This was an experiment under slackware linux and windblows to secure my home wireless network.

In your wirless router
step 1. turn off "Broadcast ESSID"
step 2. turn off "DHCP"
step 3. use a "non-standard address scheme"
step 4. change the "ESSID" from "default" to anything other than "default"
step 5. Enable WEP
step 6. Enable MAC Filtering

On you computers
step 1. staticly configure the clients on your network
step 2. use a software firewall in the clients on your network

use this script to configure your linux machine and place in your rc.d directory, then make an entry in your rc.local script to run this one.
#####################################################
#!/bin/sh

# Change these settings as needed
INTERFACE=ethx
IPADDR=xxx.xxx.xxx.xxx
BCAST=xxx.xxx.xxx.xxx
GATEWAY=xxx.xxx.xxx.xxx
NMASK=xxx.xxx.xxx.xxx
NETWORK=xxx.xxx.xxx.xxx

ESSID=yourwirelessessid
WEP=your_WEP_KEY

#####Comment out the lines you DO NOT need based on your configuration######
#To comment out a line in this script put the "#" without the " before or after it.###
#For example the line that reads "#/sbin/dhcpcd $INTERFACE" is commented out.###
#Notice the "#"before the command.This means that this line will be ignored.###

#####################################################
###These 2 lines are used to set up your wireless WEP key & ESSID###########
/usr/sbin/iwconfig $INTERFACE essid $ESSID
/usr/sbin/iwconfig $INTERFACE enc $WEP
#####################################################

#####################################################
######Use this line if your ethernet is configured through DHCP#############
#/sbin/dhcpcd $INTERFACE
#####################################################

#####################################################
######Use these 3 lines if you have configured your ethernet connection
######as a static connection
/sbin/ifconfig $INTERFACE $IPADDR broadcast $BCAST netmask $NMASK allmulti
/sbin/route add -net $NETWORK netmask $NMASK gw $GATEWAY dev $INTERFACE
/sbin/route -A inet add default gw $GATEWAY $INTERFACE
#####################################################

statically configure your windblows clients as necessary

now you should have as secure as possble wireless network. especially if you use all non-standard settings.

The security comes in that the fact that the intruder will have to guess your ESSID,WEP key, your non-standard ipaddress scheme and then try to clone one of your MAC Addresses to connect to your network. all this in combination with not broadcasting a DHCP resonse will make it not worth the intruders time to persue hacking into your network.

remember these steps will severely impede an intruders attempt to use your network, but in the end, if they want in bad enough they'll proabaly find away to do it.

Some may disagree, but turning off DHCP and using a "non-standard address scheme" won't make a significant difference. Also turning off broadcasting may help, though it can cause problems as well.

If all you are trying to do is keep out casual intruders, MAC filtering plus WEP should be sufficient. In order for a potential intruder to connect with these two features enabled he is going to need to get your WEP key. The most likely way to get this is by sniffing your own traffic and getting the key from that. Once he/she has the key, address range and SSID are easy to obtain and really do not constitute additional work. MAC filtering is also easy to fool, though a casual war driver might have problems with it so it is worth doing if your configuration allows it.

My main problem with WEP is it gives a false sense of security. For all practical purposes a WEP connection should be considered the equivalent to connecting from a public access point. Any information sent relying on only wep for security can be deciphered by a persistent attacker. (Think ftp passwords, remote X sessions, etc...) Again though, for casual intruders WEP plus MAC filtering is fine. If you really want to secure it as much as possible, force all wireless connections to use IPSec. It can still be beaten by a determined intruder, but the threshold required is much higher.

Run Kismet and see how well your theories hold up.

Disabling SSID broadcast does not make the access point invisible (except to NetStumbler or a similarly crude tool), nor does it hide the SSID. The access point must, by design, respond to a probe request with its SSID.

MAC addresses are always passed in cleartext, never encrypted. They are immediately available to a listener, along with the IP address of the AP and clients.

WEP is flawed, but more difficult to crack than many would have you believe. Short of WPA or some other 802.1x-based protection, WEP with frequently changed keys is still your best protection.

Out of curiosity, is it okay for two network devices to be on the same network which report the same MAC address? I imagine it is but?

Steve

I agree with Mephisto. Turning on WEP and MAC address filtering is perfect for keeping the casual intruder out, but if someone with skill wants to get in, they are going to all it takes is time. Another thing that I did not see mentoined was upgrading the firmware one your router. Also after you do that, the vender of your router might have upgraded/added new functionality such as WPA (Wifi Protected Access). WPA is the successor to WEP and does not suffer from the holes/vunerablities in WEP. Granted your drivers for your Wifi card have to support WPA as well. But WPA was designed in mind with just a update of software/firmware/driver not new hardware, so most things should be compabable.

-tank

The basic rules are that an interface should have only one MAC and a given IP address should have only one MAC. What we are discussing though is two devices in the same network segment with the same MAC address. In the case of wireless I believe it would work, but it may cause network problems. Basically both clients would receive all the data going to and from the MAC. On a conventional ethernet switch you would not be able to have two interfaces with the same MAC of course. But a wireless access point is by it's nature a hub.

For a simple example of bypassing WEP controls you might read this: http://www.oreillynet.com/lpt/a/4081 The amount of traffic needed to crack a key is really the determining factor on how long it would take. (low traffic = long time, high traffic = short time) As Tank728 mentioned, WPA is more secure and a better option than WEP if hardware and drivers support it

it's great to see all the responses to this thread, it helps me learn more about the subject at hand. thanks to all of you for your input and helpfull suggestions.

steve