I upgraded my cable/DSL router to one that allows you to limit what MAC addresses can reach the outside world (it was a firmware upgrade) and restricted it to the MAC addresses of my wireless and wired cards. After testing it, that worked, so I know that someone from the outside world can only get as far as the router and would have to know the router’s password to add themselves to the approved list or spoof their MAC address to get out through it. Assuming that if someone did this they would have to be persistent, I doubt anything I can think of would stop them from getting out. Does anyone have any other ideas how to secure the network?
I’m not running anything like ZoneAlarm on the local systems because I am not concerned with phone-home software.
Well, for my money (and I’ve been pretty deep in the network security world for a long time), just having a NAT-ing router between you and the world is plenty good for home use.
Some say they want a software firewall for their computer as well to control agents that get on your computer and try to call out, but if you’re very cautious about what’s installed and run anti-virus stuff, that shouldn’t be an issue. Hell, even if you do run a software firewall, you should still be cautious about what’s installed and run anti-virus checks.
But all that said…
I’m not quite sure what you’re looking to protect against. It sounds like you’ve gone to a lot of effort to protect yourself from people driving up in your driveway, hooking into your wireless network, and trying to gain access to the internet. I don’t get why that’s a concern…
Well, the SSID is rather easy, but then again knowing the ESSID will only get you on the LAN. I’m not concerned about that; I’m more worried about people getting out to the net. WEP is too easily broken so I’m not using it, and I think the MAC address limit will be enough in that regard.
I’m concerned that someone in a two or three block street area from me (I’ve walked around with my laptop and can get a slow connection two streets away) would use my connection for some nefarious purpose (spreading viruses, hacking other systems, spamming), so I want to prevent such uses yet still make it easy for me to allow systems to access the net (such as a friend who brings over a computer or a neighbor who also has wireless and wants to access the internet through me).
Anybody with evil intent isn’t going to hook into your network and then use it to get an internet connection. It’s not impossible of course. But there are so many other easier (and better) ways to find victims to launch attacks from.
Your big concern with wireless should be that attackers will get access to your computer(s); and you should put some effort into perhaps a vulnerability scan or better firewalling, or virus protection or such.
Honestly, I think you’re devoting a lot of effort to solving a very minimal security issue.
Those with evil intentions and desires to use someone’s connection to the internet for foul purposes will more likely go where they know they can hop on the net for free without having to break in - more and more coffeeshops and libraries are operating “hot spots” where anyone with a wireless card can get on the net.
Securing a network is traditionally done to prevent anyone from accessing your computers, rather than the internet.
You should get WEP working on your network. It was pretty easy on our setup. We have two laptops: one Sony with built-in 802.11 running Windows XP, and the other Windows 98 with a PCMCIA 802.11 card, with a Linksys wireless router. WEP is reasonably secure. There are exploits, but you are much better off with WEP running than not.
Bill, you work in network security and have never heard of war driving? Get Network Stumbler, throw it on a wireless laptop and drive around sometime; it’s scary how easy it is to gain access. If your neighbor has wireless, he now has a free connection to the Internet.
That said, you have a very good point about protecting the internal machines.
Manny, I do network security in a medical setting. Definitely use WEP. Yes, it’s broken, but it does slow them down, hopefully long enough to discourage the drivebys.
Here at work we treat the wireless network as if it were just as hostile as the internet, and use a VPN and a firewall before it joins the regular network. That may be a bit overkill for you, as I doubt you have confidential patient data floating around your network.
I’d say you’d be fine with WEP and MAC filters, but definitely do WEP, otherwise you are almost inviting people in.
Friend Etherman. I’m very aware of hopping in the war wagon and going to town. I’ve actually done it once or twice just to see how much susceptibility there is out there (and there’s plenty).
That’s not what I disputed. What I disputed was when someone actually gained access to MannyL’s network, how they would take advantage of it. And I propose that it won’t be to get internet access. It’ll be to break and abuse resources inside his network.