cokelvr

I am finally going to go wireless at home. I am looking for advice on which brands are good and which are bad. Also b vs g. What is real difference?
I am currently using cable internet. My main computer is located in my basement will this cause issues with the signal? Also any thouhgts on pci cards vs usb adapters?

Thanks in advance!

kurt

bendsley

I use Cisco Aironet at home and they're great, but most likely a bit much $$ for what you would want to spend. I would suggest Linksys. I have used them and not found any problem with them, and updates for the firmware come quite regular with new features being added to them.

Difference between 802.11b and 802.11g is speed. You go from 11 to 54mbs, but do remember, this will only affect your internal network, as your speed to the internet would not increase, because you are limited by your cable company. If you get 802.11g, everything in your home that has "g" will send/receive at 54mbs, but only 1,3 or 5mb (or whatever your cable modem speed is) to the outside world.

The nice thing about USB adapters is that if you have to move or change adapters, they are extremely easy to do so with. No unscrewing a pci card. Also, USB wireless equipment usually has a long enough cable to put the adapter higher up so that the signal is increased, whereas the PCI cards are just directly behind your computer and if it's beneath a desk, the signal can degrade.

As far as your computer being in the basement, I might suggest a wireless access point in addition to your wireless router. That way, your whole house would have better coverage. The access points themselves are usually quite cheap.

Whatever hardware you end up getting, as long as they support 802.11x (x being the same on all of them), then they should inter-operate with ease.

I might also suggest going with 802.11g, as it's price is barely higher, if any, than the 802.11b equipment, and the "g" will handle both the "g" and the "b" specifications (as long as your router is set to mixed mode).

__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."

Dragonlich

You might want to check for WPA security (Wi-fi Protected Access). Most good 11g routers support it, and it'll add security. With normal WEP encryption, one could theoretically crack the code in a few weeks; with WPA, it's years (at the very least).

In my experience, 11g tends to connect faster, which means you won't have to wait as long for your net connection to start. My 11b router (from SMC) tends to take about a minute, which was annoying enough for me to go back to a good ol' wired network. At work, I've seen 11g routers take only a few seconds to connect.

bendsley

WEP is actually pretty good if you use 128bit hash for it.

__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."

Mephisto2

Good advice from Bendsley, apart from the comment about WPA weakening signal strength. Signal strength is only affected by the radio and the local environment. A software setting does not affect the RF. WPA can have a CPU impact, and in theory this could manifest itself in lost connectivity in some unusual circumstances, but I've never seen it. The addition of the security overhead to the packets doesn't affect the underlying RF signal. That's like saying software physically affects your computer hardware.

If you want specific details on WPA or wireless in general just ask some more questions. I'll be happy to help.

BTW, selecting WPA is highly recommended. It secures your WLAN and mitigates all known attacks. Of course, if you do find it affects your signal quality, then you could always go with static WEP. Much much less secure, but an option none the less.

I can post a step by step guide on how to secure your WLAN if you want.


Finally, the recommendations on Cisco or Linksys kit are right on. Both excellent companies. Linksys is now a wholly owned subsidiary of Cisco by the way...


Mr Mephisto


Mr Mephisto

zero2

Things that you should be concerned with are:
*How far is your access point going to be with other computers
*WPA, WEP 64 and 128 Encryption
*SPI (Stateful Packet Inspection)
*What types of classes does router support, so far there is three A, B, G

When you set up your wireless router make sure to do the following:

1. Change the SSID, do not use the default name.
2. Change the Administrator's Password.
3. Make sure to use if available MAC Filtering you can find these details by going to each computer and going to the command prompt and typing ipconfig /all
4. Make sure to filter by class if available, such as only A devices or only A & B or only G or mixed mode.
5. Use WEP 128 bit encryption, choose a difficult passphrase, the weakness in WEP encryption is that the network key never changes, however, if you make a long passphrase, it will be harder for hackers to break in. You should also change the passphrase frequently.

Mephisto2

You're confusing WEP and WPA.

WEP uses a single 128bit or 40bit key. You define it once on the AP and client.

WPA uses pass-phrases (also defined on the AP and client) to dynamically and regularly calculate a new WEP key.


Mr Mephisto

pottsynz

Personally I don't think security will be a big issue, if the AP is in the basment the density of the surrounding conrete/earth would be good enough security. I'm guessing (we don't have basements in Middle Earth) what seperates your basement and upper levels is wooden floors) so you shgouldn't have too much trouble getting a signal within the house as long as your equipment is good.

cokelvr

Yes, I would greatly appreciate that.

HGClown

Also if you have the option dont broadcast your SSID, not point in shouting that you have a wireless network up.

I read an article recently that some wireless cards have had problems operating on channel 11 so dont use channel 11, also you might want to do some tests when you get it up and running, like starting the microwave and seeing if you get interference.

If you get a g access point I belive that if you have any b clients connect to it then it will automatically force all clients to b speeds ( cisco works this way ).

Mephisto2

Here you go. This is a repost of an article I posted before.



1 - Enable WPA if at all possible
Background
WPA (WiFi Protected Access) greatly increases WLAN security. It introduces several new enhancements, including TKIP (Temporal Key Integrity Protocol) that mitigates against so-called AirSnort or Wardriving attacks, and MIC (Message Integrity Check) that protects against Man in the Middle attacks. It also increases the WEP Initialization Vector from 24bits to 48bits, which is a huge improvement, as this makes the statistical likelihood of a weak IV being captured much lower. Finally, WPA introduces a dynamic key management feature, which allows for regular and automatic regeneration of WEP keys.
Implementation
WPA for most home wireless kit will run in WPA-PSK mode. The PSK stands for Pre Shared Key. This is effectively a password that you enter in your Access Point and your client that is used to independently generate new WEP keys on a regular basis. Ensure your passphrase is at least 20 characters long!
Caveats
Not all Access Points support WPA. This is unfortunate, but is not the end of the world. See below...



2 - Change default SSID
Background
SSID (Service Set Identifier) can be considered analogous to a network name. All Access Points come "out of the box" with a default SSID. Every hacker worth his salt will know the most common SSIDs. Common examples are "Linksys" (for Linksys kit), "Netgear" (for Netgear kit), "Tsunami" (for Cisco kit) etc.
Implementation
Change the SSID to something more appropriate to you. Your name, favourite band, pet... whatever. Just don't use the default.
Caveats
None. There is no reason this should not be done.



3 - Disable SSID Broadcast
Background
SSID (Service Set Identifier) can be considered analogous to a network name. Most Access Points "broadcast" this by default. That is, they advertise the SSID to any listening client devices. This is fine for enterprise networks or "hotspots", but there is no reason to advertise your network to your neighbours. You will know the SSID anyway as you have defined it (see above), so you don't need to broadcast it.
Implementation
Different for all manufacturers, but it should be pretty obvious. Just look for "SSID Broadcast" and disable it.
Caveats
This should not be considered a security improvement, as it's still possible to ascertain the SSID of a network that is not broadcasting, but it IS best practice. Just do it.



4 - Enable MAC filtering
Background
All Ethernet devices, including WLAN interfaces, have a MAC address. This is a 6-byte hexadecimal address that a manufacturer assigns to the Ethernet controller for a port. MAC addresses are "lower level" that IP addresses and are on the Data layer. You can setup your Access Point to only allow certain MAC addresses (ie, certain devices) use your WLAN. In other words, you configure it to only allow your computer (laptop, sister/brother's etc) to associate to the WLAN. This will prevent unwanted visitors from hitching a free ride...
Implementation
Search for MAC Filter in your Access Point config guide. You will have to go to each computer you will use on your WLAN and note down their MAC address. Make sure you note down the WIRELESS adaptor, and not the wired network card! It's a bit tedious (as a MAC address is a long sting of hex), but it's worth it.
Caveats
Not entirely foolproof, as experienced hackers can spoof MAC addresses. But it certainly adds to security and makes it more difficult for kiddie-hackers.



5 - Turn down transmit power
Background
Most Access Points can transmit at up to 100mW; some even more. Why bother covering more area that you need? There's no point is offering temptation to the people across the street, so you should turn down your transmit power to the lowest level that sufficiently covers your house/apartment.
Implementation
Different for every manufacturer. Check your user guide.
Caveats
You may need some tweaking to get it right. If you do, then congratulations. You just carried out what is called a "Site Survey" in the industry. Soon, you'll be doing this for a living!


6 - Change the admin password
Background
All Access Points come with an Admin account and password. You would be surprised at how many people leave these as the default ("Admin" and "Admin" for Linksys kit for example). You should change the password to something only you know as soon as you can.
Implementation
There shouldn't be any problem doing this. Just look for the Admin or Account Management section on your configuration page.
Caveats
Make sure you note down what you change the Admin password to!!


NOTE
What happens if my Access Point doesn't support WPA?!!!

WPA is highly recommended. It remains unbroken and, along with the new 802.11i standard that replaces WEP entirely (ask for more details if you want), it is the best security you can get. However, not all access points support WPA. If you have older models and haven't updated their firmware, it might turn out your access point has not WPA option. I would recommend updating the firmware, but if you can't do that then at least make sure you perform as many of the steps above (steps 2 to 6 for example) as possible.

Also, as you can't implement WPA, you should at least use 128bit WEP and manually change the key on a regular basis. You will have to manually setup a WEP key on your Access Point and your client devices. This is a pain, but ABSOLUTELY NECESSARY. And remember to change this regularly; at least once every few months (if not every few weeks).



Finally, if your computer is in the basement I'm assuming it's below where the AP will be. Most antennas on access points are what are called "omni-directional". This means they transmit in all directions around the antenna, at right angles to the antenna's alignment. That means that if your antenna is vertical, then most of the "power" will be radiated horizontally. If you are experiencing poor signal strength, try rotating your access point (or antenna if it is on a joint) by a few degrees (try 45, then 90 degrees).

That should help. Any more questions, just ask. I'm more than happy to help.


Mr Mephisto

Mephisto2

I hope you're kidding.

Security IS a big issue on WLANs. Trust me. It's my job to design, deploy and manage wireless networks. Without properly implemented wireless security it is trivial to hack. However, if you follow some simle steps, it's current impossible to do so.

All it takes is a little understanding and a few minutes time and effort. Then your WLAN will be impervious to all currently known hacking attacks.


Mr Mephisto

itlain

Just to add a little bit. I would personally recommend the WRT54G series of linksys routers. They are pretty much dirt cheap and their versatality is extraordinary. Linksys has the source code available for d/l and this has fostered a large amount of aftermarket firmwares. I would recommend Sveasoft as an aftermarket firmware if you were so inclined. It includes some aftermarket additions that I have found very useful including ssh access, telnet access, increase radio xmt and rcv power from 28mw to 251mw which is useful to increase range a bit. Another really useful addition is the addition of Chilispot to set up wireless hotspots and WDS which almost sets up a wireless mesh network. Extremely easy to set up and you can blanket large areas for a relatively cheap amount. People have deployed 30 - 40 of these routers and covered a large amount of area. The downside however is that its about a 20$ / yr subscription to get ahold of the firmware but I believe it is worth it. for 60$ I don't think you could go better.

__________________
Support the troops, if not the war.

bendsley

Actually, you can find the latest Sveasoft firmware on several websites for free. Search on google for "sveasoft gpl" and see what you get. The reason there are sites giving it away for free is that they clam Sveasoft is violating the GPL. Linksys came under heavy scrutiny when they didn't release source code to the WRT54G and even more scrutiny when they release some source, but not all. People who are advocates of the GPL will usually do what it takes to make sure that the license is strictly followed.

__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."

AxelF

I want to confirm what Mr Mephisto has been saying and think his guide is VERY good.

Step 2, 3 and 6 are something you NEVER skip.

Step 5 and 4 is to go an extra mile, and you do it if you like and care to fiddle with it.

Step 1 is for me that on your home network you MUST set it to one of the variants of WEP-64, WEP-128 or WPA. But as long as you don't run without you are probably fine. That said, they are just as easy to turn on so you choose the best that all your equipment can do. I have been tought that your net is only as secure as your weakest link. So if you mix (wich you can) WPA with WEP your net is only WEP secure.

Why security:
I live in a city, and all around me are networks with nothing of this done. This means, for you who are new to this, that I could select to connect to internet through the one of those that has the fastest internet connection. And there is no hacking involved at all. I could skip to pay for connection myself. Actually when I bought my stuff and installed it, my PC connected not to my AP but to some neighbors. This is done automatically. And it is not only about someone using your internet connection. Since the AP is unprotected I can log in to my neighbors router and configure it. I could mess it up and then change the password, which he never did himslef. I can even turn on remote administration of the router and let anyone of you guys log in to it from where you are. Scary!

Since the lack of security is widespread I think the risk of someone trying to hack your 128-bit key is rather small. It does exist but so does plane crashes. People drive around for fun with laptops in their car and use open networks. They don't need to hack the secure ones.

So follow Mr Mephisto's excellent guide and if you do not have support for WPA then use WEP and you can sleep well.

__________________
Coffee

Dragonlich

Actually... My SMC router uses mere WEP encryption, and uses a pass-phrase to calculate a one-time WEP key. So he might not be confusing the two at all.

Oh, and I'd say the MAC adress filter is pretty much a false security - it's relatively easy to spoof a MAC adress, so once you find out what it needs to be, you can hack it. Encryption is much better.

Mephisto2

Not entirely true.

WPA is a set of standards that is layered on top of WEP.
It adds to the security of WEP.

So, by definition, if you use WPA you are using WEP "underneath", as the underlying encryption. But you get the dramatically improved security that WPA offers.


Mr Mephisto

Mephisto2

That passphrase is just an "easy way" for you to calculate your WEP key for the access point and the client. The length and complexity of the pass-phrase has NOTHING to do with the underlying strength of the key itself. It's still a 128bit key based upon the flawed RC4 block cipher standard. And you kind of answered the original question anyway. The so-called pass-phrases used by some manufacturers for WEP key calculation (Linksys and SMC etc), are used to define a one time WEP key. It has nothing to do with the key strength or any dynamic key management features.

That's where WPA comes in. The true pass-phrases used by WPA are conceptually like shared secrets that are concurrently used to regularly regenerate new WEP keys on a periodic basis. Now, if that pass-phrase is not long enough then you can actually be vulnerable, but that's a different matter.

I can understand why there's some confusion, but there is a difference. Trust me.


Absolutely not.

MAC filtering should be used only as one part of a set of security settings. Seeing as 99% of hacking attempts on home wireless are by opportunistic kiddie-hackers or war-walkers, then having MAC filtering enabled will significantly improve your security against those "amateur" attacks.

Of course, any professional or even experienced hacker knows how to spoof MAC addresses, but I specifically noted that in my post. Let me quote myself "Not entirely foolproof, as experienced hackers can spoof MAC addresses. But it certainly adds to security and makes it more difficult for kiddie-hackers."

MAC filtering alone is not really good security. But as part of a set of features and steps, it does add significantly to the strength of your wireless network; especially for home networks where most attacks will be by opportunistic amateurs.

Mr Mephisto

Mephisto2

This is a very good point that most people overlook.

99% of attacks on home networks are opportunistic. If the hacker has to do some actual "cracking", most of the time they move on.

That's why SOME security is absolutely better than NO security.

And LOTS of security is the best of all.


Mr Mephisto

AxelF

I think in WPA the encryption done by WEP is replaced with TKIP which is an enhanced version of WEP with a per-packet key mixing function. Though in some texts it says that TKIP wraps WEP, so...

But my point was actually that if just one of your access points is running on WEP then you are not really WPA protected. Even if the others run WPA.

__________________
Coffee

pottsynz

I didn't say don't use any security, thats just nuts. What I meant was people won't hack your network if they can't a signal A lousy connection will be horrible for packet sniffing too. Suitably placed the AP will provide access to the house but not the street...its just first line security...they can't hack something thats not there.

Houses over here (NZ) are usually are quite far from curb...big sections etc
So I'm probably thinking locally...I guess its diff in the states.

Mephisto2

TKIP is an additional protocol that runs ON TOP of WEP. WEP is still used as the underlying encryption. What happens is that you no longer use single static WEP keys, but TKIP leveragels 802.1X to generate "dynamic" WEP keys (500 trillion possibilities).

TKIP, or Temporal Key Integrity Protocol, is not really a standalone encryption protocol. All it does is rehash the frame on a per-packet basis, thereby avoiding the flaw in WEP whereby predictable weak IV (Initialization Vectors) are used after a certain length of time.

Basically, in general terms, TKIP "scrambles" WEP packets a bit more than they would normally be.

However, I guess we're kinda splitting hairs here.


Mr Mephisto

beofotch5

I agree with all of this.

bendsley

The Temporal Key Integrity Protocol, pronounced tee-kip, is part of the IEEE 802.11i encryption standard for wireless LANs. TKIP is the next generation of WEP, the Wired Equivalency Protocol, which is used to secure 802.11 wireless LANs. TKIP provides per-packet key mixing, a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP.

__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."

Mephisto2

Actually, the message integrity check is provided by a seperate protocol called (appropriately enough) MIC, or Message Integrity Check.

Also, it's entirely possible to use TKIP and not 802.11i. TKIP is also used as the encryption standard in WPA.


Mr Mephisto

zfleebin

Hell yeah Mr. Mephisto, thats some good stuff there. Thank you

theFez

i would also suggest turning off dhcp and only allowing your assigned ips to connect and change the default location of the administration page. by default it is usualy 192.168.1.1

right now, sitting in my living room i can connect to 3 different wireless networks that have the default admin password, default admin page location, no encryption, broadcast ssid, and have dhcp enabled.

the real pain in the ass is that i have had to turn my ssid broadcast back on because it was hard to get my laptop to connect to my network with all these other ones around.

cokelvr

Thanks for all of the info. Now time to read it and digest it all>

Mephisto2

Actually fez, that's some excellent advice and something I overlooked.

Whilst I wouldn not necessarily disable DHCP, you could change the size of the scope so as to only allow enough IP addresses for your own clients.

In other words, if you know you will only be using your access point with one or two devices in your own house, why bother "offering" up to 50 or 100 IP addresses.

Additionally, changing the "location of your administrative" page really means changing the IP addresse of your access point and the default gateway etc. Whilst this will add abosolutely zero additional security, it is nice not to have your access point having the default values. It can also cause problems with your client "flip flopping", especially if it shares the same SSID as a nearby AP.


Finally, I neglected to mention that I would try to use a different channel from the default. Generally speaking you should use channel 1, channel 6 or channel 11. Different manufactures set their access points to use different default channels. It's also the way to avoid interference from nearby access points.


Of course these final three settings are a little bit more "technical" and some users may not be comfortable playing around with them. But it's still good advice.


Mr Mephisto

cokelvr

Well, I got Linksys and got it up and running. Thanks for all the help and advice. I will let you know if something comes up that befuddles me.

Kurt

Mephisto2

Hey Kurt,

did you enable WPA on that Linksys box? Let me know and I can walk you through it if you want.


Mr Mephisto

zfleebin

Hey Mr. Mephisto: I tried to enable wpa on my linksys broadband router and it consistently throws my wireless computer off the network and denies it access to the internet. Am I missing something?

theFez

dont sound so surprised, it happens more often than you might think!

__________________
# chmod 111 /bin/Laden

AxelF

You enabled WPA on the computer too right?

__________________
Coffee

Mephisto2

What model Linksys router do you have?

I may be able to walk you through each step.


Mr Mephisto

zfleebin

Actually, I think I figured it out. I have a linksys b router and I guess that the router doesn't support wpa. I setup 128 bit wep so that should be enough for now. Hell of a post though man, thanks for the info.

Mephisto2

If you upgrade the firmware it should support WPA.

Highly recommended.


Mr Mephisto

AxelF

Yeah, thanks again Mr Mephisto! Your guide is a real gem and it should be put up as a sticky in this forum.

__________________
Coffee

cokelvr

Yes, it was part of the wizard setup.

cokelvr

Also I am happy so far with connection speed. is max all the time. Of course I am only going through the floor.