norwegian (Premium Member, join:2005-02-15, Outback) to Shady Bimmer

Re: Router security

said by Shady Bimmer:

The router/firewall is a layer of protection for the network, which itself is inherently insecure with many points of vulnerability.

Which I am learning more about from the discussion, even though it is the router that seems to be the centre of attention for me.

I didn't just want a "my bob2 is beeping it is infected" topic. These tend to be closed down rather quickly. So I tried a discussion in hopes I could view or review protocols to help understand more generally about setting up networks securely from starting with locking down a router and using it to its full potential.

Sorry to all if I've misled you a little.

StuartMW (Premium Member, join:2000-08-06)

said by norwegian:

I didn't just want a "my bob2 is beeping it is infected" topic.

If it starts beeping rapidly I'd be inclined to, um, run

Juggernaut (Irreverent or irrelevant?, Premium Member, join:2006-09-05, Kelowna, BC) to norwegian

One other thing to do, as it seems to have been missed. Use a SW FW as well, to stop stuff from going out. It's another layer for security.

StuartMW (Premium Member, join:2000-08-06), 1 recommendation

And/or configure your own (custom) outgoing firewall rules in your router.

norwegian (Premium Member, join:2005-02-15, Outback) to Juggernaut

said by Juggernaut:

One other thing to do, as it seems to have been missed. Use a SW FW as well, to stop stuff from going out. It's another layer for security.

said by StuartMW:

And/or configure your own (custom) outgoing firewall rules in your router.

I do have a firewall on all items, but to set serious filtering is a big task: software needs configuring, Microsoft services need configuring, etc., etc.

I hear just allowing UDP port 53 for DNS and UDP/TCP on port 80 for Internet is a good start.

Still, it is not a simple 5 minute job either?

StuartMW (Premium Member, join:2000-08-06), 2 edits

said by norwegian:

Still, it is not a simple 5 minute job either?

No it isn't. It's up to you as to how serious you want to be about security.

I don't know how many people configure their own firewall(s), incoming and outgoing, but I've been doing it since getting my first (non-integrated) router in 2000 or so.

I bought and read this book as a guide.

Building Internet Firewalls

Also I have a Syslog server that logs stuff. Again it's up to you how far you want to go but most of the effort is one-time.
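As an added example (not from any poster in this thread), the following Python models the custom outgoing ruleset discussed above: a default-deny egress allowlist for DNS (UDP 53) and web traffic, which is then replayed against constructed router log lines of the kind a syslog server would collect to show which flows the policy would have blocked. The log layout, the 192.168.1.x/192.0.2.x addresses and the inclusion of TCP 443 alongside port 80 are assumptions made here, not taken from the thread.

```python
"""Default-deny outbound policy check (added example, not from the thread).
Log format, addresses and the TCP/443 allowance are constructed assumptions."""
import re
from dataclasses import dataclass

# Egress allowlist as (protocol, destination port); anything absent is denied.
ALLOW_OUT = {("udp", 53), ("tcp", 80), ("tcp", 443)}

# Constructed log layout, loosely modelled on iptables-style router syslog lines.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line):
    """Extract the outbound flow from one log line; None if the line doesn't match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Flow(m["src"], m["dst"], m["proto"].lower(), int(m["dpt"]))

def is_allowed(flow, allow=ALLOW_OUT):
    """Default deny: a flow passes only if its (proto, port) pair is allowlisted."""
    return (flow.proto, flow.dport) in allow

def audit(lines, allow=ALLOW_OUT):
    """Return the flows in the log that the egress policy would have blocked."""
    return [f for f in map(parse_flow, lines) if f is not None and not is_allowed(f, allow)]

# Constructed sample lines: two legitimate flows, two the policy stops, one non-flow line.
SAMPLE_LOG = [
    "router kernel: OUT=eth0 SRC=192.168.1.20 DST=192.0.2.53 PROTO=UDP SPT=51234 DPT=53",
    "router kernel: OUT=eth0 SRC=192.168.1.20 DST=192.0.2.80 PROTO=TCP SPT=51235 DPT=443",
    "router kernel: OUT=eth0 SRC=192.168.1.31 DST=192.0.2.25 PROTO=TCP SPT=51236 DPT=25",
    "router kernel: OUT=eth0 SRC=192.168.1.42 DST=192.0.2.99 PROTO=TCP SPT=51237 DPT=6667",
    "router kernel: link up on eth0",  # not a flow record, must be ignored
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"blocked: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Swapping in your own allowlist and real log lines is the one-time setup the post refers to; the audit then shows what your outgoing rules would actually stop.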

EGeezer (Premium Member, join:2002-08-04, Midwest) to norwegian, 1 recommendation

I suggest investigating VLANs as a possible security feature. It essentially lets you define specific paths between specific points and a trunk connection to border routers or shared printers. Since VLAN switches provide layer 2 data link level switching, they are impervious to many of the LAN side malware spreading exploits extant today.

Configuration isn't a trivial matter, but once it's set up, it's low maintenance.

Here's a couple of educational links to review the subject:

»computer.howstuffworks.c ··· ch15.htm

See »www.cisco.com/web/about/ ··· ion.html

For a nice discussion on wireless router hardening, see
»Harden your router/AP in five steps

StuartMW (Premium Member, join:2000-08-06)

said by EGeezer:

I suggest investigating VLANs as a possible security feature.

That's what I'm considering doing as my router supports VLANs.

But as you said it's not trivial to configure and I want to think about the implications (what can talk to what etc) before I dive in.

EGeezer (Premium Member, join:2002-08-04, Midwest), 1 edit

Stuart, you may like this configuration example:

»www.youtube.com/watch?v= ··· 9YboATvA

I see ZyXEL has a SOHO router line that supports both VLAN and embedded RADIUS server.

See »www.zyxel.com/products_s ··· html?t=p

Also see discussion at

»VLAN routing help needed (USG50)

The big problem I have with my RADIUS implementation is that I can't configure smartphones, tablets, printers etc. to connect. They don't seem to have any WPA2 enterprise support.

rcdailey (Dragoonfly, Premium Member, join:2005-03-29, Rialto, CA)

Do I understand you to mean that the smartphones, etc., do not have WPA2 enterprise support? I think that must be true, as I have not seen that available in smartphones that I allowed. They do support WPA2 (non-enterprise).

EGeezer (Premium Member, join:2002-08-04, Midwest)

said by rcdailey:

Do I understand you to mean that the smartphones, etc., do not have WPA2 enterprise support?

That has been my experience. I've not seen the ability to configure 802.1X RADIUS authentication on the devices I've encountered.

rcdailey (Dragoonfly, Premium Member, join:2005-03-29, Rialto, CA), 3 edits

OK, that's what I thought. The router I have dealt with in this situation can support VLAN and also WPA2-Enterprise, but all those smartphones don't understand WPA2-Enterprise.

I wonder whether you can use WPA2-Enterprise mixed and it would work with the smartphones? I have not tested this. After some checking, I think this probably would not work, either. I also found some commentary about WPA2-Enterprise and Apple iOS5 having issues with connecting.

StuartMW (Premium Member, join:2000-08-06) to EGeezer, 1 recommendation

said by EGeezer:

Stuart, you may like this configuration example:

Thanks. My router doesn't implement all the features described in that clip, but I now have VLANs up and going.

PC's (no wi-fi anymore--all cabled) in one.
Wi-fi stuff in another.
VOIP in another.

I may have to tweak things a little, but I think my LAN is more secure.

EGeezer (Premium Member, join:2002-08-04, Midwest)

said by StuartMW:

... but I now have VLANs up and going.

PC's (no wi-fi anymore--all cabled) in one.
Wi-fi stuff in another.
VOIP in another.

I may have to tweak things a little, but I think my LAN is more secure.

Woohoo! Virtual beer for you!

StuartMW (Premium Member, join:2000-08-06), 1 recommendation

said by EGeezer:

Virtual beer for you!

Thanks for the offer, but I have the real stuff in the fridge.