:

1. Some modems/routers come with a set of different users : admin, user, etc. As you pointed out most of the users do not change the default admin password and some of them who do, do not bother to change the passwords of other users as they are not superusers.

But I just discovered a fatal security flaw in BSNL's ZTE ZXDSL 531B - I have reported it in the bsnl broadband forum. In that the user "user" can access all admin rights while using tftp - telnet modem_ip 23.

So when you are changing passwords - change them for all the available users.

2. In the access control portion of the configuration, add IP access control rules specifying which workstation's IP should be allowed to access the UI. Of course, anyone can change the IP if the mgmt workstation is down - but we can only raise the bar - there is no such thing as 100% security.

3. Most of the routers have various services enabled like - ftp, http, telnet, etc. Enable only the ones that you need. A good rule to follow is - block all, open few.

4. Change the IP of the router to an entirely different series from 192.168.1.1

5. If you do not know how to secure you wireless - do not turn it on.

6. Once you are done with these things, take a backup of your changes so that the next time you need to restore stuff from default - you don't have to do all these things all over again. The backup can easily be taken from the management section, which allows you to upload and download backup files.

Thank for the useful and nice info..

How do I turn a wireless on when it is already on automatically?Is there any way to turn it off?

Some (actually most) wi-fi modems/routers have an option to enable or disable wireless. Check if your modem's wireless basic settings.

thank u again
I have opted for wpa2 psk,its working for blocking wireless,my comp shows ur comp settings are not matching the requirement 4 the coonection when i opt for wireless, its working 4 only wired connection

my question is, is there further modification to secure my network?
or how do I change my I.P address?

A simple Query -

I have turned Access control on in my wifi setup...that means any other hacker would not be able to connect to my wifi network at all....unless n until that fellow somehow manages to get my mac address....but even for accessing the wifi routers login page be it default 192.168.1.1, he ought to be connected to the network...right...or can the hacker without getting an ip address from my network still log on the router page..?

I still believe turning access control on is one of the simplest and the first securtiy measures to be taken along with switching on of WEP / WPA / IP changes etc.

Originally Posted by gg_bti

A simple Query -

I have turned Access control on in my wifi setup...that means any other hacker would not be able to connect to my wifi network at all....unless n until that fellow somehow manages to get my mac address....but even for accessing the wifi routers login page be it default 192.168.1.1, he ought to be connected to the network...right...or can the hacker without getting an ip address from my network still log on the router page..?

I still believe turning access control on is one of the simplest and the first securtiy measures to be taken along with switching on of WEP / WPA / IP changes etc.

It is almost impossible to duplicate MAC address. If you feel threatened still, do the following:

a) Turn on Mac Address filtering (already done by you)
b) WPA-PSK with TKIP and use a really long key as suggesting in my guide
c) Secure router's admin password to a very strong pwd
d) Change router's LAN IP address
e) After your wi-fi SSID is stored on your laptop (this is done after the first time connect and stays stored till you delete it or format the OS), turn SSID broadcast off.

From what I have seen of the pointers to thwart active attacks, you can do the following:

When using wireless

1. Go for an encryption protocol like WPA, preferably WPA2 + AES encryption.

2. Stop your modem from broadcasting your SSID.

3. Enter MAC filter rules to limit the addresses which can access your wireless network.

4. In the access control section, enable the rule for allowing only a specific IP to be a management station of the modem.

5. If possible, do not keep your modem near open areas like gallery, windows etc - this will limit the access domain to your home only.

Of course a mind determind to break the locks will bang his heads until he succeeds - We cannot prevent the inevitable but we can always ensure that the bars are raised high enough and the headaches to the crackers are of premium quality.

JFK has already discussed the pointers in his well written primer. And of course both us were typing a reply at the same time so both of our posts having a few things in common.

Talk about getting quick answers : )

Originally Posted by just4kix

b) WPA-PSK with TKIP and use a really long key as suggesting in my guide

If your OS permits you and respects WPA2 + AES go for it. Vista and Ubuntu 's networking programs support them.

The wifi alliance (the guys who are supposedly maintaining wi fi standards) came up with TKIP to solve the limitations of WEP - longer key length, static keys, etc. However the encryption algorithm is the same as used in WEP.

In case of WPA2 - the encryption algo is AES - harder to crack than the earlier ones.

But if your OS cribs, cries, cringes and holds it breath till its face turns blue - at least go for WPA

this is good information, I'll give a try for some of those tricks

The problem with WPA2-PSK-AES is that some mobile handheld devices do not support it. Also old generation wi-fi does not support it. Hence WPA-PSK-TKIP is suggested.

I have already said in the two primers that WPA2-PSK-AES is the best.

hello everybody,
I have recently got my bsnl broadband connection. my modem is wa3002g4 type II. my computer is pentium III in which there is no LAN card so i decided to go for wireless lan. for that i purchased Netgear USB Adapter.
one friend of mine has done the setup and now i am able to connect to net. problem was I was not able to login router login page using 192.168.1.1 so as per the suggestion given in this forum, i assigned static ip address 192.168.1.3 by right clicking Wireless Network Connection 2 Netgear 111v3 and then selecting TCP/IP option. after that i was able to login 192.168.1.1
Now the problem is in the router setting i changed router ip address from 192.168.1.1 to something like 240.25.200.215 for the security reasons. it's subnet mask was 255.255.255.0. and then without configuring anything i save and reboot it. now i am not able to login to 192.168.1.1 or 24.25.200.215. what is the problem?
another thing is when i try to assign static ip address to Wireless Network Connection 2 Netgear 111v3, it does not take value greater than 223.
so plz somebody could tell what is the problem and how can i login my router login page. plz note that i am able to connect the net.
thanks in advance
regards
arvind

JFK, thank for the info..

But my question remains unanswered.... can the hacker without getting an ip address from my network still log on the router page..? even if my router is 192.1681.1.1 with default login name and password....

Of course as said in later post, if hacker wants to get in, in that case no amount of security is secure enough..

Originally Posted by gg_bti

JFK, thank for the info..

But my question remains unanswered.... can the hacker without getting an ip address from my network still log on the router page..? even if my router is 192.1681.1.1 with default login name and password....

Of course as said in later post, if hacker wants to get in, in that case no amount of security is secure enough..

To login to http://192.168.1.1, the hacker must first be connected to your network. To connect to your network, he/she needs to be connected to the wi-fi router first. So if your wi-fi security prvents this connection, there is nothing the hacker can do except keep trying to login by trying to guess the key.

By having WPA + Mac address filtering, it will be almost impossible to connect.

On the other hand if your telnet port is open and you do not have a good firewall, a hacker can remotely connect to your network/pc from the real IP address.

Originally Posted by arvind296

hello everybody,
I have recently got my bsnl broadband connection. my modem is wa3002g4 type II. my computer is pentium III in which there is no LAN card so i decided to go for wireless lan. for that i purchased Netgear USB Adapter.
one friend of mine has done the setup and now i am able to connect to net. problem was I was not able to login router login page using 192.168.1.1 so as per the suggestion given in this forum, i assigned static ip address 192.168.1.3 by right clicking Wireless Network Connection 2 Netgear 111v3 and then selecting TCP/IP option. after that i was able to login 192.168.1.1
Now the problem is in the router setting i changed router ip address from 192.168.1.1 to something like 240.25.200.215 for the security reasons. it's subnet mask was 255.255.255.0. and then without configuring anything i save and reboot it. now i am not able to login to 192.168.1.1 or 24.25.200.215. what is the problem?
another thing is when i try to assign static ip address to Wireless Network Connection 2 Netgear 111v3, it does not take value greater than 223.
arvind

When 2 machines are connected in a LAN - example - your machine and your router - they can communicate with each other only if both of them are having an IP in the same subnet.

e.g. if router IP is 192.168.1.X (where X is no. from 1 to 254) your computer's IP should be 192.168.1.Y (where Y is not equal to X and is in the range 1 to 254).

So in this case you changed your router's IP to 24.25.200.215 - you need to be in the same range - give your comp an IP like 24.25.200.X where X is not equal to 215. Keep both the subnet masks same.

When you change stuff for security reasons - know the implications - otherwise you will end up locking yourself out.

By having WPA + Mac address filtering, it will be almost impossible to connect.

On the other hand if your telnet port is open and you do not have a good firewall, a hacker can remotely connect to your network/pc from the real IP address.

Thanks a lot JFK once again

I do have MAC address filtering and WPA done to my wifi...I believe that amount of security is good enough... and as well another measure, I do SWITCH OFF my wifi when not in use....I guess technology is still not that advanced that hacker can remotely switch on my wifi...

Regarding telnet port being open - how to close the same...will any other services be affected if the same is closed...?

I do have the default Windows XP firewall ON as well as Norton Internet Security 2006 edition working, however at times I do receive a message from Norton that there has been an attampt to hack the computer which was blocked by Norton...

You are OK then. Norton will protect port 23 (telnet) intrusion.

Apart from the above security issues where hacker can logon to your wifi and use your net connection or hack into your computer, are their any other issues with using wifi.. when I was in US couple of years ago, my room mate used to do some kind of sniffing...and he always said that it is possible to catch the packets floating around the air...whatever data is sent by laptop to the wifi ....

is it possible that some other hacker can also get the same and decrypt it...??

would that mean accessing your bank accounts / financial information is not safe over wifi at all....?

IS WPA / WEP etc ways to encrypt data or only security measures to connect to wifi network....?? do they further encrypt the data sent over wifi??

Just some layman questions / thoughts...

JFK,

Just read through your wireless security primer - 1 post...I believe it has answered most of my questions above.....that was indeed very helpful

Hi Just4kix. I am using a dlink DI524 wireless router. i have forgotten the admin password for the same. However, i have not changed it from the default password. Is there anyway i can recover this password? Is there a dlink support center or some other way.
I have a network ID password to protect my wireless network currently. Without the admin password i am not able to change my network passowrd. Do you think that is a big issue?

If you did not change the password, it is still the same, i.e., admin.

All your security is useless if you do not change the password.

You can also reset the router to the factory settings using the RESET button at the back panel.

thanks for that just4kix. But if admin is the default password, what is the default username? Im sorry but i dont remember this and it will be good if you can help me out so that i can change the same.

Have you not read the numerous guides? Do you not have the user manual? The default user name is admin and password is also admin.

Please do make enough effort to search the web, read manuals, etc.

need to know if i can use all letters & numders to make a key.pl help

You can use any combination of letters (lowercase/uppercase), numbers or special characters.

Originally Posted by gg_bti

[I]
By having WPA + Mac address filtering, it will be almost impossible to connect.

I dont think its impossible to connect, any hacker can easily get the mac address (both of the router & the laptop or pc) by reading data packets. WPA security can be broken by using a Dictionary attack. Also you can easily change your systems mac address. How come you tell its safe ?

Originally Posted by just4kix

If you did not change the password, it is still the same, i.e., admin.

All your security is useless if you do not change the password.

All the security is still use less if you change the password & login to the router & then forget to logout or just close the browser. Any router can be fooled using simple java scripts.

I am using BSNL DataOne conn. with ITI DNA-A211-l wireless modem/router.
I want to use Nokia Communicator to access internet through wi-fi.
Can anyone tell how to set up wifi.Do i need to buy additional h/w.