DIR-655 as an access point

[Martin]

After years of being wired, I took the plunge and went wireless, that is to say I'm trying to.

Added a D-Link DIR-655 to my existing home network as an access point: disabled UPnP, DHCP and gave it an available address on my network.

In a laptop I added a D-Link DWA-642 adapter configured to get an IP automatically.

Being only slightly paranoid I enabled WPA2 and thought I would also apply MAC filtering. I entered the MAC addresses of the wireless adapter as well as that of the wired connection.

If only the wired connection is enabled, everything works as before, gets an IP automatically and surf the web.

If only the wireless connection is enabled, I can NOT see the DIR-655, it says it can not get an IP. If I change the adapter and manually give it an IP, I can see the DIR-655 but not the local network not the Internet.

Does every MAC address on the network have to be added?
Is there something else that needs to be activated to make it work wireless?
Is there any other security feature that I should be using to prevent unwelcome visitors?

 

[jdabbs]

Did you verify the wireless adapter was able to lease an IP before you enabled WPA2/MAC filtering? It's much easier to identify problems as they occur. Do you have MAC filtering enabled on your primary router too?

Also, MAC filtering is useless; I wouldn't be surprised if it takes more time to configure than it does to be circumvented. WPA/WPA2 with a strong passphrase is sufficient. To improve on that, you could use a different, also strong, password on your router to keep intruders from taking control.

 

[starfox101]

I was about the same way. Wired, then added linksys wrt350 for wireless. My son works nights, sometimes pulls up in his car to connect with laptop.
I just hooked the wireless router to the wired using the switch part of the wireless router. Changed the default ip address, turned off firewall, and DHCP. Works fine. Had to setup the wireless router direct connect with my pc first. Both routers had the same IP address.

 

[Martin]

As for the connectivity problem, I finally discovered that the AP was not talking to my existing router nor any other PC on the local network because the AP did not accept their MAC addresses as legitimate.

As for the whole MAC filtering issue, I've read in many places that it is more of a nuisance for the defender than an obstacle for the attacker. Is there a simple article that explains why? IT sure sounds like a good idea.

Would making the AP invisible so that the "SSID of the DIR-655 will not be seen by Site Survey utilities" do any good as far as security?

Does anyone turn off their AP when it is not needed? If there is no target then the baddies can't try to break in.

 

[thiggins]

Both MAC address filtering and blocking SSID broadcast are not foolproof. They basically can help keep casual snoopers and connection stealers out of your network. But they don't provide any obstacle to more knowledgeable users with even simple tools like NetStumbler.

Basically, MAC addresses can be detected and forged, making MAC filtering ineffective. Blocking SSID broadcast is also ineffective because there are tools that can probe for and discover APs in this mode.

How To Crack WEP - Part 3: Securing your WLAN may be worth a read.

 

[valient]

Also, MAC filtering is useless; I wouldn't be surprised if it takes more time to configure than it does to be circumvented. WPA/WPA2 with a strong passphrase is sufficient. To improve on that, you could use a different, also strong, password on your router to keep intruders from taking control.

Is that really true, though? Assuming the attacker doesn't have physical access to the router (in which case all bets are off at any rate), then doesn't the attacker need to join the wireless network in the first place in order to log into the router? And if an attacker can manage to brute-force a 256-bit randomly-generated passphrase on a WPA2/AES-only wireless network, would a strong password for the router's web interface really deter such an über-hacker?

I'm asking this seriously, BTW, not just trying to contradict you. I want to know if there really is a good reason for me to change my router's password from a lame one to a strong one.

 

[Martin]

Further to the security aspects of wireless, is there a way to have my DIR-655 notify me, send an email, when a connection is made or attempted? I was looking at the logged events but didn't see one about this type of event or didn't understand those that are there.

 

[jdabbs]

Is that really true, though? Assuming the attacker doesn't have physical access to the router (in which case all bets are off at any rate), then doesn't the attacker need to join the wireless network in the first place in order to log into the router? And if an attacker can manage to brute-force a 256-bit randomly-generated passphrase on a WPA2/AES-only wireless network, would a strong password for the router's web interface really deter such an über-hacker?

I'm asking this seriously, BTW, not just trying to contradict you. I want to know if there really is a good reason for me to change my router's password from a lame one to a strong one.

Having a secured router config is more of a deterrent than an obstacle. For home users, the likely reason for intrusion is to obtain Internet access. If it's a neighbor's network that is being accessed, avoiding detection is important as it'll probably be a long term "borrowing." First step break in, second step determine what other security measures are in place. Logs are a major worry: Gmail has the user's email address in the url; having that logged would be pretty damning. The easiest way to check is to access the router config. Once in, SOP is to snag the other authorized MACs on the network, change the password, disable logging (and make note of if they're being stored remotely), and create an exception for your MAC if you're lazy. By changing the password on the router, the end user will have to reset the router to gain access; that'll erase evidence of modification.

Uncertainty about getting caught (relative to initially being given the run of the place) boils down to "what you don't know can hurt you." Having your router passworded won't stop people who already have access from using your connection, but it leaves an ominous gray spot that encourages the cautious intruder to use an alternative, if available. From the end user's perspective, it gives you some chance of noticing (through logging) that someone has obtained access, and that evidence gathering should be initiated.

To actually address your points instead of elaborating on mine:

(Not explicitly stated) You have a passphrase that will take longer than the heat death of the universe to brute force. Shouldn't that be strong enough? In an ideal environment, yes. You've ruled out considering the physical approach, but there may still be vulnerabilities. Attacking an wireless adapter's drivers isn't unheard of. Additionally, if you have guests over, a cabled-in laptop with a ad-hoc connection may be the gateway into your network. In such an event, the only thing slowing an attacker in obtaining your passphrase is your router password.

Contending with the über-hacker: Would a strong router password stop someone capable of cracking it, as well as WPA2? Probably not. However, I do not think WPA2 is such an indicator of prowess. What separates someone capable of brute forcing a 8-character passphrase from a 20-character one? Time (and/or equivalent computational power). People can pick up WPA cracking fairly easily; there is an enormous gulf between those who can run a tool off a livecd and those that can do that, as well as know enough to write their own script to brute force router passwords. The more disparate skills necessary to defeat a security setup, the more secure it is. This is the strength of defense in depth.

WRT cracker skill, I will concede that the benefit from changing from a weak password to a strong one is of much lesser benefit than simply changing from the default to a weak one. I do think the relative cost of implementation is close to identical, so it really comes down to how much you value convenience.

 

[jdabbs]

Further to the security aspects of wireless, is there a way to have my DIR-655 notify me, send an email, when a connection is made or attempted? I was looking at the logged events but didn't see one about this type of event or didn't understand those that are there.

You'd have to configure a Syslog server on another machine, then have that one notify you for events that match your criteria. Without owning one, I wouldn't expect it to record failed wireless authentication attempts though (if that's what you're after).

 

[scotty]

Further to the security aspects of wireless, is there a way to have my DIR-655 notify me, send an email, when a connection is made or attempted? I was looking at the logged events but didn't see one about this type of event or didn't understand those that are there.

I have a DIR-655, used as an access point no less, and I've set up logging, but I dont think it logs any failed wireless access attempts. It can log a variety of other things, though, but mostly normal firewall kinds of things like port scans.

Unless you're in a particularly high risk environment, I would think doing all of the basics would be more than enough (i.e. WPA/2 with a strong key). Mac and SSID filtering are largely useless.

 

[Martin]

Thanks for everyone's advice. It helped me understand some of this wireless stuff. So aside from having what jdabbs calls "a passphrase that will take longer than the heat death of the universe to brute force," I gather that not much else is of real value. when it comes to access security. Now I just have to keep physical access under control.