
How to Cheat at Securing a Wireless Network, part 2


Figure 2.4 Enable WEP on the WRT54G

Figure 2.5 The WEP Keys Window

SOME INDEPENDENT ADVICE

Some people will argue that WEP is a “broken” standard and should not be used. Yes, WEP is an easy protocol to hack and allows intruders to gain the encryption key to your wireless network using tools included in the Aircrack suite. However, due to wireless connections by other devices (game consoles, PDAs, and the like), you may be forced to use WEP instead of the more secure WPA.

Remember that no security is bad security, and that something is always better than nothing. Enabling WEP encryption on your network may be the difference between your network or your unencrypted neighbor’s being hacked.

Enabling Wi-Fi Protected Access

An alternative and more secure approach to wireless security on an access point is to use Wi-Fi Protected Access, or WPA. WPA uses an improved encryption process based on the Temporal Key Integrity Protocol (TKIP). TKIP jumbles the keys and incorporates an integrity-checking feature to ensure that the keys have not been tampered with.

WPA also includes client authentication via the Extensible Authentication Protocol (EAP). EAP uses a public key encryption mechanism to ensure that only authorized systems have access to the access point.

In late 2004, the Institute of Electrical and Electronics Engineers (IEEE) ratified the 802.11i specification, more commonly referred to as WPA2. WPA2 uses AES as the encryption standard, whereas WPA uses the TKIP standard. This is not to say that WPA is not secure but to acknowledge that wireless security is ever changing. WPA2 also supports a personal authentication implementation (PSK) and an enterprise authentication implementation (RADIUS). This chapter focuses on the WPA standard.

Log in to the WRT54G and click the Wireless tab. Click the Wireless Security subtab to enable WPA. From the drop-down list, choose WPA-Personal, as shown in Figure 2.6.

Figure 2.6 The WRT54G WPA Setup Screen

Leave the WPA algorithm as TKIP. Enter a shared key of between 21 and 63 characters in the WPA Shared Key: text box. Leave the Group Key Renewal at its default of 3600 seconds (see Figure 2.7).

Figure 2.7 WPA Shared Key

the SSID broadcast. Be careful not to set the SSID to anything personal to you, such as your phone number, home address, or name.

Filtering by Media Access Control (MAC) Address

After you have set a unique SSID, disabled SSID broadcast, and enabled WEP encryption, you need to filter access to the WRT54G by MAC address. Filtering access to the access point allows only those MAC addresses specified in the list the ability to access the wireless network.

First, from the main Wireless tab, click the Wireless MAC Filter tab to display the option to enable or disable Wireless MAC filtering (see Figure 2.8).

Figure 2.8 The Wireless MAC Filter screen

Next select Enable from the Wireless MAC Filter radio buttons. This will reveal the MAC filter options, as shown in Figure 2.9.

Figure 2.9 The Wireless MAC Filter Options

Choose the Permit Only PCs listed to access the wireless network radio button, and click the Edit MAC Filter List button to display the MAC Address Filter List window (see Figure 2.10).

Figure 2.10 The MAC Address Filter List Window

In the provided text boxes, enter the MAC addresses of wireless clients that are allowed to access your wireless network, and then click Apply, as shown in Figure 2.11.

Figure 2.11 Enter Allowed MAC Addresses

Finally, click Save Settings in the Advanced Wireless window to save your settings and enable filtering by MAC address. Keep in mind that this should not be the only security measure implemented. Using various tools in Windows and/or Linux, it is easy for an attacker to spoof his or her local MAC address to gain access to your wireless network.

SOME INDEPENDENT ADVICE

Finding your MAC address is a simple process with any operating system. Using Windows XP, from a command line, you can type:

ipconfig /all

to show the MAC address of the installed network devices.

Linux makes the process just as simple. From a terminal window, type:

ifconfig -a

And find the HWaddr for the requested network interface. This is the MAC address.
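The following is an added example, not part of the original chapter: it pulls the MAC addresses out of ipconfig /all and ifconfig -a output and normalizes them into one format for typing into a MAC filter list. The sample output is constructed, and the upper-case colon-separated form is an assumption, since each access point accepts its own input format.

```python
import re

# Constructed sample output for illustration, not captured from a real host.
IPCONFIG_SAMPLE = """\
Ethernet adapter Wireless Network Connection:
        Physical Address. . . . . . . . . : 00-11-22-AA-BB-CC
"""
IFCONFIG_SAMPLE = """\
eth1      Link encap:Ethernet  HWaddr 02:11:22:aa:bb:dd
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# Six hex octets separated by ':' or '-', as both tools print them.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

def normalize_mac(raw):
    """Return the address as upper-case, colon-separated octets (assumed format)."""
    raw = raw.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}", raw):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(o.upper() for o in re.split(r"[:-]", raw))

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (address assigned in software)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def extract_macs(tool_output):
    """Read MACs only from 'Physical Address' (ipconfig) or 'HWaddr' (ifconfig) lines."""
    found = []
    for line in tool_output.splitlines():
        if "Physical Address" in line or "HWaddr" in line:
            m = MAC_RE.search(line)
            if m and normalize_mac(m.group(1)) not in found:
                found.append(normalize_mac(m.group(1)))
    return found

def build_filter_list(*outputs):
    """Return de-duplicated (mac, locally_administered) pairs to review before entry."""
    macs = []
    for out in outputs:
        macs += [m for m in extract_macs(out) if m not in macs]
    return [(mac, is_locally_administered(mac)) for mac in macs]

if __name__ == "__main__":
    for mac, local in build_filter_list(IPCONFIG_SAMPLE, IFCONFIG_SAMPLE):
        print(mac, "(locally administered, review before allowing)" if local else "")
```

An address with the locally administered bit set was configured in software rather than burned into the card, so it is worth confirming with the device owner before it goes on the allow list.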

Enabling Security Features on a D-Link DI-624 AirPlus 2.4GHz Xtreme G Wireless Router with Four-Port Switch

Although Linksys has a sizable share of the home access point market, D-Link also has a large market share. D-Link products are sold at most big computer and electronics stores such as Best Buy and CompUSA. This section details the steps you need to take to enable the security features on the D-Link 624 AirPlus 2.4GHz Xtreme G Wireless Router with Four-Port Switch. The DI-624 is an 802.11g access point with a built-in router and switch, similar in function to the Linksys WRT54G.

Setting a Unique SSID

The first security measure to enable on the D-Link DI-624 is setting a unique SSID. First you need to log into the access point. Configure your local workstation with a static IP in the 192.168.0.0/24 subnet and point your browser to 192.168.0.1. Use the username admin with a blank password to access the initial setup screen (see

Figure 2.12 The D-Link DI-624 Initial Setup Screen

Next click the Wireless button on the left side of the screen to bring up the Wireless Settings screen, as shown in Figure 2.13.

Figure 2.13 The Wireless Settings Screen

Figure 2.14 Set a Unique SSID

Disabling SSID Broadcast

After you have set a unique SSID, enabled 128-bit WEP, and filtered access by MAC address, you need to disable SSID broadcast.

From the Advanced Features screen, click the Performance button, as shown in Figure 2.15.

Figure 2.15 The Advanced Performance Options

Select the Disabled radio button next to SSID Broadcast, and click Apply to save your settings, as shown in Figure 2.16.

Figure 2.16 Disabling SSID Broadcast

Enabling Wired Equivalent Privacy

After you have set a unique SSID, you will need to enable 128-bit WEP encryption.

First, choose the Enabled radio button next to WEP, as shown in Figure 2.17.

Figure 2.17 Enable WEP

Next choose 128Bit from the WEP Encryption drop-down box, as shown in Figure 2.18.

Figure 2.18 Require 128-Bit WEP Encryption

Then you need to assign a 26-character hexadecimal number to at least Key1 (see Figure 2.19). A 26-digit hexadecimal number can contain the letters A–F and the numbers 0–9.

Figure 2.19 Assign WEP Keys

Finally, after you have assigned your WEP keys, click Apply to save your settings. Any wireless clients that connect to the DI-624 must be configured to use this WEP key.

Enable Wi-Fi Protected Access

To enable WPA on the access point, on the left side of the screen click the Wireless button. To enable WPA, click the radio button labeled WPA-PSK next to the Authentication option (see Figure 2.20).

Figure 2.20 Enabling WPA

Enter a passphrase into the Passphrase text box, and retype the passphrase in the Confirmed Passphrase text box to verify it, as shown in Figure 2.21.

Click Apply to confirm the settings and enjoy added wireless security protection!

Figure 2.21 WPA Passphrase

Filtering by Media Access Control Address

After you have set a unique SSID and enabled 128-bit WEP encryption, you should filter access to the wireless network by Media Access Control (MAC) address.

First click the Advanced tab, as shown in Figure 2.22.

Figure 2.22 The Advanced Options Screen

Next click the Filters button on the left side of the screen, as shown in Figure 2.23.

Figure 2.23 The Advanced Filters Options

Then choose the MAC Filters radio button. This makes the MAC filtering options visible, as shown in Figure 2.24.

Figure 2.24 The MAC Filtering Options

Finally, select the Only allow computers with MAC address listed below to access the network radio button and enter the MAC address of each client card that is allowed to access the network. You must also enter a descriptive name of your choice for each client in the Name text box (see Figure 2.25). Note that you must click Apply after each MAC address entered.

Figure 2.25 Filter by MAC Address

Enabling Security Features on Apple’s Airport Extreme 802.11g Access Point

In early 2003, Apple released the Airport Extreme base station to the masses, supporting the 802.11b and 802.11g protocols. Even though this access point was released as an Apple product, it fully supports Apple, Windows, and Linux clients running WEP or WPA encryption.

Configuring the Airport Extreme is usually done from an Apple, whether a Powerbook, iBook, or MacBook. Apple provided applications for configuring the Airport for Windows-based operating systems, but it is a much easier process from an Apple workstation. This section focuses on configuring the Airport Extreme from an Apple Powerbook G4.

Connecting to the AirPort Extreme and Setting a Unique SSID

The easiest way to connect to the Airport is via the wireless connection. Ensure that your wireless card is enabled by clicking the wireless symbol at the top right of the screen and clicking Turn AirPort On, as shown in Figure 2.26.

Figure 2.26 Enabling the AirPort Card on the Apple PowerBook

Once you enable the Airport card, you can reclick the wireless symbol and see any access points broadcasting in your area. We want to click the Apple Network ###### listing to connect to our AirPort (see Figure 2.27).

NOTE

To ensure that you are connecting to the correct access point, verify that the network number listed in the drop-down list matches the last six characters of your Airport ID, located on the access point itself.

Figure 2.27 Connect to the Appropriate Airport Access Point

Once you have connected to the Airport, you will use the AirPort Admin Utility in Mac OS X to configure the Airport. Launch the AirPort Admin Utility by clicking the Finder, then Applications | Utilities | AirPort Admin Utility (see Figure 2.28). This series of clicks will open the AirPort Admin Utility. Click Rescan to locate the Airport if it does not automatically populate the window after a few seconds.

Figure 2.28 Launching the Admin Utility and Finding the Airport Base Station

Click the appropriate base station, and click Configure to enter the base station properties (see Figure 2.29).

Setting a Unique SSID

At the main properties screen, we will set the SSID by changing the Name text box, under the AirPort Network heading. Type in the SSID, remembering not to include any personal information such as address as part of the SSID. At this point, it would also be a good idea to change the Name of the Airport under the Base Station heading, to obfuscate the fact that this is an Apple Airport product (see Figure 2.30). Click Update to save the SSID.

Figure 2.29 Airport Default Properties

Figure 2.30 Setting the SSID

client authorized to connect to the Airport must know the SSID beforehand to make the connection (see Figure 2.31).

Figure 2.31 Disabling the SSID Broadcast

Setting a Password on the Airport

Because the Airport is in a default configuration, it is wise to set a password on the Airport to disable the ability of anyone making unauthorized changes. From the main base station properties windows, click the Change Password… button and enter and confirm a password for the Airport. Click OK to set the password. Click Update to save the changes to the Airport (see Figure 2.32).

Figure 2.32 Setting a Password on the Airport

Enabling Wired Equivalent Privacy

To enable WEP on the Airport, click the Change Wireless Security… button to open the Properties dialog box (see Figure 2.33).

Figure 2.33 WEP Default Setting

Click WEP from the drop-down menu. You will be presented with the options to add your encryption key. Type in an encryption key that is not easily guessable, and retype the key to confirm. Ensure that the Encryption Type: is set to 128 bit WEP, and click OK to enable WEP encryption (see Figure 2.34).

Figure 2.34 Configuring a WEP Encryption Key

Anyone who attempts to connect to this access point will now be required to enter the encryption key to make the connection.

Enabling Wi-Fi Protected Access

Figure 2.35 WPA Settings

Ensure that the Password option is set, and enter a password or passphrase of between 8 and 63 ASCII characters. The Encryption Type: may be left at the default WPA and WPA2 option to allow both WPA and WPA2 connections. If only WPA clients or only WPA2 clients will be connecting, you may change this option to reflect that fact. Leave the Group Key Timeout: at its default of 60 minutes. Click OK to save the settings and enable WPA (see Figure 2.36).

Figure 2.36 Entering the WPA Password
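The following is an added example, not part of the original chapter: it shows how a WPA/WPA2-Personal passphrase becomes the 256-bit pre-shared key, using the standard PBKDF2-HMAC-SHA1 derivation with the SSID as the salt. That derivation is why the 8 to 63 character rule and a unique SSID both matter. The SSIDs and passphrase are constructed sample values, and the function names are hypothetical.

```python
import hashlib

# Printable ASCII (codes 32..126), the character set a WPA passphrase may use.
ALLOWED_CHARS = set(chr(c) for c in range(32, 127))

def check_passphrase(passphrase):
    """Enforce the 8 to 63 ASCII character rule for a WPA passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not set(passphrase) <= ALLOWED_CHARS:
        raise ValueError("passphrase must be printable ASCII")
    return passphrase

def derive_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    check_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, 32)

def psk_hex(passphrase, ssid):
    """Hex form of the key, 64 hex digits."""
    return derive_psk(passphrase, ssid).hex()

if __name__ == "__main__":
    # Constructed sample values: same passphrase, two different network names.
    phrase = "correct horse battery staple"
    for ssid in ("example-net-1", "example-net-2"):
        print(ssid, psk_hex(phrase, ssid))
    # The two keys differ because the SSID is the salt; the passphrase alone
    # does not determine the key.
```

Because the only secret input is the passphrase, its length and unpredictability set the strength of the key, while a unique SSID ensures the derived key is specific to that network name.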

Filtering by Media Access Control Address

To prevent connections to the Airport by workstations not authorized to do so,

network card will need to be entered manually. From the main options screen, click Access Control to view the settings (see Figure 2.37).

Figure 2.37 The Access Control Options

Click the + (plus) sign next to the main dialog box to enter the MAC address of the client. A dialog box will open, requesting the Airport ID (MAC address) and the Description (see Figure 2.38).

Figure 2.38 Default MAC Address Filter Window

Figure 2.39 Entering the MAC Address

Figure 2.40 Confirming the List

Click Update to save the settings to the Airport.

Enabling Security Features on a Cisco 1100 Series Access Point

The Cisco Aironet series of access points are used largely by businesses and local hotspots that need the robustness of a Cisco product and the ease of use of a small office/home office (SOHO) product. The Cisco 1100 Series Access Point provides 802.11b/g services, operating on the 2.4GHz band. Unlike most SOHO router/AP products, the Cisco 1100 does not include a built-in switch and can only be used as a standalone wireless access point.

with a subnet mask of 255.255.255.0 and a default gateway of 10.0.0.1. You may use either a straight-through Ethernet cable or a cross-over cable from your host computer to the Ethernet port on the access point.

When you power up the access point, it will attempt to connect to a DHCP server. If none exists, after a few moments the access point will default to the static IP of 10.0.0.1. If no connection is made within five minutes, it will default back to searching for a DHCP server indefinitely. To restart the process, unplug the access point for a few seconds, and retry the connection.

Setting a Unique SSID

The first step to configuring the Cisco 1100 is to set a unique SSID. Upon initial connection to the access point, you will be greeted with the initial setup screen (see Figure 2.41).

Figure 2.41 The Cisco 1100 Initial Setup Screen

Figure 2.42 Cisco 1100 Security Settings

Because the Cisco 1100 does not come by default with an administrator password, it would be wise to set one now. Click the Admin Access option. Enter and confirm a Default Authentication Password (see Figure 2.43).

Figure 2.43 The Admin Access Screen to Enter a Default Authentication Password

Once you click Apply, the password will be saved and you will now be required to authenticate back to the access point. Leave the Username: blank, and enter your new password in the Password: field (see Figure 2.44). You will be returned to the Admin Access screen.

Figure 2.44 The Authentication Request

Once you are back to the Admin Access screen, click the SSID Manager option on the left side of the screen (see Figure 2.45).

Figure 2.45 The SSID Manager

Date posted: 14/08/2014, 18:22
