What's the question about wifi security for a small adhoc network
November 4, 2014 1:39 AM

We have a wireless network at work that is being misused by neighbours. Our IT guy and I need help with keywords to ask for security solutions as Google is giving me adware articles, and I do SOHO macs, not PC networks.

This is a hobbled together Windows & Linux-mainly wifi office network of 20+ machines in Cambodia. My IT guy speaks okay English, but there are definitely communication issues. We moved offices recently and the neighbours are stealing bandwidth, which we have to pay for. We're changing passwords every month, but it looks like a staff member might be sharing the password or some other hack. We also have a lot of volunteers who need to get connected every other day for brief periods so he's not keen on MAC-filtering because of the hassle. He's already done the WPA2 encryption; what are the other keywords I need to research? Searching gets me lots of "buy this hardware/software!" solutions. I have tech-smart volunteers who can help research and implement a solution, but I don't know what exactly I should be asking to explain the problem, like do I need a network diagram, is this something that can be done remotely, do I need to buy new hardware? Help me figure out what to understand so I can ask my tech volunteers to fix this.
posted by viggorlijah to Computers & Internet (14 answers total)
 
If one of the staff members is passing on the password, you have a social/cultural issue, not a tech problem.

Perhaps you can have the wifi network require a login name and password to be used. Then you'd probably be able to figure out the culprit if they were logged on multiple times.
posted by barnone at 1:48 AM on November 4, 2014 [13 favorites]


You mention "every other day", do the volunteers need to be on at just defined times? Like, is everybody there on Tuesdays and Thursdays from noon-5 or something? You could set up a guest network that would only be available at the times the more-variable volunteers were around, and then have only ongoing staff on a MAC-filtered network? That strikes me as something one could do with only off-the-rack stuff more easily; I can imagine solutions that would be more complex, but it starts getting into things like "having a real router" and "having an IT guy who would have already known how to do this stuff", because you get into needing to have an authentication server and things like that. And creating logins for every volunteer seems like it would hit a similar level of hassle to adding their phones/computers to the MAC filter.

The guest network could also be limited to specific sites if the volunteers are only using it for certain tasks, possibly. That kind of filtering at least gets into what I can still do with my DD-WRT firmware and therefore seems more plausible to do with lower-end hardware.

I'm curious: Are you really sure it's the neighbors?
posted by Sequence at 2:04 AM on November 4, 2014 [3 favorites]


Setting up a usage monitoring system like that, while it would provide the sort of tracking barnone describes, is probably going to be more of a hassle than just turning on MAC filtering. I'm not sure you're going to find an approach that's less of a hassle than MAC filtering for achieving the specific goal of blocking the bandwidth leechers... everything you might do will require accessing or changing something on every volunteer's computer or device.

(Unless, maybe, as Sequence suggests they're only stealing bandwidth during certain times of the day or on certain days? I've used routers that had options to shut down wireless access between specified hours.)
posted by XMLicious at 2:10 AM on November 4, 2014


Why is it that you think the neighbors are stealing bandwidth?
posted by empath at 2:30 AM on November 4, 2014


It might help to start maintaining a blacklist of known bad MACs and associated websites and then throttle them down to 1200 baud or so.

Assuming your hardware and software makes it easy.
posted by sebastienbailard at 2:34 AM on November 4, 2014 [1 favorite]


Why is it that you think the neighbors are stealing bandwidth?

Logs? If the office is empty at 1 AM and someone's downloading 2 GB of pornography it's probably not a staffer, especially if the admin knows the profile (IP addresses, MAC addresses) of the 20+ machines in the office.
posted by sebastienbailard at 2:38 AM on November 4, 2014 [1 favorite]
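The check sebastienbailard describes, comparing router logs against the known inventory of office machines and looking for traffic when nobody is in, as an added example that is not part of the thread. It assumes the router can export a per-client accounting log in the constructed "timestamp MAC bytes" shape shown; real firmware (DD-WRT and others) uses its own formats, so parse_line() is the part to adapt.

```python
"""Flag unknown Wi-Fi clients and off-hours traffic on a small office network.

Added illustration. Assumes a router export with one line per client sample:
ISO timestamp, client MAC, bytes transferred. Adapt parse_line() to your router.
"""
from datetime import datetime

# Inventory of office devices (constructed sample MACs, not real hardware).
KNOWN_MACS = {
    "02:00:00:00:00:01": "office-pc-01",
    "02:00:00:00:00:02": "office-pc-02",
    "02:00:00:00:00:03": "it-laptop",
}

# Constructed sample export: the 1 AM and 2 AM entries come from MACs
# that are not in the inventory, which is the pattern the thread describes.
SAMPLE_LOG = """\
2014-11-03T09:15:00 02:00:00:00:00:01 5242880
2014-11-03T13:40:00 02:00:00:00:00:02 1048576
2014-11-03T01:05:00 02:00:00:00:00:99 2147483648
2014-11-03T22:30:00 02:00:00:00:00:03 4194304
2014-11-03T02:10:00 02:00:00:00:00:a7 734003200
"""

OFFICE_HOURS = range(8, 19)  # 08:00 to 18:59 counts as staffed


def parse_line(line):
    """Split one export line into (datetime, lowercase MAC, bytes)."""
    ts, mac, nbytes = line.split()
    return datetime.fromisoformat(ts), mac.lower(), int(nbytes)


def audit(log_text, known=KNOWN_MACS, office_hours=OFFICE_HOURS):
    """Return two dicts of MAC -> total bytes: clients not in the inventory,
    and clients that transferred data outside office hours."""
    unknown, off_hours = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, mac, nbytes = parse_line(line)
        if mac not in known:
            unknown[mac] = unknown.get(mac, 0) + nbytes
        if ts.hour not in office_hours:
            off_hours[mac] = off_hours.get(mac, 0) + nbytes
    return unknown, off_hours


if __name__ == "__main__":
    unknown, off_hours = audit(SAMPLE_LOG)
    for mac, total in unknown.items():
        print(f"unknown client {mac}: {total / 2**20:.0f} MiB")
    for mac, total in off_hours.items():
        print(f"off-hours traffic from {KNOWN_MACS.get(mac, mac)}: {total / 2**20:.0f} MiB")
```

A known device showing up in the off-hours list (here the IT laptop at 22:30) is the case to check with staff before blaming the neighbours.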


Have 2 separate networks (using 2 routers), one for your PCs, and one for guests. Shut off the guest network at night. Filter the office network.
posted by blue_beetle at 3:40 AM on November 4, 2014 [9 favorites]


Yeah, you have a management issue, not a technical one.

You already have the solutions, but don't want to implement them. Lock down by MAC address and require a tech person to register every device on the network. Once you are over the initial bump it's not that hard to maintain.

Or do the username/password on an unadvertised SSID, and don't give it out to anyone. Have only one or two authorized people enter it for the people.
posted by cjorgensen at 6:48 AM on November 4, 2014


Thinking this over I think I know where your issue lies:

Disable WPS. Whoever is hacking your wifi, if they're not getting the password by word of mouth like barnone suggests, is most likely hacking your wifi router through WPS.

So disable WPS, make sure your router's firmware is up-to-date, and change the admin password for the router itself.
posted by I-baLL at 7:16 AM on November 4, 2014 [1 favorite]


The gold standard here is certificate-based Enterprise WPA2 with the certs issued by your Active Directory domain. Easy-peasy via group policy on your Windows systems. The Linux systems might be enough of a bear to whitelist the MAC addresses.
posted by bfranklin at 8:03 AM on November 4, 2014


Filter by MAC address, and have volunteers plug in via Ethernet cables.
posted by suedehead at 9:36 AM on November 4, 2014


Seconding time-limited second guest network. Buy a second cheap wifi router if you have to. Captive portal if you have the capability. Require a password that changes every day and just put up a sign saying "today's password is banana".

The lowest tech solution to this would be a $20 Airlink or something router. At the end of the business day someone logs in, changes the password, and unplugs the router (or turns off a power strip. On a router that cheap I'd probably be wary of the power socket falling off the PCB if it was unplugged every day) and prints out a new sheet saying "today's password is peanut". In the morning someone flips it on.

Now, also, no one gets access to the regular wifi unless they're a full time employee.

There's way higher tech and even fully automated solutions to this, but that's the lowest tech and cheapest one I could think of.

And now as a bonus, they're on another network segment and separate subnet from the rest of your gear. I'd still go in to the firewall/router config and set it so the cheapo router can only see the internet, but yea.
posted by emptythought at 12:37 PM on November 4, 2014 [2 favorites]


You could start low tech by using a plug-in timer that would turn the router on and off based on your schedule. The same kind people use to turn their lights on and off to make it appear that someone is home when on vacation. Also, you don't mention if you're using hacked firmware, but if you are you could try adjusting the radio power down to where you still get coverage in your office but no bleed-through of the signal where your neighbors can attach to it. Otherwise what a few others have said here: just run a MAC whitelist for your office devices that need access. You could also set up a separate access point for your volunteers with a different SSID. Enable QoS with bandwidth throttling on this device. There are many cheap devices you can buy that support DD-WRT that could allow you to do this.
posted by white_devil at 7:51 AM on November 5, 2014


Response by poster: Thanks for all the answers. Going up this week, and will go through them onsite with our IT guy. Most likely it'll be the guest wifi with everyone else identified.
posted by viggorlijah at 10:53 PM on November 17, 2014

