 Juggernaut | Irreverent or irrelevant? | Premium | join:2006-09-05 | Kelowna, BC | kudos:2 | reply to norwegian
Re: Router security
said by norwegian: I'm gathering at some point if internally infected, an external computer that is communicating back and forth can spoof the internal MAC address and the router will then allow more communication? Not quite DMZ status but it would surely be close?
Even if you spoof a MAC to a 'known' device, if the router is secured, you still need to have the login and PW to gain access to WIFI, or the router.
If it is not secured, and you have only a MAC filter, you're toast. You can spoof a MAC with a program. WIFI (and Bluetooth) broadcasts them.
-- Better to have it and not need it, than need it and not have it. |
|
 StuartMW | Who Is John Galt? | Premium | join:2000-08-06 | Galt's Gulch | kudos:2 | 2 edits | reply to norwegian
Sounds like you have an integrated modem/router from your ISP. My LAN is behind another 3rd party router. I don't trust what an ISP provides. That has been discussed here before (too lazy to find a link right now).
»Re: Do you trust AT&T with your security?
-- Don't feed trolls--it only makes them grow! |
|
 | reply to Shady Bimmer
said by Shady Bimmer: WPA = Wi-Fi Protected Access, the next-generation security protocol after WEP. WPA has been deemed weak against brute-force attacks.
Only partially true. WPA only has weaknesses when used in TKIP mode. If you enable CCMP/AES mode, those weaknesses do not exist.
-- Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999 |
|
 Juggernaut | Irreverent or irrelevant? | Premium | join:2006-09-05 | Kelowna, BC | kudos:2 | reply to StuartMW
Yep, I have my own router, and my ISP's modem. The router is between them, and my network.
-- Better to have it and not need it, than need it and not have it. |
|
 | reply to Shady Bimmer
said by Shady Bimmer: The router/firewall is a layer of protection for the network, which itself is inherently insecure with many points of vulnerability.
Which I am learning more about from the discussion, even though it is the router that seems to be the centre of attention for me.
I didn't just want a "my bob2 is beeping it is infected" topic. These tend to be closed down rather quickly. So I tried a discussion in hopes I could view or review protocols to help understand more generally about setting up networks securely, starting with locking down a router and using it to its full potential.
Sorry to all if I've misled you a little.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
 | reply to StuartMW
said by StuartMW: Sounds like you have an integrated modem/router from your ISP. My LAN is behind another 3rd party router. I don't trust what an ISP provides. That has been discussed here before (too lazy to find a link right now). »Re: Do you trust AT&T with your security?
It is a Bob2 supplied by the vendor.
I have another router here, but had troubles setting up the second router, or understanding what security needs to be in place with the addressing and configurations. We discussed piggybacking routers here once or twice and consensus was equally bad vs. good for this method. I doubt turning it into a bridge would help my wireless clients with protection.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
 StuartMW | Who Is John Galt? | Premium | join:2000-08-06 | Galt's Gulch | kudos:2 | reply to norwegian
said by norwegian: I didn't just want a "my bob2 is beeping it is infected" topic.
If it starts beeping rapidly I'd be inclined to, um, run
-- Don't feed trolls--it only makes them grow! |
|
 Juggernaut | Irreverent or irrelevant? | Premium | join:2006-09-05 | Kelowna, BC | kudos:2 | reply to norwegian
One other thing to do, as it seems to have been missed. Use a SW FW as well, to stop stuff from going out. It's another layer for security.
-- Better to have it and not need it, than need it and not have it. |
|
 StuartMW | Who Is John Galt? | Premium | join:2000-08-06 | Galt's Gulch | kudos:2 |
And/or configure your own (custom) outgoing firewall rules in your router.
-- Don't feed trolls--it only makes them grow! |
|
 | reply to Juggernaut
said by Juggernaut: Even if you spoof a MAC to a 'known' device, if the router is secured, you still need to have the login and PW to gain access to WIFI, or the router. If it is not secured, and you have only a MAC filter, you're toast. You can spoof a MAC with a program. WIFI (and Bluetooth) broadcasts them.
This is set up with a default SSID but the passphrase is my own.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
|
|
 Juggernaut | Irreverent or irrelevant? | Premium | join:2006-09-05 | Kelowna, BC | kudos:2 |
That's an important part.
But, if it's your telco's unit, they have a backdoor to reset it for access. Better to have your router in between it, and your network.
-- Better to have it and not need it, than need it and not have it. |
|
 StuartMW | Who Is John Galt? | Premium | join:2000-08-06 | Galt's Gulch | kudos:2 |
said by Juggernaut: But, if it's your telco's unit, they have a backdoor...
And if they do, so does ASIO/The NSA/et al. But if you have a "Bob2" that's a given.
-- Don't feed trolls--it only makes them grow! |
|
 | reply to KodiacZiller
You have me a little curious on this.
said by KodiacZiller: said by norwegian: 2. Hide SSID and only show it to allow the connection to happen before hiding it, use WPA2 as well. Hiding the SSID has zero benefit.
Hiding the SSID does nothing?
said by KodiacZiller: said by norwegian: 2. Set specific MAC addresses. MAC filtering has little if any benefit.
Setting specific MAC address filtering is not worth a concern? Can you elaborate on this, as setting MAC addressing was 1 of my "to do" jobs but you suggest I'm wasting my time, I gather because they can be spoofed?
said by KodiacZiller: The best steps you can take to secure a router are: 1) Set a strong WPA2 password. 2) Turn off any remote administering of the router unless you really need it.
This I have done.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
 | reply to Juggernaut
said by Juggernaut: One other thing to do, as it seems to have been missed. Use a SW FW as well, to stop stuff from going out. It's another layer for security.
said by StuartMW: And/or configure your own (custom) outgoing firewall rules in your router.
I do have a firewall on all items, but to set serious filtering is a big task, software needs configuring, Microsoft services need configuring, etc., etc.
I hear just allowing UDP port 53 for DNS and UDP/TCP on port 80 for Internet is a good start.
Still it is not a simple 5 minute job either?
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
 | reply to Juggernaut
said by Juggernaut: That's an important part. But, if it's your telco's unit, they have a backdoor to reset it for access. Better to have your router in between it, and your network.
So I should have set up my own router and wireless access point and not gone the path of "bundled package". Even if it does leave me to diagnose my own hardware which I think isn't a hard task.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
 Juggernaut | Irreverent or irrelevant? | Premium | join:2006-09-05 | Kelowna, BC | kudos:2 |
Yes. I have my own router, and my ISP's modem. And no, it's not a hard task.
-- Better to have it and not need it, than need it and not have it. |
|
 | reply to norwegian
said by norwegian: Hiding the SSID does nothing?
Absolutely nothing. Any war-driver with Backtrack can sniff hidden SSIDs by default. Just about all war-driving software on any platform can do it.
said by norwegian: Setting specific MAC address filtering is not worth a concern? Can you elaborate on this, as setting MAC addressing was 1 of my "to do" jobs but you suggest I'm wasting my time, I gather because they can be spoofed?
What happens is an attacker will sit outside and use a tool like ethereal to sniff the traffic on your network. While he can't actually see the data (since it is encrypted) he can see other information like the MAC addresses of clients. So, once he determines what the legit MAC addresses are, he runs a tool like ifconfig and changes his own MAC to match yours. It's trivial and only takes a minute.
-- Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999 |
|
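Added example, not part of any post in this thread: the point made above about MAC addresses staying visible on an encrypted network, shown by parsing 802.11 data-frame headers and listing which MAC-filter entries appear in cleartext. The frame bytes, addresses and function names are constructed for illustration.

```python
def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_dot11_header(frame):
    """Parse the unencrypted MAC header of an 802.11 data frame."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 header")
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    to_ds, from_ds = flags & 0x01, flags & 0x02
    if to_ds and from_ds:
        raise ValueError("4-address frames are not handled here")
    if to_ds:        # client -> access point
        bssid, src, dst = a1, a2, a3
    elif from_ds:    # access point -> client
        dst, bssid, src = a1, a2, a3
    else:            # ad hoc
        dst, src, bssid = a1, a2, a3
    hdr_len = 24 + (2 if (fc0 >> 4) & 0x8 else 0)  # QoS subtypes add 2 bytes
    return {"bssid": mac(bssid), "src": mac(src), "dst": mac(dst),
            "protected": bool(flags & 0x40),       # WPA/WPA2 covers the body only
            "body": frame[hdr_len:]}

def exposed_allowlist(frames, allowlist):
    """Return MAC-filter entries readable from frame headers alone."""
    seen = set()
    for f in frames:
        h = parse_dot11_header(f)
        seen.update(a for a in (h["src"], h["dst"]) if a != h["bssid"])
    return sorted(seen & {a.lower() for a in allowlist})

def build(flags, a1, a2, a3, body):
    """Assemble a constructed data frame (type 2, subtype 0)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([0x08, flags]) + b"\x00\x00" + raw(a1) + raw(a2) + raw(a3)
            + b"\x10\x00" + body)

# Constructed sample data: locally administered addresses, dummy ciphertext.
AP, C1, C2, C3 = ("02:00:00:00:00:01", "02:00:00:00:00:aa",
                  "02:00:00:00:00:bb", "02:00:00:00:00:cc")
CIPHERTEXT = bytes(8) + b"\x9f\x13\x5c\xe0" * 4
FRAMES = [build(0x41, AP, C1, AP, CIPHERTEXT),   # ToDS + Protected
          build(0x42, C2, AP, AP, CIPHERTEXT)]   # FromDS + Protected
ALLOWLIST = [C1, C2, C3]

if __name__ == "__main__":
    print("protected:", parse_dot11_header(FRAMES[0])["protected"])
    print("allow-list entries visible in cleartext:",
          exposed_allowlist(FRAMES, ALLOWLIST))
```

Both frames have the Protected bit set, yet every address of an active client is readable from the header, which is why the filter adds nothing on top of a strong WPA2 passphrase.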
 | Okay, this is where "Security by Obscurity" comes into play - if your firewall is pingable or not really makes no difference to the end result. Hidden or not you have to be trackable to some extent (without talking proxies).
|
|
 | reply to KodiacZiller
said by KodiacZiller: said by norwegian: Hiding the SSID does nothing? Absolutely nothing. Any war-driver with Backtrack can sniff hidden SSIDs by default. Just about all war-driving software on any platform can do it.
Interesting that you brought this up.
Found this interesting:- »www.youtube.com/watch?v=xuO5X1KlPDE
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
 Juggernaut | Irreverent or irrelevant? | Premium | join:2006-09-05 | Kelowna, BC | kudos:2 | reply to norwegian
I make my router pingable. Why wouldn't I? It doesn't make a difference, any more than hiding the SSID would. And, that is none.
-- Better to have it and not need it, than need it and not have it. |
|