I've spent most of the holiday weekend trying to configure and optimize my first wireless network at home. I've run into a couple of problems, hence this post. My wireless network currently consists of the following;
i) A Belkin ADSL modem with built in wired and wireless router (802.11g)
ii) My new work laptop - a brand new HP NC6000 with built in WiFi
iii) My creaking old Dell Inspiron 8300 laptop with a new Belkin 802.11g card.
My new work laptop and Belkin router work beautifully together using WiFi (from anywhere in the house - I'm looking forward to trying this out on the move :D ). Likewise, my Dell when attached to the router via a LAN cable works extremely well, actually improving on the DSL connection I had with my original modem. However, when I configure my Dell with the 802.11g card (replacing the existing PCMCIA LAN card), the performance I get over wireless is very poor though I have improved things quite a bit with a few optimizations (MTU, finding the best channel and switching on G Nitro).
So, I'm wondering: Before I go pursuing Belkin technical support again over this (and they have been helpful), am I perhaps trying to do a bit too much with an old laptop in need of replacement? Have I missed anything in my own investigation of the problem?
mikel51
Apr 11, 04, 4:13 pm
Not sure what your problem is, but old laptops should work just fine. I am using a Dell C600 which is about the same vintage as your 8300 and it works great. We have used multiple old computers with our old 802.11b and now 802.11g network. Essentially all of your computers should work faster than the wireless link to the internet.
Do you have good reception--does your performance improve when you move the laptop closer?--At our house we get different performance depending on location. When you get too far from the wireless access point, performance goes down.
BTW, I had a Belkin PCI card in my home theatre computer, and I couldn't get it to work well with Windows XP and a different brand access point--especially with network encryption. When I put in a different brand of card, everything was hunky dory. I have had good success with D-Link and Netgear.
Internaut
Apr 12, 04, 7:19 am
I experimented with switching encryption off this morning and everything speeded up significantly. Not really a solution as - call me paranoid - I quite like encryption set to on. I suspect the encryption is being done by Belkin's drivers and perhaps not very efficiently given my laptop's vintage. I am running Windows XP Home with all the latest updates on the laptop and this has generally (up until now) been a big improvement on the Windows 98 install it came with.
I may try a different brand of PCMCIA card and see if that improves things.
In the meantime, I'm more than happy with the performance improvement I get using a LAN/Cable connection versus DSL modem to USB connection (and I have a wireless option should I choose to lounge while browsing FT :D ).
ScottC
Apr 12, 04, 7:46 am
Try and determine what the chipset is in the Belkin, it can only be one of a few, then try using a driver from a different manufacturer. I stopped buying Belkin last year, nothing but trouble from them.
pdhenry
Apr 12, 04, 10:25 am
If you're truly paranoid you should know that WEP encryption is easily cracked. Turning off SSID broadcast might offer almost the same level of security against casual interlopers (I'm guessing)...
(gotta love the 30 second free edit in the new software...)
Internaut
Apr 12, 04, 12:14 pm
WEP isn't the most secure of things but a quick google search indicates that it is better than nothing and to the best of my knowledge, I don't live in a hacker intensive environment. It will do while I get my head around how to use WPA. Hiding the SSID is a good idea though so I'll probably do this.
This is all still somewhat new to me. Am I correct in understanding that if I do hide and then change the SSID on my router, connecting to my wireless network is simply a matter of knowing what name to type in?
ROW2Aisle
Apr 12, 04, 3:04 pm
Besides not broadcasting your SSID consider restricting wireless access just to your own MAC addresses. So if someone ever finds out your SSID you can still prevent unauthorized access.
Internaut
Apr 12, 04, 3:08 pm
V.good idea @:-) ^ ^
I only need to allow two or three devices onto my network (plus the occasional prospect of a guest) so this would be very practical.
Edited to add: Done. One slightly more secure wireless network. It will be even more secure when I pull the plug out before I go to bed tonight :D
Internaut
Apr 13, 04, 3:15 pm
Try and determine what the chipset is in the Belkin, it can only be one of a few, then try using a driver from a different manufacturer. I stopped buying Belkin last year, nothing but trouble from them.
I see what you mean about the trouble bit :( I've just had a disastrous episode installing the latest drivers (on Belkin's recommendation) and nearly ended up having to format my hard disk and start from scratch. Still, re-installing the original drivers that came with the card has given me a noticeable performance enhancement.
ClueByFour
Apr 13, 04, 4:41 pm
Besides not broadcasting your SSID consider restricting wireless access just to your own MAC addresses. So if someone ever finds out your SSID you can still prevent unauthorized access.
That won't stop anyone who is smart enough (and has a wireless card) whose MAC address can be spoofed.
If you have enough time (to gather enough data to crack a WEP key) and a decent knowledge of Unix/Linux, you can pretty much get into any AP with WEP and MAC address filtering. It just takes more time and a bit of knowledge.
I still suggest that if you truly care about others watching your traffic that you utilize a VPN to encrypt all wireless traffic, as well as acting as a gateway to keep someone else from jumping your LAN and using your bandwidth. I'd also turn off DHCP on any access points--why give any freebies?
willyroo
Apr 14, 04, 3:01 am
That won't stop anyone who is smart enough (and has a wireless card) whose MAC address can be spoofed.
If you have enough time (to gather enough data to crack a WEP key) and a decent knowledge of Unix/Linux, you can pretty much get into any AP with WEP and MAC address filtering. It just takes more time and a bit of knowledge.
I still suggest that if you truly care about others watching your traffic that you utilize a VPN to encrypt all wireless traffic, as well as acting as a gateway to keep someone else from jumping your LAN and using your bandwidth. I'd also turn off DHCP on any access points--why give any freebies?
But if you're using a VPN, you lose local network access anyway? Unless of course you use split tunnelling, in which case you're giving up much of the security benefits of VPN...
If you use DHCP, and limit the IP range to the number of devices you use, and use 128 bit WEP, then it's going to be a rare individual who'll crack you. :)
nmenaker
Apr 14, 04, 10:31 am
I'd like to point out that with wireless, it is sometimes good to point out what the different types of security and access controls and restrictions will do so that a user can decide what makes sense for them based on what they need/want to control.
The SSID turning off, MAC address filtering and Changing Default Passwords for the Access point are primarily focussed on restricting access to the Access Point and possibly therefore the network that is connected to it. A good Access point will allow you to completely RESTRICT any access to the WAN that is hardwired to the Access Point as well.
What this means is that a user will not either SEE, be able to CONNECT or USE your internet connection via the access point.
Best things to do in no specific order are: Change Default Access Point Password; Change Default SSID; Turn off SSID broadcast; Restrict to YOUR MAC Addresses only.
Encryption focusses specifically on encrypting the signal as it flies through the air. This means, that even if someone is not connected to your access point, they can easily SNIFF out your signal as it flies through the air and copy it, decrypt it and SEE what the data is. Turning on Encryption, WEP or WPA is fairly weak and can indeed be easily broken.
It will slow everything down though if on, but even if all the ACCESS security controls are turned on, a hacker can easily sniff out your data and copy it. Granted, it is a bit complicated but there are simple programs on the internet to do this. (gotta love the internet)
So, focus on what you need. If you are not that concerned about your data, simple emails, web browsing, etc. Don't necessarily worry about WEP or WPA.
The other ACCESS restrictions are very easy to implement and won't slow anything down at all.
my .02$
ScottC
Apr 14, 04, 10:36 am
But if you're using a VPN, you lose local network access anyway? Unless of course you use split tunnelling, in which case you're giving up much of the security benefits of VPN...
If you use DHCP, and limit the IP range to the number of devices you use, and use 128 bit WEP, then it's going to be a rare individual who'll crack you. :)
Plus, there are utilities that will alert you to changes in your LAN like new IP's on the AP, new computer names, new MAC's etc.... :)
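A minimal sketch of the kind of change-alerting utility mentioned in the post above, as an added example that is not part of the thread and not any named tool. The "IP MAC HOSTNAME" table format, the addresses and the host names are constructed for illustration; a real router's client list would need its own parser.

```python
from typing import NamedTuple


class Client(NamedTuple):
    ip: str
    mac: str
    name: str


# Constructed sample data in a made-up "IP MAC HOSTNAME" format.
BASELINE = """
192.168.2.2 00:11:22:33:44:55 work-laptop
192.168.2.3 00:11:22:33:44:66 old-dell
"""
CURRENT = """
192.168.2.2 00:11:22:33:44:55 work-laptop
192.168.2.3 00-11-22-33-44-66 old-dell
192.168.2.4 00:11:22:33:44:77 unknown-pc
192.168.2.5 00:11:22:33:44:55 linuxbox
"""


def parse_clients(text: str) -> list:
    """Parse the table, normalising MACs to lower case with colons."""
    clients = []
    for line in text.strip().splitlines():
        ip, mac, name = line.split()
        clients.append(Client(ip, mac.lower().replace("-", ":"), name))
    return clients


def diff_clients(baseline: list, current: list) -> list:
    """Return alerts for new MACs, new IPs, renamed hosts, duplicated MACs."""
    known = {c.mac: c for c in baseline}
    known_ips = {c.ip for c in baseline}
    first_ip = {}
    alerts = []
    for c in current:
        old = known.get(c.mac)
        if old is None:
            alerts.append(("new-mac", c.mac, c.ip))
        elif c.name != old.name:
            alerts.append(("name-changed", c.mac, f"{old.name}->{c.name}"))
        if c.ip not in known_ips:
            alerts.append(("new-ip", c.ip, c.mac))
        # An allowed MAC answering on two addresses at once is what a
        # cloned (spoofed) MAC looks like from the router's side.
        if first_ip.setdefault(c.mac, c.ip) != c.ip:
            alerts.append(("mac-on-two-ips", c.mac, f"{first_ip[c.mac]},{c.ip}"))
    return alerts


if __name__ == "__main__":
    for alert in diff_clients(parse_clients(BASELINE), parse_clients(CURRENT)):
        print(alert)
```

The last sample row shows why MAC filtering alone is not enough: the allowed MAC passes the filter, and only the changed host name and second IP give it away.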
stimpy
Apr 17, 04, 9:19 am
With a wireless sniffer, I can see SSID's whether broadcast or not.
It's trivial to download a script from a hacker website that will crack WEP keys. You don't even have to know how it works.
It's trivial to spoof a MAC address.
The answer? Use WPA or the soon to be released 802.11i for a very, very high level of security. Higher in fact than any VPN or anything on a wired LAN. Today's wifi cards support WPA so you just need to make sure your access point does too.
Not to be commercial, but my access points support both WPA TKIP and AES with 152-bit keys. To give you an idea of how secure AES is, if a supercomputer could crack a DES key in one minute, that same supercomputer would take 149 trillion years to crack an AES key.
Another option for those who can't use 802.1x or WPA, you can specify MAC addresses and combine that with a unique key which works pretty good.
UALOneKPlus
Apr 17, 04, 10:54 am
Ha! I use a 100' long Cat 5 cable :D
With a wireless sniffer, I can see SSID's whether broadcast or not.
It's trivial to download a script from a hacker website that will crack WEP keys. You don't even have to know how it works.
It's trivial to spoof a MAC address.
The answer? Use WPA or the soon to be released 802.11i for a very, very high level of security. Higher in fact than any VPN or anything on a wired LAN. Today's wifi cards support WPA so you just need to make sure your access point does too.
Not to be commercial, but my access points support both WPA TKIP and AES with 152-bit keys. To give you an idea of how secure AES is, if a supercomputer could crack a DES key in one minute, that same supercomputer would take 149 trillion years to crack an AES key.
Another option for those who can't use 802.1x or WPA, you can specify MAC addresses and combine that with a unique key which works pretty good.
Internaut
Apr 17, 04, 12:42 pm
All well and good but how paranoid does a residential user such as myself need to be.
stimpy
Apr 18, 04, 10:30 am
All well and good but how paranoid does a residential user such as myself need to be.
Well if your neighbors can get a signal from your PC, they can see everything you see that isn't encrypted. This includes passwords.
Non-NonRev
Apr 18, 04, 1:03 pm
Well if your neighbors can get a signal from your PC, they can see everything you see that isn't encrypted. This includes passwords.
stimpy - Just to verify: If I'm transmitting a password to a secure website (with the little padlock present in the IE status bar) I'm OK, but if the website is NOT secure, then the password is out in the open?
winkydink
Apr 18, 04, 2:15 pm
With a wireless sniffer, I can see SSID's whether broadcast or not.
It's trivial to download a script from a hacker website that will crack WEP keys. You don't even have to know how it works.
It's trivial to spoof a MAC address.
The answer? Use WPA or the soon to be released 802.11i for a very, very high level of security. Higher in fact than any VPN or anything on a wired LAN. Today's wifi cards support WPA so you just need to make sure your access point does too.
Not to be commercial, but my access points support both WPA TKIP and AES with 152-bit keys. To give you an idea of how secure AES is, if a supercomputer could crack a DES key in one minute, that same supercomputer would take 149 trillion years to crack an AES key.
Another option for those who can't use 802.1x or WPA, you can specify MAC addresses and combine that with a unique key which works pretty good.
Sniff this! :)
http://www.blackalchemy.to/project/fakeap/
stimpy
Apr 18, 04, 7:48 pm
stimpy - Just to verify: If I'm transmitting a password to a secure website (with the little padlock present in the IE status bar) I'm OK, but if the website is NOT secure, then the password is out in the open?
I don't know from IE padlocks, but if the URL starts with https the s stands for SSL which encrypts all the data. But if it is http or you are getting your email from a POP server, then your password is in the clear.
Non-NonRev
Apr 18, 04, 9:49 pm
stimpy - thanks for the confirmation re: sites using secure sockets layer. IE displays the padlock icon whenever an SSL site is used (I believe Netscape Navigator displays a similar icon).
ClueByFour
Apr 18, 04, 10:05 pm
But if you're using a VPN, you lose local network access anyway? Unless of course you use split tunnelling, in which case you're giving up much of the security benefits of VPN...
If you use DHCP, and limit the IP range to the number of devices you use, and use 128 bit WEP, then it's going to be a rare individual who'll crack you. :)
The truly paranoid would subdivide their own home network, and require the VPN to simply egress to the internet. I don't do it, but I know those who do :p .
By "use a VPN," I should have been a bit more specific: use a VPN to any resources you might care about. I personally am perfectly happy connecting to joe random AP, since I'm running a software firewall, a VPN to my corporate network with two-phase auth, and either SSH or SSL based access to all my personal stuff (except FT, of course :eek: ).
I guess it goes back to your personal level of paranoia. 128 bit wep (with the AP setup to require WEP), MAC address filtering, changing the default SSID and turning off SSID broadcast should prevent everyone short of the determined script kiddie from either seeing your data or associating with your AP.
The other (and often overlooked) method to secure one's wireless setup is to turn down the power on the radio such that it does not pass beyond the perimeter of one's home.
stimpy
Apr 19, 04, 8:52 am
I guess it goes back to your personal level of paranoia. 128 bit wep (with the AP setup to require WEP), MAC address filtering, changing the default SSID and turning off SSID broadcast should prevent everyone short of the determined script kiddie from either seeing your data or associating with your AP.
The other (and often overlooked) method to secure one's wireless setup is to turn down the power on the radio such that it does not pass beyond the perimeter of one's home.
128 bit keys for WEP doesn't help since it's the same short initialization vector that's sent in the clear that you can use to break the key pretty easily. But even though I know how easy it is to break into your network, I certainly wouldn't bother. As you say, how paranoid are you?
As for lowering your power, that may also lower your link speed which is why most people like to use full power. An option is to use 802.11a or g which has a higher link rate and even if you lower the power it will likely be much faster than 802.11b.
skofarrell
Apr 19, 04, 9:23 am
If you're truly paranoid you should know that WEP encryption is easily cracked. Turning off SSID broadcast might offer almost the same level of security against casual interlopers (I'm guessing)...
(gotta love the 30 second free edit in the new software...)
^ ^ ^
jcrb
Apr 24, 04, 11:02 am
Besides not broadcasting your SSID consider restricting wireless access just to your own MAC addresses. So if someone ever finds out your SSID you can still prevent unauthorized access.
I don't think most people are concerned with someone stealing some service from their access point nearly as much as they are with other people reading their mail
jcrb
Apr 24, 04, 11:09 am
Well if your neighbors can get a signal from your PC, they can see everything you see that isn't encrypted. This includes passwords.
My father reports that in his condo in Chicago from several floors up he can see AP's in nearby buildings. And just because someone is not running an AP doesn't mean they don't have a wireless card and can't see yours.
Internaut
Apr 24, 04, 5:23 pm
I can sometimes see several unsecured networks from the hotel I'm staying at in Nuernberg - none will let me log on though - I assume they are using MAC address filtering since they don't ask me for a wep key or a pass phrase. I can also log onto the hotel's wireless network (currently not very secure and not charging for use).
winkydink
Apr 25, 04, 2:50 pm
I can sometimes see several unsecured networks from the hotel I'm staying at in Nuernberg - none will let me log on though - I assume they are using MAC address filtering since they don't ask me for a wep key or a pass phrase. I can also log onto the hotel's wireless network (currently not very secure and not charging for use).
In my suburban neighborhood, I can connect to two other wireless networks, both of which have encryption turned off.
Hmmm... maybe I can give up my DSL service and poach on theirs? :)
Pointfreak!
Apr 25, 04, 5:31 pm
In my suburban neighborhood, I can connect to two other wireless networks, both of which have encryption turned off.
Hmmm... maybe I can give up my DSL service and poach on theirs? :)
Exactly! When I pop on netstumbler, I see five AP's from my dining room table...and I'm the only one running any form of encryption...in fact none of them even changed the default SSID.
I don't need to fear my neighbors...they should fear me. ;)
Teacher49
Apr 25, 04, 8:24 pm
The answer? Use WPA or the soon to be released 802.11i for a very, very high level of security. Higher in fact than any VPN or anything on a wired LAN. Today's wifi cards support WPA so you just need to make sure your access point does too.
stimpy,
Do you happen to know when the new (802.11i) will be released? I am thinking about wiring home/home office for the first time and am wondering if it is worth the wait.
(I'd have sent this privately, but I bet others would like to know, too.)
Thanks!
Pointfreak!
Apr 26, 04, 8:59 am
BTW: NetStumbler 0.4.0 just released...now works with Linksys and MANY more cards! www.netstumbler.com