Our wireless router has been having “issues”, so I bought a new one before it completely dies. We had used WEP on the old one, but switched to WPA2 about a year ago, and are using it on the new one.
The problem is my sons have DSes, and those can’t connect using WPA*. When we switched to WPA2 from WEP, they couldn’t do whatever it was they used to do.
Until the old one completely dies, is there some secure way to set up both wireless routers, with the old one using WEP, and used only for the DSes? I guess I don’t know what the security issue is. I know WEP is almost as bad as no security, but does it put our whole network at risk, or is it just that the transmitted data is easily accessible?
We wouldn’t use the WEP for PCs, only DSes, and they would only need to go to the internet, not have access to our local network. Can I limit it somehow to make it more secure than if we were just using WEP for everything? (We could only turn the old one on when they’re using it, but they’d never remember to turn it back off when they were done.)
I know I’d want to set the routers to different channels (from 1, 6, or 11).
OK, it actually depends on the game, but they have several that only support WEP.
Once you crack the WEP password, you can use it to gain access to all the computers on the network. Think of it like doors to a building; you only need to break into the weakest of them in order to get in to everything.
To be precise, you have access to the wireless network and the data stream therefrom. Whether you have actual access to the computers on the networks depends on how hardened they are against intrusion. Prudent best practice is to assume the network can be compromised regardless of wireless encryption, establish good firewall and tripwire protocols, and don’t transmit any private data via cleartext i.e. unprotected e-mail.
And the average home user really isn’t worth the effort…
Any wireless security can be defeated. Even if someone breaks into your wireless it doesn’t hand them free access to use your computer as you do, doesn’t just hand over bank passwords, etc. Just like getting mugged, robbed, etc., “can happen” and “will happen” are very different animals.
The official line from Nintendo is that the DS doesn’t have the processing power to handle the streaming encryption for WPA, so it’s not going to get more than WEP.
The issue with WEP is eavesdropping; if outsiders capture enough WEP packets, they can decode all WEP traffic on your network.
What your link describes is something different and, I think, incorrect even in its own message (it’s suggesting that another router layer is going to stop copyright holders from identifying your home network when piracy occurs. That isn’t true because no matter how much network address translation [i.e., home routing] is going on at the family’s end, their single external IP is still going out to other BitTorrent peers – including RIAA moles – and that’s what the ISP bases its cease-and-desist letters on).
In the OP’s scenario, I think a WEP network within a WPA2 network would limit eavesdropping to the WEP DSes (since the WPA2 router would hopefully be smart enough to not send other computers’ traffic to the DSes), but it would still be vulnerable to attackers masquerading as fake DSes and attacking the rest of the WPA2 network with malformed packets and such. In other words, it affords you privacy unless/until your security is breached. (It’s the difference between monitoring what you broadcast and hacking your computer)
In my experience, however, even a wide-open home WiFi network is at most going to get a few leeches. Hackers don’t really give enough of a damn about what you and your (presumably generic) family do to go all cloak-and-daggers on you. Unless you have security clearances or geeky enemies, I agree with what drachillix said: it just ain’t worth the effort.
This is reasonably simple. You set one router to WEP and the other to WPA2. You lock down the WEP router to just the MAC addresses of your DSes. Make sure each router gives out a separate range - e.g. 192.168.0.x for WEP and 172.16.a.b for WPA2 - then wire the WEP router into the WPA2 router. The WEP router must be downstream of the WPA2 router. Then lock down the IP address given by the WPA2 router to the WEP router. You basically want to block it from access to the rest of the network. The acme would be to have three routers, plugging both wireless routers into one wired router which then plugs into the internet and disabling routing between the two routers.
Cracking WEP isn’t trivial. The amount of time required decreases drastically as usage increases, because there’s more packets to capture, so it works best for high traffic routers. E.g., a Starbucks still running WEP could be cracked in a matter of minutes, but grandma checking her email once a day (assuming no other traffic) would take days or weeks.
Furthermore, any traffic worth worrying about (bank account info, etc) is encrypted via SSL and so is immune to eavesdropping. This, combined with the length of time required to crack WEP for a normal home network, makes it pretty unattractive in the real world. Most people will just move on and look for one of the 400 completely unsecured networks that likely exist in your area.
So, that said, if it were me, I’d feel comfortable turning on MAC filtering, turning off the SSID broadcast, and just running WEP. But that’s just me, and that’s assuming you don’t want to run two routers for some reason. If you do, Quartz’s suggestion is ideal.
Wrong. Deauth + ARP Replay makes hacking a WEP encrypted network with ANY connected clients trivial. I should know, I cracked my neighbor’s wifi and used it this summer when comcast was having a hissy fit.
You actually want to stick the WEP router upstream of the WPA2 router. That way WEP clients are on the untrusted / internet side of the WPA2 router. Just make sure that the WEP router doesn’t allow wireless clients to access the admin interface since a compromise of the WEP router itself would place the WPA2 router at risk. Beyond that, any malicious WEP client would be indistinguishable from malicious internet traffic.
In my home setup, the WEP access point lives on a separate subnet, physically connected to a hub that’s also connected to one interface on a Linux box running Privoxy. Also connected to that hub is the computer in my son’s room. No traffic that isn’t whitelisted is passed.
A simpler solution might be to dump the WEP and buy a Nintendo USB access point (here is an example).
This allows Nintendo devices, and only Nintendo devices, that you have approved to use a PC’s connection.
You can do that if you’ve got three routers, but the point of having the WEP router downstream of the WPA router is for security - to prevent bandwidth leeching and the like. If it’s upstream, it can’t be managed. The secondary benefit is parental control, so you can lock it down to certain times - or disconnect it entirely - without affecting the rest of the home network.
I stand by my post. WEP + MAC filtering + Disabled SSID broadcast would have shut you down completely. It’s not a foolproof solution by any means, but who would bother at that point?
MAC filtering is purely security-by-obscurity; cloning a MAC address is trivial. Disabling SSID broadcast is better, but hardly foolproof if someone knows that a wireless point is available. WEP, as already mentioned, is trivially easy to crack with even a modest amount of network traffic. WPA2 is a far more secure encryption protocol. And while it is true that most home networks don’t need that kind of protection from an information security standpoint, there are plenty of wannabe crackers out there who will hack your system purely for nuisance value.
Thanks everyone. I’m going to try putting the old CompUSA router downstream of the new router.
How do I set this up? For the old router, I’ve added the DSes and my laptop to the MAC filtering table, and selected “Enable MAC filtering” and “Allow”. I assume this means only the listed devices will be allowed to access the WEP WiFi.
I’m guessing I run Ethernet cable from the new router to the WAN port on the old router, rather than one of the numbered ports (on the old one)? What settings do I need to set on the new router to restrict the old one?
The IP range on the old router is 192.168.2.100 to 192.168.2.200 (Its address is 192.168.2.1). I haven’t found where to set the IP range on the new router yet, but its address is 192.168.1.1. Hopefully that’s different enough.
The old router was set to channel 6. The new router is set to “auto”. Is that OK?
I do have an older wired-only router laying around somewhere, but what benefit would that give me?
Basically you want to stop it routing across into your other network.
That should be okay as long as the Subnet Mask on both routers is set to 255.255.255.0. But it’s easy to get confused, which is why I prefer visibly different IP ranges.
The benefit would be to physically separate the two networks. Your wired router plugs into your internet connection, and the two wireless routers plug into the wired router. You then forbid routing between the two wireless routers. This may be more than your routers can do.
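An added example, not written by anyone in the thread: a small model of the three layouts discussed above (WEP router downstream, WEP router upstream, and the three-router setup), plus the subnet-mask check on the two address ranges quoted. The topology dictionaries, function names and the NAT rule (a router lets its LAN side open connections outward and drops unsolicited traffic arriving on its WAN port) are simplifying assumptions.

```python
import ipaddress

# Addresses from the thread; the mask is the 255.255.255.0 the reply assumes.
NEW_LAN = ("192.168.1.1", "255.255.255.0")  # WPA2 router
OLD_LAN = ("192.168.2.1", "255.255.255.0")  # WEP router


def lan(addr, mask):
    """Network that a router's LAN interface belongs to."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def ranges_distinct(a, b):
    """True when the two LANs do not overlap."""
    return not lan(*a).overlaps(lan(*b))


def can_initiate(src, dst, parent):
    """Assumed NAT model: a host can open connections to its own segment and
    to every segment upstream of it, never to a segment behind another
    router's WAN port."""
    seg = src
    while seg is not None:
        if seg == dst:
            return True
        seg = parent.get(seg)
    return False


# parent[x] = segment that x's router plugs its WAN port into (hypothetical names).
LAYOUTS = {
    "downstream": {"wep": "wpa2", "wpa2": "internet"},
    "upstream": {"wpa2": "wep", "wep": "internet"},
    "three-router": {"wep": "wired", "wpa2": "wired", "wired": "internet"},
}


def report():
    """For each layout: can a WEP-side client open a connection to each target?"""
    return {
        name: {dst: can_initiate("wep", dst, topo) for dst in ("wpa2", "internet")}
        for name, topo in LAYOUTS.items()
    }


if __name__ == "__main__":
    print("ranges distinct:", ranges_distinct(NEW_LAN, OLD_LAN))
    for name, row in report().items():
        print(f"{name:13} WEP->WPA2 LAN: {row['wpa2']!s:5} WEP->internet: {row['internet']}")
```

In this model only the downstream layout leaves the WPA2 LAN reachable from the WEP side by default, which is why that layout depends on the extra rule on the WPA2 router restricting the WEP router's address.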