If you still think wireless security is useless because you have nothing to hide ...

"Nope every client needs to send a handshake every so often "

Right, but I am not sure I am understanding, or you are not understanding my question. I have ONE laptop that connects to ONE wireless router, a few hours a week. If that laptop is turned off, then the router won't be doing anything, and there will be no clients, so no traffic to pick up on, right?

Just trying to be clear, as I do not want to have misunderstandings about security.

--Dan

Yes as long as there are no other clients. Not sure I would even bother with wifi if all I had was one client ;) Many people tend to have several devices as clients such as smartphones, laptops, networked media players, game consoles, Bluray players, DVRs, etc.

If you think disabling SSID makes your system more secure go for it, but please be clear in understanding it does not actually increase the security of your network one bit. Since you are running WPA, why bother with disabling SSID? It does not make sense to me.

I never said I was running WPA... ;-)

It's been a while, I actually have no idea what I am running (no one asked).

--Dan

Oh, well then you really should be running WPA if you are at all concerned about the security of your network.
 
I can't even imagine only one device on wifi... We have iPhones, iPod Touch, eReaders, iPad, Insignia Infocast, Sony Dash, Wii, network cameras, wifi phones; netbook, laptops, digital picture frames, etc... The number of devices on my home network is scary.

Hmm... I have my PS3 (PSN was recently hacked so no safeguard there :) )... and my Droid.. that's about it.
 
I am a really big "wired" guy. When we built the house, I ran 6-10 cat5e wires to EACH room. If you can't find a convenient jack, you haven't looked! The only reason I use wireless for my laptop is because the laptop is dying. The Ethernet port is flaky...if you move the wire in it the wrong way, you get disconnected. So, I use the wireless...

The other 3 PCs in the house are wired. Printer is wired. My phone just connects through the SSH over the internet. So, I have no motivation to do it. Everything gigabit. Gotta love the speed! Especially since I am now running Win7 on all the machines in the house that can support it. I've been clocking about 70-105 meg/sec. In my area, even if I had the proper wifi cards / router, etc., with the saturation there is no way I'd get that kind of speed.

I guess by comparison, I've got a pretty light network. For the sake of completeness, I'll take a look at the wifi settings and see what I am using (WPA-wise).

Thanks for the tip!

--Dan
 
My ISP plan (AT&T DSL) provides five static IP addresses. I got this package many years ago because I had someone VPN'ing into my LAN to get to a particular server and I didn't want to use a dynamic DNS service. When I look at the WAN config on the router, it doesn't provide a place to enter a static IP address. It is a PPPoE connection. But my WAN IP address hasn't changed in over ten years.

This is a little over my head, but is there anything I can do to make my LAN more secure by utilizing the "unused" static IP addresses in some way? Maybe have an additional wireless router that uses a different static IP address? If there is something I can do, please provide the "hardware layout" as well.

I'm thinking about dropping back to a dynamic IP address plan to save about $15/month since I really don't need the static IP address anymore, but if there are other things I can do with the static plan (especially from a security standpoint), I would consider keeping it.

Thanks,
Ira
 
When I had DSL in Florida with Verizon they provided a Westell combo modem. It was a "do all" device (switch, firewall and AP) which would let you do the multiple static addressing with PPPoE. That was around 10 years ago or so.
 
Hi Ira,

I'm not going to be able to get into all the specifics at the moment, but I've done what you're describing in small office environments. Typically what we would do is set the modem into Bridge mode where it literally just handled the PPPoE connection and handshake, then we'd put better routers just behind them. Typically this would be used only when you have multiple services that need the same port (2 web-sites or applications, or direct internet access by more than one device).

The good news is that with a setup like that, there's a good chance of you being allowed to host on port 80 if you wanted - this is generally blocked for home users; so you could quite possibly set up your own web-site for personal stuff.

As far as really improving security, there are a couple ways. If you're using high-end networking equipment or at least really advanced equipment, you can create virtual interfaces and specify routing between them allowing you to have untrusted, private, and guest networks all in one - so you could connect to wireless and vpn to the secure side all on one router. What you could do in your situation is use cheaper situation and rig something up where the modem is in bridge mode connected to a 5-port switch; with a wifi router on it and a secure router - and basically build two totally isolated networks that can't talk to each other... because it'd essentially be like having two separate internet connections. Secure the wifi side with moderate security but keep anything you care about on the secure side hardwire; and vpn to that side from the wireless if you need to.

Lots of options... but for the average homeowner, normal PC security with a modern PC that's patched and up to date, along with a router using WPA for the wireless - and you don't have to worry about anything other than a targeted attack which is an odds game.


I have ATT DSL with 5 static ip addresses as well. I am doing exactly this. The modem is strictly being a modem, then a switch behind it attaches 3 secured wired routers and a fourth public (unsecured) wifi router each with its own static WAN. It has run this way for maybe 8 years and we have had no incidents. I doubt that I have ever been a "target".
 
That all sounds interesting, and I have most of the pieces already. I have a Netgear ProSafe FVS336G wired SSL VPN router connected directly to the DSL modem, so I guess the DSL modem (Efficient Networks Speedstream 5360) might be already running in bridge mode. Anyone know how to tell for sure? It's been ten years since it was installed.

Edit: Did some research and it looks like the Speedstream 5360 is only a modem/bridge. It doesn't have any routing functions, so I'm good to go.

The FVS336G supports both SSL and IPSec VPN, although I haven't set it up yet. I need to do a firmware update on it for some SSL fixes and 64-bit support. I'm also considering replacing it with a Netgear ProSecure UTM5.

I have a Netgear WND3700 wireless router attached to the FVS336G for wireless access (no WAN connection directly to the WND3700), but I have a Netgear ProSafe SRXN3205 wireless router coming in on Monday to replace it. The SRXN3205 also supports SSL and IPSec VPN.

I got a couple of Netgear ProSafe GS108T smart switches in yesterday (sorry if this is starting to sound like a Netgear advertisement) to start experimenting with VLANs.

It sounds like I can set up something very similar to what Lou Apo has. Any benefit using a smart switch between the modem and routers?

Let's say I set all this up. My wife can get to her company's LAN with a CISCO VPN client when attached to my wireless network. It will go PC -> wireless router -> switch -> DSL modem -> internet -> company LAN. When I use a wireless laptop, I can use an SSL VPN connection to tunnel into my wired LAN. If I make it a full tunnel, all internet traffic will be routed thru the UTM5 (if I get it), so my laptop connections will also be protected by the additional security features of the UTM5. That brings up two more questions...

1. Where can I put a LAN-attached (wired) printer that is defined as a "local" printer to all my PC's so that it can be used from both my wired LAN and wireless LAN?

2. Is there an easy way to establish a VPN connection during startup so it will be done "automagically", or force us to do it before connecting to the internet from a wireless device? Not really a requirement, but it would be nice, and it would be good to keep us from forgetting to do it.

I have my Elk M1, Brultech wireless device, and a couple of other HA-related devices connected to an unmanaged "industrial switch" (rated for high temp) in my attic. If I connect the unmanaged switch to a smart switch port that is set up as a VLAN, does that simply put all the unmanaged switch devices on the same VLAN?

Thanks,
Ira
 
1. Where can I put a LAN-attached (wired) printer that is defined as a "local" printer to all my PC's so that it can be used from both my wired LAN and wireless LAN?

I "built" a sort of printing / office supplies closet in the home. I redid the power in the closet, added network, telephone (fax) and shelves.

I have a laser and multifunction printer in the closet.

If you wanted to play with Linux you can build a software firewall (Smoothwall). You can hang the wireless off its own network and create a set of rules for just the wireless network.

If the Cisco VPN is using split tunneling (a security risk) then you can print to any printer on the network; if not you would have to attach a printer physically to the wireless laptop.
 
The Cisco VPN client my wife is using must be set up as split tunneling because she can print to the printer now while the client is active. The one I use on my wired PCs is split tunnel.

But if I set all this up with a switch between the DSL modem and multiple routers, multiple static IP's, etc., the wireless router and the devices attached to it will be on a separate private LAN. For example, the wired LAN will be 192.168.1.nnn and the wireless LAN will be 192.168.2.nnn. How can I have a LAN-attached printer (or NAS box, etc.) on the wired LAN be "seen" from the wireless LAN, without opening up all of the wired LAN to the wireless LAN (which defeats the purpose of all of this)? The Cisco client doesn't seem to play nice with other VPN clients, so I don't think I can have a SSL VPN tunnel open to my wired LAN while the Cisco VPN client is open to the remote company's LAN.

How about putting the printer and other "common devices" on the switch attached to the DSL modem and give them their own static IP address? Or put a third router on that switch and put common devices on that router?

Which brings up another question...using PPPoE static IP addresses in the manner discussed (LAN switch between the DSL modem and multiple routers/devices), how do you determine which IP address goes to which router/device? On my current router, there's no place to enter a WAN static IP address. There's just a button to select PPPoE. Also, if the switch attached to the DSL modem is a smart switch, what IP address does it use...one of the static IP's or a private IP from one of the attached routers?

Thanks,
Ira
 
How can I have a LAN-attached printer (or NAS box, etc.) on the wired LAN be "seen" from the wireless LAN, without opening up all of the wired LAN to the wireless LAN (which defeats the purpose of all of this)?

You can just create a separate wireless LAN and hang it off the firewall and create a set of rules in the firewall such that the wireless LAN can only see the wired LAN printer.

Assume the WAN is the Red network. The Red network is connected to the firewall (whatever you use).

Inside your house create autonomous networks and call them the blue, yellow or green networks with autonomous NICs for each network.

Then create a rule set for said "blue" network; IE: your wireless network giving it access to some stuff and not other stuff.

Historically I've dealt with Nortel and Cisco VPN clients. They work OK. Personally today they are "kludgy" and not worth the extra costs in licensing. My personal favorite though not as secure but cheap and utilized in an Enterprise environment (100K plus users) was utilizing an SSL Web based VPN client. Historically involved in its creation.

SSL VPN

It's up to you how "open" you want these networks to be and how much then each can talk to an adjacent network via the firewall.

Think of your core network as an onion; peel back the layers protecting it from the inside out.
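The zone split described in this reply (red WAN, blue wireless 192.168.2.nnn, green wired 192.168.1.nnn, with the wireless side allowed to reach only the wired printer) can be modelled as a first-match rule set. The following is an added example, not code from the thread; it is a small policy evaluator written for illustration, and the printer address 192.168.1.50 and the print ports 9100/631 are constructed assumptions.

```python
# Added example: first-match zone policy for the red/blue/green layout above.
# The printer address and ports are constructed sample values, not from the thread.
import ipaddress
from typing import NamedTuple, Optional

ZONES = {
    "blue": ipaddress.ip_network("192.168.2.0/24"),   # wireless LAN
    "green": ipaddress.ip_network("192.168.1.0/24"),  # wired LAN
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the house is the red WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "red"

class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: Optional[str]      # None matches any protocol
    dst_host: Optional[str]   # None matches any host in the zone
    dports: frozenset         # empty set matches any port
    action: str               # "accept" or "drop"

PRINTER = "192.168.1.50"      # constructed sample address for the wired printer

# Order matters: the narrow printer exception comes before the zone-wide drop.
# Return traffic from the printer to a wireless client is handled by the
# firewall's connection tracking, so no green->blue accept rule is needed.
POLICY = [
    Rule("blue", "green", "tcp", PRINTER, frozenset({9100, 631}), "accept"),
    Rule("blue", "green", None, None, frozenset(), "drop"),   # isolate wired LAN
    Rule("green", "blue", None, None, frozenset(), "drop"),
    Rule("blue", "red", None, None, frozenset(), "accept"),   # wireless to internet
    Rule("green", "red", None, None, frozenset(), "accept"),  # wired to internet
    Rule("red", "blue", None, None, frozenset(), "drop"),     # no unsolicited inbound
    Rule("red", "green", None, None, frozenset(), "drop"),
]

def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first matching rule, or drop by default."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in POLICY:
        if (r.src_zone, r.dst_zone) != (sz, dz):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dst_host is not None and r.dst_host != dst:
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action
    return "drop"  # implicit default deny, including unlisted zone pairs
```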
 