simonrex22

If you have no security on your wireless router, is there a way to monitor if anyone is using my connection? Would someone using my connection slow down my internet speed?

j8ear

I'm gonna say, probably (although I could also probably say, most definately) to your first question, and to your second question, yes, although you might not actually feel the slowing down, since your probably not at full capacity anyway.

Remember your actual bandwidth is only as fast as your slowest hop.

-bear

__________________
It's alot easier to ask for forgiveness then it is to ask for permission.

goddfather40

Most routers will show the IP and MAC addresses of all devices connected to a network. Look in the "Status" screen or something like that. If you notice a device that is connected that doesn't belong, then bingo. As for determining who that person is, that's a different story. I suppose you could see if their computer name gives you any clues, or if they are stupid enough to be sharing files, etc. would could provide clues.

There are ways to keep your network kind of secure without WEP or WPA.

- Don't broadcast your SSID
- Assign static IP addresses to the devices on your network and then disable DHCP. That way if someone tries to connect, but has their network settings with DHCP enabled, they won't be able to.
- Reduce the transmit power on your router so that only your property is in range. This is tricky, and most of the time certain areas of a property don't have enough signal strength.

__________________
My name is goddfather40 and I approved this message.

I got ho's and I got bitches,
In C++ I branch with switches
-MC Plus+

Ch'i

When my wireless internet was down a few weeks ago my computer was inadvertently able to link itself to a neighbor's wireless setup across the street. With the apple airport setup, and most likely many other wireless systems, it asks if you would like to assign a password to allow access, though I am not sure how effective the security is.

Dilbert1234567

if they are actively using the connection yes, the only way to know for sure is to sniff the traffic and see something you are not doing. if they are passively listening, there is no way to detect it, period.

goddfather, i have to disagree fully.
the SSID is easy to sniff out of the air, you don't actually need the SSID to join the network anyways, just the channel and the MAC of the wireless router all of which is easily obtainable, this is in addition to the problems caused by several networks being on the same channel with the ssid 'linksys' causes.

Static ip's are just a bad idea, for several reasons, first, it is easy for someone else to assign them self a static ip and join the network, again by sniffing the traffic and getting the ip range information, second, you must manually set the DNS, and if your ISP changes the DNS on you, you have to set it again.

Reducing the power is just a crap shoot, you may make parts of your house unavalible, and others out side your house available.


if you want to secure your network, login to your router and configure it properly, change the default password, and apply encryption, WPA preferable, WEP if nothing else. don't forget mac filtering is worthless. use a complicated pass phrase, nothing simple.

__________________
Donate Blood!

"Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen

cyrnel

Yes, but you would probably find it more annoying than just using security methods people have already mentioned.

Why do you ask? Are you trying to protect your connection, or trying to provide access and monitor who's using it?

Of course. Maybe a little, maybe a lot.

Dilbert, I agree with what you said in principle but security in depth includes signal strength. Used alone it would be weak obscurity. Definitely, encrypt and do the other things, but don't forget to minimize your radio footprint. Not only is it responsible use of the spectrum, but it contains the range of attacks.

The assumption should be that the semi-skilled can hear you and intercept at least twice as far as you can connect. At least. Make use of directional antennas (or simple reflectors) and reduce output power to contain your footprint and minimize exposure.

Of course, you're right, simply turning down power can cause its own problems. Better to focus, then reduce within reason.

Sometimes though, you can't win. I think we need security drivers licenses. I had a customer the other day - an insurance brokerage owner - ask to get their customer database online so they could work from home. "Yes, all customer data." A VPN would be too difficult. But encryption means family will have to reconfigure their laptops. Can I still use AOL? Boo hoo. Cry me a river. It took all the liability warnings I could muster to slow things down. The "it won't happen to me" attitude I see every day tells me the baddies are having a ball.

__________________
There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195

Dilbert1234567

oh i know the pain of ignorance, yesterday at work, i spent most of the day tracking down a rouge access point 'linksys', after about an hour of finding the general location so i could get a stable connection, i sweeped through the local switches for a ''linksys or sysco' max address, finding none i tried to connect to a known host to track which port the device was on, again met with failure. i eventually guessed a few passwords on the router and got it (second try actually) and was able to find it's external IP and thus track it to a port, and then to a room, they managed to change the default password, but changed it to my second guess. bassicly, it let any student on campus onto our administrative LAN.

people don't understand security, and the need to. when i find the time, I'll write up a basic home computer security thread.

__________________
Donate Blood!

"Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen

guthmund

That would be very much appreciated, Dilbert.

You mention "configuring [wireless] properly," but what does that really mean? Is it just setting up the encryption with complicated pass phrases and changing default passwords?

__________________
No signature. None. Seriously.

bendsley

Ok, first off....Dilber1234567: VLANs? Also, filter any administrative device by MAC. How could a rogue access point access your administrative lan. Poor planning? Sorry, I'm not trying to sound harsh or rude. I know that there are always mistakes on a large network. I work for a Fortune 200 company that owns 760+ subsidiaries. We have to allow them on to our network via VPN for HR, payroll, etc. I have had to go to numerous companies and literally redo their internal networks because they were so shitty concerning security. I do have both my CISSP and CCSP, so I know a little about what I'm talking about.

Concerning people accessing your wireless router, as others have mentioned, there should be something on the router that allows you to see who has leased IP addresses. It should give you their MAC address, the IP they have leased and if your router is intuitive enough, the name of their workstation. If you're using a linksys router of some sorts, you might consider upgrading the firmware to something like DD-WRT. It gives you much more control over the equipment then what the default linksys firmware gives you access to.

I know on Cisco equipment, there is a lot that a wireless access point can tell you about a connection on your network. If you decide its something that you don't want on your network, Cisco uses NAC to block connections to the port (such as an access point), but could still allow other devices to connect.

You don't have to use static IPs on your internal network. I would recommend using a minimum of WEP, but WPA/WPA2 with EAP or TKIP if you have devices that will work with it. Make sure you change your SSID to something that is not the default, and that you do not broadcast it. Make sure that you change the admin password to the router and disable access from outside of your network. On Cisco devices, you can setup the access list so that only people within specified IP ranges can connect to your router via SSH or Telnet. I say this because I believe DD-WRT can do this too.

__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."

cyrnel

While I'm lunching...

Aye, change the SSID. Pre-built hashes are easily available to make dictionary WPA cracking a breeze.

MAC filtering is almost useless, but it adds a small layer. The downside is tracking the equipment vs. MAC if your equipment changes much. Most WAPs don't provide a name field for the address so you have to track it separately.

Disabling SSID broadcast is another barely useful security measure. Tools that watch for the packets expose them automatically. Disabling broadcast can also cause problems with crappy client code. If you're having troubles associating new equipment with a WAP try enabling the broadcast temporarily.

Use WPA with AES if your stuff supports it, TKIP otherwise. Don't trust anything important over WEP. Certainly don't shackle a net with it because of a few dinosaurs. Replace the ancient equipment, update your drivers, and move forward.

DHCP doesn't help security. While it can show unauthorized users in the lease table, for consumer equipment, enabling DHCP doesn't mean someone can't assign a static and stay out of the table. It does make casual connections very simple. Neighbors do this to each other all the time without even knowing. (until they can't print - hey, why isn't my printer showing up?)

If you need to track users without DHCP or with the useless tools provided by most WAPs, use external tools that work by tracking associations. It's much more reliable, and shows who's trying to get in as well as who's already inside.

Off again...

__________________
There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195

goddfather40

I agree with your disagreement

I think it is a matter of what the original poster was trying to ask.

My interpretation of the OP is that he just didn't want "normal" users accidentally logging on to his network...i.e. someone whose own wireless network is not functional, so their device goes to the next one it could find. Therefore, the suggestions I provided, though a poor excuse for a security strategy, are sufficient enough to keep the "normal" user off his network.

I think the question to ask is:
Is there something wrong with his router where the security settings are not working or does he just not want to implement the security measures? I guess the moral of the story is if he is not able to set up at least WEP, then you are taking a huge risk, and probably shouldn't have your network up and running until you do set it up.

__________________
My name is goddfather40 and I approved this message.

I got ho's and I got bitches,
In C++ I branch with switches
-MC Plus+

Dilbert1234567

We do have several VLAN's, and we do filter the student LAN by MAC, however, I was mistaken which VLAN the device was attached to, it was actually located on a quarantine LAN we gave to some outside contractors, they set it up. I'm sure you know what your doing, as do the employees actually responsible for network security.

__________________
Donate Blood!

"Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen

hagatha

Okay, so in addition to slowing down the internet, if your router isn't secure, can your computer be hacked into?
Please consider the fact that most of what was written in previous posts is incomprehensible to me. Not a computer person, at all.
Thanks.

__________________
Thats the last time I trust the strangest people I ever met....H. Simpson

Dilbert1234567

yes technically, but your biggest risk with an open wifi is viewing your network traffic. most email traffic is sent in plane text (easily viewable) so an attacker could sniff your email password out of the air the next time you log in, then search through it for sensitive information, ie online banking, request a pin change, and go from there.

__________________
Donate Blood!

"Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen

hagatha

Thanks Dilbert.

__________________
Thats the last time I trust the strangest people I ever met....H. Simpson

Cynthetiq

My issue with wireless security which is why I turned mine off, is that as my computer idles, which it does for long periods of time many times a day, I have to reset the wifi connection to reauthenticate.

Because of this I disabled all but the simplest security layers, meaning I don't broadcast my SSID, changed my DHCP subnet and range, enabled MAC filtering, all things to stop the casual neighbor/user from accessing my network.

Now, yes, I understand security risks, but do you walk around your house with your house keys in your pocket so that each time you walk out the front door, side door, open window, you have to use your key? It would get very annoying I'm sure you understand in that case.

I figure if you have enough skills to not be the casual intruder, you're going to get into my network or get my data, even if I had all the WEP/WPA and security I could muster up.

Has this reauthencating process changed in the past couple of years? I'm going to be buying a new cable/router once they gigabits get more stable.

__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.

Dilbert1234567

yes i do lock all my doors, and do carry a set of keys when i leave, unless i am going to my car and back, i lock my front door...

however, the authentication's process is much better with XP SP 2 you can save the settings and have it detect when the network is in range, then it will join with the settings you provided.

just remember, i can sit next door to you, sniff all your wireless traffic with out you knowing. i can also arp poison you and sniff the wired as long as the internal traffic does not exceed 54 mb/s, if it does, then you will notice the dropped packets.

WPA is hard to break as long as you have a long pass phrase, its not really worth the time to crack, WEP is easy, either way, but it is still harder then an open access point. furthermore, some people have standards and will not enter a locked network, but have no issues with entering an unlocked one.

__________________
Donate Blood!

"Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen

Cynthetiq

I'm not referring to LEAVING the house, I'm referring to being IN the house having to carry your keys for everything you do inside your house. I don't like feeling like a prisoner in my own home, doublekeyed deadbolt and in order ot make sure that if there was an exit in a fire, I carried my keys in my pockets ALL the time.

my point is that there is a point where I'm not going to worry about getting run over when walking down the street. I don't buy into the fear mongers. I just don't. Obviously if I had to worry about it from the 5 neighbors that are directly next to my apartment, only 1 can see my network because of the concrete walls.

i thought i had all the authenication problems post SP2, one day I'll doublecheck.

__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.

Dilbert1234567

well i do lock my systems when i leave them, but that's habit from work.

i don't buy into fear mongering either, to me, this is common sense safety, like a seat belt. sure it may not save you, but it probably will. i live in a college town, I've caught at least one person arp poisoning my neighbors open wifi.

__________________
Donate Blood!

"Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen

Cynthetiq

and see that I can agree. I wouldn't leave my doors unlocked if some intruder came in once before.

I've caught one person on my network, and dutifully removed them over time and set up the simple stuff I did. Other than that, I'm not really all that worried, nor will I let it let me lose sleep at night.

I'll try the SP2 stuff another time.

__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.