Wifi Security With OS 9

[benos]

I've had my neighbor (the only house within WiFi range) tapped into my WiFi network for some time now. (He's got an old OS 9 iMac.) But after reading enough "WiFi security threads," I changed my Linksys router to WPA. But the password is rejected in his Airport, and a little bit of research looks like OS 9 won't work with WPA. And it looks like the only way to password protect the WiFi network is WPA, WEP, or RADIUS. So what's the best workaround here? (To at least get a password on the network, until I can get him into a newer Mac.)

be

[moverfive]

I've had my neighbor (the only house within WiFi range) tapped into my WiFi network for some time now. (He's got an old OS 9 iMac.) But after reading enough "WiFi security threads," I changed my Linksys router to WPA. But the password is rejected in his Airport, and a little bit of research looks like OS 9 won't work with WPA. And it looks like the only way to password protect the WiFi network is WPA, WEP, or RADIUS. So what's the best workaround here? (To at least get a password on the network, until I can get him into a newer Mac.)

be

I am curious what the real tech folks will recommend - but in the past I have also restricted access to specific MAC addresses. So I only list the addresses of those computers I will allow on the network.

[ChuckS]

Brian,

WEP can be cracked. I downloaded some software and "broke in" to my network in about 15 minutes. (I did start a file transfer so I could capture a lot of packets) It would take a while but it can be done. I suggest the following

Continue using WEP

pick a unique SSID (something other than "linksys, etc")

turn off SSID broadcast

password the router

change the local IP address to something other than 192.168.1.xxx

set the DHCP client limit to number of DHCP clients that you have

enable MAC filtering and enter all the MAC addresses that you want to let in.

Enable logging in the router to see if something weird has been going on

If possible, turn off your AP when it is not in use

Change WEP and router passwords and the SSID periodically.

this will take you to the point where someone has to crack your WEP, break in to the router, and change/disable MAC filtering. It can be done but it will take a determined individual. When your friend upgrades, go to WPA. I don't beleive anybody outside of the NSA has broke that yet.

Later,

Chuck

Edited July 28, 2006 by ChuckS

[benos]

Thanks for the nice breakdown Chuck.

Do you know if the "use WEP, turn off SSID, and Mac address" steps compatible with OS 9?

be

[ChuckS]

Thanks for the nice breakdown Chuck.

Do you know if the "use WEP, turn off SSID, and Mac address" steps compatible with OS 9?

be

AFAIK, OS9 will support WEP, but as you know, not WPA. Your turn off SSID on your access point. (I just realized I am making a bunch of assumptions here: You are using some sort of router with your DLS/Cable Modem, correct???). The access point is where you disable SSID broadcast. That means you have to configure each computer manually to "know" the ssid. It has been a long time since I have messed around with a Mac, so you are on your own on the manual SSID entry. Hopefully, Apple did not make it too "friendly" and took out the method for manual configuration. If you can't find the MAC address printed anywhere, just log into your router and look for something like DHCP Client list. The numbers can be found there.

Your best bet is to leave the configuration as is, shut down the router and computers, and restart the router, bring up one computer, log into the router and check the DHCP Client list. Record the number and then bring up the rest of the computers one at a time and record the numbers. You will then enter them into the allowed table.

Let me know if you have any questions. Just take your time an make sure you get all the numbers right. It is a PITA but, because of butt heads, I guess it is better to be safe than sorry.

Gotta go dry fire, it is supposed to be on 92 MAX(!) at Norco tomorrow!

[George]

For the time being you can just turn off SSID and then use the "Other" option in the Airport network select pulldown to type in the exact name of the network. This will make the network invisible and if you use a non-trivial name, it will pretty much prevent anyone for guessing it.

WPA is the issue for the OS9 machine and you will need it turned off for him to connect. This means that your data can be intercepted, IF someone is on the network. If the network name is secure, you should be fine for a long while. I would worry a lot less about sniffers in a residential neighborhood like yours, but adding MAC address lockouts would slam the door prett tight (to a degree). MAC adress lockouts should work with a 9.2 machine in AirPort. The MAC address is available in the About This Mac option in Apple Menu.

You can use WEP in 9, but only 40bit works and I have had trouble getting OS 9 machines onto Linksys routers running WEP before. The older Graphite Apple 802.11b base stations allow OS 9 and WEP with no problems whatsoever. I have not tried any 9 systems on the newer Extreme and Express base stations.

[shred]

I'd go with some of Chuck's suggestions--

* WEP or better as soon as you can. 128 bit WEP if possible. Change the key every so often, which is a pain.

If you can do 802.1x, that's better than WEP (well, it is WEP, but it auto-changes the keys all the time for you)

* enable MAC filtering and only allow the known MACs in. Those can be spoofed by the same programs that can see non-broadcast SSIDs well, but you'll know it if you and the hacker are both on at once.

* disable router login from the wireless side.

Those three will keep anybody out that isn't actually trying to break in, and those that are will need a lot of packets (typically many hours to several days worth) to get anywhere. Neighbors could do it, drive-bys won't. 99% of WiFi hackers are drive-bys looking for free networks or neighbors looking for free networks.

[Adam B]

a MAC address can be spoofed, I change mine all of the time when I do penetration testing. <Here is my rant>-who runs OS 9 anymore anyways, have your neighbor switch to linux for PPC if he cant use the encription level you are providing with his OS. </rant>

At this point there really isn't anything that can't be cracked, with a little dedication. Wireless security isnt that great to start with and everytime I turn around there is a new GUI program that allows a monkey to crack your wireless network.

Turn off DHCP (manually assign IP addresses, something like 10.X.X.X or 172.16.X.X, somehting other than the old 192.168.X.X), turn off your SSID broadcasting and use MAC filtering plus use the lower level of encryption that OS 9 will allow and that is about as good as it gets.

[benos]

Thanks for all the info everyone! That was more than I was hoping for.

be