If you still think wireless security is useless because you have nothing to hide ...

Anyone have any links to documentation on how to use some of the more advanced techniques mentioned here, e.g., VLANs, VPN, etc. in a pure Windows environment using off-the-shelf LAN hardware?

My wife often works from home. She has a wireless adapter in her Windows laptop (provided by her employer), so she gets on our home LAN via the wireless, then VPNs into her work network. Since other people at her company have access to her laptop, I'm not sure what the most secure setup for my home network is that will still allow her to connect wirelessly so she can VPN to her office. It's got to be relatively simple to use once everything is set up. Any ideas?

And I understand that nothing is 100% secure, but I still lock the doors on my home when I leave.
For your case you're already connecting to the corporate LAN via VPN so just make sure her wireless is secured with at least WPA and a long password/passphrase.
 
If anyone has anything further to ask, feel free to PM me as this thread is done.
 
When I make my passwords I do it monkey style. I just start pounding randomly on the keyboard.

This I bet is true however.

The guy who got his door busted in by the FBI was probably
1) broadcasting his SSID, and
2) running with no security turned on at all.

It is my speculation that if he had done either of those two things, he would not have had his pervert neighbor jump on his router. I think this was a crime of opportunity and the smallest measure closes the opportunity door.
 
> For your case you're already connecting to the corporate LAN via VPN so just make sure her wireless is secured with at least WPA and a long password/passphrase.
I understand that she is secure from my wired network to her corp LAN. But I'm still curious as to how to better secure my wireless LAN in general using some of the more advanced techniques mentioned in the thread, e.g., VLANs, in a pure Windows environment. I'm not opposed to buying better hardware if it offers something extra for the money. For example, I use Netgear's "business class" SSL VPN router so that I can VPN into my home LAN.
 
> I understand that she is secure from my wired network to her corp LAN. But I'm still curious as to how to better secure my wireless LAN in general using some of the more advanced techniques mentioned in the thread, e.g., VLANs, in a pure Windows environment. I'm not opposed to buying better hardware if it offers something extra for the money. For example, I use Netgear's "business class" SSL VPN router so that I can VPN into my home LAN.
Is your goal to isolate her from the rest of the home traffic - in case, say, someone from her work infects her computer in some way? Or to keep someone from tunneling from her computer back through the rest of your network while she's on the VPN, or what?

Depending on how large a company she works for - there's a good chance that the VPN client she uses actually blocks all her access to the home network while she's VPN'd in; she wouldn't be able to print to a local network printer, etc. Others do allow network mixing - that generally is a topic in itself for the kinds of things that could allow.

If you want to isolate her from your network, your best bet is going to be doing something via separate VLANs and likely separate SSIDs. You'd need a router capable of getting a single IP address and doing multiple VLANs and routing between them based on rules. I can do all this via my Cisco router but I'm not sure about things like DD-WRT or other more available routers. Cisco isn't a beast worth tackling without a good reason and these routers cost several hundred $$.

Of course sometimes you can get away with a double-NAT type scenario using two routers - but that's really bad practice... or if you can get two IPs from your ISP, you can do things like use a switch at the head end, with two routers behind it - one on each IP, etc. But there's a lot of variables and it's probably more trouble than it's worth.

If you're adamant about it, find a router that can support multiple VLANs and multiple SSIDs and route between them via ACLs as needed. You're generally talking about higher end equipment at that point.
 
Everything Work2Play just mentioned is available, and I'm doing, via DD-WRT - VLANs, BSSIDs, DNS, SSH, and more.
And, yes, stay away from double NAT - been there, done that for many years, but issues crop up.

ok...that was my last post
 
> And do you really think using $ for S or ! for I is fooling anyone's tables???

Minor quibble - there's no way that something like #Random@Passphrase!Text$Goes%Here^To&Prevent*Malicious~Activity is in someone's speedcrack rainbow table. P@ssw0rd, pa$$word, and the like for sure... but if you do something dumb and lazy like that then you're sort of asking for it in the first place.

Point of the story: be bizarre and unpredictable in your security phrases.
 
> You're kidding me, right? I have a minimum amount of wireless devices on my network and once they're setup, they're done. I've also stated I have a 2nd SSID for visitors that makes it easy for them to get Internet access only. And do you really think using $ for S or ! for I is fooling anyone's tables???

It's not fooling a table. It's increasing the size that is needed.
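The two posts above argue about what character substitutions and long random phrases actually buy you against precomputed tables. The following is an added example, not code from anyone in this thread. It derives the WPA/WPA2-Personal PSK the way the standard does (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 256-bit output), which is why a precomputed table only works for the SSID it was built for, and it counts how little a leet-substitution rule adds versus a genuinely random passphrase. The leet rule set, the list of "common" SSIDs and the 1e6 PSK/s cracking rate are assumptions made for illustration; the "password"/"IEEE" pair is the IEEE 802.11i Annex H test vector.

```python
import hashlib

# Added example, not code from the thread. Rule set, SSID list and rate are assumptions.
PBKDF2_ROUNDS = 4096   # fixed by WPA/WPA2-Personal (IEEE 802.11i)
PSK_BYTES = 32         # 256-bit pre-shared key

# Substitutions a simple "leet" mangling rule tries (assumed rule set, not exhaustive).
LEET = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$", "t": "7"}

# SSIDs a precomputed table ships for (assumed list; real tables covered roughly the
# thousand most common factory default names).
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "belkin54g"}


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits).

    The SSID is the salt, so any precomputed (rainbow-style) table is only valid
    for the exact SSID it was built for.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), PBKDF2_ROUNDS, PSK_BYTES
    )


def table_can_apply(ssid: str) -> bool:
    """A precomputed table only helps the attacker if your SSID is one it was built for."""
    return ssid in COMMON_SSIDS


def mangled_variants(word: str) -> int:
    """Candidates a cracker needs to cover every LEET substitution of `word`.

    Each substitutable letter appears either as itself or as its replacement, so
    'P@ssw0rd'-style tricks cost 2**k extra guesses per dictionary word, not a new keyspace.
    """
    substitutable = sum(1 for ch in word.lower() if ch in LEET)
    return 2 ** substitutable


def keyspace(length: int, alphabet_size: int) -> int:
    """Candidates for a random passphrase of `length` symbols drawn from an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, psk_per_second: float) -> float:
    """Worst-case brute-force time at an assumed PBKDF2 rate (1e6/s is a GPU-rig guess)."""
    return keyspace(length, alphabet_size) / psk_per_second


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())      # 802.11i Annex H test vector
    print(wpa_psk("password", "linksys").hex())   # same passphrase, different salt
    print(table_can_apply("linksys"), table_can_apply("Dans-Net-7f3a"))
    print(mangled_variants("password"))           # 16 guesses cover every leet spelling
    years = seconds_to_exhaust(20, 95, 1e6) / 3.156e7
    print(f"{years:.2e} years to exhaust 20 random printable characters")
```

The takeaway matches the thread: a non-default SSID already defeats the shipped tables, leet substitutions on a dictionary word only multiply the wordlist by a small constant, and a long random phrase is out of reach regardless of tables.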
 
> When I make my passwords I do it monkey style. I just start pounding randomly on the keyboard.
>
> This I bet is true however.
>
> The guy who got his door busted in by the FBI was probably
> 1) broadcasting his SSID, and
> 2) running with no security turned on at all.
>
> It is my speculation that if he had done either of those two things, he would not have had his pervert neighbor jump on his router. I think this was a crime of opportunity and the smallest measure closes the opportunity door.

+1
 
> Minor quibble - there's no way that something like #Random@Passphrase!Text$Goes%Here^To&Prevent*Malicious~Activity is in someone's speedcrack rainbow table. P@ssw0rd, pa$$word, and the like for sure... but if you do something dumb and lazy like that then you're sort of asking for it in the first place.
>
> Point of the story: be bizarre and unpredictable in your security phrases.

Thank you for understanding what I was trying to get across.
 
I do agree about the beating dead horse.

I guess I couldn't get across that I was not advocating anything I said as "secure" or "perfect". Just adding those things adds an extra step to things. I was trying to get across, in my area it is harder to get on my network. If someone TARGETS my system, they can get in. BUT why go through extra effort when there are 20+ networks in my area, 2-3 of which are OPEN. So...yeah...

As was pointed out, if someone WANTS in the house, you can bolt / lock / etc. your doors. Breaking a window is a LOT easier. So...there's a "window of opportunity" (haha, couldn't help myself).

--Dan
 
What everyone is trying to tell you is that if you have WPA you are just as safe with or without SSID broadcast. If I wanted to crack your network I would use something like AirSnort and this tool will see every network in the area regardless of SSID broadcast without any extra work on my part. So how in this setup would your network look less appealing to me than your neighbor who has WPA but is broadcasting his SSID? Heck, unless I look closely at the packets I would not even notice you were not broadcasting the SSID.
 
True, that's IF I am home and on the network. If no one is on my router (I am the only one that uses it), it doesn't do anything, right? I am no expert...so, correct me if I am wrong...
If I am not on the router the 1-2 hours a week I use it, by having it not transmit anything, it wouldn't show up in AirSnort, right? That is why I say it's better for me. SURE, if there is traffic out there, and you are picking it up, the packets surely have the routing information. They have to.

--Dan
 
> True, that's IF I am home and on the network. If no one is on my router (I am the only one that uses it), it doesn't do anything, right? I am no expert...so, correct me if I am wrong...
> If I am not on the router the 1-2 hours a week I use it, by having it not transmit anything, it wouldn't show up in AirSnort, right? That is why I say it's better for me. SURE, if there is traffic out there, and you are picking it up, the packets surely have the routing information. They have to.
>
> --Dan
Nope, every client needs to send a handshake every so often to keep the connection alive regardless of traffic. As long as one client is associated to the router it is viewable. Some of us are experts on this subject and can tell you it adds no security at all, not even a layer. Since you are using WPA you are well protected against most attacks; the attacks you are not protected from would not even notice SSID broadcast. Companies really should never have made that an option on their routers since it clearly breaks the Wi-Fi spec, but they wanted to have that feature checkbox. I recommend you re-enable it since it could cause you issues with some clients.

EDIT: Assuming you are using a "good" passphrase for your WPA key.
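To make the point of the reply above concrete: an access point transmits beacon frames at its beacon interval (100 ms by default) whether or not any client is associated, so the radio is never silent; "hiding" the SSID only blanks the SSID element in those beacons. The name itself still goes over the air in the clear in the client's probe request and the AP's probe response whenever a client that knows the network connects. The block below is an added example, not code from anyone in this thread. It hand-builds three 802.11 management frames (hidden beacon, directed probe request, probe response), parses the SSID element out of each the way a passive sniffer would, and shows that the capture as a whole still reveals the name. The MAC addresses and the network name "DanHomeNet" are made up.

```python
import struct

# Added example, not code from the thread. All frames below are constructed by hand;
# the MAC addresses and network name are made up.
TYPE_MGMT = 0
SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
IE_SSID = 0
IE_SUPPORTED_RATES = 1
BROADCAST = b"\xff" * 6

AP_BSSID = bytes.fromhex("001122334455")   # assumed AP address
CLIENT = bytes.fromhex("66778899aabb")     # assumed laptop address
NETWORK = b"DanHomeNet"                    # assumed name of the "hidden" network


def ie(element_id: int, data: bytes) -> bytes:
    """Information element: 1-byte ID, 1-byte length, payload."""
    return bytes([element_id, len(data)]) + data


def mgmt_frame(subtype: int, addr1: bytes, addr2: bytes, bssid: bytes, body: bytes) -> bytes:
    """24-byte 802.11 management header (FC, duration, addr1-3, seq ctrl) followed by body."""
    frame_control = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    return frame_control + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00" + body


def beacon_body(ssid: bytes) -> bytes:
    """Beacon / probe-response body: timestamp, beacon interval, capabilities, then IEs."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # interval 100 TU; ESS + privacy bits set
    return fixed + ie(IE_SSID, ssid) + ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))


def probe_request_body(ssid: bytes) -> bytes:
    """Probe request body has no fixed fields, just IEs."""
    return ie(IE_SSID, ssid) + ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))


def extract_ssid(frame: bytes):
    """Return (frame kind, SSID or None) for beacon/probe frames; None for anything else.

    A zero-length or all-NUL SSID element is exactly what "hide SSID" looks like on the air.
    """
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT:
        return None
    subtype = (fc0 >> 4) & 0xF
    if subtype not in SUBTYPES:
        return None
    offset = 24 + (12 if subtype in (5, 8) else 0)   # skip fixed fields where present
    while offset + 2 <= len(frame):
        eid, elen = frame[offset], frame[offset + 1]
        data = frame[offset + 2:offset + 2 + elen]
        if eid == IE_SSID:
            if elen == 0 or data == b"\x00" * elen:
                return SUBTYPES[subtype], None
            return SUBTYPES[subtype], data.decode("utf-8", errors="replace")
        offset += 2 + elen
    return SUBTYPES[subtype], None


def observed_networks(frames):
    """Map BSSID -> SSID the way a passive sniffer would learn it from a capture."""
    nets = {}
    for frame in frames:
        parsed = extract_ssid(frame)
        if parsed is None:
            continue
        _kind, ssid = parsed
        bssid = frame[16:22].hex(":")
        if ssid is not None:
            nets[bssid] = ssid          # any probe frame fills in what the beacon hid
        else:
            nets.setdefault(bssid, None)
    return nets


# Constructed capture: the AP beacons with a blank SSID even with nobody connected,
# then the laptop probes for its configured network by name and the AP answers by name.
CAPTURE = [
    mgmt_frame(8, BROADCAST, AP_BSSID, AP_BSSID, beacon_body(b"")),
    mgmt_frame(4, AP_BSSID, CLIENT, AP_BSSID, probe_request_body(NETWORK)),
    mgmt_frame(5, CLIENT, AP_BSSID, AP_BSSID, beacon_body(NETWORK)),
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(extract_ssid(f))
    print(observed_networks(CAPTURE))
```

With only the beacon in the capture the sniffer sees the BSSID with no name; as soon as the laptop talks to the AP the name is filled in. Real tools do the same thing with real captures, which is why hiding the SSID changes nothing for an attacker and is listed in the reply above as a compatibility risk rather than a protection.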
 
"Nope every client needs to send a handshake every so often "

Right, but I am not sure I am understanding, or you are not understanding my question. I have ONE laptop that connects to ONE wireless router, a few hours a week. If that laptop is turned off, then the router won't be doing anything, and there will be no clients, so no traffic to pick up on, right?

Just trying to be clear, as I do not want to have misunderstandings about security.

--Dan
 