Two Plus Two Newer Archives  

  #1  
04-10-2007, 07:44 PM
DannyNSandy
Senior Member
Join Date: Mar 2007
Location: FTP $6.50s
Posts: 186
(NETWORKING) D-Link 524 Wireless Security

Hello folks! Would like your awesome help again :D Right now I have 1 desktop and 2 laptops on my wireless network, with security of WPA-PSK, MAC filtering and a good passphrase. My question is: what other security features can I enable on my router? All help would be appreciated. Thanks again in advance.

PS. 1 desktop that is wired to the wireless router.
  #2  
04-10-2007, 07:49 PM
buckslayer80
Senior Member
Join Date: Feb 2006
Location: Waiting for GOW3
Posts: 1,010
Re: (NETWORKING) D-Link 524 Wireless Security

That should be plenty, especially with the MAC filtering. Why do you need any more security than that?
  #3  
04-10-2007, 07:56 PM
BiPolar_Nut
Senior Member
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Re: (NETWORKING) D-Link 524 Wireless Security

Not sure what capabilities your router has, but a few steps up in security would work as follows:

Wireless clients connect to a MAC-filtered access point that authenticates users via a separate RADIUS server and isolates wireless clients from seeing other wireless clients that are connected. This would be a dedicated wireless zone in its own subnet. From there, wireless clients would VPN in to the "real" local network.

That pretty much covers the wireless side. Depending on your environment, you may wish to take further steps on the LAN.

edit for clarity: The Access Point would have the capability to do the RADIUS authentication of clients as well as having the clients not see other clients' network traffic. Most (all?) $80 off-the-shelf SOHO wifi gear won't have this capability. Buffalo used to make one for about $200 but that model was discontinued (not sure what replaced it as I haven't needed to order any lately).

Also, the private subnet containing the wireless traffic would have no gateway, no DNS, no route to anywhere except the VPN server address, port(s), and protocol(s).
  #4  
04-10-2007, 08:37 PM
DannyNSandy
Senior Member
Join Date: Mar 2007
Location: FTP $6.50s
Posts: 186
Re: (NETWORKING) D-Link 524 Wireless Security

Is there a chance you can give me steps to set that up? Thanks, Bipolar
  #5  
04-10-2007, 08:49 PM
buckslayer80
Senior Member
Join Date: Feb 2006
Location: Waiting for GOW3
Posts: 1,010
Re: (NETWORKING) D-Link 524 Wireless Security

[ QUOTE ]
Not sure what capabilities your router has, but a few steps up in security would work as follows:

Wireless clients connect to a MAC-filtered access point that authenticates users via a separate RADIUS server and isolates wireless clients from seeing other wireless clients that are connected. This would be a dedicated wireless zone in its own subnet. From there, wireless clients would VPN in to the "real" local network.

That pretty much covers the wireless side. Depending on your environment, you may wish to take further steps on the LAN.

edit for clarity: The Access Point would have the capability to do the RADIUS authentication of clients as well as having the clients not see other clients' network traffic. Most (all?) $80 off-the-shelf SOHO wifi gear won't have this capability. Buffalo used to make one for about $200 but that model was discontinued (not sure what replaced it as I haven't needed to order any lately).

Also, the private subnet containing the wireless traffic would have no gateway, no DNS, no route to anywhere except the VPN server address, port(s), and protocol(s).

[/ QUOTE ]

Would you really recommend all that for a regular user? That's a good bit of setup. Or were you just telling the OP what to do if he really wanted to max out his security?

I ask the OP my original question: why do you need so much security, or do you want it just to have it?
  #6  
04-10-2007, 09:41 PM
BiPolar_Nut
Senior Member
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Re: (NETWORKING) D-Link 524 Wireless Security

[ QUOTE ]
Would you really recommend all that for a regular user?

[/ QUOTE ]

No. To regular users I recommend wired networks. If they insist on wireless, I'll give them a few more horror stories and make another push for wired. The few that *still* insist on wireless, yes. I state something like "the only way I would personally consider running wireless is to blah blah blah as above."

[ QUOTE ]
That's a good bit of setup.

[/ QUOTE ]

Yes. It is.

[ QUOTE ]
Or were you just telling the OP what to do if he really wanted to max out his security?

[/ QUOTE ]

Yes. I was.




As for OP's question:
[ QUOTE ]
Is there a chance you can give me steps to set that up?

[/ QUOTE ]

General steps? Yes. Specific step-by-step w/ brands, models, prices, links, instructions, sample config files, the recipe for Coca-Cola, screenshots of a walkthrough, etc.? No.

General steps:

1. Configure or add a machine to your private LAN to act as a RADIUS server, and the same (or preferably a separate) server to act as the VPN server for the LAN.

2. Use a wireless router capable of authenticating users to an external RADIUS server as well as isolating wireless clients so that they cannot communicate w/ each other.

The VPN server would have a network interface on the LAN and a second network interface on the hostile wireless subnet (where unknown/untrusted users can attempt to authenticate).

The RADIUS server would only have a LAN address.

The WiFi router would obv have hostile and LAN-facing network addresses.

From there it's just a matter of configuring each step...instructions for which will vary according to software used and experience.

If that's not detailed enough, go wired ;)

Edit: My main gripe w/ WPA is people very often claim to have a "good passphrase" and think 1970AxLiNg_ is insanely un-guessable. That particular password would be guessed very shortly into the first guesses after a dictionary has been exhausted and well before random attempts by a good/determined brute force attempt. °Þê(s:ERöX^4+jª♣Üš is orders of magnitude more secure than the 1970AxLiNg_ hypothetical password when it comes to brute forcing.
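An added example, not part of BiPolar_Nut's posts: one way to express the "no route to anywhere except the VPN server address, port(s), and protocol(s)" rule on a Linux VPN server with iptables. The interface name `eth1`, the address `192.168.50.1` and the UDP port 1194 are assumptions chosen for illustration; the thread names no VPN software or addressing.

```shell
#!/bin/sh
# Emit iptables-restore rules for the wireless-facing interface of the
# dual-homed VPN server described in the thread.
# Assumed values (not from the thread): eth1 = hostile wireless side,
# 192.168.50.1 = VPN server's address on that subnet, udp/1194 = VPN listener.
wifi_zone_rules() {
    wifi_if=$1 vpn_addr=$2 proto=$3 port=$4

    # Refuse anything that is not a plain tcp/udp port, so a typo cannot
    # silently widen the only opening into the zone.
    case $proto in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }

    # WIFI_IN: everything arriving on the wireless side lands here first.
    # Only the VPN listener is accepted; DNS, DHCP, ping and the rest are dropped.
    # The FORWARD rule means the box never routes for the wireless subnet,
    # so LAN access exists only inside an authenticated VPN tunnel.
    cat <<EOF
*filter
:WIFI_IN - [0:0]
-I INPUT 1 -i $wifi_if -j WIFI_IN
-A WIFI_IN -d $vpn_addr -p $proto --dport $port -j ACCEPT
-A WIFI_IN -j DROP
-I FORWARD 1 -i $wifi_if -j DROP
COMMIT
EOF
}

# Print the ruleset for the assumed values. To load it without flushing
# existing rules:
#   wifi_zone_rules eth1 192.168.50.1 udp 1194 | iptables-restore --noflush
wifi_zone_rules eth1 192.168.50.1 udp 1194
```

The client side of "no gateway, no DNS" is set in whatever hands out addresses on the wireless subnet, which this ruleset does not cover.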
  #7  
04-10-2007, 10:13 PM
buckslayer80
Senior Member
Join Date: Feb 2006
Location: Waiting for GOW3
Posts: 1,010
Re: (NETWORKING) D-Link 524 Wireless Security

1970AxLiNg_

That's your passphrase isn't it? Don't lie. :P
  #8  
04-10-2007, 10:29 PM
DannyNSandy
Senior Member
Join Date: Mar 2007
Location: FTP $6.50s
Posts: 186
Re: (NETWORKING) D-Link 524 Wireless Security

It's hard to go wired since I have 4 computers I use all the time. I have 1 wired, 3 wireless as that's the only way. :) Thanks for the help
  #9  
04-10-2007, 10:46 PM
BiPolar_Nut
Senior Member
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Re: (NETWORKING) D-Link 524 Wireless Security

[ QUOTE ]
1970AxLiNg_

That's your passphrase isn't it? Don't lie.

[/ QUOTE ]

Actually, 1970 is the year of human flesh I am, and I was trying to think of something enunciable yet not a word, and axling came to mind, then I figured I'd need to throw in a symbol to spice it up a notch (and alternating the shift key on the letters to make it look even more l33t). That's what I came up with as my best example of a "not so great" password that the average Joe may think is very strong.

My throwaway passwords for single-use email accounts are stronger than that lol.


(My password for everything is actually 1970AxLzNg_ )


Oh, yeah...don't use the same password for a bunch of stuff, don't write it on a post-it note and stick it on your monitor, don't save it in a file called passwords.txt, don't log on/in anywhere that sends passwords in clear text (like checking your email via POP or using ps_exec to fire up a process on your buddy's machine for comic relief during the workday or using FTP (besides anonymous/passwordless sites) for anything, even passwords sent via email are potentially opening doors/holes...which again is why I push wired over wireless: no extra security exposure over what you had before adding a client to your wired network)

Wow...I haven't soapboxed in CTH in a while ;).
All times are GMT -4.