 AnavSarcastic Llama? Naw, Just AcerbicPremium join:2001-07-16 Dartmouth, NS kudos:3 | reply to norwegian
Re: Router security Inside, because it's least expected and harder to control. Throw 500 free USB sticks into a lobby, guaranteed one person will stick into a laptop or work PC in the building.......... or at home..... |
|
 | reply to StuartMW
Re: Router security said by StuartMW: WEP is crackable in seconds. Most people know that. Crackable in seconds ==> Wide-open I don't think I disputed that, and in fact stated WEP is known to be very weak. Regardless it has nothing to do with a WAP.
Thus using the original error (of WAP = WEP) by antdude above. Ah, so you are assuming that when antdude stated 'WAP' that he actually meant 'WEP'? I don't see why you would assume that.
WEP/WPA/WPA2 are security protocols. WAP is a physical object that provides wireless network connectivity. Completely unrelated.
Get it?
WAP = Wireless Access Point, which is by definition wide open already. I still don't get why you think that is humorous, other than that you may have misread/misinterpreted a previous post. |
|
 | reply to norwegian
Re: Router security said by norwegian: Which is the easiest to attack a router, the inside or the outside? This thread seems to have strayed from the original question (above) and before this thread gets locked:
The answer depends on what is meant by 'attack a router'. Generally a consumer router/firewall is designed to protect a private network inside one's home. In a commercial space, the concept is the same (protect internal network) but is typically done with dedicated-purpose firewalls separate from routers.
In a consumer space, an "internal" attack on a router may be easier, if only because router administration is often completely blocked/filtered from external interfaces. In commercial space, this is also true for many internal networks. If router administration is enabled on the external interface, then there is little difference between an internal or external attack on the router itself.
With respect to ease of gaining access to a network, if you already have access to the internal network then there is no attack involved. Once there, you have direct access to the hosts on that network which you would not have from an external attack. Most attacks focus on gaining access to the internal network, which typically involves compromising the firewall (or router/firewall) (but not always). Botnet trojans can provide network access independent of access to any consumer router/firewall largely due to the unrestricted outbound access that is typical in those installations. When dealing with network access as a whole, this is only as strong as the weakest device regardless of whether it is a host or a router/firewall (in consumer space). |
|
 JuggernautIrreverent or irrelevant?Premium join:2006-09-05 Kelowna, BC kudos:2 | Internal is always the weakest link. A download, or a bad link will lead to disaster.
Modern routers are far harder to breach, if set up reasonably well. -- Better to have it and not need it, than need it and not have it. |
|
 StuartMWWho Is John Galt?Premium join:2000-08-06 Galt's Gulch kudos:2 Reviews:
·CenturyLink
| said by Juggernaut: Modern routers are far harder to breach, if set up reasonably well. I have my router configured so it is only accessible, from the LAN side, by serial (direct connection), HTTPS and SSH. The last two require a certain certificate in addition to the usual password. Is it possible for it to be hacked? Sure but unlikely. -- Don't feed trolls--it only makes them grow! |
|
 | reply to Juggernaut said by Juggernaut: Internal is always the weakest link. A download, or a bad link will lead to disaster. That is the difference between attacking/breaching a network and attacking/breaching a router (firewall).
Gain access to a host via malicious download (active or passive) and you have easy access to the network. This would not gain access to the router necessarily. A firewall (consumer router/firewall) would only be less secure on its internal side over its external side due to the fact that its management may be blocked entirely from the external side. If additional care is taken such as that used by corporations and individuals as noted by StuartMW then even gaining just internal network access may have no advantage in exploiting the router/firewall over an external attack.
If the question is over gaining access to the network then yes, as I noted the network is only as strong as its weakest device. The router/firewall is rarely the weakest point and is as a result not the common point of attack. It is more often easier to gain access to a network by using an exploit on another host, bypassing the router/firewall entirely.
This is one reason (among several) that commercial firewall implementations typically restrict traffic in both directions. In the event access to a given internal host is obtained, this in turn may not be used easily as a bypass around inbound firewall restrictions. These protections are no guarantee, but are just one control among many.
To the original question: A given firewall (consumer router/firewall) is less secure internally only due to the fact that it may have unrestricted management access on its internal network. There is nothing in particular beyond that to make the internal interface(s) any less "secure" than the external interface(s).
The internal network itself, however, is typically easier to attack than the router/firewall in most consumer installations. Penetrating the router and penetrating the network are two different cases. |
|
 StuartMWWho Is John Galt?Premium join:2000-08-06 Galt's Gulch kudos:2 Reviews:
·CenturyLink
| said by Shady Bimmer: The internal network itself, however, is typically easier to attack than the router/firewall in most consumer installations. Penetrating the router and penetrating the network are two different cases. True. Which is why I only have specific folders shared between machines on my LAN and those folders are only used when transferring files. Thus if a particular machine is compromised the attacker can't (easily) get to files on other machines. NetBIOS (over TCP/IP) is also disabled (it is easily exploited). -- Don't feed trolls--it only makes them grow! |
|
 Reviews:
·WestNet Broadband
| reply to Shady Bimmer Thanks for persevering. I asked the question based on the expanded network that has come about. As everything is hooked up to the router I am or was under the belief the router is the point of concern, but as you pointed out it is the network itself which is the concern, hence the internal switch of the router/4 port + wireless network that is the weak link.
So the router is fine as I seem to have it locked down enough I believe.
There seem to be a few areas of concern for any network that are relevant now.
1. ARP
2. File sharing
3. Exploits
4. Infection
There may be more, but these would have to be the initial concerns? Would you class UDP as a point too?
Interesting discussion, thanks all. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
 StuartMWWho Is John Galt?Premium join:2000-08-06 Galt's Gulch kudos:2 Reviews:
·CenturyLink
| reply to norwegian Not sure you can do much about ARP poisoning on a home network. I'd turn off Home Groups (or whatever Microsoft calls them) for sure. Enable simple password-protected file sharing with limited folders if you wish to transfer between machines. Disable NetBIOS. You don't really need it. Use an A/V you like and keep it up-to-date.
Then there's the obvious (hopefully) stuff. Don't click on links without knowing where they go. Don't download from warez etc. -- Don't feed trolls--it only makes them grow! |
|
 | reply to norwegian said by norwegian: Not sure where this will take me - call it curiosity. Which is the easiest to attack a router, the inside or the outside? The (long) thread posted immediately after this initial post is a worthwhile read. On that, and the rest of the thread, is the question one of gaining access to the router/firewall itself, or one of gaining access to the network? Bypassing consumer router/firewalls to gain access to a network is often easier than gaining access to the router/firewall itself.
An attack on a router/firewall would typically have little benefit other than to then use this access to gain access to the internal (protected) network. Finding a path around the router protection, at least in the consumer router/firewall case, is typically easier than finding an exploit to the router itself.
It might be worthwhile to remember a few years ago where many institutions were infected with a fast-propagating worm that leveraged a Windows vulnerability. The perimeter security (dual-layer firewalls in conjunction with router ACLs) was useless and was never attacked itself in any of those cases.
The router/firewall is a layer of protection for the network, which itself is inherently insecure with many points of vulnerability. |
|
 Reviews:
·WestNet Broadband
| reply to StuartMW 1. On NetBIOS:
In the early days all my cabled LANs were manually configured for the network and DHCP, DNS services were turned off. Now to the present and wireless: Doesn't DHCP use NetBIOS? I know once I have enough of a play with the wireless I could look at all connections being mapped to specific addresses to stop DHCP etc. which would allow turning off services such as NetBIOS, WINS, LMHOSTS etc. But routers do not allow configuration like in this Microsoft Article on NetBIOS
2. Home networks is a Microsoft term, what of Apple (iPods, iPads, MacBooks), WD Live stream and all other types of hardware relying on network connections via the router/switch etc? -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
 Reviews:
·WestNet Broadband
| reply to Juggernaut said by Juggernaut: All of the connected HW should be visible in your router interface. Wireless, and wired.
I've found the location in the router for that and once everything is set up I will try to apply this comment of yours.
MACs are easily spoofed. I'm gathering at some point if internally infected, an external computer that is communicating back and forth can spoof the internal MAC address and the router will then allow more communication? Not quite DMZ status but it would surely be close? -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
 StuartMWWho Is John Galt?Premium join:2000-08-06 Galt's Gulch kudos:2 Reviews:
·CenturyLink
| reply to norwegian said by norwegian: You mean something like this? ...
Well if you share USB sticks I'd disable AutoRun for sure. Also set your A/V to scan removable drives.
As Anav said this is a common trick. I think the Stuxnet virus made its way to Iranian PCs via a USB stick. -- Don't feed trolls--it only makes them grow! |
|
 StuartMWWho Is John Galt?Premium join:2000-08-06 Galt's Gulch kudos:2 Reviews:
·CenturyLink
| reply to norwegian No. Having it enabled allows you to "browse" your network but is that necessary? It is easy enough to create network shortcuts to shared folders and disable NetBIOS.
2. Home networks is a Microsoft term, what of Apple (iPods, iPads, MacBooks), WD Live stream and all other types of hardware relying on network connections via the router/switch etc? I don't know but I'd only enable what you really need. -- Don't feed trolls--it only makes them grow! |
|
 Reviews:
·WestNet Broadband
| reply to Shady Bimmer said by Shady Bimmer: The (long) thread posted immediately after this initial post is a worthwhile read. On that, and the rest of the thread, is the question one of gaining access to the router/firewall itself, or one of gaining access to the network? Bypassing consumer router/firewalls to gain access to a network is often easier than gaining access to the router/firewall itself.
It may end up being more about this.
The initial question though was about this: The router, a Bob2, has started beeping, dual beeps every now and then. I assumed it was a hardware issue. Tech support have given me a new one and as soon as it was plugged in and was configured it started beeping too. If there is a sudden one off bug of the Bob2 and is a genuine hardware/firmware issue, I'm gathering it will get picked up soon enough as I will be reopening the tech support ticket.
If it is relative to something on my network causing this, it is my problem not the ISP's?
While this is all happening I thought it best to consult with the good people here about what can and cannot be a part of the new (less than a month old phenomenon.) So there may be the 2 points to be concerned with, not just router security. Thirst for knowledge does not come from 1 direction only, so bear with me, I'm not sure where the topic is heading - I will however try to keep my own questions on topic too. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
 | reply to norwegian said by norwegian: 2. Hide SSID and only show it to allow the connection to happen before hiding it, use WPA2 as well.
Hiding the SSID has zero benefit.
2. Set specific MAC addresses. MAC filtering has little if any benefit.
The best steps you can take to secure a router are:
1) Set a strong WPA2 password.
2) Turn off any remote administering of the router unless you really need it. -- Getting people to stop using Windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999 |
|