My Recommended WiFi Configuration

I had a request from one of Scoble's loyal readers to post my recommendation for a WiFi setup. I helped Scoble set up his when I was in Redmond last month, and from what he says, it seems to be working great. So here it goes.

BoyWonder.NET's Golden Rule: AVOID D-LINK AT ALL COSTS. I don't care what the price is. I don't care what the box tells you. D-Link has a hard enough time interoperating with other D-Link equipment, LET ALONE other manufacturers. This is because it tries to achieve 22MBps by going across 2 channels at once. AVOID IT LIKE THE PLAGUE. Want more proof? Scoble's access point was a D-Link. We drop-kicked that thing like Jackie Chan on Coke. Moving on.

I only stick with Linksys products. With one exception. Motorola came out with a combination Cable Modem, Broadband Router, Print Server, and Wireless Access Point that I've heard is top-notch. It interoperates with Linksys stuff very well. I don't own it, but if they had a Wireless-G version I'd buy it.

Now that 802.11G is a standard, go ahead and pick yourself up a Linksys Wireless-G Combo Router/Access Point. I've had nothing but positive experiences with this router. It is super easy to configure, and secure by default, which is always nice. With the G standard, you'll be able to use B and G products at the same time. Good for you. Bad for 802.11a. Personally, I'm still using B at home, and I'll only upgrade if I get a G-enabled laptop.

The best part about this router, besides the secure by default setup and simple web-based configuration, is the ability to open it up to be configured remotely. Anyone that needs help setting up their box, I'd be more than happy to do so, from the comfort of my own home :)

Next, make sure you get these Wireless-G PCMCIA cards. Same as above, and you'll find that they work very well with any WiFi access point. It's super easy to set up and configure.

Now that you've got everything running, log into your router. There are a few basic steps you can take to make sure you aren't hacked, and no one else leeches off your bandwidth. First, on the first page, re-assign your router IP address. It is 192.168.0.1 by default. Make it something like 192.168.146.254, and go ahead and keep the subnet the same. For those of you that don't know what IPs and subnets actually do, this means that your network is based on the 192.168.146 address, and you have 253 available nodes to work with. This is more than adequate in most if not all situations. And, by using a nonstandard internal IP address, you have reduced your risk of someone getting in.

Next, change your SSID. Something random that only you would know. Don't make it a password, because it is possible to sniff these right out of the air. That is harder to do, however, if you turn off SSID broadcasting. This will require you to set up Windows XP to connect to it manually later, but this is no big deal. Speaking of passwords, click the next tab and change your administrative password. Something unique with letters and numbers. Try the hacker trick of using numbers in place of letters. If your favorite place is Redmond, then your password could be r3dm0Nd. Chances are you'll beat most dictionary attacks. Try combining two words for greater protection. Now, make sure UPnP is off (who invented that anyways?), and move to DHCP.

You may not like me for this, but I don't care. Turn it off. Yeah, you're gonna have some extra work to do. But it will be a tad bit harder getting onto your network if you're not handing out IPs to any random schmuck. The rest of the basic settings you won't have to worry about. Click the advanced tab and continue.

Now, make sure the Block WAN Requests option is enabled. This prevents any kind of remote attack from crippling your computer. It's REAL nice, and my favorite feature. Make sure all your passthroughs are enabled if you have any kind of VPN connection. If you decide you want to have remote management on, PLEASE change the port. Let's move on to Forwarding.

Forwarding. This is how you open up the firewall. My recommendation: only open up what you have to. NOTE: Netmeeting runs on ports 389, 522, 1503, 1720, and 1731. If you're using Remote Desktop Connection and you've remapped the port (like all good RDC users should), make sure you open up that port too. Now, skip the routing tables, and move to the MAC Address tab.

Here's where I run a rather nifty little trick. Sometimes I use apps that need a direct connection to the net. In these cases, I have to unplug my router from the modem and plug my NIC card into the modem. The problem with most providers is that the cable modem is tied to the MAC address on whatever network card you are using. Usually, when you make this change, you have to reboot the modem to rebind to the new MAC address. Well, here you can make the router spoof the MAC address on your LAN card, so you don't have to make that reboot. Nifty, huh?

Now for the good stuff. Click the “Wireless” tab. Increase your “Basic Rates” dropdown to the 2nd option (you'll get higher transmission rates). Leave everything else alone, but enable your MAC filter. Look at the active MAC table, and see which MACs are connected. You shouldn't have any unless you set up your PCMCIA cards already. Pop those bad boys out of the case, and look on the backside. They should have the MAC address printed on the back. Enter them into the filters table, and turn the filters on. Now, only the cards in the table will be able to get a Station ID.
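Added example, not part of the original post or any Linksys tool: a small address planner that ties the steps above together. It keeps the router on the post's 192.168.146.254 with the default /24 mask, checks that the address is off the factory default, and, since DHCP is off, pins each MAC from the filter table to a fixed client address. The router address and mask are the post's; the MAC values are constructed.

```python
import ipaddress
import re

# Constructed sample values that follow the post: router moved to 192.168.146.254,
# default /24 mask kept, DHCP off, and MACs copied from the backs of the cards.
ROUTER_IP = "192.168.146.254"
SUBNET_MASK = "255.255.255.0"
PERMITTED_MACS = ["00-0C-41-AB-CD-01", "000c41abcd02", "00:0c:41:ab:cd:03"]
DEFAULT_ROUTER_IPS = {"192.168.0.1", "192.168.1.1"}  # common factory defaults

MAC_DIGITS = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept dashed, colon or bare hex forms and return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not MAC_DIGITS.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def lan_plan(router_ip: str, mask: str):
    """Return (network, client addresses) with the router's own address reserved."""
    iface = ipaddress.ip_interface(f"{router_ip}/{mask}")
    if str(iface.ip) in DEFAULT_ROUTER_IPS:
        raise ValueError("router still on a factory-default address")
    clients = [a for a in iface.network.hosts() if a != iface.ip]
    return iface.network, clients


def static_leases(router_ip: str, mask: str, macs):
    """With DHCP off, pin each MAC in the filter table to a fixed client address."""
    net, clients = lan_plan(router_ip, mask)
    normalized = [normalize_mac(m) for m in macs]
    if len(set(normalized)) != len(normalized):
        raise ValueError("duplicate MAC in filter table")
    if len(normalized) > len(clients):
        raise ValueError(f"{net} has room for only {len(clients)} clients")
    # Assign from the bottom of the range so the leases are easy to read off.
    return {mac: str(addr) for mac, addr in zip(normalized, clients)}


if __name__ == "__main__":
    net, clients = lan_plan(ROUTER_IP, SUBNET_MASK)
    print(f"{net}: {len(clients)} client addresses")  # 253, as the post says
    for mac, addr in static_leases(ROUTER_IP, SUBNET_MASK, PERMITTED_MACS).items():
        print(f"{mac} -> {addr}")
```

The 253 client addresses are the /24's 254 usable hosts minus the router's own .254, which is the figure the post quotes.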

All together, this will deter most would-be hackers. The hard core guys will be able to sniff out the information they need to get in, and you're SOL anyways. Now, use all those settings to set up the PCMCIA cards, and you're golden.

That's it. I would have loved to have done some screenshots and stuff, but I wouldn't want to give away MY configuration now would I? Hope that helps.

8 Comments

  • I have a Netgear 611WGR, a WiFi DSL router, which supports UPnP, i.e. I don't have to forward any ports to Windows Messenger. Instead, the messenger tells the router which ports it requires.

  • I have a D-Link 802.11b/g Router with a 4-port switch, a stand-alone 5-port switch from D-Link, two D-Link PCI 10/100 cards, and a D-Link wireless PC card. I've had no problems with any of them, and I've found D-Link to be, by far, the easiest to configure. The wireless router works fine with both the D-Link card, as well as with the built-in 802.11b in my Dell laptop.

    OTOH, I have had more problems than success with Linksys products (though it's been a couple of years since I've used them).

    Also, turning off Broadcast SSID is NOT a security measure. The SSID is sent as a part of other types of requests, so it's not possible to hide it entirely. All you're doing by turning off the broadcast SSID is causing more traffic when dealing with roaming computers. If I can find the article I read on this, I'll post another comment with the URL.
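Added example illustrating the commenter's point, not code from the post, the commenter or any vendor: a minimal parser for the tagged parameters of 802.11 management frames, with constructed beacon and association-request bodies. An AP with SSID broadcast off sends a zero-length SSID element in its beacons, but a station joining that network still names the SSID in its association request. Frame layouts are the standard ones; the sample SSID and capability bits are made up.

```python
import struct

SSID_ID = 0             # element ID of the SSID tagged parameter
SUPPORTED_RATES_ID = 1


def parse_elements(tagged: bytes) -> dict:
    """Walk the (ID, length, value) tagged parameters of a management frame body."""
    elements = {}
    i = 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        elements.setdefault(eid, value)
        i += 2 + length
    return elements


def ssid_from_beacon(body: bytes) -> bytes:
    """Beacon body: 8-byte timestamp, 2-byte interval, 2-byte capability, then elements."""
    return parse_elements(body[12:]).get(SSID_ID, b"")


def ssid_from_assoc_request(body: bytes) -> bytes:
    """Association request body: 2-byte capability, 2-byte listen interval, then elements."""
    return parse_elements(body[4:]).get(SSID_ID, b"")


def build_beacon(ssid: bytes, broadcast: bool) -> bytes:
    """Constructed AP beacon; with broadcast off the SSID element is sent with length 0."""
    fixed = struct.pack("<QHH", 0, 100, 0x0011)  # timestamp, interval, ESS+privacy caps
    ssid_ie = bytes([SSID_ID, len(ssid)]) + ssid if broadcast else bytes([SSID_ID, 0])
    rates_ie = bytes([SUPPORTED_RATES_ID, 4, 0x82, 0x84, 0x8B, 0x96])
    return fixed + ssid_ie + rates_ie


def build_assoc_request(ssid: bytes) -> bytes:
    """Constructed station association request; it always names the SSID it is joining."""
    fixed = struct.pack("<HH", 0x0011, 10)  # capability, listen interval
    rates_ie = bytes([SUPPORTED_RATES_ID, 4, 0x82, 0x84, 0x8B, 0x96])
    return fixed + bytes([SSID_ID, len(ssid)]) + ssid + rates_ie


if __name__ == "__main__":
    name = b"homenet"  # constructed SSID
    print("beacon, broadcast off:", ssid_from_beacon(build_beacon(name, broadcast=False)))
    print("association request  :", ssid_from_assoc_request(build_assoc_request(name)))
```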


  • Last, but not least, I should point out that if you've only got one AP, there's probably no reason not to disable broadcast of the SSID, since it won't impact your performance if you don't have users roaming from AP to AP. But while that will make it a little harder for a casual war driver to find your network, it still really doesn't count as security, since the SSID is easy to obtain using other means.

  • Great post, Robert. I agree 100% with the D-link comment. I have some older access points that are quite difficult to configure and won't work with their newer stuff. They worked ok out of the box, but if you want "advanced" features like WEP, it was very difficult to configure. Don't bother calling their "support", either. I had one of their guys hang up on me, and the other told me that I must have installed XP wrong.

    -Dustin

  • Robert,

    You wrote:

    "Yes, turning off the SSID may not be a security feature, but leaving it on makes connecting to your network just that much easier. You can configure your WiFi card to connect to that SSID automatically without having to discover it."

    I'm aware of that, and I agree that reducing the attack surface makes sense where possible. But many people (including manufacturers) tout disabling the Broadcast SSID as a security feature, when in fact the SSID can be easily had by other means. Not much of a security feature, IMO. But nonetheless, it's still worth turning it off if you're not worried about any additional traffic it might generate.

    You also wrote:

    "And I don't use WEP, cause it can be sniffed out."

    Granted, you may get better results with your VPN solution, but why not use WEP as well, since it at least raises the bar for casual access? No, you shouldn't rely on WEP if you want to be completely secure. But as with the Broadcast SSID, each additional step a would-be attacker has to take is potentially useful in defending your network.

  • Extremely valid points, and it does seem like I am kind of contradicting myself. In my experience, WAP is a real PITA for end users (lay people) to deal with. So in weighing the benefits vs. effort required, I chose to say no to WEP and wait for WPA. WAP just does not add that much security for the hassles, and it is super easy to break.

    It might behoove me to mention too that this was not designed for you guys as much as it was for lay people. Yeah you might have the patience to deal with the problems that come up trying to implement WAP. My mom wouldn't. I really tried to write it as if my mom were reading it (she's fairly computer savvy, so it's a good target for me. If my mom can start understanding my writing I can then move down and try to get my sisters too.)

  • Wait...you don't expect lay people to be able to set up WEP, but you *do* expect them to be able to set up a VPN!?! Come on, Robert...surely you jest. First of all, lay persons may not even have the necessary hardware and/or software to set up a VPN, and beyond that, many wouldn't have any clue how to set one up if they did.

    So if they're not using WEP, and they're not able to set up a VPN like you did, they're basically sitting there with their wireless network open to anyone who wants to come along and use it.

    What I find really funny about all of this is that I've yet to hear wireless AP manufacturers blamed for making it easy for people to get hacked, despite the fact that on most wireless routers and APs, the default settings are completely insecure. Sure, most of them default to NAT and use firewall settings to block traffic from the WAN connection, but that's not much help if someone can easily connect to your WLAN on the default settings. Given how much crap Microsoft gets for their insecure defaults, I have to wonder why there's not more noise about this. Probably because people recognize that it would be next to impossible to sell an AP with completely secure defaults that would still be useful.

  • Again, good points. If you notice, the VPN part was not a part of the initial setup procedures I discussed. It was a response to your query. Had I intended VPN to be a part of the discussion, it would have been included in the tutorial. Note that the comment was specifically targeted at you.

    Now, I invite you to go back to that blackpaper link you pointed me to. Click it. Now, try actually reading it this time. Don't just skim it and use it for a rebuttal. COMPREHEND it. You'll find striking similarities to things I said. You'll also find parts where it talks about turning off the SSID, and filtering MAC addresses, and so forth. Yes, it does say that these methods are not 100% secure. I never said they were. I did say they were pretty effective most of the time. Which is exponentially better than nothing.

    And on that note, I think I'm finished on this topic. I posted this to help out someone who wanted my advice, not to have a lengthy discussion about WiFi security. For the target audience, my tutorial was adequate and accurate. If you need to implement WiFi in a corporation, look elsewhere. That was not the point. Scoble's house is not a multinational corporation.