The best secure wireless network for a college dorm

[geoffreak]

My roommate and I are wanting to share a network in our dorm room by using a single router (a Linksys WRT54G) to connect to the school's network and provide our room with a wireless network that actually works (the school's is crap).

Here are the devices that will be on the network:
- Mac Mini (wired)
- 2x Xbox 360 (wired)
- Wii (wireless)
- MacBook Pro (wireless)
- Dell laptop (wireless)
- random HP printer (wireless)

Obviously, being in a dorm, there are tons of other people who could jump onto our wireless network and use the internet. Normally you wouldn't think this would be a problem, but our wired connection is protected and tracked using a 802.1X protection, so if anyone else were to be using our internet connection for illegal activities or the like, we would be the ones who would get in trouble and have our internet terminated.

How can I protect the wireless network from being jumped onto? I plan on using WPA2 security, MAC address filtering (can I do this only on wireless?), and not broadcasting the SSID, but is this enough, and will it work with the Wii and printer?

 

[miles01110]

You could block the ports used by the various filesharing protocols if you're worried about that.

 

[belvdr]

Looks like you're doing all you can, and I wouldn't bother with MAC filtering, as it is too easy to spoof.

Miles' suggestion is spot on too. Block those ports and/or only allow port TCP 80 and 443.

 

[RandomKamikaze]

Looks like you're doing all you can, and I wouldn't bother with MAC filtering, as it is too easy to spoof.

Miles' suggestion is spot on too. Block those ports and/or only allow port TCP 80 and 443.

Might be easy to spoof, but it's another hurdle.

OP, I have got the same wireless security as you and my wireless printer works fine. I haven't tried the Wii. My laptops connect fine, as does my iPhone. All other devices are hard wired. I don't have any outbound port restrictions

 

[belvdr]

Might be easy to spoof, but it's another hurdle.

OP, I have got the same wireless security as you and my wireless printer works fine. I haven't tried the Wii. My laptops connect fine, as does my iPhone. All other devices are hard wired. I don't have any outbound port restrictions

I guess. It doesn't seem like much of a hurdle, since you can just sniff them over the air.

By the way, I have the same setup (minus MAC filtering) and my Wii has had no issues.

 

[RandomKamikaze]

I guess. It doesn't seem like much of a hurdle, since you can just sniff them over the air.

By the way, I have the same setup (minus MAC filtering) and my Wii has had no issues.

I agree, and if they are determined to get in they will, but the more work you make it, the bigger the chance they will just give up. We are talking about students...(joke)

 

[K3mp]

I would just use WPA2. If you block port 80 your xbox experience will suck.

 

[belvdr]

I would just use WPA2. If you block port 80 your xbox experience will suck.

And there's no reason to have an Internet connection then either.

 

[whatupg1]

Also make sure to use a secure password for the router one that is not in the dictionary and easily guessed.

 

[geoffreak]

Thanks for the tips, everyone.
I'll keep the password somewhat difficult to guess, but there is no point in having an impossible password, because if they can't guess it, they'll just monitor wireless traffic anyways. Now, I don't think that anyone will try and hack into our wireless network, but better be safe than sorry.
I think I will avoid the port blocking because I am a web developer and need access to a larger number of ports than most people ever use. File sharing clients can search for any open port, so technically as long as one is open, it can get through.
We will be situated in a corner of the dorm on the top (third) floor (a corner next to the street and a parking lot), so placing the wireless router as far into the corner of the building as possible will decrease the number of people who could possibly hack into the system. The dorm as actually really far out of the way on the corner of campus, so I don't expect anyone who has the ability to hack a wireless network to be anywhere nearby.

 

[xparaparafreakx]

1. Are you even allowed to have wireless in your dorm? Is there a certain way they want you to configure it? Please tell me your not going to let the router set up as DHCP and not as an ethernet bridge?

2. As time goes by, someone will crack into the router. Someone is going to use kismet and get into your router.

3. Is it worth losing your internet access in your dorm?

I lived in a dorm 2 years agos and this is what I did.

I email the people and was told you can not have wireless routers in your room. However they were okay with me doing an ethernet bridge.

I changed my password and network name every month. I figured some computer science major on the dorm floor got bored and was using kismet. I disconnected the router when I was going out or went home.

 

[paduck]

1. Are you even allowed to have wireless in your dorm? Is there a certain way they want you to configure it? Please tell me your not going to let the router set up as DHCP and not as an ethernet bridge?

2. As time goes by, someone will crack into the router. Someone is going to use kismet and get into your router.

3. Is it worth losing your internet access in your dorm?

I lived in a dorm 2 years agos and this is what I did.

I email the people and was told you can not have wireless routers in your room. However they were okay with me doing an ethernet bridge.

I changed my password and network name every month. I figured some computer science major on the dorm floor got bored and was using kismet. I disconnected the router when I was going out or went home.

While there is no reason to be excessively paranoid, setting up your router as encrypted and changing the key every month is a good idea - dorm room or not. If you turn it off when you are gone for the day and at night, that will limit its availability for someone to do a brute force attack.

The bottom line then is that you have made yourself significantly less of a target than all your college dorm buddies around you who aren't running WAP2 encryption and leave their wireless routers on 24x7. The key is to have better targets around than you. You could go further and make it so your SSID/wireless name aren't publicly broadcast, but that is probably not necessary.

You have a lot of technology in a little dorm room (two xBoxes and a Wii?).

The comment about the wired network is good as well - you won't get hacked if everything is wired and there is no wireless!

I'd also check and see what your college's policy is on wireless networks. You don't want to get the plug pulled for violating that either. And trust me, they will find out that you are doing it...

 

[dmmcintyre3]

1. do the printer wired.
   
2. WPA2 + RADIUS + HIDDEN RANDOM SSID + lowest transmit power possible
   
3. Set up an login screen where you have to login every time you connect and deny access to any port before you log in to this page. Use a different password form the WPA2 key. Set the login page on a different port than 80 (something random 4 digits and no repeating characters )
   
4. Set the page to redirect a unidentified user agent to a 403 page. Use a custom user agent or a unknown browser with a custom user agent. (insert random codes in there (non previously used or part of your MAC address)Then make them connect a VPN to even get to all this security
5. Proxy Server logging all activity

Bet the collage will just think it is a network with no internet if they do find it.
User Agent
Change some things but:

SPAM/1.6.9 (SPAMintosh; S; PPC Mac OS X 10_9_7; en-us) iSPAMKit/530.18 (GHTML, like GOOGLE) Version/0.5.2 SPAMFORUMBROWSER/268.91

 

[Airforcekid]

I use airport express all basic security and unplug it when not in use. Im not allowed to have any router (why I dont know) but I have never been caught. Also how can you turn the strength of the signal down?

 

[xparaparafreakx]

1. do the printer wired.
   
2. WPA2 + RADIUS + HIDDEN RANDOM SSID + lowest transmit power possible
   
3. Set up an login screen where you have to login every time you connect and deny access to any port before you log in to this page. Use a different password form the WPA2 key. Set the login page on a different port than 80 (something random 4 digits and no repeating characters )
   
4. Set the page to redirect a unidentified user agent to a 403 page. Use a custom user agent or a unknown browser with a custom user agent. (insert random codes in there (non previously used or part of your MAC address)Then make them connect a VPN to even get to all this security
5. Proxy Server logging all activity

Bet the collage will just think it is a network with no internet if they do find it.
User Agent
Change some things but:

SPAM/1.6.9 (SPAMintosh; S; PPC Mac OS X 10_9_7; en-us) iSPAMKit/530.18 (GHTML, like GOOGLE) Version/0.5.2 SPAMFORUMBROWSER/268.91

Awesome. And i though I was over kill.

Now all it takes is someone with kismet to sniff all the data and get the password to log in.

Or they will skip you and log into someone elses wireless.

As for RADIUS, I think im lazy and gonna go for bluesocket for my site this summer.

 

[geoffreak]

My college technically doesn't allow for routers in our rooms, but last year while I was talking with the IT department for some help on something, they said they noticed "routing activity" and I just replied "your point?". They warned me that I would be the one who got in trouble if someone broke the rules using my access, but didn't really seem to care. I wouldn't get any support for it though.

I will setup the router to do DHCP because our logins are only granted access to one MAC address on wired and one MAC address on wireless. It is a PITA to get them to allow for more computers.

I'm not terribly worried about people hacking into my wireless. I'll get to know all the people who are in dorm rooms close enough to pickup the wireless signal so I can see if any have the technical knowledge to do such an act.

Most people won't go through the trouble of hacking another wireless network because of the campus-wide wireless network already in place. It would be much simpler to login to someone else's wireless access account than to crack an unknown network. Also, a large number of people with any remote technical knowledge bring their own routers and do what I'm doing, so they don't need to bother to hack another network. Also, there are a number of free wifi access points just off campus where everyone goes to bittorrent anyways (the only reason to hack someone else's account).

Last year when I had my own wireless network, I didn't bother turning off the router when I was out of my dorm room because nothing was on wireless besides my laptop which I always take with me (anyone with any knowledge about wireless networks knows that you need to have active wireless traffic in order to crack into a network). I only turned it off when I left for Christmas break (the power was off in the dorm) or when I had to use the router for a robotics project.

 

[TBi]

If you are really security conscious then buy a more expensive router which supports VPN log on. My draytek Vigor 2820 Allows you to set up a wireless network (encrypted or not) but you can only access the router/network by creating a VPN connection into the router.

So you can have a WPA2 password and a further VPN password before anyone can actually get into your network. For even more security you can use certificates so people can't just hack your VPN password.

Now that's secure

 

[geoffreak]

A VPN router sounds cool, but I don't think it will work with a wireless printer or a Wii

 

[dukebound85]

most if not all colleges do not allow for wireless in dorms set up by students as its out of the control for them

just dont do it if its against their policy

 

[ChrisA]

My roommate and I are wanting to share a network in our dorm room by using a single router (a Linksys WRT54G) to connect to the school's network and provide our room with a wireless network that actually works (the school's is crap).

Why even bother with wireless? Is the room so large that you can't run wires? As long as you don't have to cross a doorway just run wire along the baseboards. Wire is always much faster, more secure and much lower cost.

 

[Stratoukos]

It my be usefull to know how WPA2 is broken. They only need to sniff one packet, get the hash of your passwords and try to break it brute-force style through eternity. So finding ways to reduce the radius of your WLAN won't benefit you since they only need one packet.

So what I would do is protect the router with WPA2, carefully watch the logs and if anyone ever got into I would change the password, leaving the attacker back at square one (maybe you can write a script for it. Unknown MAC logged -> change password to a random string and alert me)

The real danger imo are "unconventional attacks". You have some friends over at your room, you look away, they check your pw from your settings. What if you or your roomate gets a boyfriend/girlfriend? Would he/she get the password? That kind of stuff.

 

[Zortrium]

Securing a wireless network so that anyone other than a seasoned and determined hacker can't gain access is pretty simple:

1. Use a totally random, mixed case + numbers + symbols WPA2 key that's at least 15 characters or so. The key doesn't need to be easily typed or anything since it probably only needs to be entered once per device. This will prevent any sort of brute forcing on the network.

2. Use an equally obscure password for the router login. Moreover, disallow router access from wireless clients. This means that you'll only be able to get to the router from the machines that are physically plugged in, which adds an extra layer of security.

3. Disable the wireless SSID broadcast (as you're already planning to do).

4. Wireless MAC address filtering (as you're already planning to do).

5. The last thing I'm surprised nobody's mentioned is the possibility of custom firmware. You mentioned that your router is a WRT54G -- these routers are great because they run Linux, which allows you to install custom firmwares that are leaps and bounds better than the junk Linksys firmware that comes on it. I recommend the excellent Tomato firmware -- my home network is run by it on a WRT54G. Note that you can only easily install custom firmware on a WRT54G if it's a version 4 or prior -- those after version 5 are crippled and not as capable.

 

[lag1090]

I plan on using WPA2 security, MAC address filtering (can I do this only on wireless?), and not broadcasting the SSID, but is this enough, and will it work with the Wii and printer?

That pretty much the best that you can get.

Filtering ports isn't going to help you very much. Your only safer alternative would be to use an all-wired network.

Some routers also include the option for setting the broadcast signal strength. Turning it down would lessen the chances of someone connecting to your network.

 

[geoffreak]

Why even bother with wireless? Is the room so large that you can't run wires? As long as you don't have to cross a doorway just run wire along the baseboards. Wire is always much faster, more secure and much lower cost.

First of all, the Wii is only wireless and so is the printer, so that means we can't use those devices. The cost of my setup is zero because I already own the equipment, but buying more wires would increase the cost, not not mention that I won't have enough ports on my router. I move around the room a lot, so having wires all over the floor to connect my laptop is not an option.

The real danger imo are "unconventional attacks". You have some friends over at your room, you look away, they check your pw from your settings. What if you or your roomate gets a boyfriend/girlfriend? Would he/she get the password? That kind of stuff.

I don't have to worry about these because we live an a very obscure dorm, and all our "friends" are elsewhere. My roommate and I have agreed on not bringing girlfriends back to the room, and we have the same set of friends that we trust. Our room will always be a mess so we will avoid having people over to avoid having to clean

Moreover, disallow router access from wireless clients. This means that you'll only be able to get to the router from the machines that are physically plugged in, which adds an extra layer of security.

Good idea. I don't know why I didn't think of this

The last thing I'm surprised nobody's mentioned is the possibility of custom firmware. You mentioned that your router is a WRT54G -- these routers are great because they run Linux, which allows you to install custom firmwares that are leaps and bounds better than the junk Linksys firmware that comes on it. I recommend the excellent Tomato firmware -- my home network is run by it on a WRT54G. Note that you can only easily install custom firmware on a WRT54G if it's a version 4 or prior -- those after version 5 are crippled and not as capable.

My Linksys router is quite old (3-4 years), so I'm fairly certain that it can run a custom firmware, but I've never bothered to try. I've heard of this specific firmware for my router before but have never gotten around to trying it out. Maybe this weekend I'll give it a look over.

Some routers also include the option for setting the broadcast signal strength. Turning it down would lessen the chances of someone connecting to your network.

I haven't noticed such an option in the WRT54G's original firmware, but it is possible that the Tomato firmware could do this. Having such an option would certainly lessen the chances of a hacker coming in.

 

[TBi]

Personally i think you are worrying too much. I don't think many people will be bothered hacking a WPA2 encrypted network.