A Comparison of 802.11g Firewalls?
peoria kid asks: "Does anybody know how to compare the firewall effectiveness between the different providers of 802.11g networking solutions? I am considering purchasing a base station for my parents and I do not know if the Apple Airport base station or others such as Linksys or Lucent have better encryption and firewall protection."
Most of them are only firewalls because.. (Score:2, Informative)
Re:Most of them are only firewalls because.. (Score:2)
If the attacker has direct access to the network of the external interface of the NAT box, the attacker can often make connections to the internal supposedly protected network.
Detail: With a number of NAT boxes if you send a packet to the external interface with an internal IP address as destination, the box forwards the packet. The source addresses of returning packets often do get translated, but you should be able to detranslate
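The forwarding defect this post describes, modelled as an added example that is not part of the thread: a leaky NAT box routes on destination alone, while the hardened rule refuses any packet that arrives on the external interface already naming an inside address. The log format and addresses are constructed for the example.

```python
import ipaddress
from typing import NamedTuple

# RFC 1918 space: the address ranges a home NAT box hands out on its inside.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Packet(NamedTuple):
    iface: str  # interface the packet arrived on: "wan" (external) or "lan"
    src: str
    dst: str


def is_private(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)


def leaky_reaches_inside(pkt: Packet) -> bool:
    """Behaviour the post describes: the box only looks at the destination,
    so a WAN-side packet addressed to an inside host is routed through."""
    return is_private(pkt.dst)


def hardened_reaches_inside(pkt: Packet) -> bool:
    """Ingress filter: an internal destination is never legitimate on the
    external interface (only the box's public address is), so drop it there."""
    if pkt.iface == "wan" and is_private(pkt.dst):
        return False
    return is_private(pkt.dst)


def parse_line(line: str) -> Packet:
    """Constructed log format for this example: '<iface> <src> -> <dst>'."""
    iface, src, _, dst = line.split()
    return Packet(iface, src, dst)


def audit(log: str) -> list[str]:
    """Return the log lines a leaky box would forward but a hardened box drops."""
    pkts = [(ln, parse_line(ln)) for ln in log.strip().splitlines()]
    return [ln for ln, p in pkts
            if leaky_reaches_inside(p) and not hardened_reaches_inside(p)]


# Constructed sample: two ordinary flows and one probe of the kind described.
SAMPLE_LOG = """
lan 192.168.1.10 -> 203.0.113.5
wan 198.51.100.7 -> 192.168.1.10
wan 198.51.100.7 -> 203.0.113.5
"""

if __name__ == "__main__":
    for ln in audit(SAMPLE_LOG):
        print("leaky NAT would forward this to the inside:", ln)
```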
Forget hardware... (Score:1)
Re:Wire it, you lazy bum (Score:2)
The only place I know we're using wireless is in a huge factory to send data from fringe stations in. And we also use the 2.4GHz 'flood lights' to prevent onlookers. That and wep have discouraged ANYBODY from looking in.
Re:Wire it, you lazy bum (Score:2)
I found a type of light that emits large amounts of 2.4 GHz static. Because of this, we could guarantee the security of INTERCEPTING communications outside of the factory.
Well (Score:2)
Re:Well (Score:1)
Having said that, if it was possible, I would have wired at least for the desktop machines, but when you can WEP and get cheap USB wireless adapters, wiring can be too much hassle!
Re:Wire it, you lazy bum (Score:1)
Re:Wire it, you lazy bum (Score:2)
1: Parents are probably computer stupid
2: I don't think he wants to fix whenever one machine 'does not work'.
3: Wireless security is about non-existent (Yeah, WEP hackers are really big now)
4: Wired is 2x the fastest wireless protocol, and cheaper to boot
In my experience, unless you're trying to get 2 or 3 machines in a large factory on the corporate LAN, wireless is NOT the way to go.
Re:Wire it, you lazy bum (Score:1)
Re:Wire it, you lazy bum (Score:3, Insightful)
By the way, if the poster's parents are not moving very large files around and they basically use the computer to surf the web and read email (i.e., they don't need 100 Mbps), then a wireless connection certainly is something to consider.
Besides, if you are connected via something
Re:Wire it, you lazy bum (Score:1)
55 is not for data transfers... but you knew that. Try 20-22.
As to why... I am thinking laptop. Or a desktop in an area where cat5 can not be run.
Wireless is a great way to network a house without intrusive cabling. Most parents are against change...
Zyxel (Score:4, Informative)
It's a NAT device, not a real firewall, but it's in the same category as the products you've mentioned, and it's more secure.
I haven't used it, and can't vouch for it. But it's gotten some good press.
As I understand it, if you can sniff enough packets that use the same key, you can crack the crypto. This thing uses a better (and standard) protocol that keeps changing the keys, so no one can sniff enough packets to recover the key.
I'm not sure I understand why they've kept the weak algorithm and shored it up by changing keys. My guess is that the crypto is built into a lot of wireless card hardware, and you can still use the built-in hardware by rotating keys. A new algorithm would offload all of the crypto to the processor. That's just a guess, though.
In any event, I think this is believed to be secure now. I think that recent patches to XP support the new protocol with most wireless net adapters -- if you run XP, you don't have to worry about vendor support on the client side.
Re:Zyxel (Score:1)
You can add a switch or router (this includes a DSL router for connections) to the back, so you don't even have to configure an IP; just raw frames passed from one to the other.
If you want to tweak, it has lots of options.
Re:Zyxel (Score:3, Informative)
Essentially, the WEP key that you type into the client is only used to get a new randomly-generated "session" key. It IS a part of the 802.11b/g spec, but many wireless cards don't expect the key changes, so you need to be careful about which products you buy (or, at least, you had to be careful when I looked at this stuff a year or so ago).
None of these are actually firewalls (Score:5, Informative)
They also have a default DENY policy, which means that they are all about as secure as each other. The only problem would be if they came out with a new teardrop-like exploit that crashes the TCP/IP stack of the little routers, and that wouldn't affect security internally and would probably be solved by a firmware update.
Because most are black boxes, you have to take whichever manufacturer's word for it that they have a solid TCP/IP stack that won't be susceptible to this sort of attack.
The main thing I would worry about is the speed; find out what wireless firewalls are rated as the fastest. Make sure WEP is enabled and you have MAC address filtering. It's still not going to be nearly as secure as a cable.
If you want to be secure, get a software firewall as well (ZoneAlarm, Tiny Personal, Norton, etc.), run Spybot or Ad-Aware, run a virus scanner and keep your software up to date.
Re:None of these are actually firewalls (Score:1)
Re:None of these are actually firewalls (Score:4, Informative)
Wireless is never going to be all that secure, so long as it is transmitted in the airwaves, someone will be able to pick it up. The best line of defense is knowing this and changing your habits accordingly. I always use encryption at the protocol level, when there is important data whizzing by.
imaps, instead of imap
pop3s, instead of pop3
ssh, instead of telnet or ftp
https, instead of http
The list goes on and on. By using these protocols you are also not nearly as susceptible to man in the middle attacks.
SIDE NOTE: The latest WPA patch from Microsoft (KB826942) broke my wireless capability severely. I could no longer connect to any wireless access point that had encryption disabled, like coffee shops or T-Mobile. If anyone else is having problems connecting to unsecured access points, try uninstalling this. Just passing on the knowledge...
Re:None of these are actually firewalls (Score:1)
Thanks for the tip. I think that could explain the problems I have been having.
Re:None of these are actually firewalls (Score:2)
NAT tables have source and destination information. If a packet passes through the router, then it is because it matches the source, has the right destination and has passed the tcp/ip handshake. Spoofing a packet that would get past N
Re:None of these are actually firewalls (Score:1)
The Linksys WRT54G actually runs Linux [linksys.com]
A few people have been able to compile custom versions [sveasoft.com] of the firmware that include some extra (and very cool) functionality. If the tcp/ip stack is part of Linksys' GPL'd packages (I'm not sure if it is), it can be examined.
Re:None of these are actually firewalls (Score:2)
In addition, we do not know the quality of the 802.11g driver it comes with because the source has not been released. There are many layers to the security onion, and simply knowing it runs Linux doesn't tell us much.
Was it hardened? What iptables rules does it have? Where is the driver for the wireless card? Has the tcp/ip stack been modified? Why was the dev series kernel used
Re:None of these are actually firewalls (Score:1)
There are posted methods for either permanently replacing the firmware (but possibly frying it if you do it wrong) or simply overwriting it in RAM and if you reboot simply reloading it without risk of messing up the factory defaults.
You don't even need the sources from Linksys, you can cross-compile.
Linksys may not have -intended- this, for instance you do need an older firmware than is probably shipping on n
Re:None of these are actually firewalls (Score:2)
In addition, making your own kernel/etc. has the distinct disadvantage of losing access to the 802.11g wireless card because there are currently no available Linux drivers. So no matter what, even building your own kernel, etc. would still leave you with a bit of black box'ed-ness, which is what I was trying to say.
Besides this guy doesn't seem to know the differences between all the
Bilkin' (Score:5, Funny)
It'll securely interrupt your parents' networking once every eight hours to show them an ad, ironically for "parental controls".
Three times a day, your parents will know someone cares about them. What more could they ask for from their son?
Re:Bilkin' (Score:1)
KevG
D-Link (Score:3, Interesting)
Re:D-Link (Score:2)
Don't enable Atheros' rate 108 (Score:1)
linksys... (Score:3, Informative)
The really important thing is to change the SSID and add a password. That will force someone to be scanning for the wireless and also require them to spend 20 minutes cracking the WPA/WEP encryption. But if you get the BEFW11P1 it has IPsec too. Not sure which ones of their products also have this. If you need wireless then try the WRV54G. Look for VPN capability, as most VPN systems out there are using IPsec.
Re:linksys... (Score:2)
That is, until your AP or your cards start dropping connection. Call or email tech support and they'll tell you to set everything back to default for a few days to see if the problem goes away. If it does, well, that's "..your solution.."
The only secure LinkSys WAP is one that's unplugged.
The worst threat is local (Score:1)
The worst threat in this setup is other people using your AP to get to the internet, using your bandwidth and making you liable for their abuse. None of the small devices can stop that without some sort of authentication server beside it.
Either accept that risk or put a wireless nic in a dedicated pc and use that as firewall and ap with ipsec to the clien
D-Link, Netgear (Score:1)
Re:D-Link, Netgear (Score:1)
Airport info (Score:2)
I also ran a mac as a server (not mail) on the net for 4 years without a hack. OS 9 even.
The Airports have decent range and I have tested the g transmission speed as fast as 10BASE-T or better - up to 3394 Kbps for g/g peer to peer. No foolin'. Divide by 10 for b/g or b/b speeds. No foolin'. This is way faster than I can connect to the internet, but get your connection speed and do the math.
NAT and DHCP work as billed.
Never been hacked so I
Of Course You Haven't Been Hacked (Score:1)
However, this is small potatoes, easily fixed. About the worst anyone can do is fill your file system and/or hang the machine. Since there's no root to root, it would take a very sophisticated
Linksys problem (Score:2)
Security options (Score:2)
Has anyone set up their wireless access point this way, and if so, is it straight-forward? I assume one can do it with OpenRadius? [xs4all.nl]
Re:Security options (Score:2)
If you have some money to throw at the wireless security problem, I would suggest looking into the Odyssey server from Funk software. It's much easier to setup
WPA (Score:2)
I bought a PowerBook not too long ago and would like to set up wireless access for my apartment. Knowing that I have to keep others from accessing the WAP, I have been researching possibilities.
So my big dilemma is not making sure crackers do not access the tr