Short course on network security

You left one very important thing out. When using all those things together, you had better know how to properly configure them to work together and to allow for the communication that you need, such as local networking (file sharing, etc.), being able to access secure sites that may become blocked by default with some security software, and complete network lockdown.

I've seen it hundreds of times, especially with wireless users, the user thinks he's all protected, then goes to where a "hotspot" is supposed to be and can't connect because his very secure system is now blocking him from connecting to the network because it is not on the list of allowed addresses.
This isn't a problem for those who know a bit about security, but then again, that article wasn't intended for people who already know how to secure their systems...
 
Outline of PC Online Security

Both Security and Personal Safety have two ways of being achieved
1) Passively
like an air bag, it requires the user to do nothing and
it responds to the conditions at hand.
2) Actively
like a seat belt, the user must engage it or it does
nothing to help you

In addition, there are Reactive tools (like anti-virus and IDS
scanners), as well as Proactive tools to avoid contamination altogether.

Lastly, there's no silver bullet that 'kills all vampires'. Like a
carpenter's tool box, there are special tools for each job and sometimes
multiple variations for the same task (ie a framing hammer versus a tack
hammer). You can NEVER have too many tools!

Dialup users get a new IP address every time they connect. This implies
that if I want to attack you specifically, it can only be done during
the life of your existing connection (else how can I find YOU next time).

This makes the attacker's life more difficult and they will usually look
for easier targets (ie: a machine with a fixed IP address).

Broadband and ISDN users have significant exposure. If you do nothing at
all, your computer sits on the Internet begging to be attacked. Without
some protective techniques, your computer can easily become a remote
robot used to infect other users too (very much like infectious diseases).

What are the steps to secure your system?

1) Get a Router - a cheap, hardware-passive solution (ok, you have to buy
one, install it, and turn it on) which is ~75% effective. Your system is
no longer visible to the Internet and the chances of direct attack are
greatly reduced (notice: not 100% protected). WHY? The modem will have
a Public IP address and this is visible. When the computer is connected
to a Router (and then to the modem), your system has a Private IP address
(ie: a non-routable address like 192.168.*.*). An Internet attack can
not be made directly against a non-routable address and your computer is
much safer. This is all done by a router technique called NAT (network
address translation).

2) Install Windows XP with SP2. This Service Pack reconfigures Windows
to be very much like Apple Macintosh has always been; all ports closed.
Without an open port, the system is exactly like not even being
connected at all and thus is much more immune from attack.

3) Get a Software Firewall - several are available, not expensive and
there is at least one or more that are Freeware (ZoneAlarm, COMODO).
Windows XP users have a freebie from Microsoft which is a half-firewall solution;
half because it only controls inbound connections and has very little
configuration control -- the whole object of a firewall in the first place.

A configurable firewall will allow you to control inbound access very
effectively. For example, all of your local network (other computers
also connected to your router) can be allowed to enable File and Print
Sharing). Then inbound traffic from the Internet can be restricted by
default. You have control and the bad guys are locked out.

A firewall increases your protection level to ~95% effective. Why not
100%? Because you the user still 'invite' visitors into your system
with Email and Web pages!
If you never read Email nor browsed the web
for information, then you would be secure, but then you've paid for
access that is useless to you too :)

Here are some specific tools to assist you in keeping your system safe
and sane:

ActiveX control
    Spyware Blaster @ http://www.javacoolsoftware.com/

Keylogging protection, hijacker control, system modification
monitoring all leading to Identity Theft
    Spybot Search & Destroy @ http://www.spybot.info/en/index.html
    love this one, as you can disable startups
    without fussing with the Registry!

Popup control
    Popup Stopper @ http://www.panicware.com/product_psfree.html

Spam control
    a) don't use the Preview Pane,
       it allows access before you even get to delete it.
    b) use a spam filter like http://www.giantcompany.com/
       which was just acquired by Microsoft
       http://www.microsoft.com/athome/security/spyware/default.mspx
    c) another choice is Mozilla Thunderbird which avoids
       ActiveX and VB scripting code altogether

AntiVirus Software
Reactive measure to fix the damage already active on your system. Some
products perform scans on files as they are being opened, which is a
Proactive approach to avoiding contamination.

edit: http://free.grisoft.com/
http://www.mcafee.com/us/default.asp

edit: Add a hosts file to block well known sites with various contaminations!
Access this online text file,
then SAVE AS \windows\system32\drivers\etc\hosts (notice no extension and allow the replacement).
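A hosts-file blocklist of the kind the post links to only does its job if every line parses and the blocked names really point at a sinkhole address (127.0.0.1 or 0.0.0.0). The following Python checker is an added example, not code from the post or from any of the tools it lists; the sample entries are constructed and the `.invalid` names are placeholders.

```python
import ipaddress

# Constructed sample of a blocklist-style hosts file (not the file the post links to).
SAMPLE_HOSTS = """\
# constructed example entries
127.0.0.1       localhost
0.0.0.0         ads.example.invalid
127.0.0.1       tracker.example.invalid   # comment after an entry
192.168.0.10    fileserver.lan
not-an-ip       broken.example.invalid
"""

# Addresses a blocklist uses to sinkhole a name
SINKHOLE = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}


def parse_hosts(text):
    """Parse hosts-file text into (ip, [names]) entries plus a list of (line, error)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            errors.append((lineno, "missing hostname"))
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            errors.append((lineno, f"invalid address {parts[0]!r}"))
            continue
        entries.append((ip, [name.lower() for name in parts[1:]]))
    return entries, errors


def blocked_names(text):
    """Names the file sinkholes, i.e. maps to 127.0.0.1 or 0.0.0.0 (localhost itself excluded)."""
    entries, _ = parse_hosts(text)
    blocked = set()
    for ip, names in entries:
        if ip in SINKHOLE:
            blocked.update(name for name in names if name != "localhost")
    return blocked


def is_blocked(text, hostname):
    """True if the hosts file would keep the browser from reaching this name."""
    return hostname.lower() in blocked_names(text)


if __name__ == "__main__":
    entries, errors = parse_hosts(SAMPLE_HOSTS)
    print("entries:", len(entries), "bad lines:", errors)
    print("blocked:", sorted(blocked_names(SAMPLE_HOSTS)))
```

Run it against a downloaded blocklist before saving the file into place: a line that fails to parse is silently ignored by the operating system, so the report of bad lines tells you which names you thought were blocked but are not.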
 
network security PART-2

StormBringer makes a good point, so I'll complete the exercise.

Internet Security with Systems on a Local Lan

So you have your system secured from outside, but now access to Lan file
and print sharing is all restricted. How do you restore Lan-to-Lan
communications?

{ there are many variations in configuring a firewall and this is NOT an
exhaustive guide - - rather, its intent is to get you a reasonable
degree of protection with minimum effort on your part. For now, let’s
focus on Lan-to-Lan - - wireless is another level and I’ll add that
information in the next installment. Also, the actual grammar used to
configure a firewall varies by vendor. The point here is to identify
the sequence of ALLOW/DENY rules to achieve a secured system}

Let’s first get graphical to see the layout and understand what we’re
dealing with.
A LAN system might look like:

                 Public | Private
                        |
                        +--->
      Modem ---> router +---> one or more systems
                        +--->

The bad boys are to the left side of the ‘router’ and your systems are
on the right. Our goal is to make the Public side behave as if it looks
like
                 Public | Private
                        |
      Modem ---> router

Notice the modem sees the router and nothing else!

And the Private side to look like
                 Public | Private
                        +--->
                        |---> one or more systems
                        +--->
Notice the Private systems see each other


The first thing is to
    DENY all INBOUND access from all IP addresses on all PORTS.
This becomes your DEFAULT firewall rule and is the LAST
entry of the rule list. (Let's be clear; if you use a software firewall,
then each and every system needs one!) Notice that we allow all
outbound traffic (not the best, but it will do for now). This
simplifies things like accessing secured sites via HTTPS (443).

There are a few other rules you will want (above the default) as your
system needs these for internal operations as well as access to the
Internet.
    # a service on your system accessed by an application
    ALLOW 127.0.0.1 inbound/outbound on All Ports
    # needed for connection to ISP
    ALLOW ICMP inbound/outbound from all
    ALLOW ALL inbound Port 53    # dns requests

With this configuration, you have maximum safety and no one has access
to your systems – not even your own LAN systems!

So how do we get the Lan running again?

We get control of the Lan by noting that the IP addresses of your
systems are in the private, non routable address ranges of
    10.0.0.0    - 10.255.255.255
    172.16.0.0  - 172.31.255.255
    192.168.0.0 - 192.168.255.255
                    table-1

An attack from the public Internet will not be routed to any device
which has an address in these ranges. For illustration purposes, let’s say the
private side of the router is at address 192.168.0.1 (very common).
Each of our systems will get an
address using DHCP which is also in the same subnet (192.168.0.*). The
additional information we know is the ISP will give us an public IP
address which is *NOT* in the ranges of table-1 above (otherwise we
can’t access even the ISP).

Firewalls execute rules in the order listed and stop processing rules
when the first matching rule is found. To enable our Lan systems to
talk to each other, we need a special PERMIT rule to precede the default
rule.

With our Lan systems in the private non routable range and the external
world *NOT* in this range, we can add
    LAN ACCESS PERMIT ALL inbound/outbound from 192.168.0.* all PORTS.
Move this rule to be immediately above the DEFAULT rule and all Lan
systems are re-enabled for File and Print Sharing and all other services
on any of our lan systems - - SMTP, POP3, FTP, and even Oracle
client/server.

Just to introduce you to another level of control a firewall *may*
exploit is the discrete control of specific ports. For example, Email
services are standardized on ports 25(smtp-outbound) and 110(POP3
inbound). Other Ports might be used, but the sender and receiver must
change the service configuration on both ends. Most admins will leave
the Port numbers alone, unless they need extra security. I make the
point on Port usage as prior to XP-SP2, Ports 135, 137-139 and 445 were
easy targets for hackers. Our LAN ACCESS rule above allows full access
to the Lan systems internally, but excludes all access from the outside
world. If you need to permit file sharing to and from a selected set of
systems but deny access to the others, then you need a more specific
rule than the one shown above - - something like
    LANSPECIFIC PERMIT 192.168.0.{2,4} inbound/outbound ...
                TCP/UDP PORTS {135,137-139,445}
You should notice that the system at 192.168.0.3 is not shown and
therefore will not have access.

There are several other tweaks possible, and as I'm paranoid, I
implement what is known as hardware provisioning - - only known MAC
addresses are mapped into my private Lan. The MAC address is unique to
every Network Interface Card (NIC) in the world. { you can see the MAC
using IPCONFIG /ALL on each system}. When you have a Lan with many
systems (eg >15-20) this gets to be a pain to keep configured properly,
but with a small home-based network, this is worth the effort - -
especially when we get to discuss WiFi (wireless access).

To implement hardware provisioning, the ROUTER is set up to force
mappings like
    mac-1 to 192.168.0.2
    mac-2 to 192.168.0.3
and so on to the last known MAC on your network (eg: 192.168.0.4).
You then change the LAN ACCESS rule to read
    PERMIT ALL inbound/outbound 192.168.0.1-192.168.0.4 all PORTS.

This rule is very specific and will protect you from rogue wireless
devices, and works well for your KNOWN systems. I make an issue for
KNOWN vs UNKNOWN, as life gets interesting with a wireless router and
someone sitting down the street trying to use your network for free.

I’ll add that information in the next installment.

====== example rules =========

    ALLOW 127.0.0.1 inbound/outbound on All Ports    # system local
    ALLOW ICMP inbound/outbound from all             # allow Echo*
    ALLOW ALL inbound Port 53                        # dns requests

    LAN ACCESS: PERMIT ALL inbound/outbound from 192.168.0.* all PORTS

    Default: DENY all INBOUND from all IP on All Ports


(*) ICMP Echo is very useful to debug routers and Tcp. It also allows
the whole world to know your system is on the net. Frequently,
professional admins will disallow ICMP Echo as a means to avoid making
the system easily visible and subject to Denial of Service (DoS) attacks.
Removing this rule however, will not ensure you never have a DoS
attack, so you might as well have the facility to assist you later.
 
network security PART-3

Network Security using Wireless Access

Recall a LAN system might look like:

                 Public | Private
                        |
                        +--->
      Modem ---> router +---> one or more systems
                        +--->

If you don't like the idea of poking holes in walls and ceilings to wire up Cat-5
cabling, the natural choice is a Wireless Router. The cables from the Router
to the system(s) are replaced with high frequency radio waves (RF) which can
be received in the 100-300ft radius of the Router. The modem-router
connection is hard wired and the router-system(s) is RF. As RF does not
respect property lines nor even the hard walls of your home, it travels until
reception is no longer <useful>. If we are not careful however, we can
unknowingly allow a network like

                 Public | Private
                        |
                        +<--->
      Modem ---> router +<--->  one or more systems
                        +<--->
                          +
                           +<--->  some rogue system

If you can connect to the router with RF, so can anyone else!

We have two levels of protection available:
1) the connection to the wireless router
2) our firewall on each Lan system

The Wireless connectivity is strictly handled in the setup of the Router.
Here are some guidelines to make it as difficult as possible to create a
rogue-system connection to the Router.
  a) change the default SSID and write it down
     (use something you know+one or two digits; eg 12nickname43)
  b) if your router has the feature, DISABLE SSID Broadcasting
  c) if your router supports hardware provisioning
     (ie mapping MAC addresses to IP addresses) use it!
  d) enable ANY level of encryption available on the Router AND your
     system's wireless adaptor.
     Select a KEY (sometimes a pass phrase) and write it down too.

These steps make it very difficult to create a connection to your router
without knowing the exact steps you took. You will, by the nature of getting
your systems to talk to the router and making typos, prove this can be
frustrating. And that's the goal; make the bad guys give up before they get
any thing meaningful off your systems.

(You should be aware however, there is no such thing as perfect or absolute
security. If someone wants into your system bad enough, it can be done - -
it takes a great deal of effort, time and $$$ to do so and usually they give up
early ).

OK, we have made the Router as difficult as reasonably possible, but some
bright <person> gets thru and connected - - now what? Our second line of
defense is the firewall configuration!

In Part-2 of this discussion I noted
    To implement hardware provisioning, the ROUTER is set up to force
    mappings like
        mac-1 to 192.168.0.2
        mac-2 to 192.168.0.3
    and so on to the last known MAC on your network (eg: 192.168.0.4).
    You then change the LAN ACCESS rule to read
        PERMIT ALL inbound/outbound 192.168.0.1-192.168.0.4 all PORTS.

    This rule is very specific and will protect you from rogue wireless
    devices, and works well for your KNOWN systems. I make an issue for
    KNOWN vs UNKNOWN, as life gets interesting with a wireless router and
    someone sitting down the street trying to use your network for free.

This is the key to keeping rogue-systems out of your Lan. The rule
    PERMIT ALL inbound/outbound 192.168.0.1-192.168.0.4 all PORTS
in combination with the hardware provisioning ensures that even if a
connection is made, we will have two facts in our favor:
1) the DHCP address given to the rogue will *not* be in our range of
supported addresses { 192.168.0.1-192.168.0.4}
2) the firewall rules are set to PERMIT only known systems and DENY all else.

Under the premise that the rogue has a connection, at least there's no
access to your systems. The very most the rogue gets is a free network
connection from the router to the Internet - - and this is a low probability
event.

So what happens when you take your laptop to a hotspot?
First, it's not your router any longer so the hardware provisioning is gone and
you get a random IP address (not really random but also not very likely to be
one your firewall will allow). The rules that allow File and Print Sharing are
dependent upon the IP address being
    192.168.0.1-192.168.0.4. You get outbound access and everything else is
DENIED - - and that's exactly what I want when I go public.
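The rule processing described in Part-2 (first match wins, so LAN ACCESS must sit just above the Default DENY) and the Part-3 narrowing of that rule to the provisioned addresses 192.168.0.1-192.168.0.4, including what happens at a hotspot, as an added Python model. This is not code from the posts or from any vendor's firewall. The MAC addresses, the public addresses, the DHCP pool starting at 192.168.0.5 and the trailing `outbound open` rule are assumptions (the last one stands in for the posts' remark that all outbound traffic is allowed); in the model, the address a rule is checked against is the peer's address for inbound traffic and the system's own address for outbound, which is how the hotspot paragraph reads it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
ANY = None  # no source restriction / no port restriction


def nets(*cidrs):
    """Hypothetical helper: list of networks from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


def host_range(first, last):
    """Networks covering an inclusive address range such as 192.168.0.1-192.168.0.4."""
    return list(ipaddress.summarize_address_range(IPv4(first), IPv4(last)))


@dataclass
class Rule:
    name: str
    action: str                 # "PERMIT"/"ALLOW" or "DENY"
    direction: str              # "inbound", "outbound" or "both"
    src: Optional[list] = ANY   # list of IPv4Network, or ANY
    ports: Optional[set] = ANY  # set of port numbers, or ANY
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"

    def matches(self, direction, ip, port, proto):
        if self.direction not in ("both", direction):
            return False
        if self.src is not ANY and not any(ip in n for n in self.src):
            return False
        if self.ports is not ANY and port not in self.ports:
            return False
        return self.proto in ("any", proto)


def evaluate(rules, direction, addr, port, proto="tcp"):
    """First-match evaluation: the first rule whose conditions fit decides."""
    ip = ipaddress.ip_address(addr)
    for rule in rules:
        if rule.matches(direction, ip, port, proto):
            return rule.name, rule.action
    return "no match", "DENY"  # nothing listed at all: treat as denied


def ruleset(lan_src):
    """The posts' rule list; the caller supplies the LAN ACCESS source."""
    return [
        Rule("system local", "ALLOW", "both", nets("127.0.0.1/32")),
        Rule("echo", "ALLOW", "both", ANY, ANY, "icmp"),
        Rule("dns requests", "ALLOW", "inbound", ANY, {53}),
        Rule("LAN ACCESS", "PERMIT", "both", lan_src),
        Rule("Default", "DENY", "inbound"),
        Rule("outbound open", "ALLOW", "outbound"),  # assumed: posts leave outbound allowed
    ]


RULES_PART2 = ruleset(nets("192.168.0.0/24"))          # PERMIT ... from 192.168.0.*
KNOWN_HOSTS = host_range("192.168.0.1", "192.168.0.4")  # after hardware provisioning
RULES_PART3 = ruleset(KNOWN_HOSTS)


def misordered(rules):
    """The same list with LAN ACCESS moved below Default: Default now matches first."""
    lan = next(r for r in rules if r.name == "LAN ACCESS")
    rest = [r for r in rules if r is not lan]
    idx = next(i for i, r in enumerate(rest) if r.name == "Default")
    return rest[:idx + 1] + [lan] + rest[idx + 1:]


# Constructed router reservation table (MAC -> IP), i.e. hardware provisioning.
RESERVATIONS = {
    "00:11:22:33:44:02": "192.168.0.2",
    "00:11:22:33:44:03": "192.168.0.3",
    "00:11:22:33:44:04": "192.168.0.4",
}


def dhcp_assign(mac, reservations=RESERVATIONS, pool_start="192.168.0.5"):
    """Reserved address for a known MAC; an unknown MAC gets the first lease of the
    open pool, which is assumed here to begin just past the provisioned range."""
    return reservations.get(mac, pool_start)


if __name__ == "__main__":
    print("LAN host -> port 445 :", evaluate(RULES_PART2, "inbound", "192.168.0.3", 445))
    print("misordered list      :", evaluate(misordered(RULES_PART2), "inbound", "192.168.0.3", 445))
    rogue = dhcp_assign("de:ad:be:ef:00:01")
    print("rogue", rogue, "-> 445 :", evaluate(RULES_PART3, "inbound", rogue, 445))
    print("hotspot outbound 443 :", evaluate(RULES_PART3, "outbound", "10.5.6.7", 443))
```

The `misordered` case is the one to remember: with LAN ACCESS below the Default DENY, inbound file-sharing traffic from your own LAN is denied and the rule never fires, which is the symptom StormBringer described in the first reply. The Part-2 list still permits any address in 192.168.0.*, so a rogue client that obtains 192.168.0.5 from the router gets through; the Part-3 list built from the provisioned range denies it.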
 