
WEP Precautions/Wireless Isolation (AKA "can't use WPA2")

Mugenmidget Registered User regular
I have a few potential security holes with my awkward wireless setup that I could use some tips on fixing.

Right now the setup goes as follows:

-Actiontec MI424-WR Router with wireless disabled, default firmware a la Verizon
-WRT54G with Tomato 1.10 firmware working as a wireless bridge
-Multiple computers with wired connections, file-sharing enabled
-One computer with a Linksys wireless PCI card that supports up to WPA2
-XBOX 360 with XBOX (original) MN-740 wireless gaming adapter, only supports WEP
-Multiple DS handhelds that only support WEP
-Wii console that supports up to WPA2

The 360 is isolated to an extent that wireless is a lot handier than trying to run cable to its destination. The 360 wireless gaming adapter is far too expensive and doesn't even support WPA2. So right now the WRT54G is only using WEP so it can interface with the MN-740. Connections to the WRT54G are assigned IPs by the Actiontec, so even wireless clients are seen as wired.

This yields a problem, because the "AP Isolation" option on the WRT54G does nothing to deter file-sharing and the Actiontec seems very limited in its ability to distinguish the difference between wireless connections and isolate them appropriately. So basically anyone who obtains access to the WRT54G has full permission in the network.

There is a MAC filter list and SSID broadcast is disabled. I imagine that's enough to keep most people out but I don't feel all that great having shared files on a vulnerable network.

I attempted to flash the firmware on the MN-740 to support WPA as outlined here: http://www.dslreports.com/forum/remark,13360873

The problem is that WPA still didn't work, yet WEP continued to function. Accessing the device's setting pages through a browser shows that the firmware upgrade seemed to take place in some capacity, not sure what happened there but WEP definitely still works.

Another router JUST to use as a bridge for the 360 seems like overkill but may honestly be the best solution, although I'd like to just work with what I already have if that's possible.

An additional point of interest is that I also own a WL-167G USB stick that could technically broadcast to the 360 and be removed when not in use. This is what we did with the DS systems before the 360 entered the picture, but I'd like to think of it as a last resort because my main questions are:

-Are there additional methods of isolating clients from file-sharing on the WRT54G with this particular firmware, especially when it's only acting like a bridge?
-Are there other security holes I should know about with this setup?
-Aside from disabling the SSID broadcast and adding a MAC filter list, are there any other good practices for maintaining some semblance of security with WEP?

This setup is really wonky and I'm sure some of my questions are kinda vague. All kinds of random suggestions you want to throw out are welcome, just wanted to discuss this so I can figure out how I should move into making it more secure.


Posts

  • corcorigan Registered User regular
    edited May 2008
  • mcdermott Registered User regular
    edited May 2008
    -Aside from disabling the SSID broadcast and adding a MAC filter list, are there any other good practices for maintaining some semblance of security with WEP?

    You'll never really get more than the semblance of security with WEP. Just sayin'. However, if you truly are stuck with WEP the only other suggestion I have for you is to ensure that your transmit power is set as low as possible as well, limiting the physical area in which you are vulnerable to attacks. For instance, I can cover a majority of my house at like 25% power (I forget what it was in dB).

  • Mugenmidget Registered User regular
    edited May 2008
    Hm, thanks for the heads up guys. I knew I was kidding myself but it's good to have it pounded in, I might try using the WL-167g for the 360 and DS since that'd not only provide a lower transmit power inherently but I could isolate it enough that it wouldn't matter if it was hijacked.

    That article also makes me wonder if it's worth the stress of using a MAC filter and disabling SSID broadcast. It's not like those are any worse to maintain than a crazy WPA2 password (which is only a problem on the Wii and less of one with a USB keyboard), but it really doesn't sound like they do much besides prevent accidental access by neighbors. But it's not that much extra work to juggle them so I'll probably keep them around.

  • Mugenmidget Registered User regular
    edited May 2008
    Okay, the adapter is working but for some reason in Soft AP mode it only provides up to 11mbps. I'm not sure if that's normal, everywhere else it seems like it's advertised as providing speeds of up to 54mbps but that might be referring to it as a client. Is it normal for devices like this to be able to utilize higher speeds only as a client? Is there something I could configure to fix the speeds?
