Slashdot Mirror


A Comparison of 802.11g Firewalls?

peoria kid asks: "Does anybody know how to compare the firewall effectiveness between the different providers of 802.11g networking solutions? I am considering purchasing a base station for my parents and I do not know if the Apple Airport base station or others such as Linksys, or Lucent have better encryption and firewall protection."

9 of 51 comments

  1. Most of them are only firewalls because.. by Anonymous Coward · · Score: 2, Informative

    They do NAT, and it's a side effect. If you want a real firewall, you need a real firewall or a computer running a real software firewall.

  2. Zyxel by astrashe · · Score: 3, Informative

    Take a look at Zyxel.

    It's a NAT device, not a real firewall, but it's in the same category as the products you've mentioned, and it's more secure.

    I haven't used it, and can't vouch for it. But it's gotten some good press.

    As I understand it, if you can sniff enough packets that use the same key, you can crack the crypto. This thing uses a better (and standard) protocol that keeps changing the keys, so no one can sniff enough packets to recover the key.

    I'm not sure I understand why they've kept the weak algorithm and shored it up by changing keys. My guess is that the crypto is built into a lot of wireless card hardware, and you can still use the built-in hardware by rotating keys. A new algorithm would offload all of the crypto to the processor. That's just a guess, though.

    In any event, I think this is believed to be secure now. I think that recent patches to XP support the new protocol with most wireless net adapters -- if you run XP, you don't have to worry about vendor support on the client side.

    1. Re:Zyxel by PapaZit · · Score: 2, Informative

      Cisco (commercial) wireless APs do the same trick.

      Essentially, the WEP key that you type into the client is only used to get a new randomly-generated "session" key. It IS a part of the 802.11b/g spec, but many wireless cards don't expect the key changes, so you need to be careful about which products you buy (or, at least, you had to be careful when I looked at this stuff a year or so ago).

      --
      Forward, retransmit, or republish anything I say here. Just don't misquote me.
  3. None of these are actually firewalls by DA-MAN · · Score: 4, Informative

    It just happens to be a side effect of doing network address translation. Nothing comes in that isn't requested or related to connections made.

    They also have a default DENY policy which means that they are all about as secure as the other. The only problem would be if they came out with a new teardrop-like exploit that crashes the tcp/ip stack of the little routers, and that wouldn't affect security internally and would probably be solved by a firmware update.

    Because most are black boxes, you have to take the manufacturer's word for it that they have a solid TCP/IP stack that won't be susceptible to this sort of attack.

    Main thing I would worry about is the speed, find out what wireless firewalls are rated as the fastest. Make sure WEP is enabled and you have MAC address filtering. It's still not going to be nearly as secure as a cable.

    If you want to be secure, get a software firewall as well (ZoneAlarm, Tiny Personal, Norton, etc.), run Spybot or Ad-Aware, run a Virus Scanner and keep your software up to date.

    --
    Can I get an eye poke?
    Dog House Forum
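The NAT behaviour comment 3 describes (nothing comes in unless it was requested, default deny otherwise), as an added example that is not part of the original thread: a simplified Python model of a router's translation table. The class name, addresses (documentation ranges) and ports are constructed for illustration, and real routers differ in how strictly they match the remote endpoint.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Hypothetical, simplified model of a consumer NAT router (not vendor code)."""
    public_ip: str
    next_port: int = 40000
    # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    # admin-configured port forwards: (proto, public_port) -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: allocate a public port and record state."""
        public_port = self.next_port
        self.next_port += 1
        self.table[(proto, public_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return (self.public_ip, public_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """A packet arrives on the WAN side: return the LAN target, or None if dropped."""
        entry = self.table.get((proto, dst_port))
        if entry and entry[2:] == (src_ip, src_port):
            return entry[:2]  # reply to a connection the LAN side started
        if (proto, dst_port) in self.forwards:
            return self.forwards[(proto, dst_port)]  # explicit hole in the "firewall"
        return None  # no matching state and no rule: default deny


def demo():
    """Run constructed sample traffic through the model and collect the verdicts."""
    r = NatRouter("203.0.113.5")
    _, port = r.outbound("tcp", "192.168.1.10", 51000, "198.51.100.7", 443)
    results = {
        "reply": r.inbound("tcp", "198.51.100.7", 443, port),
        "unsolicited": r.inbound("tcp", "192.0.2.99", 4444, 3389),
        "wrong_peer": r.inbound("tcp", "192.0.2.99", 4444, port),
    }
    # A single port forward makes the LAN host reachable from any source.
    r.forwards[("tcp", 8080)] = ("192.168.1.20", 80)
    results["forwarded"] = r.inbound("tcp", "192.0.2.99", 4444, 8080)
    return results


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:12} -> {target or 'DROPPED'}")
```

The model only decides which inbound packets reach the LAN; it inspects nothing about outbound traffic or packet contents, which is the gap the commenters point to when they say these boxes are not real firewalls.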
    1. Re:None of these are actually firewalls by DA-MAN · · Score: 3, Informative

      WPA isn't all that great either. But you are right, WPA is better than WEP.

      Wireless is never going to be all that secure, so long as it is transmitted in the airwaves, someone will be able to pick it up. The best line of defense is knowing this and changing your habits accordingly. I always use encryption at the protocol level, when there is important data whizzing by.

      imaps, instead of imap
      pop3s, instead of pop3
      ssh, instead of telnet or ftp
      https, instead of http

      The list goes on and on. By using these protocols you are also not nearly as susceptible to man in the middle attacks.

      SIDE NOTE: The latest WPA patch from Microsoft (KB826942) broke my wireless capability severely. I could no longer connect to any wireless access point that had encryption disabled, like coffee shops or T-mobile. If anyone else is having problems connecting to unsecured access points, try uninstalling this. Just passin on the knowledge...

      --
      Can I get an eye poke?
      Dog House Forum
  4. Bilkin' by orthogonal · · Score: 4, Funny

    Get a Belkin.

    It'll securely interrupt your parents' networking once every eight hours to show them an ad, ironically for "parental controls".

    Three times a day, your parents will know someone cares about them. What more could they ask for from their son?

  5. D-Link by Tumbleweed · · Score: 2, Interesting

    D-Link is what I'd recommend. They, like other Aetheros (sp?) -based equipment, have 'turbo-g' mode at double the normal rate of 54mbps. Just as long as you aren't within interference range of another turbo-g network, of course. :)

  6. linksys... by josepha48 · · Score: 2, Informative
    I think that the linksys has ipsec, which is about as secure as you are gonna get when doing wireless.

    The real important thing is to change the ssid and add a password. That will force someone to be scanning for the wireless and also require them to spend 20 minutes cracking the wpa / wep encryption. But if you get the BEFW11P1 it has ipsec too. Not sure which ones of their products also have this. If you need wireless then try the WRV54G. Look for VPN capability as most vpn systems out are using ipsec.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

  7. Re:Wire it, you lazy bum by hubie · · Score: 2, Insightful
    This is by far the best point to getting a wireless router. It has 10/100 ports on it to hook up your wired computers, and it allows you to hook up your laptop or other computer you want mobile. It is very darn convenient.

    By the way, if the poster's parents are not moving very large files around and they basically use the computer to surf the web and read email (i.e., they don't need 100 Mbps), then a wireless connection certainly is something to consider.

    Besides, if you are connected via something like residential dsl which can't even do 10Mbps, why insist on 100Mbps everywhere in the house? Having that wire between the computer and the printer is great when you want to print very large files, but if that is the only real need for that kind of bandwidth then it may be worth the wireless instead of running wires (running them properly that is, such as through walls and not just strung in the open along the baseboard).