Kevin Beaver Jul 31, 2009   9:45 PM GMT

Good point BlankReg, however you should never, ever assume that just because WPA or WPA are being used that you're automatically secure from wireless attacks. Elcomsoft's Wireless Security Auditor (EWSA) takes WPA and WPA2 pre-shared key cracking to an entirely new level. Using the mathematical acceleration provided by the certain video cards (several from NVIDIA and ATI are supported) EWSA can be used to perform a dictionary crack of your pre-shared keys at a rate up to 50,000 keys per second. So, WPA and strong pre-shared keys are a must....even if you've tested your wireless encryption and have come up with no weaknesses there's still likely room for improvement.

25,760 pointsBadges:

Rklanke Aug 1, 2009   6:37 PM GMT

Yes, change from WEP to WPA with strong encryption, but use strong keys as well. Weak keys are the failure point in any encryption scheme. See Steve Gibson's https://www.grc.com/passwords.htm, and it is free. I, too, don't see the point of multiple firewalls. Unless, perhaps, you're hosting a server. You're not hosting a server, are you? (That includes peer-to-peer file sharing, by the way.) There are products sold as firewalls and there's the concept of the firewall. Conceptually, a firewall filters (drops, ignores) network traffic. What did you want filtered? Remember that you are concerned with inbound and outbound traffic. Without a server, "ignore unsolicited inbound traffic" and "don't install any trojan horses" are your goals. This you can implement using a single firewall. With a server, your goals are more complicated and could require additional traffic filtering (additional firewalls).. Don't advertise your SSID. Some things you don't advertise. You know your SSID (and your key). Do not leave plug-and-play enabled on your wireless router. Do not configure your wireless router (and your firewall) to enable peer-to-peer file sharing. Too often people enable unsolicited network traffic to reach the end device. Too often the wireless router is breached and the firewall is breached because they are someone has configured them to leave little protection. See the Microsoft Technet article Secure Wireless Access Point for additional considerations. Not security related, but: Is that a b/g router? Bear in mind that when an 802.11b device connects (at up to 11 Mbps), the 802.11g devices operate at reduced throughput (up to 11 Mbps, not the desired 54 Mbps). Get rid of your 802.11b devices and switch the router to 802.11g only. Not security related, but: On the client, add Xirrus WiFi tools. Great information, free, ultra-nerdy, important information. Back to security: Is that a corporate, not home implementation? Have a concern about your perimeter? Don't like the idea of someone sitting in your parking lot, sniffing your traffic? You've implemented WPA with strong encryption AND strong keys (because an easily guessed password defeats any encryption) and you're not broadcasting your SSID, so you should be safe. Just in case, though, take that old b/g router and put it a little way into the parking lot, just far enough that eavesdroppers get this router; just far enough that it has the strongest signal. These "honey-routers" would be configured like production routers. They get power but they don't get a network drop. Don't put these "honey-routers" on your corporate network. The trick you're exploiting is: eavesdroppers cannot choose the device they connect to; they get these nearby "honey-router" devices. When connect successfully (because they're disgruntled ex-employees, perhaps), they cannot get interesting information. They get stuck on these "honey-routers". Now you need a way to protect these "honey-routers" from being disconnected from power or stolen. They will be discovered. Alarm them and include them within the range of your security cameras. Do not give in to the temptation of connecting them to the facility network to send an alert when they go off-line. Do not give eavesdroppers a way to acquire more information.

1,250 pointsBadges: