A Comparison of 802.11g Firewalls?
peoria kid asks: "Does anybody know how to compare the firewall effectiveness between the different providers of 802.11g networking solutions? I am considering purchasing a base station for my parents and I do not know if the Apple Airport base station or others such as Linksys, or Lucent have better encryption and firewall protection."
They do NAT, and it's a side effect. If you want a real firewall, you need a real firewall or a computer running a real software firewall.
Take a look at Zyxel.
It's a NAT device, not a real firewall, but it's in the same category as the products you've mentioned, and it's more secure.
I haven't used it, and can't vouch for it. But it's gotten some good press.
As I understand it, if you can sniff enough packets that use the same key, you can crack the crypto. This thing uses a better (and standard) protocol that keeps changing the keys, so no one can sniff enough packets to recover the key.
I'm not sure I understand why they've kept the weak algorithm and shored it up by changing keys. My guess is that the crypto is built into a lot of wireless card hardware, and you can still use the built-in hardware by rotating keys. A new algorithm would offload all of the crypto to the processor. That's just a guess, though.
In any event, I think this is believed to be secure now. I think that recent patches to XP support the new protocol with most wireless net adapters -- if you run XP, you don't have to worry about vendor support on the client side.
It just happens to be a side effect of doing network address translation. Nothing comes in that isn't requested or related to connections made.
They also have a default DENY policy which means that they are all about as secure as the other. The only problem would be if they came out with a new teardrop-like exploit that crashes the TCP/IP stack of the little routers, and that wouldn't affect security internally and would probably be solved by a firmware update.
Because most are black boxes, you have to take the manufacturer's word for it that they have a solid TCP/IP stack that won't be susceptible to this sort of attack.
Main thing I would worry about is the speed; find out what wireless firewalls are rated as the fastest. Make sure WEP is enabled and you have MAC address filtering. It's still not going to be nearly as secure as a cable.
If you want to be secure, get a software firewall as well (ZoneAlarm, Tiny Personal, Norton, etc.), run Spybot or Ad-Aware, run a Virus Scanner and keep your software up to date.
Can I get an eye poke?
Dog House Forum
Trust me, I know. I work for a contractor who has me do this about half the time. I've put in wiring from old 50's businesses to going onsite for conduit work for tomorrow's buildings.
The only place I know we're using wireless is in a huge factory to send data from fringe stations in. And we also use the 2.4GHz 'flood lights' to prevent onlookers. That and WEP have discouraged ANYBODY from looking in.
Get a Belkin.
It'll securely interrupt your parents' networking once every eight hours to show them an ad, ironically for "parental controls".
Three times a day, your parents will know someone cares about them. What more could they ask for from their son?
Opinions on the Twiddler2 hand-held keyboard?
D-Link is what I'd recommend. They, like other Atheros-based equipment, have 'turbo-g' mode at double the normal rate of 54 Mbps. Just as long as you aren't within interference range of another turbo-g network, of course. :)
The real important thing is to change the SSID and add a password. That will force someone to be scanning for the wireless and also require them to spend 20 minutes cracking the WPA/WEP encryption. But if you get the BEFW11P1 it has IPsec too. Not sure which ones of their products also have this. If you need wireless then try the WRV54G. Look for VPN capability as most VPN systems out are using IPsec.
Only 'flamers' flame!
Does slashdot hate my posts?
I live in a 75-year-old house. I have wired ethernet running to the 3 computer-enabled rooms in the house. How did I achieve such a feat? Running cat 5 through the crawlspace and up through the floor next to each computer. This isn't rocket science; what's wrong with just calling an electrician to run a few wires, people? Having the full 100 megabits is nice, and you save on equipment costs by going wired too (cheap NICs and a cheap Linksys router). Granted, this might be tougher in 2-story houses, but still, wireless is used too much because wiring is seen as so much of a hassle.
Photos.
Insightful? This just dodges the question. If the poster wanted to wire it, or had trouble wiring it, I'm supposing he would have done so, or asked about that. Maybe I'm giving the guy too much credit, but I don't think this is an insightful post at all. I think it's condescending, counterproductive, and should be modded 'offtopic' if anything. Then again my opinion is worthless =)
"where words meet intent, lies rhetoric's lament"
All of the combined routers/APs provide the basic firewalling between the internet and the home network. You still need a software firewall on each PC.
The worst threat in this setup is other people using your AP to get to the internet, using your bandwidth and making you liable for their abuse. None of the small devices can stop that without some sort of authentication server beside it.
Either accept that risk or put a wireless NIC in a dedicated PC and use that as firewall and AP with IPsec to the clients.
Premises that I based my decision on:
1: Parents are probably computer stupid
2: I don't think he wants to fix whenever one machine 'does not work'.
3: Wireless security is about nonexistent (Yeah, WEP hackers are really big now)
4: Wired is 2x the fastest wireless protocol, and cheaper to boot
In my experience, unless you're trying to get 2 or 3 machines in a large factory on the corporate LAN, wireless is NOT the way to go.
I might have missed it, but it seems nobody has mentioned restricting access to the wireless network by MAC address. Every access point I've used from D-Link and Netgear has had this ability. Though it's a pain to add new machines to the network and kills one of the benefits of wireless, it's certainly going to keep people from abusing your network... spying is a different story altogether. But like everyone else has said, this is not enough. Software firewalling is your best bet.
Slang term for high lumen lights usually found on electric poles.
I found a type of light that emits large amounts of 2.4 GHz static. Because of this, we could guarantee the security of INTERCEPTING communications outside of the factory.
I've got two airports. One original and one of the g/b ones.
I also ran a mac as a server (not mail) on the net for 4 years without a hack. OS 9 even.
The airports have decent range and I have tested the g transmission speed as fast as 10 base T or better - up to 3394 Kbps for g/g peer to peer. No foolin. Divide by 10 for b/g or b/b speeds. No foolin. This is way faster than I can connect to the internet but get your connection speed and do the math.
NAT and DHCP work as billed.
Never been hacked so I can't comment about the firewall quality. Maybe that says something.
Password protected and with an external antenna, these are great devices.
- Zav - Imagine a Beowulf cluster of insensitive clods...
By the way, if the poster's parents are not moving very large files around and they basically use the computer to surf the web and read email (i.e., they don't need 100 Mbps), then a wireless connection certainly is something to consider.
Besides, if you are connected via something like residential dsl which can't even do 10Mbps, why insist on 100Mbps everywhere in the house? Having that wire between the computer and the printer is great when you want to print very large files, but if that is the only real need for that kind of bandwidth then it may be worth the wireless instead of running wires (running them properly that is, such as through walls and not just strung in the open along the baseboard).
One feature I miss in my Linksys 802.11b device is the ability to reserve dynamically allocated IPs for certain computers. This means that I can't easily use DHCP and static name resolution because there is no guarantee that the computer will have the same IP address. (i.e. I'd have to run a DNS server.)
Has anyone set up their wireless access point this way, and if so, is it straightforward? I assume one can do it with OpenRadius?
And .11g is ONLY 55Mbit. Regular ethernet gear is 100Mbit. What exactly is the reason you need wireless?
55 is not for data transfers... but you knew that. Try 20-22.
As to why... I am thinking laptop. Or a desktop in an area where cat5 can not be run.
Wireless is a great way to network a house without intrusive cabling. Most parents are against change...
Heh, someone had just responded to one of my posts in a similar way when I wrote that; I was a bit bitter. That said, he didn't ask if he should use wireless or not, although he did say he was "considering" one. Anyways, between the "lazy bum" and the lack of suggestion as far as firewalls, it's obvious that you're making assumptions which I would personally be offended by. Then again I'm blathering on when it's not my person I think has been attacked, which is rather pointless. Hey, at least I explained myself =p
"where words meet intent, lies rhetoric's lament"
I am in an environment that could be considered "wireless hostile". I live with high school students gifted in math and science (and therefore usually computers, as well). They have ethernet in their rooms, but this gets shut off between 1am and 6am.
I bought a PowerBook not too long ago and would like to set up wireless access for my apartment. Knowing that I have to keep others from accessing the WAP, I have been researching possibilities.
So my big dilemma is not making sure crackers do not access the traffic (I would prefer they not be able to sit and watch what web sites I go to, but...), but rather making sure they cannot access the WAP.
Locking down the WAP to my MAC address would be a start. However, hacking a wireless client to use my MAC address is not too difficult. I thought about figuring out some way of shutting down the device between the hours of 1am and 5am (when they would be most motivated to access it, and when I am less likely to want access through it).
I had looked at more advanced authentication devices, but between lack of ease of use (I would like to open the PowerBook and have networking work) and speed issues (VPN over 802.11x seems to suck a good chunk of bandwidth), I wanted to stay away from them.
WPA seems to solve a lot of problems for me. It is still open to dictionary attacks, but I am more than willing to come up with a 31 key passphrase. Between that and locking the WAP to only one MAC address, I would think it would be pretty secure.
It looks like more and more products are starting to support WPA (LinkSys, Apple, and DLink all do, it seems).
A couple of questions:
1) Will this solve my access requirements within reason?
2) Anyone have experience using Apple's Airport Extreme Card with WPA on a third-party WAP?
[Yes, I realize that a determined student could start a dictionary attack even on a 31 key passphrase, but I think that is reasonable closure if that is the only way of accessing the WAP]
- (c) 2018 Hank Zimmerman
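On the WPA passphrase question in the post above, an added example (not part of the thread) showing how WPA-Personal turns a passphrase and SSID into the network key, and how passphrase length and randomness set the cost of a dictionary search. The function names, the sample passphrases and SSIDs, and the guess rate of 1e5 per second are assumptions made for illustration; "31 key" is read here as 31 characters.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA-PSK pairwise master key (PMK).

    WPA-Personal defines PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
    The SSID is the salt, so the same passphrase gives a different key per network name.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("a WPA passphrase is printable ASCII only")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def search_space_bits(symbols: int, length: int) -> float:
    """Bits of entropy when each of `length` positions is picked uniformly at random."""
    return length * math.log2(symbols)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample values; the guess rate is an assumption, not a measurement.
    rate = 1e5
    for label, bits in [
        ("4 words from a 2048-word list", search_space_bits(2048, 4)),
        ("12 random lowercase letters", search_space_bits(26, 12)),
        ("31 random lowercase letters", search_space_bits(26, 31)),
    ]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years")
    # Same passphrase, two network names: the keys differ because the SSID is the salt.
    print(wpa_pmk("correct horse battery", "default").hex()[:16])
    print(wpa_pmk("correct horse battery", "home-7f3a").hex()[:16])
```

The entropy figures only hold for passphrases chosen at random; a 31-character phrase built from a common quotation has far less search space than the character count suggests.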
It is mainly a marketing snare for the unwary. Not a lie, exactly, but being a nonstandard rate, your next piece of gear probably won't support it. Also, most g units will have to shift down from rate 54 just to reach into the next room, making a faster mode quite moot.
However, this is small potatoes, easily fixed. About the worst anyone can do is fill your file system and/or hang the machine. Since there's no root to root, it would take a very sophisticated exploit to bash a stack and really own it, and obviously no one rose to the challenge.
Luke, help me take this mask off