Nintendo DS Doesn't Support WPA?!?

[QUOTE=Zeriel]
That depends entirely on your home router–and I thought about it and realized that the Linksys RV08s and Cisco PIX501s I’m used to are not typical for average home users. :smack:

Now that I think about it, I do remember my Westell 327W working as you describe, which is why I don’t use the DMZ function.
[/QUOTE]

Yeah, most home routers only support one internal VLAN; even if they support multiple private LANs, they simply have a place to define an internal gateway to the other LANs.

You could create such a scheme with two standard home routers, of course. But I don’t know too many people with Cisco PIX in their homes.

(Now, since I have a Linux box doing my external-facing routing, I could add this scheme easily; all I need is another eth interface and another switch to connect it to.)

[QUOTE=ntucker]

Bricker, I think your traffic filtering solution is the only one that will actually have the desired effect. I was originally going to suggest putting the WEP router on the outside and putting your current gateway behind it, which means anyone can crack your WEP and use your network connection but they can’t get to your home network, but that obviously doesn’t help since one of your goals is to make sure random hackers can’t use your internet connection at all.
[/QUOTE]

What I have now is not a wireless router – it’s a wireless access point only; no routing.

[QUOTE=Zeriel]
Especially since WEP to WPA is, as far as I remember, a software update.
[/QUOTE]

Unless there’s some funky chipset on the DS … yeah, it should be a software update. I admit that this question is outside the bounds of my expertise, and maybe there’s some hugely convincing reason it can’t be done… but I don’t know it.

[QUOTE=ntucker]
Hear, hear. We have wireless network security for a reason: it’s a good idea. It’s baffling to me that someone who thinks wireless security is at all important thinks that broken wireless security is good enough because “who would bother to hack my network?” This is like saying you don’t want your car to be stolen, so instead of leaving it on a busy street with the keys in it, you’ll hide it around the corner on a quiet street with the keys in it. After all, who’s going to go looking for cars with keys in them on a quiet street?
[/QUOTE]

But that’s a terrible analogy as in that case, anyone can just get in the car and drive off. A better analogy would involve locking a spare set of car keys inside the car and assuming you’re safe because what are the odds of a lockpicker coming along when there are all these other cars with their keys in the ignition and other cars that have big signs on them that say “FREE!”

In that analogy, why wouldn’t you be safe?

[QUOTE=Bricker]
Unless there’s some funky chipset on the DS … yeah, it should be a software update. I admit that this question is outside the bounds of my expertise, and maybe there’s some hugely convincing reason it can’t be done… but I don’t know it.
[/QUOTE]

There is. DS hardware cannot be updated. What’s in there now is roughly the same thing that’s been in there since the system launched. And it’s not in Nintendo’s interests to change the system networking software on new DSes as this is not a dealbreaker for (nearly!) anyone considering a DS.

I am far from a security expert. That being said, why would the following not work as a reasonable safeguard against unauthorized use of the wireless network:
[ul]
[li]leave WEP on[/li]
[li]turn off SSID name broadcast[/li]
[li]filter all MACs so only the DS has wireless access[/li]
[li]turn off DHCP on the router and give every machine a static IP[/li]
[li]set the router and all static IPs to an unguessable random subnet, like 157.88.193.x[/li]
[/ul]

I mean, I’m sure it could theoretically be cracked, but with six other networks in range, it seems more likely a hacker would just move on, ya know?

[QUOTE=Justin_Bailey]

There is. DS hardware cannot be updated. What’s in there now is roughly the same thing that’s been in there since the system launched. And it’s not in Nintendo’s interests to change the system networking software on new DSes as this is not a dealbreaker for (nearly!) anyone considering a DS.
[/QUOTE]

But the implementation of WPA isn’t strictly hardware, is it? This should be a firmware revision. Corrections on this point welcome; I’m just having a hard time picturing a chipset that doesn’t permit WPA to be used.

No. Just hoping that you’re going to stay lucky. Especially if we consider that there are many car thieves who get a thrill from breaking into a locked car, just for the challenge. The “professional” car thief will sure steal the simpler targets; the amateur might well go after yours to have a challenge.

[QUOTE=Bricker]
But the implementation of WPA isn’t strictly hardware, is it? This should be a firmware revision. Corrections on this point welcome; I’m just having a hard time picturing a chipset that doesn’t permit WPA to be used.
[/QUOTE]

That’s my point. The DS does not do firmware revisions. The firmware on hardware already released can’t be updated and Nintendo has not updated the firmware on new DSes because it buys them nothing.

[QUOTE=Max Torque]
I am far from a security expert. That being said, why would the following not work as a reasonable safeguard against unauthorized use of the wireless network:
[ul]
[li]leave WEP on[/li]
[li]turn off SSID name broadcast[/li]
[li]filter all MACs so only the DS has wireless access[/li]
[li]turn off DHCP on the router and give every machine a static IP[/li]
[li]set the router and all static IPs to an unguessable random subnet, like 157.88.193.x[/li]
[/ul]

I mean, I’m sure it could theoretically be cracked, but with six other networks in range, it seems more likely a hacker would just move on, ya know?
[/QUOTE]

Because all of the “security” measures you just identified are defeated by the same tool in the same process. The “sniffer” tool that grabs wireless traffic out of the air can see the SSID on packets, the IP addresses in use, the MAC addresses in use, and it’s not even necessary to take an additional step to get all that info – it’s right there in front of you. The only thing that configuration does is prevent someone from using Windows to “connect to this network.” If someone is prepared to break WEP, none of those other measures are even the slightest roadbump. It’s not a “theoretical” crack – you turn on the machine and start airodump or kismet and they’re right there in front of you.
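What the post above says about MAC addresses and the SSID, as an added example that is not part of the thread: a parser run over two constructed 802.11 frames, showing that the header addresses and the SSID element sit outside WEP's encryption, so MAC filtering and a hidden SSID add nothing once WEP itself is the only barrier. The MAC addresses, the SSID `homenet` and the frame bytes are made-up sample values.

```python
def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_80211(frame: bytes) -> dict:
    """Decode the parts of an 802.11 frame that are transmitted unencrypted."""
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": ftype, "subtype": subtype,
            "protected": bool(flags & 0x40),  # set when the body is WEP-encrypted
            # The three address fields are always in the clear, WEP or not.
            "addrs": [mac(frame[o:o + 6]) for o in (4, 10, 16)]}
    body = frame[24:]
    if ftype == 0 and subtype == 5:
        # Probe response (management frame, never WEP-encrypted): skip the
        # 12 fixed bytes, then walk the tagged elements; tag 0 is the SSID.
        tags, i = body[12:], 0
        while i + 2 <= len(tags):
            tag, length = tags[i], tags[i + 1]
            if tag == 0:
                info["ssid"] = tags[i + 2:i + 2 + length].decode("utf-8", "replace")
                break
            i += 2 + length
    elif ftype == 2 and info["protected"]:
        # WEP data frame: a 3-byte IV is sent in the clear before the ciphertext.
        info["wep_iv"] = body[:3].hex()
    return info

def passive_view(frames):
    """Everything readable from the frames without knowing the WEP key."""
    macs, ssids = set(), set()
    for f in frames:
        p = parse_80211(f)
        macs.update(p["addrs"])
        if "ssid" in p:
            ssids.add(p["ssid"])
    return macs, ssids

# --- constructed sample frames (not captured traffic) ---
AP = bytes.fromhex("0200000000aa")   # access point / BSSID
DS = bytes.fromhex("020000000001")   # the one client allowed by the MAC filter
GW = bytes.fromhex("0200000000fe")   # wired destination

def header(fc, a1, a2, a3):
    return bytes(fc) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00"

WEP_DATA = (header([0x08, 0x41], AP, DS, GW)       # data frame, ToDS + Protected
            + bytes.fromhex("a1b2c300")            # IV + key-id byte
            + bytes(range(32)) + b"\xde\xad\xbe\xef")  # stand-in ciphertext + ICV
PROBE_RESP = header([0x50, 0x00], DS, AP, AP) + bytes(12) + b"\x00\x07homenet"

if __name__ == "__main__":
    print(passive_view([WEP_DATA, PROBE_RESP]))
```
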

[QUOTE=Justin_Bailey]
That’s my point. The DS does not do firmware revisions. The firmware on hardware already released can’t be updated and Nintendo has not updated the firmware on new DSes because it buys them nothing.
[/QUOTE]

OK.

From the reactions in this thread, it sure seems like you’re right and a wide swath of people are perfectly happy to use WEP.

I’m a little surprised.

Does anyone know if the Wii supports WPA?

[QUOTE=Bricker]
Does anyone know if the Wii supports WPA?
[/QUOTE]

It does.

[QUOTE=Justin_Bailey]
But that’s a terrible analogy as in that case, anyone can just get in the car and drive off.
[/QUOTE]
Much like anyone can get on your WEP-protected network with very little effort. Regardless, you have reminded me of the folly of using analogies. Namely, that anyone who disagrees with you is prone to calling your analogy bad because it does not, in fact, match the real-world scenario in every way possible. I retract my analogy and decline the opportunity to point out ways in which I think yours is terrible.

Here is my revised statement:

It’s baffling to me that someone who thinks wireless security is at all important thinks that broken wireless security is good enough because “who would bother to hack my network?” This is like saying you don’t want [something bad to happen], so instead of [keeping that bad thing from happening in an effective way], you [provide some trivially-defeated protection]. After all, who’s going to go [to the trouble to defeat your protection]?

Hooray, a completely unassailable, uninteresting, and unilluminating analogy.

[QUOTE=ntucker]

It’s baffling to me that someone who thinks wireless security is at all important thinks that broken wireless security is good enough because “who would bother to hack my network?” This is like saying you don’t want [something bad to happen], so instead of [keeping that bad thing from happening in an effective way], you [provide some trivially-defeated protection]. After all, who’s going to go [to the trouble to defeat your protection]?

[/QUOTE]

I like the cut of your jib, mister.

The next revision of the DS will undoubtedly support WPA. The thing is, Bricker, when Nintendo releases hardware, they freeze it, so it’s a known standard.

[QUOTE=Bricker]
That’s actually pretty workable, especially since my wife – who is non-technical – can also be involved in the “turn-it-off-if-it’s-on” task.

As an interim measure, I like it!
[/QUOTE]

Or plug the WEP WAP into Bob. This is a top end one, you can get them cheaper.