Thanks Bricker. My ignorance is being fought. I just didn’t know. There really are evil forces out there looking to hijack wifi.
The real question is, what do I do?
I don’t know if I’m WEP or WPA or WAP or WIMP.
I’m just using whatever defaults my Linksys router wifi thingie came with.
Of course, the chances that the neighbors’ cows are hijacking my wifi are slim, but should I be worried?
[QUOTE=Bricker]
My concern isn’t so much my internal network. In fact, I’d say that there’s very little on my network that’s vulnerable to attack, since I stay fully patched and impose reasonably strict security settings via GPO to all my internal Win machines and keep my Linux boxes pretty hardened.
My concern is an attacker using my connection for outbound traffic. Your proposed configuration would still permit that.
Also, I’m not sure what you mean when you say “In your router’s DMZ.” There’s only one internal network. Let’s say I set up a second WAP. Setting up a DMZ on the router typically refers to using NAT port-forwarding to direct all incoming, otherwise unassigned traffic to a particular device. But the device itself is still part of the Layer 2 internal broadcast domain.
In other words, if I set up a second WAP, without physically isolating it, then what would stop it from getting to my internal network?
[/QUOTE]
My understanding of a DMZ is that it was isolated from the network so that accessing that piece of kit (server or access point) wouldn’t allow access to the non-DMZ resources on the network.
And yeah, I’m in total agreement with both your concerns and with the mind-bogglingly dumb decision on Nintendo’s part to not update the DS with WPA encryption.
There are ways to mitigate the problems–yours is more effort than I was putting in, but on the other hand I’m logging traffic and paging myself on new IP addresses showing as source addresses–e-mail-to-SMS gateways are wonderful for that; that, combined with fixed DHCP leases, makes for instant peace of mind.
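As an added illustration of the log-and-page approach in the post above (example code written for this page, not anything posted by a participant in the thread): the script below parses netfilter-style LOG lines from a gateway, compares each source address on the inside interface against a table of fixed DHCP leases, and produces one alert per new (IP, MAC) pair that could be handed to an e-mail-to-SMS gateway. It also catches a case a plain "new IP" check misses, a leased address arriving from the wrong MAC. The interface name, lease table, MAC addresses and log lines are all constructed for the example.

```python
"""Alert on unexpected source addresses in gateway firewall logs.

Added example for this thread, not code from any poster. Assumes
netfilter LOG output (IN=, MAC=, SRC=, DST= fields) and a table of
fixed DHCP leases; every address, MAC and log line here is constructed.
"""
import re

# Fixed DHCP leases: the only hosts that should ever show up as source
# addresses on the inside interface. Constructed sample data.
FIXED_LEASES = {
    "192.168.1.10": "00:11:22:aa:bb:01",   # desktop
    "192.168.1.11": "00:11:22:aa:bb:02",   # laptop
    "192.168.1.12": "00:11:22:aa:bb:03",   # the WEP-only DS
}

INSIDE_IF = "eth1"   # assumed name of the LAN/WAP-facing interface

# netfilter LOG lines carry MAC= as dst(6):src(6):ethertype(2), 14 octets.
_LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?MAC=(?P<mac>(?:[0-9a-f]{2}:){13}[0-9a-f]{2}) "
    r".*?SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (iface, src_ip, src_mac) or None if the line is not a LOG entry."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    octets = m.group("mac").split(":")
    src_mac = ":".join(octets[6:12]).lower()   # bytes 7..12 are the source MAC
    return m.group("iface"), m.group("src"), src_mac


def check_lines(lines, leases=FIXED_LEASES, inside_if=INSIDE_IF):
    """Return one alert per new (ip, mac) pair seen on the inside interface.

    Flags two conditions:
      - "unknown-ip":   a source IP with no fixed lease (a new device)
      - "mac-mismatch": a leased IP arriving from an unexpected MAC
                        (someone squatting on a known address)
    Each pair is reported once, so a chatty intruder costs one page, not hundreds.
    """
    seen = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        iface, ip, mac = parsed
        if iface != inside_if:
            continue            # traffic arriving from the outside is not our concern here
        expected = leases.get(ip)
        if expected is None:
            kind = "unknown-ip"
        elif expected.lower() != mac:
            kind = "mac-mismatch"
        else:
            continue            # known host, known hardware address
        key = (ip, mac)
        if key in seen:
            continue
        seen.add(key)
        alerts.append({"kind": kind, "ip": ip, "mac": mac})
    return alerts


def sms_text(alert, limit=160):
    """Format an alert to fit a single SMS segment for an e-mail-to-SMS gateway."""
    text = f"wifi {alert['kind']}: {alert['ip']} from {alert['mac']}"
    return text[:limit]


# Constructed sample log lines: known host, an intruder twice, the intruder
# squatting on the DS's leased address, an outside-interface line, and a
# dhcpd line that is not a LOG entry at all.
SAMPLE_LOG = [
    "Jan  5 20:01:13 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:11:22:33:00:11:22:aa:bb:01:08:00 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51000 DPT=443",
    "Jan  5 20:02:40 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:11:22:33:00:1f:3b:de:ad:01:08:00 SRC=192.168.1.77 DST=198.51.100.9 LEN=52 PROTO=TCP SPT=40001 DPT=80",
    "Jan  5 20:02:41 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:11:22:33:00:1f:3b:de:ad:01:08:00 SRC=192.168.1.77 DST=198.51.100.9 LEN=52 PROTO=TCP SPT=40002 DPT=80",
    "Jan  5 20:05:02 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:11:22:33:00:1f:3b:de:ad:01:08:00 SRC=192.168.1.12 DST=203.0.113.20 LEN=60 PROTO=UDP SPT=6112 DPT=6112",
    "Jan  5 20:06:15 gw kernel: IN=eth0 OUT= MAC=00:0c:29:44:55:66:00:aa:bb:cc:dd:ee:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4444 DPT=22",
    "Jan  5 20:06:20 gw dhcpd: DHCPACK on 192.168.1.10 to 00:11:22:aa:bb:01 via eth1",
]

if __name__ == "__main__":
    for alert in check_lines(SAMPLE_LOG):
        print(sms_text(alert))
```

Feeding the gateway's live log to `check_lines` (for example by tailing the kernel log) and piping each `sms_text` result to a mail command addressed at the carrier's gateway reproduces the pager setup; the MAC check is what keeps a visitor from hiding behind one of the fixed-lease addresses.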
[QUOTE=Scylla]
Thanks Bricker. My ignorance is being fought. I just didn’t know. There really are evil forces out there looking to hijack wifi.
The real question is, what do I do?
I don’t know if I’m WEP or WPA or WAP or WIMP.
I’m just using whatever defaults my Linksys router wifi thingie came with.
Of course, the chances that the neighbors’ cows are hijacking my wifi are slim, but should I be worried?
[/QUOTE]
How long was the password you had to type in to use your wireless?
As for what the threats are, the easiest way to tell is to take your laptop outside when you’re bored and see how far away you can walk with it and still get a signal. That’ll tell you how close someone has to be to your house, give or take (I’d add 25-40% to be safe unless I knew my laptop had a particularly high-gain antenna.)
You mention your neighbors’ cows, so I assume you’re pretty rural. Nonetheless, you might be surprised–I’ve picked up signals from standard wireless boxes (there are nearby restaurants that offer free wi-fi and have visible Linksys hardware when I patronize them) from 200 yards or more away without any particular special gear or effort.
[QUOTE=Szlater]
My understanding of a DMZ is that it was isolated from the network so that accessing that piece of kit (server or access point) wouldn’t allow access to the non-DMZ resources on the network.
Maybe I need to do some more reading.
[/QUOTE]
He’s not using a router, he’s using a custom solution. It also doesn’t prevent the DMZ from communicating with outside servers–in fact, the point of a DMZ is to facilitate that. Since his primary worry isn’t “data theft/hacking” but rather “people using my connection for illegal acts”, DMZ won’t help.
[QUOTE=Scylla]
Thanks Bricker. My ignorance is being fought. I just didn’t know. There really are evil forces out there looking to hijack wifi.
The real question is, what do I do?
I don’t know if I’m WEP or WPA or WAP or WIMP.
I’m just using whatever defaults my Linksys router wifi thingie came with.
Of course, the chances that the neighbors’ cows are hijacking my wifi are slim, but should I be worried?
[/QUOTE]
It depends. I’m in a suburban neighborhood, on a lot that measures 60 feet by 160 feet. There are probably eight to twelve houses in my wifi range, and in at least one of them is someone that knows how to break WEP.
If you’re physically separated from your neighbors, such that (as you hint, or as Zeriel achieves with his aluminum siding) no one could be close enough to grab your signal without your seeing them, then there’s really no need to worry. I’m not worried about Black Hats in vans leeching my signal; it’s a neighbor kid with a Linux box and time to play that is most likely my nemesis.
When I set up my in-laws’ wireless system in the Dominican Republic, I used no encryption at all. House construction there is basically solid concrete walls – when you live in a place that has earthquakes and hurricanes, you build solid or rebuild frequently – and their signal doesn’t even reach through their house, much less outside.
But if you have neighbors in reach, then I’d say you should be worried enough to use WPA encryption.
[QUOTE=Bricker]
Thank you. It’s amazing that I post a rant about why DS only supports an encryption standard so insecure it can be broken by a meth-addled retarded monkey, and everyone’s questions are, “Gee, Bricker, are you taking your computer security too seriously?”
[/QUOTE]
People are saying that because your situation is an anomaly. People just don’t hack residential Wi-Fi connections anymore. The fact that it happened to you makes you the poor 1 in a million bastard who gets hit by the lightning bolt (except if you weren’t paying attention you wouldn’t have suffered any harm anyway, so “lightning bolt” is a bit of overkill).
My router is located in a part of the house where someone would have to be sitting on my front steps to get any kind of a signal. I think I’d notice that. Of course, why they’d pass over the open networks (or the huge 24 hour network at the grocery store down the street) is beyond me.
[QUOTE=Justin_Bailey]
People are saying that because your situation is an anomaly. People just don’t hack residential Wi-Fi connections anymore. The fact that it happened to you makes you the poor 1 in a million bastard who gets hit by the lightning bolt (except if you weren’t paying attention you wouldn’t have suffered any harm anyway, so “lightning bolt” is a bit of overkill).
[/QUOTE]
Honestly, the biggest worry I have concerning connection hacking is the neighbor linux kid who’s mad because I yelled at him for hypothetically riding his bike through my garden and who thinks a visit from the FBI about child porn is just what I need to mellow out my attitude.
That is, targeted attacks on me specifically, regardless of the justification level.
More to the point, as I alluded to in my post about my personal defenses, I don’t really care about making my network impenetrable–I just want that neighbor kid to find easier ground to cover and I don’t want someone with a real or imagined grudge to be able to put me in hot water.
[QUOTE]
He’s not using a router, he’s using a custom solution. It also doesn’t prevent the DMZ from communicating with outside servers–in fact, the point of a DMZ is to facilitate that. Since his primary worry isn’t “data theft/hacking” but rather “people using my connection for illegal acts”, DMZ won’t help.
[/QUOTE]
But even with a “DMZ” set up by a commercial home router, it doesn’t isolate the internal “DMZ” node from the rest of the network. In other words, your entire internal network is switched, not routed. There are no internal routes, no Layer 3 traffic control, internal to your home, even if you have a DMZ set up.
A “DMZ” set up with a home router just manages external traffic to one node; it doesn’t stop or control internal-to-internal at all.
[QUOTE=Justin_Bailey]
People are saying that because your situation is an anomaly. People just don’t hack residential Wi-Fi connections anymore. The fact that it happened to you makes you the poor 1 in a million bastard who gets hit by the lightning bolt (except if you weren’t paying attention you wouldn’t have suffered any harm anyway, so “lightning bolt” is a bit of overkill).
[/QUOTE]
People make their own luck.
I keep my spare tire inflated, and check it every time I gas up.
Last week a co-worker missed a meeting – he got a flat and when he went to get his spare, found it, too, was flat. Now he was unlucky - no question about it. And it wasn’t a critical, be-here-or-you’re-fired meeting. But I couldn’t help thinking that in the identical set of circumstances, I’d have been on time anyway, because I check my spare tire. Now, of course other things can happen that are outside my control. I could have been broadsided by a bus or my fuel pump could have died. But my routine seeks to minimize what can go wrong. Risk management, let’s say.
So, too, here. If someone did hack my signal, either at random or (as Zeriel suggests, deliberately because, say, I had a Bush 2004 sign in the front yard) then I’d be the victim of bad luck. And when the RIAA letter or the FBI agents arrived on my front porch, I could bemoan my bad luck, and spend time, effort, and money getting it all straightened out.
Or I could engage in a bit of risk management. This stuff isn’t complicated. The Rule Against Perpetuities – THAT was complicated, which is why I didn’t consider civil law as a career. This stuff is easy to learn and fun to do, and it mitigates my risk of bad luck striking me. So why shouldn’t I do it?
What about my idea, Bricker? Visible surge protector with a glowing red rocker switch? Keep it in sight, and even if Bricker Jr fails to turn it off, you’ll notice when you pass by. Especially if the lights are off in the room.
[QUOTE=E-Sabbath]
What about my idea, Bricker? Visible surge protector with a glowing red rocker switch? Keep it in sight, and even if Bricker Jr fails to turn it off, you’ll notice when you pass by. Especially if the lights are off in the room.
[/QUOTE]
That’s actually pretty workable, especially since my wife – who is non-technical – can also be involved in the “turn-it-off-if-it’s-on” task.
[QUOTE=Bricker]
But even with a “DMZ” set up by a commercial home router, it doesn’t isolate the internal “DMZ” node from the rest of the network. In other words, your entire internal network is switched, not routed. There are no internal routes, no Layer 3 traffic control, internal to your home, even if you have a DMZ set up.
A “DMZ” set up with a home router just manages external traffic to one node; it doesn’t stop or control internal-to-internal at all.
[/QUOTE]
That depends entirely on your home router–and I thought about it and realized that the Linksys RV08s and Cisco PIX501s I’m used to are not typical for average home users. :smack:
Now that I think about it, I do remember my Westell 327W working as you describe, which is why I don’t use the DMZ function.
At home, my wife & myself both have DS’s. We also have a wired home network (Mac & PC, living together like ebony & ivory). If I shove a USB WiFi adaptor into my wife’s PC so that we can compete against other players, does this mean, basically, that we’re instantly compromising our network, and virtually rendering useless our hardware firewall?
Also, does anyone know what the range on those little USB dongles is? I was just thinking of doing it this weekend, and then this thread appeared. Dope be praised!
[QUOTE=Bricker]
I’d need to use third-party firmware on the WAP.
The configuration is sound, but I don’t have a combined WAP and router. I’m using a separate WAP and a hardened Linux box as my external interface, and it’s the thing that’s doing NATting and port-forwarding between the outside world and my internal networks.
[/QUOTE]
Oops. Yeah, I was thinking in terms of the popular WAP/router combos. When combined with third-party firmware, they can be pretty nice.
The default firmware, though… In the case of my WRT54G, it was awful. It even had trouble with PPPoE. It would drop and reconnect after couple hours. Not an issue for web browsing, but it was annoying to have my SSH sessions go kaput.
[QUOTE=Bricker]
Or I could engage in a bit of risk management. This stuff isn’t complicated.
[/QUOTE]
Hear, hear. We have wireless network security for a reason: it’s a good idea. It’s baffling to me that someone who thinks wireless security is at all important thinks that broken wireless security is good enough because “who would bother to hack my network?” This is like saying you don’t want your car to be stolen, so instead of leaving it on a busy street with the keys in it, you’ll hide it around the corner on a quiet street with the keys in it. After all, who’s going to go looking for cars with keys in them on a quiet street?
Bricker, I think your traffic filtering solution is the only one that will actually have the desired effect. I was originally going to suggest putting the WEP router on the outside and putting your current gateway behind it, which means anyone can crack your WEP and use your network connection but they can’t get to your home network, but that obviously doesn’t help since one of your goals is to make sure random hackers can’t use your internet connection at all.
[QUOTE=Dangerosa]
Possibly because the DS was released in 2003 and hasn’t really gone through significant upgrades since that point in time
[/QUOTE]
In terms of my earlier analogy, if somebody was still selling a printer that was mostly the same as the original 2003 model, I’d expect the version they sell now to have a USB port.