Setting Up Network Security

Superfreak3

I just purchased a TRENDNET TEW-432BRP wireless router and here is
what I have so far in the way of functionality....

I currently have Broadcast SSID set to disabled
My broadcast strength is set to low
I have two computers able to access the network through MAC Filter

Now, how can I secure the wireless network more?

I want to set the encryption to WPA2 - PSK with AES (I know the PSK is
for personal as opposed to Enterprise, but not sure on the AES.). The
router setup area for this also prompts for a passphrase. What type
of value should I use here? What is this used for?

When I attempt to set up the encryption, I can no longer access the
net through my two laptops. When I attempt to set up the connection
to my wireless network on one of them via Windows Wireless Network
Configuration Settings, I am prompted for a Network Key. Where do I
get this or how is it generated? Does it relate at all to the
passphrase that would be entered as described above?

In the Wireless Network Configuration Settings area, it indicates that
if WEP is used, the key can be either 5 (64 bit) or 13 (128 bit)
ASCII characters or 10 (64 bit)/26 (128 bit) HEX characters. ????? Is
this the same for WPA2?

Also, the installation CD jacket that accompanied the router has an
area to record your SSID and Encryption Key. Where do I get this key
or how is it generated? How does it relate to the passphrase or
Network key described above, if at all?

Any help is greatly appreciated. I just want to make my home network
as secure as I can.

Thanks in advance!
 
smlunatick

You need to get a separate update to enable the WPA2 security with XP.
http://www.microsoft.com/downloads/...25-ce2b-47a4-abec-274845dc9e91&displaylang=en

And you should also update all wireless adapter drivers.

Also, not broadcasting the SSID is not a method of securing the
wireless network. It can cause network access problems or slowdowns.

As for the Encryption key / network key, this is the "passphrase" that
you come up with. If you set up a "key" within the wireless router,
you need to enter the same key at each wireless network adapter.
 
Superfreak3

Is there any way to tell if XP and the Wireless Adapters are WPA2-
ready before installing XP update or adapter drivers?
 
Superfreak3

Well, when I attempt to run the download from the provided link, it
basically indicates that what I am trying to install is older than
what is currently installed. It can only be applied to SP 1. So, I
guess I'm up-to-date.

In the Wireless Configuration Settings area, the authentication choice
does not include WPA2 on my laptop, however. It does contain WPA-PSK
(Personal) though. Will this cause problems if Router is set to WPA2?
 
Lem

Your ability to use WPA2 (on the computer side) depends on two things:
that WindowsXP has been properly updated with WPA2 support AND that the
wireless adapter supports WPA2. If WinXP has the WPA2 update and you
still don't see WPA2 in the wireless configuration screens for your
adapter, you may be able to get WPA2 by updating the driver for your
wifi adapter. Check the website of the adapter's manufacturer (or a
laptop manufacturer, if you're using a laptop).

If you can't configure *any one* of your wireless adapters to use WPA2,
then yes, setting the router to use WPA2 will cause problems.

On the other hand, WPA-PSK with AES encryption (if this option is
available on *all* devices) is practically as good as (if not equivalent
to) WPA2.

Finally, MAC address filtering -- like disabling SSID broadcast -- is
not an effective security measure. Although MAC address filtering is
not as likely to cause problems as disabling SSID broadcast, it's just
one more thing to have to remember to deal with if you ever have to
troubleshoot your wifi connectivity.

--
Lem -- MS-MVP - Networking

To the moon and back with 2K words of RAM and 36K words of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
http://history.nasa.gov/afj/compessay.htm
 
Lem

To be clearer, *any one* in my comment means *all*. Basically, all
wireless devices that are on any given wireless network must have the
same level of encryption.

--
Lem -- MS-MVP - Networking

To the moon and back with 2K words of RAM and 36K words of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
http://history.nasa.gov/afj/compessay.htm
 
Superfreak3

In the Wireless Configuration widget on my laptop, if I select WPA-
Personal (PSK) the network key requirement changes to 'between 8 and
63 characters'. Will this be equivalent to the passphrase? Should I
write down whatever value I use here as the Encryption Key?

Also, with the WPA option in the widget, there is no AES. This is a
setting in the router, I believe.
 
Superfreak3

Also, the other laptop is a Mac PowerBook, so I guess that's a
different dilemma.
 
Superfreak3

I read about not broadcasting the SSID and using MAC filters to
enhance the security, not to solely base your peace of mind on them.

Once I get the Encryption thing straightened out, am I basically
secure with regard to the wireless network within my home?

I can't quite recall if when I choose WPA in my router settings if it
requires a passphrase or not.

So for the sake of clarity, the exact string of characters that I
enter in the passphrase is what is to be used in the Wireless
Configuration on my laptop as the Network Key? Is this too the
Encryption Key? It appears that the passphrase and/or network key
need to conform to some format based on the level of encryption
desired. Is this the case?

I'm sorry if I'm being repetitive, but I just want to get this out of
the way and not have to worry much about security of my network.
 
Lem

If you use WPA encryption with a reasonably "strong"
password/passphrase/key (more about this later), then you are indeed
basically secure with regard to your home wireless network.

There are still many websites that suggest "hiding" your SSID (i.e., not
broadcasting it) and using MAC address filtering as methods of
increasing the security of a home wifi network. Neither technique adds
much, if anything, to your security, and not broadcasting the SSID may
cause problems. If you're interested, read this:
http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx

There are 3 "flavors" of encryption commonly available for home wifi
networks: WEP, WPA, and WPA2. WEP today is similar to leaving your
front door open, closing the screen door, and fastening the screen door
with a hook. WPA was an interim measure. WPA2 is the current state of
the art for home wifi security. Prior to WPA2 being "certified," some
wifi manufacturers had a setting for WPA that offered either TKIP or AES
encryption. In this case, choose AES; this is the encryption scheme
that's used in WPA2.

Your router may have an encryption mode that will automatically work
with either WPA or WPA2, whichever your wifi adapters are capable of.
If so, be sure to select that mode rather than WPA2-only or the like.

If your wifi adapters (or your laptop, if you're using a built-in wifi
adapter) are less than 2 or 3 years old, they may well support WPA2. Be
sure to check for any driver updates.

All encryption techniques involve the use of a "secret." Anyone who
knows the secret can understand the encrypted message. Anyone who does
not know the secret can not (unless they can "break" the encryption).

When WEP encryption was used, the secret was generally called a "key."
In the context of WPA and WPA2, it's often called a "passphrase" (but it
also may be called a "pre-shared key"). Whatever you call it, it's the
secret that protects your wifi network.

When you enabled WPA or WPA2 on your router, you *did* enter a
passphrase. Generally, the router instructs you that your passphrase
must be between 8 and 63 characters long. Exactly what those characters
are is up to you. If you decide to make your passphrase 12345678, then
no matter how sophisticated the encryption technology may be, anyone who
really wants to try is going to be able to easily figure out your secret
and break into your network.

There are lots of tips for generating a strong passphrase (i.e., one
that's not easily subject to brute force attack). Although there are
password generators available on the Internet that will generate a
"random" 63-character passphrase, you'll never remember it unless you
write it down. In general, pick a phrase that's 15-20 characters in
length, include upper and lower case letters, numbers, and symbols, and
avoid "dictionary words." Some users develop mnemonic phrases that
generate seemingly random passwords — for instance, the first letter of
each word. Another way to make "random" passwords more memorable is to
use random words (see http://en.wikipedia.org/wiki/Diceware) or
syllables instead of randomly chosen letters.

Barb Bowman, an MS-MVP and frequent contributor here, has a good article
on using WPA2:
http://www.microsoft.com/windowsxp/using/security/expert/bowman_wirelesssecurity.mspx

Finally, I don't know the details of setting up WPA or WPA2 on a
PowerBook, but it shouldn't be too difficult or much different than Windows.


--
Lem -- MS-MVP - Networking

To the moon and back with 2K words of RAM and 36K words of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
http://history.nasa.gov/afj/compessay.htm
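
Added example, not part of the original thread: how the 8-to-63-character passphrase discussed in the post above becomes the actual key. WPA and WPA2 Personal derive a 256-bit pre-shared key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations); the function names, SSID and passphrase below are constructed for illustration.

```python
import hashlib
import string

# Printable ASCII (space through tilde): the characters a WPA/WPA2
# passphrase may contain.
_PRINTABLE = {chr(c) for c in range(32, 127)}


def classify_network_key(key: str) -> str:
    """Classify what was typed into a 'network key' / 'passphrase' field.

    Returns "passphrase" for 8-63 printable ASCII characters, or "raw-psk"
    for exactly 64 hex digits (the 256-bit key entered directly).
    Raises ValueError for anything else, e.g. a 5- or 13-character WEP key.
    """
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return "raw-psk"
    if 8 <= len(key) <= 63 and all(c in _PRINTABLE for c in key):
        return "passphrase"
    raise ValueError("need 8-63 printable ASCII characters or 64 hex digits")


def derive_psk(network_key: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key that router and client both compute."""
    if classify_network_key(network_key) == "raw-psk":
        return bytes.fromhex(network_key)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
    return hashlib.pbkdf2_hmac(
        "sha1", network_key.encode("ascii"), salt, 4096, 32
    )


def same_key(router_entry: str, client_entry: str, ssid: str) -> bool:
    """True when the router's and the laptop's entries yield the same PSK."""
    return derive_psk(router_entry, ssid) == derive_psk(client_entry, ssid)


if __name__ == "__main__":
    ssid = "HomeNet-Example"                     # constructed SSID
    phrase = "correct horse battery staple 42!"  # constructed passphrase

    # The key both sides end up using, shown as 64 hex digits.
    print(derive_psk(phrase, ssid).hex())

    # Identical entries on router and laptop match; any difference,
    # including letter case, produces an unrelated key.
    print(same_key(phrase, phrase, ssid))
    print(same_key(phrase, phrase.upper(), ssid))

    # The SSID is the salt, so the same passphrase on a differently
    # named network gives a different key.
    print(derive_psk(phrase, "OtherNet") == derive_psk(phrase, ssid))
```

The format check only enforces length and character set: 12345678 passes it, so the strength of the passphrase is still the user's responsibility.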
 
Superfreak3

This information is most helpful!

From Steve Riley's article, it seems that the wireless network is set
up on the Windows system before any settings are set in the Router.
Should this be the case? I went ahead and set the settings in the
Router first. Is this my problem?

From the Wizard he illustrates, you can set the key to be generated
automatically??

Also>>
To enable automatic wireless network configuration
1. Click Start, click Control Panel, and then double-click Network
Connections.
2. Right-click Wireless Network Connection, and then click Properties.
3. On the Wireless Networks tab, make sure the Use Windows to
configure my wireless network settings check box is selected.

I don't have a Wireless Networks tab in this widget.

So, in short, the passphrase I use in the router settings is what I
should use in connecting to the network from the laptops. Is that
the idea?
 
Lem

I'm not sure what article you're looking at. The Steve Riley article I
linked to discusses why not to hide SSID (or use MAC filtering), and I
don't see where he discusses any "wizard."

In any event, you should configure the router first (as you did).

If you don't have a Wireless Networks tab in the Wireless Network
Connection Properties dialog, then you probably are using a utility
supplied by the laptop manufacturer (or the wifi adapter mfr), and it
has disabled the Windows Wireless Zero Configuration service. See
http://www.ezlan.net/wzc.html

Yes. The passphrase you entered in the router encryption configuration
page is the one you use when connecting to the network.


--
Lem -- MS-MVP - Networking

To the moon and back with 2K words of RAM and 36K words of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
http://history.nasa.gov/afj/compessay.htm
 
Superfreak3

It was a link on the article regarding SSID and MAC Filtering:

http://www.microsoft.com/downloads/...e8-fc41-4eb1-9374-44612e64f0fb&displaylang=en

I don't see WPA2 in my Network Authentication drop-down on my laptop,
so I guess I'll just use WPA-PSK with AES set as well.
 
Jack (MVP-Networking).

Hi
WPA-PSK with AES is the current consumer WPA2.
Jack (MVP-Networking).

 
Superfreak3

Ah, Got It! Cool.

I have my network secured with WPA-PSK, hopefully, and can gain access
with my Dell and Mac PowerBook G4 laptops.

One thing that did ring true, mentioned in an early post, is that I had
to Broadcast the SSID for the Mac. If not broadcasted, the Mac
indicated that the access point didn't utilize the encryption type
being used (or something to that effect). Once broadcasted, I was
able to connect without issue.

"WPA-PSK with AES is the current consumer WPA2" - on the Mac side, I
think they were two distinct encryption choices, but if WPA-PSK with
AES option selected gives security equal to or similar to WPA2, I'm
OK, I guess.

Thanks so much for all the help! It was so easy and I was getting
frustrated as it just was not working. If I had kept plugging away at
the passphrase, I probably would have stumbled onto success, but this
helped Greatly!

Thanks Again!
 
