Log in

View Full Version : Securing Wireless LANs


Ed Hansberry
05-08-2003, 08:00 PM
Microsoft has created a package that will help system administrators secure their wireless LANs. It is a self-extracting zip file with several PDF documents, batch files, VB Script files, Excel spreadsheets and a few other goodies to help with the task. The full package is over 6MB. You can <a href="http://download.microsoft.com/download/4/0/c/40c9903b-51fd-4688-a1ad-b90c9dd34316/securing_wireless_lans.exe">download it here.</a><br /><br />On my home system, I just enable WEP and keep the ceiling fans going to provide some extra scrambling of the air waves. :lol:

trachy
05-08-2003, 08:12 PM
Microsoft has created a package that will help system administrators secure their wireless LANs.

I'm of the opinion MicroSloth should learn how to secure their own goods before handing down this type of advice to the masses.

Color me cynical...

Ainvar
05-08-2003, 08:21 PM
I agree with you on that... Also how hard can it really be to secure your AP??? Most of it is common sense and the rest is in the manual and on google seraches.

lurch
05-08-2003, 08:21 PM
Just because microsoft doesn't practice what they preach doesn't mean what they're preaching is off the mark, it just means I won't buy any of their products to "do it for me" :)

I think I'll take a look at this at home, but I don't exactly live in a "high-risk" area.. this is probably more for business sys-admins?

Ed Hansberry
05-08-2003, 08:23 PM
Microsoft has created a package that will help system administrators secure their wireless LANs.

I'm of the opinion MicroSloth should learn how to secure their own goods before handing down this type of advice to the masses.

Color me cynical...

MS has unsecure WLANs at their office? I hadn't realized that.

Also, most of the bugs/worms that hit MS corporate are from MS employees not applying MS patches. They got totally hammered by slammer because people were throwing up SQL Server 2000 or the MDSE on machines and not applying 9 month old patches. Now, if you want to talk bugs.....

So far this year MS has released 17 security related patches. Sun? 33. Redhat? 57. OpenBSD? 7.

I'd say MS is certianly not the worst out there and has one of the better track records. In fact, Redhat has released nearly as many security patches for Shrike (RH-9) since March 31 (16 fixes) that MS has since Jan 1 for Windows 98/ME/NT4/XP/2K combined. https://rhn.redhat.com/errata/rh9-errata-security.html

Color me sick of the baseless slams on MS because they are the big guy on the block and fun to pick on.

marlof
05-08-2003, 08:31 PM
Since I'm on OS X from January 2003, I've gone to 10.2.4, 10.2.5 and now 10.2.6. It seems MS is not alone in applying fixes to cool OSes. I'm so glad that I don't let the coolness of the Unix based OS X or the standardized fun of Win XP get in the way of me enjoying both OSes without having prejudices against one or the other company. ;)

aroma
05-08-2003, 08:33 PM
[quote="trachy"][quote=Ed Hansberry]
Color me sick of the baseless slams on MS because they are the big guy on the block and fun to pick on.

I second that motion! :bangin:

JoeMoon
05-08-2003, 08:48 PM
On my home system, I just enable WEP and keep the ceiling fans going to provide some extra scrambling of the air waves. :lol:

I have a few questions about the fan scrambling...

1) Does that really work? :twak:
2) Does the fan have to be in the room or over the router? :bangin:
3) Does the speed of the fan make a difference? :silly:
4) In the summer, when the room tempature rises, will the lighter packets float with the warmer air packets?
Would that be considered hieghtened security? :scatter:
5) Does your fan have to be XP compatible? :deal:


Joe...

Paragon
05-08-2003, 08:57 PM
duh!!

fans only work if you are using one of those antenna extenders made a chunk of wire and a soup can. :)

dave

Jonathan1
05-08-2003, 09:29 PM
I have WEP set to its highest level, MAC address filtering turned on, and a firewall on each system.
Its by no means foolproof. In a perfect world I would like to get Kerberos setup but I have a serious lack of knowledge when it comes to setting up encryption in the NOS and on the desktop side of things. :? Gotta break out the tech books.
Its kinda pointless, but fun, since I highly doubt someone is going to spend more then 60 seconds getting into my network. Its not like I'm hiding those REAL alien autopsy films on my server. 0X :wink: Still it would be something I would like to learn how to setup if for no other reason then W?BIC!

Jonathan1
05-08-2003, 09:48 PM
So far this year MS has released 17 security related patches. Sun? 33. Redhat? 57. OpenBSD? 7.



OK one note I would like to put forth on patches. Let me know if this makes sense because I've always thought so. If one OS is open source and everyone on planet earth can look at its source code and another OS is only available to the limited (Relatively speaking mind you.) resources of one company who do you think is going to find the most bugs? I'd be willing to bet the one available to the masses. Just because you don't initially sense a broken wire in your car doesn't mean there isn't a problem under the hood.

That being said in my history with Windows. 3.11, 95, 98, 98SE, NT, 2K, XP I have yet to get hacked. Have yet to get a virus. I stand fast with my estimates that: 30% of security problems are OS related. 60% is user related. If someone doesn't take due care to secure his or her OS that ain't MS's fault. It’s the users.

Sorry Ed that wasn't pointed at you. I sort of bounced my post off yours.

ajgray
05-08-2003, 10:04 PM
In the summer, when the room tempature rises, will the lighter packets float with the warmer air packets?

In the summer months, you should reverse the direction of your fan. An important criteria for anyone evaluating fans for wireless security purposes is reversability.

Certainly lightening packets is a great way to heighten security. One of the best ways to do this is to make sure that they don't contain too much data. For example, using "light" IP addresses like 127.0.0.1 would be much more secure than those data-rich, "heavy" IP addresses that your ISP might assign you.

trachy
05-08-2003, 10:04 PM
Color me sick of the baseless slams on MS because they are the big guy on the block and fun to pick on.

Baseless???

C'mon, Ed! Don't get your panties in a bunch! ;-)

I know, I know. Microsoft is not the only megacorporation out there with troubles. But why do any of these companies create software with such wide-open holes? Over and over again we see crackers expose weaknesses that shouldn't exist in the first place. Once in a while it's understandable that something will slip through the cracks, but even 7 security related patches in 4 months is unacceptable.

All that said, are Sun, Red Hat, or OpenBSD handing down advice on how to secure wireless networks? If so, then I'm cynical about that too.

kcchesnut
05-08-2003, 10:09 PM
hopefully my apartment neighbor doesnt find out about this.
i've been using his connection for several months now :)

[Cruzer]
05-08-2003, 10:14 PM
I'm not sure how secure this is but its better than WEP, IMHO.

way I do my wifi at home is to connect to the internet:


* smc barricade router
barricade setup to allow associated connection but not connect.
* spare machine that is running ms vpn
* mobile device auth. to vpn then has secure connection across wifi when surfing.
* and all other home machines only allow confirmed ip to talk to each
other via personal firewall.

So is my above setup better then wep?? is it secure enough for home use??

Thanks

RC

daveshih
05-08-2003, 11:03 PM
Source: One of the security conscience MVPs


Is this some kind of hint? :wink:

Dave

Brad Adrian
05-08-2003, 11:44 PM
1) Does that really work?
Not only does it work, but I've found that if I turn my fan on HIGH, blowing up, the reception of my upstairs notebook PC in much better.

Abba Zabba
05-09-2003, 01:36 AM
hopefully my apartment neighbor doesnt find out about this.
i've been using his connection for several months now :)

That's just wrong dude :twak: AND not to mention illegal unless you live in New Hampshire

Janak Parekh
05-09-2003, 01:59 AM
But why do any of these companies create software with such wide-open holes?
Partially, it's hard to retrofit old code and old thinking into the modern Internet era, and partially it's hard to write truly robust code. About the only guys who know how to write secure operating systems are the OpenBSD (www.openbsd.org) folks, or perhaps Dan Bernstein (cr.yp.to). Take a look at your typical UNIX tools, like sendmail and BIND; they've historically been riddled with holes as well.

That said, I'd suggest to Microsoft that they take some of their most insecure code, like their URL and HTML parsing code, and write it from the ground up. There have been too many holes in those modules, and maybe patching isn't sufficient. Anyone who uses gets() or scanf() today should be shot. ;)

All that said, are Sun, Red Hat, or OpenBSD handing down advice on how to secure wireless networks? If so, then I'm cynical about that too.
Why? Just because code has bugs doesn't mean people know nothing. I wouldn't take advice from just one vendor, but it won't necessarily hurt.

--janak

Ed Hansberry
05-09-2003, 02:01 AM
Source: One of the security conscience MVPs


Is this some kind of hint? :wink:
Heh heh. yeah. I rarely venture beyond Windows Update for my security fixes. I payed attention when Slammer hit, but that was a big media event.

Security stuff is just too cumbersome for people that don't live IT. There should be Microsoft Update that just updates all apps installed on your device, not just Windows. So, as a result, I and many don't update until we are hacked or see a vunerability on CNet. :?

Janak Parekh
05-09-2003, 02:02 AM
Security stuff is just too cumbersome for people that don't live IT. There should be Microsoft Update that just updates all apps installed on your device, not just Windows. So, as a result, I and many don't update until we are hacked or see a vunerability on CNet. :?
Agreed. Moreover, I'd like to see more cumulative patches. Patching a new XP box now takes forever -- install SP1, then install 20 or 30 or somesuch more patches. It takes too darn long! ;)

--janak

GoldKey
05-09-2003, 02:18 AM
Security stuff is just too cumbersome for people that don't live IT. There should be Microsoft Update that just updates all apps installed on your device, not just Windows. So, as a result, I and many don't update until we are hacked or see a vunerability on CNet. :?
Agreed. Moreover, I'd like to see more cumulative patches. Patching a new XP box now takes forever -- install SP1, then install 20 or 30 or somesuch more patches. It takes too darn long! ;)

--janak

Agreed, just got a new laptop today with a fresh XP install and Windows update had like 20 critical updates for it. Plus, my connection was really slow. After like 15 minutes I had 1 meg of 25 for the first of the 20 patches. I have cable, so I just cancelled it and figured I would try again at an off peak hour and hope for better luck.

qmrq
05-09-2003, 05:18 AM
Agreed, just got a new laptop today with a fresh XP install and Windows update had like 20 critical updates for it. Plus, my connection was really slow. After like 15 minutes I had 1 meg of 25 for the first of the 20 patches. I have cable, so I just cancelled it and figured I would try again at an off peak hour and hope for better luck.

Time to find a new isp maybe . . .

rlobrecht
05-09-2003, 01:26 PM
Agreed. Moreover, I'd like to see more cumulative patches. Patching a new XP box now takes forever -- install SP1, then install 20 or 30 or somesuch more patches. It takes too darn long! ;)

--janak

The same goes for Win2K. I just rebuilt 2 new servers, and I think it was 6 more reboots after the SP3 install to get it current. Come on SP4!

trachy
05-09-2003, 01:33 PM
Just because code has bugs doesn't mean people know nothing. I wouldn't take advice from just one vendor, but it won't necessarily hurt.

Point well made, Janak. The voice of reason strikes again. :-)

Jhokur2k
05-09-2003, 05:18 PM
I know in this day and age there's no reason to, but try a fresh install of 98SE - there was 65 patches the last time I checked a couple weeks ago, and about 20 language based ones that opened up after installing just IE6 SP1 :twisted:

On the other hand, I just built up a machine for my gf's dad with XP, and while it had a few :roll: patches to do, it was relatively painless *kisses his 5MB DSL * :mrgreen:

Kati Compton
05-09-2003, 05:33 PM
Security stuff is just too cumbersome for people that don't live IT. There should be Microsoft Update that just updates all apps installed on your device, not just Windows. So, as a result, I and many don't update until we are hacked or see a vunerability on CNet. :?

I don't like the idea of Microsoft knowing what's on my computer and having the power to modify those programs....

Ed Hansberry
05-09-2003, 05:36 PM
Security stuff is just too cumbersome for people that don't live IT. There should be Microsoft Update that just updates all apps installed on your device, not just Windows. So, as a result, I and many don't update until we are hacked or see a vunerability on CNet. :?

I don't like the idea of Microsoft knowing what's on my computer and having the power to modify those programs....
Me neither. The way WU works is it gathers local application data and then queries the WU update at MS. You can then configure it to notify you, download and notify or download and install. MS doesn't keep track of who has what through this. They do that with Product Activation. :evil:

If you had to keep a SQL Server up to date, you'd know how much of a pain that is.

Janak Parekh
05-09-2003, 05:45 PM
On the other hand, I just built up a machine for my gf's dad with XP, and while it had a few :roll: patches to do, it was relatively painless *kisses his 5MB DSL * :mrgreen:
... but even if the download is fast, the install takes forever on anything but the newest machines. Unfortunately, I administer a few customers who aren't big enough for solutions like SMS (or IntelliMirror?) but are large enough that updating all the machines manually is a royal pain. MS used to be better with NT3.51 and NT4, for which they regularly released service packs (excepting NT4SP2, of course, which was the worst of all time).

--janak

Kati Compton
05-09-2003, 05:50 PM
Me neither. The way WU works is it gathers local application data and then queries the WU update at MS. You can then configure it to notify you, download and notify or download and install. MS doesn't keep track of who has what through this. They do that with Product Activation. :evil:

I don't care if they know what MS products I have on my computer. Well, I do, but I'm less bothered by that. It's the Windows Update to update all my software that you were mentioning. If by "all" you were including non-MS products. If you meant all MS stuff, then sure.

And BTW - they know what's on your computer even if you don't activate it, use it for one day and then get rid of it. See my post here (http://www.pocketpcthoughts.com/forums/viewtopic.php?p=75772&highlight=activation#75772)

Kati