

norwegian
Premium
join:2005-02-15
Outback
reply to Juggernaut

Re: Router security

said by Juggernaut:

Yes. I have my own router, and my ISP's modem. And no, it's not a hard task.

I guess my problem is:

Modem is broken, invested in an all in one - Bob2

I have an old modem Netcomm 4+ replaced with Dlink (started playing up) to work with. I also have a Belkin wireless router and a plain router.

Maybe I need to revisit using the old gear or turning off the wireless in Bob2 and making it a bridge to the next router. Bit of playing around but might be worth looking at.

Whether it stops the beeps who knows, but this Bob2 modem/wireless router does have a beep no other hardware had.
Guess I need to test electrical currents to see if there is an issue for the hardware there.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 edits
reply to norwegian

said by norwegian:

Still it is not a simple 5 minute job either?

No it isn't. It's up to you as to how serious you want to be about security.

I don't know how many people configure their own firewall(s), incoming and outgoing, but I've been doing it since getting my first (non-integrated) router in 2000 or so.

I bought and read this book as a guide.

Building Internet Firewalls

Also I have a Syslog server that logs stuff. Again it's up to you how far you want to go but most of the effort is one-time.
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to norwegian

said by norwegian:

Okay, this is where "Security by Obscurity" comes into play...

There's no such thing on the internet. It doesn't matter where you live, New York City or a shack in Siberia, you will be found.
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to norwegian

BTW this whole thread has got me thinking about what devices I have on wi-fi. With a little bit of work (hardware + firewall setup) I could make some of them hardwired (cabled). That'd just decrease the probability that they could be reached.
--
Don't feed trolls--it only makes them grow!



workablob

join:2004-06-09
Houston, TX
kudos:3
reply to norwegian

Disable WPS if you can.

Linksys gives the illusion of allowing one to disable it but it is just an illusion.

DDWRT will let you do it.

Dave
--
I may have been born yesterday. But it wasn't at night.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by workablob:

Disable WPS if you can.

Agreed. WPS is broken.

»WiFi Protected Setup PIN brute force vulnerability

Fortunately my (older) router doesn't support WPS.
--
Don't feed trolls--it only makes them grow!


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
Reviews:
·Time Warner Cable
reply to StuartMW

Yeah, everything I've read says that hiding SSID is useless. I have done it only to keep casual users from trying to connect, but that probably just ensures that the only attempts will be malicious or non-casual. The router wifi is secured anyway with a strong password in WPA2 and also the administrator name and password are unique and remote administration is disabled. There's really no need for remote administration for most people, anyway, is there?

The key remains LAN access, doesn't it. How does one log onto the LAN, users and user levels, passwords, etc? If it is easy to log onto the LAN locally, then once the wifi connection and strong password are known, logging onto the LAN will also be easy, won't it?
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
Reviews:
·Time Warner Cable
reply to StuartMW

I have a really old D-Link at home that is not wireless, so I don't have to worry about that one, at least when it comes to WPS. I have verified that the wireless router at an office I have some responsibility for is not vulnerable to that attack because it does not support WPS.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric

1 recommendation

reply to norwegian

I suggest investigating VLANs as a possible security feature. It essentially lets you define specific paths between specific points and a trunk connection to border routers or shared printers. Since VLAN switches provide layer 2 data link level switching, they are impervious to many of the LAN side malware spreading exploits extant today.

Configuration isn't a trivial matter, but once it's set up, it's low maintenance.

Here are a couple of educational links on the subject:

»computer.howstuffworks.com/lan-switch15.htm

See »www.cisco.com/web/about/ac123/ac···ion.html

For a nice discussion on wireless router hardening, see
»Harden your router/AP in five steps



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by EGeezer:

I suggest investigating VLANs as a possible security feature.

That's what I'm considering doing as my router supports VLAN's.

But as you said it's not trivial to configure and I want to think about the implications (what can talk to what etc) before I dive in.
--
Don't feed trolls--it only makes them grow!


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric

1 edit

Stuart, you may like this configuration example:

»www.youtube.com/watch?v=tbG9YboATvA


I see ZyXEL has a SOHO router line that supports both VLAN and an embedded RADIUS server.

See »www.zyxel.com/products_services/···html?t=p

Also see discussion at

»VLAN routing help needed (USG50)

The big problem I have with my RADIUS implementation is that I can't configure smartphones, tablets, printers etc. to connect. They don't seem to have any WPA2 Enterprise support.



rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
Reviews:
·Time Warner Cable

Do I understand you to mean that the smartphones, etc., do not have WPA2 enterprise support? I think that must be true, as I have not seen that available in smartphones that I allowed. They do support WPA2 (non-enterprise).
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric

said by rcdailey:

Do I understand you to mean that the smartphones, etc., do not have WPA2 enterprise support?

That has been my experience. I've not seen the ability to configure 802.1x RADIUS authentication on the devices I've encountered.


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
Reviews:
·Time Warner Cable

3 edits

OK, that's what I thought. The router I have dealt with in this situation can support VLAN and also WPA2-Enterprise, but all those smartphones don't understand WPA2-Enterprise.

I wonder whether you can use WPA2-Enterprise mixed and it would work with the smartphones? I have not tested this. After some checking, I think this probably would not work, either. I also found some commentary about WPA2-Enterprise and Apple iOS5 having issues with connecting.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.


HELLFIRE
Premium
join:2009-11-25
kudos:17
reply to norwegian

said by norwegian:

There seem to be a few areas of concern for any network that are relevant now.

1. ARP
2. File sharing
3. Exploits
4. Infection

There may be more, but these would have to be the initial concerns?

1. Not with the level of configuration of gear that is available at the local electronics shop. You're basically looking at stuff like Dynamic ARP Inspection, 'sticky' MAC addresses, (private) VLANs, and a few other things that are not available at the consumer level, and at the Enterprise level is in the neighborhood of $10K or more.

Points 2 to 4 I'll leave to other ppl that have already posted.

said by norwegian:

So I tried a discussion in hopes I could view or review protocols to help understand more generally about setting up networks securely, starting with locking down a router and using it to its full potential.

Here's my breakdown of security from a network view:

Layer 1 / Physical: no physical access to the router / cables, console / remote access disabled.
Layer 2 / Logical: see my point above, but it goes back to knowing WHO and WHAT is on the LAN, especially that pesky "unknown computer" in Windows Network Neighborhood.
Layer 3 / Network: a little more involved, unless you have a very customizable rig / setup.
Layer 4 / Transport: also a little more involved, but basically knowing WHAT programs / traffic is running around the network, both INbound and OUTbound. Some basic stuff would be knowing commands like 'netstat', etc.
Layer 5 - 7 / Application: as others have said, up-to-date system and patches, anti-virus, anti-malware, etc., maintaining current backups, strong passwords and the like, AND MAINTAINING LOGS of what's going on.

My 00000010bits

Regards


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

reply to EGeezer

said by EGeezer:

Stuart, you may like this configuration example;

Thanks. My router doesn't implement all the features described in that clip, but I now have VLANs up and going:

PCs (no wi-fi anymore--all cabled) in one.
Wi-fi stuff in another.
VOIP in another.

I may have to tweak things a little, but I think my LAN is more secure.
--
Don't feed trolls--it only makes them grow!


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to HELLFIRE

said by HELLFIRE:

1. not with the level of configuration of gear that is available at the local electronics shop.
You're basically looking at stuff like Dynamic ARP Inspection,

You can do Dynamic ARP inspection for free.
--
Getting people to stop using Windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999
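KodiacZiller's point that ARP inspection need not cost enterprise money can be illustrated in software. The block below is an added example, not code from anyone in the thread: it mimics the core check of Dynamic ARP Inspection (compare each ARP reply against a table of trusted IP-to-MAC-to-port bindings, skip trusted uplink ports, drop and log anything else). The port names, MAC addresses and the binding table are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply that inspection cares about (constructed)."""
    sender_ip: str
    sender_mac: str
    seen_on_port: str  # hypothetical switch-port name the frame arrived on


class ArpInspector:
    """Software stand-in for Dynamic ARP Inspection.

    On a real switch the binding table comes from DHCP snooping; here it is
    supplied statically as ip -> (mac, port). Frames on trusted ports (uplinks,
    trunks) are passed without inspection, as DAI does.
    """

    def __init__(self, trusted_bindings, trusted_ports=()):
        self.bindings = {ip: (mac.lower(), port) for ip, (mac, port) in trusted_bindings.items()}
        self.trusted_ports = set(trusted_ports)
        self.alerts = []  # log lines a defender would forward to syslog

    def inspect(self, reply: ArpReply) -> bool:
        """Return True to forward the reply, False to drop it (and record why)."""
        if reply.seen_on_port in self.trusted_ports:
            return True
        expected = self.bindings.get(reply.sender_ip)
        if expected is None:
            self.alerts.append(f"DROP {reply.seen_on_port}: no binding for {reply.sender_ip} ({reply.sender_mac})")
            return False
        mac, port = expected
        if reply.sender_mac.lower() != mac or reply.seen_on_port != port:
            self.alerts.append(f"DROP {reply.seen_on_port}: {reply.sender_ip} claimed by {reply.sender_mac}, expected {mac} on {port}")
            return False
        return True


# Constructed binding table: the gateway and one PC, plus a trusted uplink.
TRUSTED = {"192.168.1.1": ("00:11:22:33:44:01", "gi0/1"),
           "192.168.1.20": ("00:11:22:33:44:20", "gi0/2")}
SAMPLE = [ArpReply("192.168.1.1", "00:11:22:33:44:01", "gi0/1"),   # genuine gateway
          ArpReply("192.168.1.1", "DE:AD:BE:EF:00:01", "gi0/5"),   # gateway IP from another port
          ArpReply("192.168.1.20", "00:11:22:33:44:20", "gi0/2"),  # genuine PC
          ArpReply("192.168.1.99", "00:11:22:33:44:99", "gi0/7")]  # address never bound


def run_sample():
    insp = ArpInspector(TRUSTED, trusted_ports={"gi0/24"})
    verdicts = [insp.inspect(r) for r in SAMPLE]
    return verdicts, insp.alerts
```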


Anon users

@anonymouse.org

Change AP name
Hidden SSID
Use ONLY WPA2-PSK with AES
Turn off remote port admin
Turn off WiFi admin

No, that's the trick...
Save your settings in the Admin menu (settings.bin) on your computer, THEN
TURN OFF ALL ADMIN login options (no login even on a plugged-in LAN port)!!!

All that is left for a 'break-in' to tamper with your settings is the RESET BUTTON, but after a reset you will notice your wifi won't work (wrong AP name, wrong SSID and wrong WPA2 password), and the ALARM is rung.


Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1
reply to norwegian

Any network is by nature weaker from the inside. On home routers it is that they trust everything from the inside many times, and there is always the ability from the inside, if one has physical access, to set it back to factory.

I have always seen network security as working exactly like building security. Once you get access via some method or person inside the initial barriers, your job has become many times easier, because buildings, like networks, use the outer walls as their primary line of defense. Once past that primary wall, a skilled hacker will be able to find weaker subsystems that can lead to the main system.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports



EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
reply to StuartMW

said by StuartMW:

... but I now have VLANs up and going:

PCs (no wi-fi anymore--all cabled) in one.
Wi-fi stuff in another.
VOIP in another.

I may have to tweak things a little, but I think my LAN is more secure.

Woohoo! Virtual beer for you!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

said by EGeezer:

Virtual beer for you!

Thanks for the offer but I have the real stuff in the fridge
--
Don't feed trolls--it only makes them grow!