Topic 'Re: Router security' in forum 'Security' - dslreports.com

Topic 'Re: Router security' in forum 'Security' - dslreports.com http://www.dslreports.com/forum/Re-Router-security-27558400 en Thu, 20 Jun 2013 03:09:24 EDT Thu, 20 Jun 2013 03:09:24 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27587303 said by EGeezer:

Virtual beer for you!

Thanks for the offer but I have the real stuff in the fridge :D
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27587303 Wed, 03 Oct 2012 16:58:43 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27587290 said by StuartMW:

... but I now have VLAN's up and going :)

PC's (no wi-fi anymore--all cabled) in one.
Wi-fi stuff in another.
VOIP in another.

I may have to tweak things a little but I think my LAN is more secure :)

Woohoo! Virtual beer for you! ]]> http://www.dslreports.com/forum/Re-Router-security-27587290 Wed, 03 Oct 2012 16:56:12 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27584950
I have always seen network security as working exactly like building security. Once you get access via some method or person inside the initial barriers your job has become many times easier because buildings like networks use the outer walls as their primary line of defense. Once passed that primary wall a skilled hacker will be able to find weaker sub systems that can lead to the main system.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports]]> http://www.dslreports.com/forum/Re-Router-security-27584950 Wed, 03 Oct 2012 04:21:22 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27584389 hidden SSID
use ONLY WPA2-PSK with AES
Turn off remote port admin
Turn off WIfi Admin

No that's the trick...
Save your settings in Admin menu (settings.bin) in your computer, THEN
TURN OFF ALL ADMIN login options (no login even in plugin LAN port)!!!

All is left for 'break-in' to tamper your setting is RESET BUTTON :), but after reset, you can notice your wifi won't work, (wrong AP name, wrong SSID & wrong WPA2 password), the ALARM is rang :)]]> http://www.dslreports.com/forum/Re-Router-security-27584389 Tue, 02 Oct 2012 21:57:14 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27584219 said by HELLFIRE:

1. not with the level of configuration of gear that is available at the local electronics shop.
You're basically looking at stuff like Dynamic ARP Inspection,

You can do Dynamic ARP inspection for free.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999]]> http://www.dslreports.com/forum/Re-Router-security-27584219 Tue, 02 Oct 2012 21:01:57 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27583669 said by EGeezer:

Stuart, you may like this configuration example;

Thanks. My router doesn't implement all the features described in that clip but I now have VLAN's up and going :)

PC's (no wi-fi anymore--all cabled) in one.
Wi-fi stuff in another.
VOIP in another.

I may have to tweak things a little but I think my LAN is more secure :)
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27583669 Tue, 02 Oct 2012 17:56:19 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27582436 said by norwegian:

There seems to be a few areas of concern for any network that is relevant now.

1. ARP
2. File sharing
3. Exploits
4. Infection

There maybe more, but these would have to be the initial concerns?

1. not with the level of configuration of gear that is available at the local electronics shop.
You're basically looking at stuff like Dynamic ARP Inspection, 'sticky' MAC addresses, (private) VLANs,
and a few other things that are not available at the consumer level, and at the Enterprise level is
in the neighborhood of $10K or more

Points 2 to 4 I'll leave to other ppl that have already posted.

said by norwegian:

So I tried a discussion in hopes I could view or review protocols to help understand more generally about setting up networks securely from starting with locking down a router and using it to it's full potential.

Here's my breakdown of security from a network-view

Layer 1 / Physical : no physical access to the router / cables, console / remote access disabled
Layer 2 / Logical : see my point above, but it goes back to knowing WHO and WHAT is on the LAN, especially that
pesky "unknown computer" in Windows Network Neighborhood"
Layer 3 / Network : alittle more involved, unless you have a very customizable rig / setup.
Layer 4 / Transport : also alittle more involved, but basically knowing WHAT programs / traffic is running around the
network, both INbound and OUTbound. Some basic stuff would be knowning commands like 'netstat,' etc.
Layer 5 - 7 : Application : As others have said, up-to-date system and patches, anti-virus, anti-malware, etc.
maintaining current backups, strong passwords and the like, AND MAINTAINING LOGS of what's going on.

My 00000010bits

Regards]]> http://www.dslreports.com/forum/Re-Router-security-27582436 Tue, 02 Oct 2012 13:50:58 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27578509
I wonder whether you can use WPA2-Enterprise mixed and it would work with the smartphones? I have not tested this. After some checking, I think this probably would not work, either. I also found some commentary about WPA2-Enterprise and Apple iOS5 having issues with connecting.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.]]> http://www.dslreports.com/forum/Re-Router-security-27578509 Mon, 01 Oct 2012 14:21:17 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27578485 said by rcdailey:

Do I understand you to mean that the smartphones, etc., do not have WPA2 enterprise support?

That has been my experience. I've not seen the ability to configure 802.1x RADIUS authentication on the devices I've encountered. ]]> http://www.dslreports.com/forum/Re-Router-security-27578485 Mon, 01 Oct 2012 14:14:02 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27578469 --
It is easier for a camel to put on a bikini than an old man to thread a needle.]]> http://www.dslreports.com/forum/Re-Router-security-27578469 Mon, 01 Oct 2012 14:10:37 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27578392

»www.youtube.com/watch?v=tbG9YboATvA

I See ZyXel has a SOHO router line that supports both VLAN and imbedded RADIUS server.

See »www.zyxel.com/products_services/···html?t=p

Also see discussion at

»VLAN routing help needed (USG50)

The big problem I have with my RADIUS implementation is that I can't configure smartphones, tablets, printers etc. to connect . They don't seem to have any WPA2 enterprise support.

]]> http://www.dslreports.com/forum/Re-Router-security-27578392 Mon, 01 Oct 2012 13:51:47 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27578366 said by EGeezer:

I suggest investigating VLANs as a possible security feature.

That's what I'm considering doing as my router supports VLAN's.

But as you said it's not trivial to configure and I want to think about the implications (what can talk to what etc) before I dive in.
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27578366 Mon, 01 Oct 2012 13:41:15 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27578343
Configuration isn't a trivial matter, but once it's set up, it's low maintenance.

Here's a couple of educational links to review the subject;

»computer.howstuffworks.com/lan-switch15.htm

See »www.cisco.com/web/about/ac123/ac···ion.html

For a nice discussion on wireless router hardening, see
»Harden your router/AP in five steps ]]> http://www.dslreports.com/forum/Re-Router-security-27578343 Mon, 01 Oct 2012 13:32:13 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27578295 --
It is easier for a camel to put on a bikini than an old man to thread a needle.]]> http://www.dslreports.com/forum/Re-Router-security-27578295 Mon, 01 Oct 2012 13:18:28 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27578252
The key remains LAN access, doesn't it. How does one log onto the LAN, users and user levels, passwords, etc? If it is easy to log onto the LAN locally, then once the wifi connection and strong password are known, logging onto the LAN will also be easy, won't it?
--
It is easier for a camel to put on a bikini than an old man to thread a needle.]]> http://www.dslreports.com/forum/Re-Router-security-27578252 Mon, 01 Oct 2012 13:08:21 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27578228 said by workablob:

Disable WPS if you can.

Agreed. WPS is broken.

»WiFi Protected Setup PIN brute force vulnerability

Fortunately my (older) router doesn't support WPS.
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27578228 Mon, 01 Oct 2012 13:01:18 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27578163
Linksys gives the illusion of allowing one to disable it but it is just an illusion.

DDWRT will let you do it.

Dave
--
I may have been born yesterday. But it wasn't at night.]]> http://www.dslreports.com/forum/Re-Router-security-27578163 Mon, 01 Oct 2012 12:42:10 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27578101 --
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27578101 Mon, 01 Oct 2012 12:26:25 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27577305 said by norwegian:

Okay, this is where "Security by Obscurity" comes into play...

There's no such thing on the internet. It doesn't matter where you live, New York city or a shack in Siberia, you will be found,
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27577305 Mon, 01 Oct 2012 08:42:27 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27577295 said by norwegian:

Still it is not a simple 5 minute job eiter?

No it isn't. It's up to you as to how serious you want to be about security.

I don't know how many people configure their own firewall(s), incoming and outgoing, but I've been doing it since getting my first (non-integrated) router in 2000 or so.

I bought and read this book as a guide.

Building Internet Firewalls

Also I have a Syslog server that logs stuff. Again it's up to you how far you want to go but most of the effort is one-time.
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27577295 Mon, 01 Oct 2012 08:38:32 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27577084 said by Juggernaut:

Yes. I have my own router, and my ISP's modem. And no, it's not a hard task.

I guess my problem is:

Modem is broken, invested in an all in one - Bob2

I have an old modem Netcomm 4+ replaced with Dlink (started playing up) to work with. I also have a Belkin wireless router and a plain router.

Maybe I need to revisit using the old gear or turning off the wireless in Bob2 and making it a bridge to the next router. Bit of playing around but might be worth looking at.

Whether it stops the beeps who knows, but this Bob2 modem/wireless router does have a beep no other hardware had.
Guess I need to test electrical currents to see if there is an issue for the hardware there.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/Re-Router-security-27577084 Mon, 01 Oct 2012 02:26:06 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576987 --
Better to have it and not need it, then need it and not have it.]]> http://www.dslreports.com/forum/Re-Router-security-27576987 Mon, 01 Oct 2012 00:15:51 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576972 said by KodiacZiller:

said by norwegian:

Hiding the SSID does nothing?

Absolutely nothing. Any war-driver with Backtrack can sniff hidden SSID's by default. Just about all war-driving software on any platform can do it.

Interesting that you bought this up.

Found this interesting:-

»www.youtube.com/watch?v=xuO5X1KlPDE
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/Re-Router-security-27576972 Mon, 01 Oct 2012 00:09:42 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576969 Okay, this is where "Security by Obscurity" comes into play - if your firewall is ping able or not really makes no difference to the end result. Hidden or not you have to be track-able to some extent (without talking proxies). ]]> http://www.dslreports.com/forum/Re-Router-security-27576969 Mon, 01 Oct 2012 00:06:14 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576925 said by norwegian:

Hiding the SSID does nothing?

Absolutely nothing. Any war-driver with Backtrack can sniff hidden SSID's by default. Just about all war-driving software on any platform can do it.

said by norwegian:

Setting specific MAC address filtering is not worth a concern?
Can you elaborate on this, as setting MAC addressing was 1 of my "to do" jobs but you suggest I'm wasting my time, I gather because they can be spoofed?

What happens is an attacker will sit outside and use a tool like ethereal to sniff the traffic on your network. While he can't actually see the data (since it is encrypted) he can see other information like the MAC addresses of clients. So, once he determines what the legit MAC addresses are, he runs a tool like ifconfig and changes his own MAC to match yours. It's trivial and only takes a minute.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999]]> http://www.dslreports.com/forum/Re-Router-security-27576925 Sun, 30 Sep 2012 23:34:02 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576905 --
Better to have it and not need it, then need it and not have it.]]> http://www.dslreports.com/forum/Re-Router-security-27576905 Sun, 30 Sep 2012 23:22:05 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576898 said by Juggernaut:

That's an important part.

But, if it's your telco's unit, they have a backdoor to reset it for access. Better to have your router in between it, and your network.

So I should have set up my own router and wireless access point and not gone the path of "bundled package". Even if it does leave me to diagnose my own hardware which I think isn't a hard task.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/Re-Router-security-27576898 Sun, 30 Sep 2012 23:16:01 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576894 said by Juggernaut:

One other thing to do, as it seems to have been missed. Use a SW FW as well, to stop stuff from going out. It's another layer for security.

said by StuartMW:

And/or configure your own (custom) outgoing firewall rules in your router.

I do have a firewall on all items, but to set serious filtering is a big task, software needs configuring, Microsoft services needs configuring, etc, etc.

I hear just allowing udp port 53 for DNS and UDP/TCP on port 80 for Internet is a good start.

Still it is not a simple 5 minute job eiter?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/Re-Router-security-27576894 Sun, 30 Sep 2012 23:13:32 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576886

said by KodiacZiller:

said by norwegian:

2. Hide SSID and only show it to allow the connection to happen before hiding it, use WPA2 as well.

Hiding the SSID has zero benefit.

Hiding the SSID does nothing?

said by KodiacZiller:

said by norwegian:

2. Set specific MAC addresses.

MAC filtering has little if any benefit.

Setting specific MAC address filtering is not worth a concern?
Can you elaborate on this, as setting MAC addressing was 1 of my "to do" jobs but you suggest I'm wasting my time, I gather because they can be spoofed?

said by KodiacZiller:

The best steps you can take to secure a router are:

1) Set a strong WPA2 password.

2) Turn off any remote administering of the router unless you really need it.

This I have done.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/Re-Router-security-27576886 Sun, 30 Sep 2012 23:08:16 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576878 said by Juggernaut:

But, if it's your telco's unit, they have a backdoor...

And if they do so does ASIO/The NSA/et al :( But if you have a "Bob2" that's a given.
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27576878 Sun, 30 Sep 2012 23:05:49 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576874
But, if it's your telco's unit, they have a backdoor to reset it for access. Better to have your router in between it, and your network.
--
Better to have it and not need it, then need it and not have it.]]> http://www.dslreports.com/forum/Re-Router-security-27576874 Sun, 30 Sep 2012 23:03:32 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576867 said by Juggernaut:

Even if you spoof a MAC to a 'known' device, if the router is secured, you still need to have the login, and PW to gain access to WIFI, or the router.

If it is not secured, and have only a MAC filter, you're toast. You can spoof a MAC with a program. WIFI (and blue tooth) broadcasts them.

This is set up with a default SSID but the passphase is my own.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/Re-Router-security-27576867 Sun, 30 Sep 2012 22:59:29 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576858 --
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27576858 Sun, 30 Sep 2012 22:57:29 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576855 --
Better to have it and not need it, then need it and not have it.]]> http://www.dslreports.com/forum/Re-Router-security-27576855 Sun, 30 Sep 2012 22:55:18 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576851 said by norwegian:

I didn't just want a "my bob2 is beeping it is infected" topic.

If it starts beeping rapidly I'd be inclined to, um, run :D
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27576851 Sun, 30 Sep 2012 22:54:28 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576849 said by StuartMW:

Sounds like you have an integrated modem/router from your ISP. My LAN is behind another 3rd party router. I don't trust what an ISP provides. That has been discussed here before ~~(too lazy to find a link right now)~~.

»Re: Do you trust AT&T with your security?

It is a Bob2 supplied by the vendor.

I have another router here, but had troubles setting up the second router, or understanding what security needs to be in place with the addressing and configurations. We discussed piggy backing routers here once or twice and consensus was equally bad v's good for this method. I doubt turning it into a bridge would help my wireless clients with protection.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/Re-Router-security-27576849 Sun, 30 Sep 2012 22:53:24 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576840 said by Shady Bimmer:

The router/firewall is a layer of protection for the network, which itself is inherently insecure with many points of vulnerability.

Which I am learning more about from the discussion, even though it its the router that seems to be the centre of attention for me.

I didn't just want a "my bob2 is beeping it is infected" topic. These tend to be closed down rather quickly. So I tried a discussion in hopes I could view or review protocols to help understand more generally about setting up networks securely from starting with locking down a router and using it to it's full potential.

Sorry to all if I've mislead you a little.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/Re-Router-security-27576840 Sun, 30 Sep 2012 22:48:43 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576816 --
Better to have it and not need it, then need it and not have it.]]> http://www.dslreports.com/forum/Re-Router-security-27576816 Sun, 30 Sep 2012 22:38:40 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576815 said by Shady Bimmer:

WPA = Wi-Fi Protected Access, the next-generation security protocol after WEP. WPA has been deemed weak against brute-force attacks.

Only partially true. WPA only has weaknesses when used in TKIP mode. If you enable CCMP/AES mode, those weaknesses do not exist.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999]]> http://www.dslreports.com/forum/Re-Router-security-27576815 Sun, 30 Sep 2012 22:38:26 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576809 (too lazy to find a link right now).

»Re: Do you trust AT&T with your security?
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27576809 Sun, 30 Sep 2012 22:35:34 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576808 said by norwegian:

I'm gathering at some point if internally infected, an external computer that is communicating back and forth can spoof the internal MAC address and the router will then allow more communication? Not quite DMZ status but it would surely be close?

Even if you spoof a MAC to a 'known' device, if the router is secured, you still need to have the login, and PW to gain access to WIFI, or the router.

If it is not secured, and have only a MAC filter, you're toast. You can spoof a MAC with a program. WIFI (and blue tooth) broadcasts them.
--
Better to have it and not need it, then need it and not have it.]]> http://www.dslreports.com/forum/Re-Router-security-27576808 Sun, 30 Sep 2012 22:35:27 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576806 said by norwegian:

2. Hide SSID and only show it to allow the connection to happen before hiding it, use WPA2 as well.

Hiding the SSID has zero benefit.

2. Set specific MAC addresses.

MAC filtering has little if any benefit.

The best steps you can take to secure a router are:

1) Set a strong WPA2 password.

2) Turn off any remote administering of the router unless you really need it.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999]]> http://www.dslreports.com/forum/Re-Router-security-27576806 Sun, 30 Sep 2012 22:33:20 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576801 said by Shady Bimmer:

The (long) thread posted immediately after this initial post is a worthwhile read. On that, and the rest of the thread, is the question one of gaining access to the router/firewall itself, or one of gaining access to the network? Bypassing consumer router/firewalls to gain access to a network is often easier than gaining access to the router/firewall itself.

It may end up being more about this.

The initial question though was about this:
The router a Bob2 has started beeping, dual beeps every now and then. I assumed it was a hardware issue. Tech support have given me a new one and as soon as it plugged in and was configured it started beeping too. If there is a sudden one off bug of the Bob2 and is a genuine hardware/firmware issue, I'm gathering it will get picked up soon enough as I will be reopening the tech support ticket.

If it is relative to something on my network causing this, it is my problem not the ISP's?

While this is all happening I thought it best to consult with the good people here about what can and cannot be a part of the new (less than a month old phenomenon.) So there maybe the 2 points to be concerned with, not just router security. Thirst for knowledge does not come from 1 direction only, so bare with me, I'm not sure where the topic is heading - I will however try to keep my own questions on topic too.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/Re-Router-security-27576801 Sun, 30 Sep 2012 22:30:36 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576792 said by norwegian:

Doesn't DHCP use NetBIOS?

No. Having it enabled allows you to "browse" your network but is that necessary? It is easy enough to create network shortcuts to shared folders and disable NetBIOS.

2. Home networks is a Microsoft term, what of Apple (Ipods, Ipads, MacBooks), WD Live stream and all other types of hardware relying on network connections via the router/switch etc?

I don't know but I'd only enable what you really need.
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27576792 Sun, 30 Sep 2012 22:24:00 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576780 said by norwegian:

You mean something like this?
...

Well if you share USB sticks I'd disable AutoRun for sure. Also set your A/V to scan removable drives.

As Anav

said this is a common trick. I think the Stuxnet virus made it's way to Iranian PC's via a USB stick.
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27576780 Sun, 30 Sep 2012 22:18:19 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576779 said by Juggernaut:

All of the connected HW should be visible in your router interface. Wireless, and wired.

I've found the location in the router for that and once everything is set up I will try to apply this comment of yours.

MAC's are easily spoofed.

I'm gathering at some point if internally infected, an external computer that is communicating back and forth can spoof the internal MAC address and the router will then allow more communication? Not quite DMZ status but it would surely be close?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/Re-Router-security-27576779 Sun, 30 Sep 2012 22:18:12 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576761
In the early days all my cabled LAN's were manually configured for the network and DHCP, DNS services were turned off.
Now to the present and wireless:
Doesn't DHCP use NetBIOS? I know once I have enough of a play with the wireless I could look at all connections being mapped to specific addresses to stop DHCP etc which would allow turning off services such as NetBIOS, WINS, LMHOSTS etc
But routers do not allow configuration like in this Microsoft Article on NetBIOS

2. Home networks is a Microsoft term, what of Apple (Ipods, Ipads, MacBooks), WD Live stream and all other types of hardware relying on network connections via the router/switch etc?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

]]> http://www.dslreports.com/forum/Re-Router-security-27576761 Sun, 30 Sep 2012 22:11:34 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576737 said by norwegian:

Not sure where this will take me - call it curiosity.
Which is the easiest to attack a router, the inside or the outside?

The (long) thread posted immediately after this initial post is a worthwhile read. On that, and the rest of the thread, is the question one of gaining access to the router/firewall itself, or one of gaining access to the network? Bypassing consumer router/firewalls to gain access to a network is often easier than gaining access to the router/firewall itself.

An attack on a router/firewall would typically have little benefit other than to then use this access to gain access to the internal (protected) network. Finding a path around the router protection, at least in the consumer router/firewall case, is typically easier than finding an exploit to the router itself.

It might be worthwhile to remember a few years ago where many institutions were infected with a fast-propagating worm that leveraged a windows vulnerability. The perimeter security (dual-layer firewalls in conjunction with router ACLs) was useless and was never attacked itself in any of those cases.

The router/firewall is a layer of protection for the network, which itself is inherently insecure with many points of vulnerability.]]> http://www.dslreports.com/forum/Re-Router-security-27576737 Sun, 30 Sep 2012 22:01:32 EDT Re: Router security http://www.dslreports.com/forum/Re-Router-security-27576731 said by norwegian:

1. ARP

Not sure you can do much about ARP poisoning on a home network.

2. File sharing

I'd turn off Home Groups (or whatever Microsoft calls them) for sure. Enable simple password protected file sharing with limted folders if you wish to transfer between machines.

3. Exploits

Disable NetBIOS. You don't really need it.

4. Infection

Use an A/V you like and keep it up-to-date.

Then there's the obvious (hopefully) stuff. Don't click on links without knowing where they go. Don't download from warez etc.
--
Don't feed trolls--it only makes them grow!]]> http://www.dslreports.com/forum/Re-Router-security-27576731 Sun, 30 Sep 2012 21:56:59 EDT