What is the best/most secure wireless router?
rf134a
Jul 6th, 2012, 01:05 AM
What's the best & most secure wireless router for the money? It looks like my neighbour(s) have hacked my network secured with WPA2, so I'm looking for something with a built-in 802.11x / RADIUS server.
Right now, ME has the Asus RT-N56U for $110 and the N66U for $160. I'm also willing to look at small business APs like the Linksys WAP4410N for $200. What's the best bang for the buck? :?:
xalex0
Jul 6th, 2012, 01:13 AM
Did you use a strong passphrase? You might also create a decoy AP with weaker security and throttle/log them mercilessly.
Dave98
Jul 6th, 2012, 01:15 AM
How did you determine that they were able to hack it? WPA2 is unlikely to be hacked with a strong passphrase.
http://www.yellowpipe.com/yis/tools/WPA_key/generator.php
Perhaps you have a WPS enabled router. If you do, check to make sure you disable it. It's possible you might have a router where WPS isn't actually disabled even when configured to do so. What do you currently use?
rf134a
Jul 6th, 2012, 01:30 AM
My passphrase was of moderate strength, but I've changed it to a much stronger passphrase. My WPS has been disabled for a long time. The problem with WPS is that it can still be used even though it's disabled in the firmware. It's some sort of flaw in the system just like there's a fatal flaw in WEP and there are minor flaws in WPA that make it vulnerable.
I know I've been hacked when I check the list of clients. All my clients have a standard naming convention, so when 2 new connected clients with names I don't recognize popped up, I know I've been hacked.
I'm currently running a Dlink DIR-655 version A4 firmware version 1.21NA. The newer firmwares are not as stable and lower performance compared to 1.21.
Agafaba
Jul 6th, 2012, 01:37 AM
Keep your current router plugged in but with extremely low bandwidth limits and buy another one with the SSID broadcast turned off. Should trick anyone who thinks they already bypassed your security.
As for the replacement, anything that can run ddwrt should be immune to the WPS trick as it doesn't support WPS.
geek12
Jul 6th, 2012, 04:08 AM
Verizon Jetpack 4G LTE Mobile Hotspot MiFi 4620L by Novatel Wireless is a good wireless router.
Gee
Jul 6th, 2012, 07:52 AM
Keep your router and wireless separate.
I hate wireless, but with the proliferation of tablets, I am forced to install a wireless access point.
I use the Cisco WAP321; it includes a RADIUS server.
http://www.cisco.com/cisco/web/solutions/small_business/products/wireless/300_series_wireless_access_points/index.html
Mark77
Jul 6th, 2012, 08:05 AM
You can, of course, use RADIUS, or similar. With enough compute horsepower, of course, these can be still cracked.
Another approach is to run a relatively insecure wireless network (well not really -- WPA2 is still fairly secure), and then run a VPN encapsulation layer on top of such, where the VPN facilitates access to your network resources, and, if applicable, the broader Internet. An intruder, therefore, would have to break into both the wireless, as well as the VPN facility.
Gee
Jul 6th, 2012, 08:25 AM
> You can, of course, use RADIUS, or similar. With enough compute horsepower, of course, these can be still cracked.
> Another approach is to run a relatively insecure wireless network (well not really -- WPA2 is still fairly secure), and then run a VPN encapsulation layer on top of such, where the VPN facilitates access to your network resources, and, if applicable, the broader Internet. An intruder, therefore, would have to break into both the wireless, as well as the VPN facility.
The Cisco AP does all that.
In this case, I think the concern is about bandwidth. Not access to the network.
joo
Jul 6th, 2012, 08:42 AM
What about filtering by MAC address?
Since you know all your devices and don't accept guests, this could be an additional layer.
I know these can be spoofed, but as long as your devices remain connected it's first come, first served, right?
gnuman
Jul 6th, 2012, 09:11 AM
> What about filtering by MAC address?
> Since you know all your devices and don't accept guests, this could be an additional layer.
> I know these can be spoofed, but as long as your devices remain connected it's first come, first served, right?
Chances are the guy who hacked it will just add his MAC address.
xalex0
Jul 6th, 2012, 10:27 AM
> I know I've been hacked when I check the list of clients. All my clients have a standard naming convention, so when 2 new connected clients with names I don't recognize popped up, I know I've been hacked.
Was it wireless or DHCP clients?
willy
Jul 6th, 2012, 11:35 AM
I don't think you need anything fancy. Any Tomato/DD-WRT based routers should do the trick.
rf134a
Jul 6th, 2012, 11:42 AM
> Was it wireless or DHCP clients?
Wireless. Only a 12-year-old would name their computer "BigHarryP....." :rolleyes:
KleptoTheCondor
Jul 6th, 2012, 01:52 PM
How strong does a WPA2 AES passphrase need to be?
Is something like "correcthorsebatterystaple (http://xkcd.com/936/)" sufficient?
xalex0
Jul 6th, 2012, 02:32 PM
> How strong does a WPA2 AES passphrase need to be?
Check this: http://lastbit.com/pswcalc.asp
> Is something like "correcthorsebatterystaple (http://xkcd.com/936/)" sufficient?
This is still a dictionary attack.
JAC
Jul 6th, 2012, 02:48 PM
> How did you determine that they were able to hack it? WPA2 is unlikely to be hacked with a strong passphrase.
> http://www.yellowpipe.com/yis/tools/WPA_key/generator.php
That's pretty cool. Assuming it's accurate, a 7-digit full ASCII password would take 5 years to crack.
xalex0
Jul 6th, 2012, 02:55 PM
> That's pretty cool. Assuming it's accurate, a 7-digit full ASCII password would take 5 years to crack.
Those non-printing characters would be a pain to type in on your phone, though.
JAC
Jul 6th, 2012, 02:57 PM
> Those non-printing characters would be a pain to type in on your phone, though.
Perhaps you could email it to your phone and copy & paste?
xalex0
Jul 6th, 2012, 03:03 PM
> Perhaps you could email it to your phone and copy & paste?
If you can easily transfer the key file to all devices then you might as well utilize the full 63 characters (but even then I would go with printable characters only).
joo
Jul 6th, 2012, 05:01 PM
> Chances are the guy who hacked it will just add his MAC address.
If he can't log in as admin then how would he do that?
xalex0
Jul 6th, 2012, 05:56 PM
> If he can't log in as admin then how would he do that?
He'll just spoof one of the whitelisted MACs and thus make it even harder to detect him.
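The client-list check rf134a describes, extended to the spoofed-MAC case xalex0 raises here, as an added example that is not part of the original thread. The inventory, hostnames, the four-column poll format (time, MAC, hostname, RSSI) and the 25 dB threshold are all assumptions made up for illustration, not output from any particular router.

```python
# Assumed inventory of known devices: MAC -> expected hostname (hypothetical names).
INVENTORY = {
    "00:11:22:33:44:01": "home-laptop01",
    "00:11:22:33:44:02": "home-phone01",
    "00:11:22:33:44:03": "home-tablet01",
}

# Constructed sample: successive polls of a wireless client list.
# Columns: poll time, client MAC, client-reported hostname, RSSI in dBm.
SAMPLE = """\
2012-07-05T22:00 00:11:22:33:44:01 home-laptop01 -48
2012-07-05T22:00 00:11:22:33:44:02 home-phone01 -55
2012-07-05T22:05 66:55:44:33:22:11 unknown-pc -79
2012-07-05T22:05 00:11:22:33:44:03 home-tablet01 -81
2012-07-05T22:10 00:11:22:33:44:03 home-tablet01 -50
2012-07-05T22:10 00:11:22:33:44:02 HOME-PHONE01 -57
2012-07-05T22:15 00:11:22:33:44:01 guest-pc -80
"""

def audit(text, rssi_jump=25):
    """Return (time, mac, reason) findings for a client-list history."""
    findings = []
    last_rssi = {}  # last signal strength seen per MAC
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, host, rssi = line.split()
        mac, host, rssi = mac.lower(), host.lower(), int(rssi)
        expected = INVENTORY.get(mac)
        if expected is None:
            # A MAC filter would stop this client; a name check alone also sees it.
            findings.append((ts, mac, "unknown-mac"))
        elif host != expected:
            # Known MAC, wrong name: consistent with a cloned allowlisted MAC.
            findings.append((ts, mac, "hostname-mismatch"))
        prev = last_rssi.get(mac)
        if expected is not None and prev is not None and abs(rssi - prev) >= rssi_jump:
            # Weak hint only: a device that moved rooms produces the same jump.
            findings.append((ts, mac, "rssi-jump"))
        last_rssi[mac] = rssi
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The hostname is supplied by the client, so a careful intruder can copy it along with the MAC; the signal-strength comparison is the only one of the three checks that does not rely on client-reported values.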
M1K3Z0R
Jul 7th, 2012, 02:24 AM
The most secure router is a hardwired router.
BTW - Even a WPA2 router is still subject to WPS exploits. Google for "Reaver WPS" :D