A Comparison of 802.11g Firewalls?

peoria kid asks: "Does anybody know how to compare the firewall effectiveness between the different providers of 802.11g networking solutions? I am considering purchasing a base station for my parents and I do not know if the Apple Airport base station or others such as Lynksys, or Lucent have better encryption and firewall protection."

Most of them are only firewalls because..

They do NAT, and it's a side effect. If you want a real firewall, you need a real firewall or a computer running a real software firewall.

Re:Most of them are only firewalls because..

[TheLink]

Yah, and so you should test them out first - they aren't really firewalls.

If the attacker has direct access to the network of the external interface of the NAT box, the attacker can often make connections to the internal supposedly protected network.

Detail: With a number of NAT boxes if you send a packet to the external interface with an internal IP address as destination, the box forwards the packet. The source addresses of returning packets often do get translated, but you should be able to detranslate them and thus set up TCP connections etc.

Most NAT boxes are not really blocking packets, it's just that packets with the correct destination internal IP address don't often get to them in order to be forwarded in most cases.

For ADSL it often isn't such a huge risk - your ISP has to attack you, or be subverted to attack you. But for some other networks it can be an issue - where the immediate "external network" is easily accessible by untrusted parties.

Forget hardware...

[Txiasaeia]

...go with software. Get the best base station you can afford, then get either zonealarm or tiny firewall - free solutions, great security. These are your parents, not a huge corporation - you don't need to worry about ubersecurity.

Re:Forget hardware...

Something is broken now with /. and now I'm logged out when going from slashdot.org => ask.slashdot.org so that's why I'm posting as AC

Anyways, software is really what you want. Too many people think a hardware firewall protects them, then they click on some virus/worm/spam email and guess what? The trojan or what ever is now sending from their computer THROUGH the hardware firewall and out to the world. If your operating system doesn't monitor what outgoing ports are being opened up by what programs, then you have very poor firewall. How does a hardware router know which ports are ok and which are bad? Are you surfing the web, playing CS, using Kazaa, trojan ftpd server, spam sending from your computer, broadcasting to IRC server in Italy? The hardware just allows all outgoing packets.

Re:Forget hardware...

You've got it completely backwards. There is no way a program running on the local system can protect you from other programs running on the same system. The interfaces are way to complicated to be secure. Preventing local exploits is the best definition you can give for "impossible". And that is assuming you are running everything from a restricted user account, not the admin/system account which the PFW uses. If that's not enough to convince you: Many personal firewalls enable domain name resultion by default. That's all an attacker needs to leak arbitrary data. No warnings, no blocks, no nothing.

Additional downsides of software firewalls include: Feature bloat (->structural insecurity), temptation to allow more than necessary to avoid warnings, protection for only one system.

Wire it, you lazy bum

[Creepy+Crawler]

If the people you're buying wireless stuff for doesnt know what 'security' is, wire it. It prevents leechers, black-hats, spammers and other undesirables.

And .11g is ONLY 55Mbit. Regular ethernet gear is 100Mbit. What exactly is the reason you need wireless?

Re:Wire it, you lazy bum

Look around at the other houses the next time you get out of your own. You might notice that some of the houses weren't built last year. Maybe even the last decade. And *gasp* people live in them!

Re:Wire it, you lazy bum

[Creepy+Crawler]

Trust me, I know. I work for a contractor who has me do this about half the time. I've put in wiring from old 50's businesses to going onsite for conduit work for tomorrow's buildings.

The only place I know we're using wireless is in a huge factory to send data from fringe stations in. And we also use the 2.4GHz 'flood lights' to prevent onlookers. That and wep have discouraged ANYBODY from looking in.

Re:Wire it, you lazy bum

[rhetoric]

Insightful? This just dodges the question. If the poster wanted to wire it, or had trouble wiring it, I'm supposing he would have done so, or asked about that. Maybe I'm giving the guy too much credit, but I don't think this is an insightful post at all. I think it's condescending, counterproductive, and should be modded 'offtopic' if anything. Then again my opinion is worthless =)

Re:Wire it, you lazy bum

There are people who live in small towns that have large yards in small subdivisions that would find wireless hookups to be the most convienent networking solutions. Not everyone lives in a big city where a person would go unnoticed as they hack into a network. In low risk areas a couple simple hurdles might be adequate

Re:Wire it, you lazy bum

flood lights? What's that?

Re:Wire it, you lazy bum

Current laptops can run quite some time without wired power and you're going to tie them down again with cat5? Why?

Re:Wire it, you lazy bum

[Creepy+Crawler]

Premises that I based my decision on:

1: Parents are probably computer stupid
2: I dont think he wants to fix whenever one machine 'does not work'.
3: Wireless security is about non-existant (Yeah, wep-hackers are really big now)
4: Wired is 2x times the fastest wireless protocol, and cheaper to boot

In my experience, unles you're trying to get 2 or 3 machines in a large factory on the corporate lan, wireless is NOT the way to go.

Re:Wire it, you lazy bum

[Creepy+Crawler]

Slang term for high lumen lights usually found on electric poles.

I found a type of light that emits large amounts of 2.4 GHz static. Because of this, we could guarantee the security of INTERCEPTING communications outside of the factory.

Re:Wire it, you lazy bum

[hubie]

This is by far the best point to getting a wireless router. It has 10/100 ports on it to hook up your wired computers, and it allows you to hook up your laptop or other computer you want mobile. It is very darn convenient.

By the way, if the poster's parents are not moving very large files around and they basically use the computer to surf the web and read email (i.e., they don't need 100 Mbps), then a wireless connection certainly is something to consider.

Besides, if you are connected via something like residential dsl which can't even do 10Mbps, why insist on 100Mbps everywhere in the house? Having that wire between the computer and the printer is great when you want to print very large files, but if that is the only real need for that kind of bandwidth then it may be worth the wireless instead of running wires (running them properly that is, such as through walls and not just strung in the open along the baseboard).

Re:Wire it, you lazy bum

[BigBir3d]

And .11g is ONLY 55Mbit. Regular ethernet gear is 100Mbit. What exactly is the reason you need wireless?

55 is not for data transfers... but you knew that. Try 20-22.

As to why... I am thinking laptop. Or a desktop in an area where cat5 can not be run.

Wireless is great way to network a house without intrusive cabling. Most parents are against change...

Re:Wire it, you lazy bum

[rhetoric]

Heh someone had just responded to one of my posts in a similar way when I wrote that, I was a bit bitter. That said, he didn't ask if he should use wireless or not, although he did say he was "considering," one. Anyways between the "lazy bum" and the lack of suggestion as far as firewalls, it's obvious that you're making assumptions which I would personally be offended by. Then again I'm blathering on when it's not my person I think has been attacked, which is rather pointless. Hey at least I explained myself =p

Zyxel

[astrashe]

Take a look at Zyxel.

It's a NAT device, not a real firewall, but it's in the same category as the products you've mentioned, and it's more secure.

I haven't used it, and can't vouch for it. But it's gotten some good press.

As I understand it, if you can sniff enough packets that use the same key, you can crack the crypto. This thing uses a better (and standard) protocol that keeps changing the keys, so no one can sniff enough packets to recover the key.

I'm not sure I understand why they've kept the weak algorithm and shored it up by changing keys. My guess is that the cyrpto is built into a lot of wireless card hardware, and you can still use the built in hardware by rotating keys. A new algorithm would offload all of the crypto to the processor. That's just a guess, though.

In any event, I think this is believed to be secure now. I think that recent patches to XP support the new protocol with most wireless net adapters -- if you run XP, you don't have to worry about vendor support on the client side.

Re:Zyxel

[webhat]

I can vouch for it! Great, easy to config and you don't even have to modify anything in an out of the box situation.
You can add a switch or router, this includes a DSL router for connections, to the back, so you don't even have to config an ip, just raw frames passed from one to the other.
If you want to tweak it has lots of options.

Re:Zyxel

[PapaZit]

Cisco (commercial) wireless APs do the same trick.

Essentially, the WEP key that you type into the client is only used to get a new randomly-generated "session" key. It IS a part of the 802.11b/g spec, but many wireless cards don't expect the key changes, so you need to be careful about which products you buy (or, at least, you had to be careful when I looked at this stuff a year or so ago).

None of these are actually firewalls

[DA-MAN]

It just happens to be a side effect of doing network address translation. Nothing comes in that isn't requested or related to connections made.

They also have a default DENY policy which means that they are all about as secure as the other. The only problem would be if they came out with a new teardrop-like exploit that crashes the tcp/ip stack of the little routers, and that wouldn't affect security internally and would probably be solved by a firmware update.

Because most are black boxes, you have to take whoever the manufacturers word for it that they have a solid tcp/ip stack that won't be susceptible to this sort of attack.

Main thing I would worry about is the speed, find out what wireless firewalls are rated as the fastest. Make sure WEP is enabled and you have Mac Address filtering. It's still not going to be nearly as secure as a cable.

If you want to be secure, get a software firewall as well (ZoneAlarm, Tiny Personal, Norton, etc.), run Spybot or Ad-Aware, run a Virus Scanner and keep your software up to date.

Re:None of these are actually firewalls

[sinergy]

WEP isn't that great at all. Use WPA. Also, my two cents... the Linksys WRV54G wins those hands down. Intel Xscale proc, embedded Linux, VPN endpount. Backed by Cisco. (And supports WPA) Nobody ever got fired......

Re:None of these are actually firewalls

[DA-MAN]

WPA isn't all that great either. But you are right, WPA is better than WEP.

Wireless is never going to be all that secure, so long as it is transmitted in the airwaves, someone will be able to pick it up. The best line of defense is knowing this and changing your habits accordingly. I always use encryption at the protocol level, when there is important data whizzing by.

imaps, instead of imap
pop3s, instead of pop3
ssh, instead of telnet or ftp
https, instead of http

The list goes on and on. By using these protocols you are also not nearly as susceptible to man in the middle attacks.

SIDE NOTE: The latest WPA patch from Microsoft (KB826942) broke my wireless capability severly. I could no longer connect to any wireless access point that had encryption disabled, like coffee shops or T-mobile. If anyone else is having problems connecting to unsecured access points, try uninstalling this. Just passin on the knowledge...

Re:None of these are actually firewalls

Firewalling is not a side effect of network address translation. You're right, if a packet arrives at some port on the external ip on which the router itself isn't waiting for packets and there's no entry in the NAT table, then the packet is dropped. But if a packet should arrive on the external interface with a target IP address on the internal network, then NAT doesn't kick in and if the router is acting as a router (IOW it routes packets from interface to interface), then only a firewall will stop the incoming packet. Many DSL-routers are Linux-based, and that means they have ipforwarding enabled, otherwise they wouldn't do NAT either. Even if it's only a simple "drop/reject incoming SYN" rule and a "drop/reject unrelated UDP" rule, firewalling is a necessary additional step. NAT alone is not sufficient (Again: unless it is strictly NAT only, not routing. Linux both routes and NATs or it doesn't do either).

Re:None of these are actually firewalls

[joeface]

Because most are black boxes, you have to take whoever the manufacturers word for it that they have a solid tcp/ip stack that won't be susceptible to this sort of attack.

The Linksys WRT54G actually runs Linux

A few people have been able to compile custom versions of the firmware that include some extra (and very cool) functionality. If the tcp/ip stack is part of Linksys' GPL'd packages (I'm not sure if it is), it can be examined.

Re:None of these are actually firewalls

[whovian]

SIDE NOTE: The latest WPA patch from Microsoft (KB826942) broke my wireless capability severly. I could no longer connect to any wireless access point that had encryption disabled, like coffee shops or T-mobile. If anyone else is having problems connecting to unsecured access points, try uninstalling this. Just passin on the knowledge...

Thanks for the tip. I think that could explain the problems I have been having.

Re:None of these are actually firewalls

[DA-MAN]

But if a packet should arrive on the external interface with a target IP address on the internal network, then NAT doesn't kick in and if the router is acting as a router (IOW it routes packets from interface to interface), then only a firewall will stop the incoming packet.

NAT tables have source and destination information. If a packet passes through the router, then it is because it matches the source, has the right destination and has passed the tcp/ip handshake. Spoofing a packet that would get past NAT would be damn near improbable (but not impossible). So the firewalling is due to the NAT.

What you are confused about is 1:1 NAT and Port based NAT. On 1:1 NAT you would also need a firewall, however on Port based Natting, the rules are different.

Re:None of these are actually firewalls

[DA-MAN]

I would still consider that a black box because the sources that they have released are not sufficient to build a working kernel.

In addition, we do not know the quality of the 801.11g driver it comes with because the source has not been released. There are many layers to the security onion, and simply knowing it runs Linux doesn't tell us much.

Was it hardened? What iptables rules does it have? Where is the driver for the wireless card? Has the tcp/ip stack been modified? Why was the dev series kernel used instead of the stable series? What modules are enabled/disabled?

The list goes on....

Re:None of these are actually firewalls

There's routing and there's NAT (masquerading in this case). Once you understand that these are similar but different, you'll understand that NAT is not firewalling. Routers forward packets which aren't directed at themselves to the appropriate interfaces as listed in the routing table. In a typical masquerading NAT scenario, only packets which are addressed to the external interface IP of the NAT/router (on a port which was previously used for masquerading outgoing packets) get the NAT reverse mapping treatment. At this point you seem to assume that everything else is automatically dropped because the router/NAT can't find a match in its NAT table. That is not the case. Instead everything else is handled according to normal routing/host rules. That means (without a firewall) the router responds with "port unreachable" ICMP messages if a packet arrives at the router's external ip address on a closed port. It also means that the router forwards any packet which is addressed to an ip address on the internal network to the internal network untouched.

It's not technically necessary to combine routing and NAT, but the Linux kernel does (for good reasons), so a minimal set of firewall rules is necessary to close the routing "bypass". That is due to NAT not being firewalling.

Re:None of these are actually firewalls

[Jahf]

So go to this page from Seattle Wireless and start modifying your WRT54G to your heart's content.

There are posted methods for either permanently replacing the firmware (but possibly frying it if you do it wrong) or simply overwriting it in RAM and if you reboot simply reloading it without risk of messing up the factory defaults.

You don't even need the sources from Linksys, you can cross-compile.

Linksys may not have -intended- this, for instance you do need an older firmware than is probably shipping on new units, but it is quite feasible.

I use a WRT54G for my home router along with a WET11 bridge to connect to my ISP and have been quite happy with the combination (side note for other WISP users: the WET11 will take a more powerful 802.11b PCMCIA radio card ... I have a WET11 with a 200mW card in it from Demarctech that has the correct antenna connectors for the WET11).

Re:None of these are actually firewalls

[DA-MAN]

Just because you can change the firmware out and replace it with a custom built image does not make it any less of a black box.

In addition making your own kernel/etc. has the distinct disadvantage of losing access to the 802.11g wireless card because there are currently no available linux drivers. So no matter what, even building your own kernel, etc would still leave you with a bit of black box'ed-ness which is what I was trying to say.

Besides this guy doesn't seem to know the differences between all these routers, and wants to get it for his parent's and your solution is to do it yourself. That's just bad advice.

Bilkin'

[orthogonal]

Get a Belkin.

It'll securely interupt your parent's networking once every eight hours to show them an ad, ironically for "parental controls".

Three times a day, your parents will know someone cares about them. What more could they ask for from their son?

Re:Bilkin'

If he wanted to buy parental controls he could have just gone to the store and bought the shotgun and handcuffs himself.

Re:Bilkin'

[Xiadix]

Don't forget. Belkin now comes with ads for no additional charge. I know they have "corrected" their mistake, but I still feel the need to not buy from them to make others learn that we are not just a profit margin.

KevG

D-Link

[Tumbleweed]

D-Link is what I'd recommend. They, like other Aetheros (sp?) -based equipment, has 'turbo-g' mode at double the normal rate of 54mbps. Just as long as you aren't within interference range of another turbo-g network, of course. :)

Re:D-Link

[FueledByRamen]

One D-Link product to watch out for is the DI-624. I have one, and while it makes a reasonably good WAP (range isn't so great, but that's probably due to my house being full of copper heating pipes and wire mesh holding concrete for ceilings and walls), the router bit is just HORRIBLE. I had to demote it from router to WAP because it would crash and reboot every 20 or so minutes from the amount of traffic I was pushing through it. I wasn't even saturating my (1024/256 kbps) cable line, but I did have hundreds of concurrent TCP connections. I'd think that it would degrade in performance gracefully, but instead it just died every time the NAT tables filled up, dropping all of my connections. I have since put a SUN box (running Solaris and ipfw) in its place.

My friend has a DI-614+ (802.11b / turbo, 22Mbps) and its router function is far better (and its WAP is still pretty good), so I'm just thinking it's the one problem product (and others have had this problem with the same model, and yes I am running the latest firmware, etc)

linksys...

[josepha48]

I think that the linksys has ipsec, which is about as secure as you are gonna get when doing wireless.

The real important thing is to change the ssid and add a password. That will force someone to be scanning for the wireless and also require them to spend 20 minutes craking the wpa / wep encryption. But if you get teh BEFW11P1 it has ipsec too. Not sure which ones of their products also have this. If you need wireless then try the WRV54G. Look for VPN capability as most vpn systems out are using ipsec.

Re:linksys...

[MImeKillEr]

The real important thing is to change the ssid and add a password.

That is, until your AP or your cards start dropping connection. Call or email tech support & they'll tell you to set everything back to default for a few days to see if the problem goes away. If it does, well thats "..your solution.."

The only secure LinkSys WAP is one that's unplugged.

Well

[metalhed77]

I live a 75 year old house. I have wired ethernet running to the 3 computer enabled rooms in the house. How did I achieve such a feat? Running cat 5 through the crawlspace and up through the floor next to each computer. This isn't rocket science, what's wrong with just calling an electrician to run a few wires people? Having the full 100 megabits is nice, and you save on equipment costs by going wired too. (cheap NICs and a cheap linksys router). Granted, this might be tougher in 2 story houses, but still, wireless is used too much because wiring is seen as so much of a hassle.

Re:Well

[mashx]

This isn't always possible though: my house is over two hundred years old and has stone floors downstairs - so no crawl space! The extra difficulties of being on two storeys is another discussion agreed.

Having said that, if it was possible, I would have wired at least for the desktop machines, but when you can WEP and get cheap USB wireless adapters, wiring can be too much hassle!

The worst threat is local

[svindler]

All of the combined routers/ap's provide the basic firewalling between the internet and the home network. You still need a software firewall on each pc.

The worst threat in this setup are other people using your ap to get to the internet, using your bandwidth and making you liable for their abuse. None of the small devices can stop that without some sort of authentication server beside it.

Either accept that risk or put a wireless nic in a dedicated pc and use that as firewall and ap with ipsec to the clients.

Avoid LinkSys

Their products are utter shit. Their tech support is clueless.

D-Link, Netgear

[shadowxtc]

I might have missed it, but it seems nobody has mentioned restricting access to the wireless network by MAC address. Every access point I've used from D-link and Netgear have had this ability. Though it's a pain to add new machines to the network and kills one of the benefits of wireless, it's certainly going to keep people from abusing your network.... spying is a different story altogether. But like everyone else has said, this is not enough. Software firewalling is your best bet.

Re:D-Link, Netgear

[shadowxtc]

Shit, I forgot to mention... I don't know the exact model #s of the ones I've used but the D-link one is a access point/dsl router/print server with modem backup... and the Netgear one is a access point/dsl router/vpn router ... but none of them were 802.11g - only 802.11b. I'd assume a newer .11g model would only have more features.

Airport info

[azav]

I've got two airports. One original and one of the g/b ones.

I also ran a mac as a server (not mail) on the net for 4 years without a hack. OS 9 even.

The airports have decent range and I have tested the g transmission speed as fast as 10 base T or better - up to 3394 Kbps for g/g peer to peer. No foolin. Divide by 10 for b/g or b/b speeds. No foolin. This is way faster than I can connect to the internet but get your connection speed and do the math.

NAT and DHCP work as billed.

Never been hacked so I can't comment about the firewall quality. Maybe that says something.

Password protected and with an external antenna, these are great devices.

Linksys problem

[Coppit]

One feature I miss in my Linksys 802.11b device is the ability to reserve dynamically allocated IPs for certain computers. This means that I can't easily use DHCP and static name resolution because there is no guarantee that the computer will have the same IP address. (i.e. I'd have to run a DNS server.)

Security options

[hubie]

Most people have mentioned the need for WEP, WAP, MAC filters, etc., but some of the access points/routers have the capability of doing 802.1x authentication.

Has anyone set up their wireless access point this way, and if so, is it straight-forward? I assume one can do it with OpenRadius?

Re:Security options

[lizrd]

I didn't see anything on the OpenRadius site that indicates that package will do EAP authentication over RADIUS which is a requirement for doing 802.1x. Freeradius has some support for EAP authenticaiton in CVS, but I've not gotten it to work properly yet. Hopefully it will settle down soon, I would very much like to start using it on my home network.

If you have some money to throw at the wireless security problem, I would suggest looking into the Odyssey server from Funk software. It's much easier to setup then either Cisco ACS or Microsoft IAS and doesn't require a server version of Windows to run on. Microsoft's IAS has a passable implementation of PEAP, but the EAP-TLS implementation is clumbsy at best.

On the client side, the PEAP suppliant built into windows XP is adequate and is backported to Windows 2000 (and Me?) as a patch. The Open1x project looks promising for the *nix crowd. I haven't tested it yet since all my Linux boxes are wired.

WPA

[singularity]

I am in an environment that could be considered "wireless hostile". I live with high school students gifted in math and science (and therefore usually computers, as well). They have ethernet in their rooms, but this gets shut off between 1am and 6am.

I bought a PowerBook not too long ago and would like to set up wireless access for my apartment. Knowing that I have to keep others from accessing the WAP, I have been researching possibilities.

So my big dilemma is not making sure crackers do not access the traffic (I would prefer they not be able to sit and watch what web sites I go to, but...), but rather making sure they cannot access the WAP.

Locking down the WAP to my MAC address would be a start. However, hacking a wireless client to use my MAC address is not too difficult. I thought about figuring out some way of shutting down the device between the hours of 1am and 5am (when they would be most motivated to access it, and when I am less likely to want access through it).

I had looked at more advanced authentication devices, but between lack of ease-of use (I would like to open the PowerBook and have networking work) and speed issues (VPN over 802.11x seems to suck a good chunk of bandwidth), I wanted to stay away from them.

WPA seems to solve a lot of problems for me. It is still open to dictionary attacks, but I am more than willing to come up with a 31 key passphrase. Between that and locking the WAP to only one MAC address, I would think it would be pretty secure.

It looks like more and more products are starting to support WPA (LinkSys, Apple, and DLink all do, it seems).

A couple of questions:
1) Will this solve my access requirements within reason?
2) Anyone have experience using Apple's Airport Extreme Card with WPA on a third-party WAP?

[Yes, I realize that a determined student could start a dictionary attack even on a 31 key passphrase, but I think that is reasonable closure if that is the only way of accessing the WAP]

Don't enable Atheros' rate 108

[EldestNorski]

It is mainly a marketing snare for the unwary. Not a lie, exactly, but being a nonstandard rate, your next piece of gear probably won't support it. Also, most g units will have to shift down from rate 54 just to reach into the next room, making a faster mode quite moot.

Of Course You Haven't Been Hacked

[cmholm]

Well, there aren't many hacks available for services running on MacOS 9, I don't think even a "Ping Of Death" DoS attack. There's a theoretical posibility of sniffing passwords from AppleTalk over IP, FTP, HTTP, or POP (but you're not running a mail server), so that someone could get some files or relay a little spam.

However, this is small potatoes, easily fixed. About the worst anyone can do is fill your file system and/or hang the machine. Since there's no root to root, it would take a very sophisticated exploit to bash a stack and really own it, and obviously no one rose to the challenge.