As I blogged previously, I experienced problems with my wireless network after I attempted to secure it using wired equivalent privacy (WEP). My 802.11b access point didn’t support WiFi protected access (WPA), so I turned off all the security (except MAC address filtering), thinking that there’s nothing here worth stealing anyway (except my bandwidth, and I don’t mind if my neighbours share my connection from time to time). Then, last week I attended Steve Lamb’s presentation on Wireless security and remote access and one point he made really worried me – what if someone was using my connection for something illegal? How could I prove that it wasn’t me (my ISP’s logs would show the IP address of my ADSL router and my account details)… unfortunately the answer is “with great difficulty”.
Whilst I live on a pleasant housing estate on the edge of a rural market town and I like my neighbours, I don’t know what their Internet interests are, and I didn’t want to run that risk. That meant only one thing – the wireless security must come back on – and ideally using WPA or WPA2.
Stage 1 was to buy a new access point (for not too much money). My budget of £40 (+VAT) meant that choices were somewhat limited. I had considered the Linksys WRT54G and WRT54GC until the friendly people at broadbandstuff highlighted that these devices don’t include a modem – I hadn’t realised that there is a difference between a broadband router (which is for cable) and an ADSL wireless gateway (which includes an ADSL modem). After that, I considered the Linksys WAG54G and its replacement, the WAG354G, but both were slightly over my budget and some articles I read suggested that the firewall wouldn’t let me configure my own rules. Thinking about it, I realised that I don’t need a new router – my Solwise SAR 110 has been working well since I stealthed it (I’ve since opened up a few ports and occasionally have to reboot, which I suspect is due to a denial of service attack, but thankfully not too often). After deciding that I only need an access point, I considered models from Linksys, NetGear and D-Link. The Linksys WAP54G looked good, until I read an (admittedly quite old) Toms Networking review that suggested it’s not too great on a mixed 802.11b and 802.11g network. I don’t like the styling on the consumer-focused NetGear equipment, but the business-focused WG102 looked good, had a great specification, but was too expensive for me this time around, so I decided to go for the D-Link DWL-2000AP+ instead, because:
- It’s cheap (£35.99+VAT).
- They had stock at RL Supplies (so I could pick one up on my way home).
- I can’t follow the guideline of going for a one-brand WiFi infrastructure but I already have a D-Link DWL-520+ wireless PCI adapter in my server and using D-Link equipment (supporting AirPlus) would enable 22Mbps running (whilst my mixture of Compaq and HP-branded 802.11b kit would still run at 11Mbps and the Intel card in my Fujitsu-Siemens notebook would run at the full 54Mbps).
- It supports WPA (although not WPA2).
Stage 2 was to migrate from the old to the new access point. This was remarkably painless (D-Link DWL-2000AP+ firmware version 2.11 6 April 2005):
- Note the details of the old access point configuration before switching it off.
- Set the IP address on a client PC (wired connection) to use the 192.168.0.0/24 subnet.
- Browse to http://192.168.0.50/ and log on with the username admin and a blank password.
- Run the setup wizard from the access point Home/Wizard page to set the admin password, SSID and channel (I left this at 6 as I already know that my neighbours are using 1 and 11) and encryption level (none at this stage). Restart the access point when prompted.
- From the Home/LAN settings page, change the IP address of the access point to something suitable on the correct subnet (this will automatically change the settings for the DHCP server on the access point, but this is disabled by default in any case) and restart the access point when prompted. At this point you can reset the client PC to use the original IP settings (DHCP in my case).
- From the Advanced/Filters page, enter the MAC addresses for any devices which need to connect to the access point and select the option to only allow the defined addresses to connect. Annoyingly, the access point needs to restart after each address is added, but it does have a handy clone feature to read the MAC address of each connected device and add it to the list of allowed addresses. If the MAC addresses are unfamiliar, use the client PC to ping known devices and then read the ARP cache (arp -a) to match MAC address to IP address.
- From the Home/Wireless page, change the access point name (from the default of DWL-2000AP+ to something which matches your naming standards). I used the name I had assigned to the existing access point, and which was already in my DNS. Restart the access point when prompted.
- Finally, from the Tools/System page, save all settings to the local hard drive (default filename is config.bin).
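For the MAC filter step above, matching addresses by eye from arp -a gets tedious with more than a few devices. The following is an added example (not part of the original post or any D-Link tool) that parses arp -a output in both Windows and Unix layouts and returns the MAC for each IP you pinged; the sample output, MAC addresses and function names are constructed for illustration, and the colon-separated output format is an assumption about what the filter page accepts.

```python
import re

# Constructed sample of Windows-style `arp -a` output (addresses are made up).
SAMPLE_WINDOWS = """\
Interface: 192.168.0.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-aa-bb-01     dynamic
  192.168.0.50          00-11-22-aa-bb-02     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample of BSD/Linux-style `arp -a` output.
SAMPLE_UNIX = """\
? (192.168.0.20) at 0:11:22:aa:bb:3 on en0 ifscope [ethernet]
laptop.lan (192.168.0.21) at 00:11:22:AA:BB:04 [ether] on eth0
? (192.168.0.22) at <incomplete> on eth0
"""

IP_RE = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")

def normalise_mac(mac):
    """Return the MAC as zero-padded, upper-case, colon-separated octets."""
    return ":".join(o.zfill(2).upper() for o in re.split(r"[:-]", mac))


def parse_arp(output):
    """Map IP -> MAC for unicast entries in `arp -a` output."""
    table = {}
    for line in output.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue  # headers, blank lines, <incomplete> entries
        mac = normalise_mac(mac.group(1))
        # Skip broadcast/multicast: the low bit of the first octet is set.
        if int(mac[:2], 16) & 1:
            continue
        table[ip.group(1)] = mac
    return table


def allow_list(output, known_ips):
    """MACs for the devices you pinged; unknown IPs are reported, not guessed."""
    table = parse_arp(output)
    found = {ip: table[ip] for ip in known_ips if ip in table}
    missing = [ip for ip in known_ips if ip not in table]
    return found, missing
```

Any IP that comes back in the missing list did not answer the ping (or was never in the cache), so check that device directly rather than adding an address you cannot attribute.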
Stage 3 is to configure WPA; however I want to leave the network running unsecured for a while longer, just to check that the mix of 11, 22 and 54Mbps 802.11b and 802.11g clients is working well. Once I’m happy with that, I’ll lock down the network. In the meantime, check out Steve Lamb’s post (and blogcast) on the subject.