#53449 - 03/01/2002 13:55
Re: Wired or Wireless? Networking advice required
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
It's actually pretty easy to set up the encryption that comes with these things, which is called WEP (Wired Equivalence Protection). You have to make up your own key, so it's not on by default, but it's easy to do. It's not the best encryption ever, but it'll keep your neighbors out. The Orinoco Gold cards have even better encryption available, if you're concerned, though.
_________________________
Bitt Faulk
#53450 - 03/01/2002 14:00
Re: Wired or Wireless? Networking advice required
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
It's actually pretty easy to set up the encryption that comes with these things, which is called WEP (Wired Equivalence Protection).
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2803615,00.html
So which is easier, hacking the WEP key, or spoofing a card's MAC address? Is the latter even possible?
#53451 - 03/01/2002 14:05
Re: Wired or Wireless? Networking advice required
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
It's much easier to spoof a MAC address. The Orinoco cards don't allow you to do it by default, but it's pretty much a requirement for bridging. All operating systems I've seen other than Windows have a very easy interface for modifying MAC addresses for most NICs. And no one said it was perfect, but it'll keep Grampa Jones next door from snooping on your network.
_________________________
Bitt Faulk
#53452 - 03/01/2002 14:09
Re: Wired or Wireless? Networking advice required
[Re: wfaulk]
|
carpal tunnel
Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
|
Yeah, my Linksys BEFSR41 router can do it as well. MACs were designed to be globally unique, but nobody really enforced that.
#53453 - 03/01/2002 14:17
Re: Wired or Wireless? Networking advice required
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
And no one said it was perfect, but it'll keep Grampa Jones next door from snooping on your network.
I'm not worried about Grampa Jones, it's that slacker teenage grandson of his with the funny haircut.
#53454 - 03/01/2002 14:17
Re: Wired or Wireless? Networking advice required
[Re: tonyc]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
That's not entirely true, either. There is a bit in the MAC address that indicates whether it is a globally unique address or not. If it's not set, you can set the MAC address to whatever you desire. Of course, no one ever really enforced the rest of the spec, other than manufacturers do ship with only their assigned prefixes.
_________________________
Bitt Faulk
#53455 - 03/01/2002 15:06
Re: Wired or Wireless? Networking advice required
[Re: tfabris]
|
enthusiast
Registered: 20/02/2001
Posts: 345
|
In reply to:
And no one said it was perfect, but it'll keep Grampa Jones next door from snooping on your network.
I'm not worried about Grampa Jones, it's that slacker teenage grandson of his with the funny haircut.
Oh HIM...
IPSEC.
Your guy rolls his own routers, it should be (almost) trivial for him to just encapsulate all legitimate traffic in an IPSEC packet, and then reject any wireless traffic that is not ipseced, with the right key.
He's probably already doing it. If he's not, then he should be.
IPSEC really makes WEP and MAC locking look.... pathetic.
_________________________
Synergy
mk2, 42G: mk2a, 10G
I tried Patience, but it took too long.
#53456 - 03/01/2002 15:48
Re: Wired or Wireless? Networking advice required
[Re: wfaulk]
|
pooh-bah
Registered: 13/09/1999
Posts: 2401
Loc: Croatia
|
...other than manufacturers do ship with only their assigned prefixes.
Not even that. I was once troubleshooting a small network for a friend. Nothing worked. It turned out that all of 3 or 4 ultracheap no-name Ethernet cards he bought had the same MAC address. Perhaps it was possible to reassign them, but there was not a sheet of documentation, drivers, nothing (they emulated some popular card, I don't remember which). We just tossed them. Serves him right.
_________________________
Dragi "Bonzi" Raos
Q#5196
MkII #080000376, 18GB green
MkIIa #040103247, 60GB blue
#53457 - 03/01/2002 15:55
Re: Wired or Wireless? Networking advice required
[Re: bonzi]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Funny. But I would still be surprised if they didn't use that no-name manufacturer's IEEE assigned ID as the first few digits of the MAC address, even if the rest of the address was the same as well.
_________________________
Bitt Faulk
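Added example, not part of any post in this thread: a small audit of a host inventory covering the three MAC address points raised above, namely the locally administered bit (the 0x02 bit of the first octet, set when an address has been assigned locally rather than by the manufacturer), duplicate addresses written in different notations, and the 3-byte manufacturer prefix. The host names and addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample inventory (name, MAC), e.g. copied from a DHCP lease table.
SAMPLE_HOSTS = [
    ("laptop", "00:02:2D:1A:2B:3C"),
    ("bridge", "02:00:00:12:34:56"),  # U/L bit set in the first octet
    ("nic-a", "0000.E812.3456"),
    ("nic-b", "00:00:e8:12:34:56"),   # same address as nic-a, other notation
    ("bogus", "00:11:22:33:44"),      # malformed: only five octets
]

def parse_mac(text):
    """Return the 6 raw bytes of a MAC written with ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def describe(mac):
    """Decode the two flag bits of the first octet and the 3-byte prefix."""
    return {
        "prefix": mac[:3].hex(":"),
        "locally_administered": bool(mac[0] & 0x02),  # U/L bit
        "group": bool(mac[0] & 0x01),                 # I/G (multicast) bit
    }

def audit(hosts):
    """Return (who, finding) pairs for invalid, local and duplicate addresses."""
    seen = defaultdict(list)
    findings = []
    for name, text in hosts:
        try:
            mac = parse_mac(text)
        except ValueError as exc:
            findings.append((name, f"invalid: {exc}"))
            continue
        if describe(mac)["locally_administered"]:
            findings.append((name, "locally administered address"))
        seen[mac].append(name)
    for mac, names in seen.items():
        if len(names) > 1:
            findings.append((", ".join(names), f"duplicate MAC {mac.hex(':')}"))
    return findings

if __name__ == "__main__":
    for who, what in audit(SAMPLE_HOSTS):
        print(f"{who}: {what}")
```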
#53458 - 03/01/2002 15:59
Re: Wired or Wireless? Networking advice required
[Re: Roger]
|
journeyman
Registered: 22/12/2001
Posts: 56
Loc: San Jose, CA
|
In reply to:
So, let me get this straight -- if I get a pair of Linksys WAP11 boxes, I can configure them to do bridging? Ethernet level bridging, or IP routing?
Also, is the security in these things adequate? If I was running another PC downstairs, I could route PPP over an ssh tunnel over the wireless, which would be a cool hack, but slightly overkill.
Yes, two LinkSys WAP11's will do Ethernet (i.e., layer 2) bridging via 802.11b.
The security is 128-bit WEP. And since WEP has been completely cracked, you'll want to limit access by MAC address, use host and user-based RADIUS authentication, and use something like ssh or similar strong encryption for anything you don't want sniffed. There are evil people running around with homebrew directional Yagis (*sound of skritch hiding that threaded rod, Pringles can, and length of PVC piping next to his desk*).
#53459 - 03/01/2002 16:01
Re: Wired or Wireless? Networking advice required
[Re: tfabris]
|
journeyman
Registered: 22/12/2001
Posts: 56
Loc: San Jose, CA
|
In reply to:
One of his tricks is to lock out all MAC addresses except the ones he specifies. So only a given set of cards will be able to access the router. I don't know if that would be possible to do on the off-the-shelf routers, but if it is, that would be adequate security for your home LAN, I think.
All commercial access points have this functionality, including the LinkSys and Apple models.
#53460 - 03/01/2002 16:03
Re: Wired or Wireless? Networking advice required
[Re: wfaulk]
|
journeyman
Registered: 22/12/2001
Posts: 56
Loc: San Jose, CA
|
In reply to:
It's actually pretty easy to set up the encryption that comes with these things, which is called WEP (Wired Equivalence Protection). You have to make up your own key, so it's not on by default, but it's easy to do. It's not the best encryption ever, but it'll keep your neighbors out. The Orinoco Gold cards have even better encryption available, if you're concerned, though.
Actually, the Gold cards do 64-bit and 128-bit WEP. The Silver cards do only 64-bit WEP.
Cisco cards and access points can use EAP/LEAP, which is basically RADIUS authentication and a bit of added trickery.
And, as I mentioned earlier, WEP has been completely cracked. I'm giving a talk in April on a handheld device I put together that is trivially concealable and can crack WEP.
#53461 - 03/01/2002 16:09
Re: Wired or Wireless? Networking advice required
[Re: skritch]
|
old hand
Registered: 12/01/2000
Posts: 1079
Loc: Dallas, TX
|
Ok, within reason, what can I use to supplement WEP?
#53462 - 03/01/2002 16:16
Re: Wired or Wireless? Networking advice required
[Re: Terminator]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Well, what are you looking to do? Prevent people from seeing your traffic? Prevent people from using your network without your knowledge? And what are you doing with your network? Just web-based stuff? All external access? Or do you access local machines on that network?
_________________________
Bitt Faulk
#53463 - 03/01/2002 17:07
Re: Wired or Wireless? Networking advice required
[Re: wfaulk]
|
old hand
Registered: 12/01/2000
Posts: 1079
Loc: Dallas, TX
|
For now, I am using WEP and the MAC addresses to limit access. I use the WAP to access local machines on the network, print, surf the web, that sort of thing. There's nothing extremely important going on, but I don't want people seeing my traffic. I don't want people to be able to use my network with me knowing about it.
Sean
#53464 - 03/01/2002 17:12
Re: Wired or Wireless? Networking advice required
[Re: wfaulk]
|
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
|
I dunno about him, but I'm planning on bridging from the upstairs LAN to the living room, which will _not_ have a PC in it, but will have a couple of empeg-compatible devices.
All of the obvious things (a VPN or PPP over SSH) require a PC at both ends, so that's out.
So, unless I can beef up the encryption provided by the access points (given that they'll be running as peer-to-peer), I'll have to put up another set of rules in my firewall, and park the wireless gear outside it. This is a pain.
Also, both of these solutions mean that the Ethernet-level bridging no longer works, which is less than ideal, because of the need to get subnet-local IP broadcasts over this thing.
_________________________
-- roger
#53465 - 03/01/2002 17:20
Re: Wired or Wireless? Networking advice required
[Re: Roger]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Are you sure that you can't get a cable run in the walls? I've run cables hundreds of yards and been able to find it. The trick is to use the fish tape to start as far back as possible and then tie the end of the cable to it before pulling back. Then repeat as many times as necessary. Or did we cover that implicitly in our stick-frame/masonry discussion? How are your electrical wires run now?
_________________________
Bitt Faulk
#53466 - 03/01/2002 17:42
Re: Wired or Wireless? Networking advice required
[Re: wfaulk]
|
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
|
They're most likely run in channels cut in the plaster. At least, I think that this is how it's usually done.
_________________________
-- roger
#53467 - 03/01/2002 17:47
Re: Wired or Wireless? Networking advice required
[Re: Roger]
|
old hand
Registered: 12/01/2000
Posts: 1079
Loc: Dallas, TX
|
I think that sounds right. Sometimes you can see it on some older houses in the US. The electricity must have been added after the house was built. Wireless sounds like the only way unless you want to run cables out windows and down the side of the house.
#53468 - 03/01/2002 18:50
Re: Wired or Wireless? Networking advice required
[Re: Roger]
|
journeyman
Registered: 22/12/2001
Posts: 56
Loc: San Jose, CA
|
In bridge mode, nobody else will be able to use the access points, so that takes care of that problem. With 128-bit WEP, and assuming you're sensible about the data you push over the bridge (everything encrypted that should be encrypted), it's fairly secure.
#53469 - 04/01/2002 02:32
Re: Wired or Wireless? Networking advice required
[Re: skritch]
|
pooh-bah
Registered: 13/09/1999
Posts: 2401
Loc: Croatia
|
You don't think RIAA is going to sue him for broadcasting MP3s to hordes of pirates on 'wardriving' path?
BTW, how easy is it now to actually break through WEP protection? I mean, is it broken in the sense that an attack is described which still needs a sophisticated algorithm and weeks of processor time, or is it more like DeCSS? (The link to Shamir et al paper on your site does not work and I don't have ghostscript on this #@!% machine...)
Edited by bonzi (04/01/2002 02:39)
_________________________
Dragi "Bonzi" Raos
Q#5196
MkII #080000376, 18GB green
MkIIa #040103247, 60GB blue
#53470 - 04/01/2002 11:50
Re: Wired or Wireless? Networking advice required
[Re: bonzi]
|
journeyman
Registered: 22/12/2001
Posts: 56
Loc: San Jose, CA
|
Hm. Thanks for the heads up. I just fixed that link. It now points to an HTML version of the paper.
As to difficulty, it can be cracked in hours. In certain circumstances, it can be cracked in minutes. Horsepower isn't necessary. What's needed is a good sampling of the traffic, including the initialization vectors (IVs).
This is difficult to get in a mobile scenario, unless you're on a busy network (e.g., a company network). In a home scenario, the frequency of computers establishing a session with the AP will be low, and it will take much longer to collect the necessary data. This is bad for people trying to hack WEP by strolling or driving by, but of no consequence to neighbors, who have as much time as necessary to collect the data.
So, it's not like you need to go build Deep Crack ($10,000 homebrew kit for breaking DES in real time), but it's not as simple as ROT13ing the data stream, either.
Edited by skritch (04/01/2002 11:51)
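Added example, not part of any post in this thread: why the IVs matter and why several posters recommend ssh or IPsec on top of WEP. WEP keys RC4 with a 24-bit IV, sent in the clear, followed by the shared secret, so two frames with the same IV use the same keystream and their ciphertexts XOR to the XOR of the plaintexts. This is the general IV-reuse property of WEP, not the specific attack in the paper linked above; the secret and payloads are constructed, and the ICV checksum is left out.

```python
import math

IV_BITS = 24  # WEP sends a 24-bit IV in the clear with every frame

def rc4(key, length):
    """Return `length` bytes of RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                   # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv, secret, plaintext):
    """WEP-style frame body: cleartext IV, then payload XOR RC4(IV || secret)."""
    return iv + xor(plaintext, rc4(iv + secret, len(plaintext)))

def leaked_xor(frame_a, frame_b):
    """If two frames share an IV, return plaintext_a XOR plaintext_b, else None."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])

def frames_until_likely_reuse(bits=IV_BITS, probability=0.5):
    """Frames with random IVs before a repeat reaches `probability` (birthday bound)."""
    return math.ceil(math.sqrt(2 * 2 ** bits * math.log(1 / (1 - probability))))

# Constructed demo values: a 104-bit secret ("128-bit WEP") and two payloads.
SECRET = bytes(range(13))
P1 = b"GET /index.html "
P2 = b"password=hunter2"

if __name__ == "__main__":
    f1 = wep_encrypt(b"\x01\x02\x03", SECRET, P1)
    f2 = wep_encrypt(b"\x01\x02\x03", SECRET, P2)   # same IV, same keystream
    print("knowing P1 yields P2:", xor(leaked_xor(f1, f2), P1))
    print("frames for a 50% chance of IV reuse:", frames_until_likely_reuse())
```

The secret never enters `leaked_xor`, which is why a longer WEP key does not help here and why traffic that matters should be encrypted again at a higher layer.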
#53471 - 10/01/2002 07:01
Re: Wired or Wireless? Networking advice required
[Re: skritch]
|
addict
Registered: 08/08/2001
Posts: 452
Loc: NZ
|
Update all devices using WEP to the latest firmware, and make sure it's been released after Dec 2001; the solution to the WEP security was only made in Dec '01.
So new firmware should be rolling out for all devices.
#53472 - 10/01/2002 12:01
Re: Wired or Wireless? Networking advice required
[Re: Roger]
|
carpal tunnel
Registered: 30/04/2000
Posts: 3810
|
If you want to go wireless and you can't have a dedicated PC downstairs to be your VPN bridge, then you might be able to buy a dedicated IPsec bridge which you put behind your wireless gateway. This is serious overkill.
Probably the right answer for the home network is to have the wireless be outside the firewall, and limit the incoming connection to the specific IP address and destination ports. That would mean that a dedicated outsider would be able to run emplode and see your car stereo, which is probably an acceptable (if humorous) risk.
Think of the possibilities for mischief, particularly from your friends who now know all about your potential home setup. Drive by with a laptop and a wireless Ethernet, and they can add new music, delete old music, relabel tracks, and heaven knows what else...
Maybe you really should have a PC downstairs. Rather than the WAP11 gateway, just get an old laptop or get one of those micro-case PCs. PC Power and Cooling (the Silencer folks) sell a 1GHz P3 computer in a 1U box for $1000.
#53473 - 10/01/2002 13:13
Re: Wired or Wireless? Networking advice required
[Re: DWallach]
|
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
|
sell a 1GHz P3 computer in a 1U box for $1000
Yeah, but it doesn't really need to be 1GHz, though, does it? I've already got plenty of horsepower in the server^H^H^H^H^H^Hspare room.
Personally, I've been looking for an excuse to buy one of those Shuttle SV24 boxes (about £169 plus CPU, RAM, HD, CD, FDD), although I'd probably just network boot it -- quieter that way.
_________________________
-- roger