Are you running a firewall? You should be!

Ryan:

Thanks for an excellent article.  This is one of the best I have seen on the forum.  You deserve accolades.  A noble act, indeed.

I am using TM1300 behind a NAT firewall offered by my Linksys router.  And I just ran the Symantec Security check you recommended.  I have in addition to the I5100, an Alpha running Linux and an iMac connected to the router.  The Symantec check found one open port (ssh) and one closed port (http) that I enabled on the router to let me and my friend connect to the Linux box to do work, and to serve work-related webpages.  It was a relief to see that the firewall does protect me (apart from the open ports mentioned above, that I try and keep as secure as possible).

One question I have is this: for the I5100, that uses TM1300 to connect to the Linksys via the WAP, do I need additional (software) firewall?  I guess I'm not sure if any attack on the I5100 must come via the router and the WAP, or whether the TM1300 in the I5100 can be "attacked" bypassing the router/WAP.  Can you (or others) please comment on this point?

Thanks again for a great article.

Rajiv

Message Edited by rpras on 10-02-2003 08:25 PM

rpras:

There are 2 most likely scenerios of attack via the wireless network:

1) Someone can sit in an area where they can detect your network, and sniff out traffic for a few hours/days (depending on the computer they have, what strength encryption you're using, etc). After capturing enough packets, they can decrypt your key. Then, they can easily read all of the packets you are sending, and since they have your key, they can attempt to connect directly to your router. If you don't have any access control except for WEP enabled, they will be able to join the router and become part of your network. From here, any file shares you have they can connect to, as well as attempt to explioit any security weaknesses you have.

2) If you aren't paying attention, Windows will connect you to new networks it finds without asking. Someone could get lucky and have you connect to them, and then the situation is the same as above.

A firewall only makes it harder for the person to connect directly to you- it doesn't protect against them reading all of the traffic you are sending. It's impossible to tell who is passively collecting packets as well. You can make it harder for them to connect to the router by turning off SSID broadcasting, and enabling MAC address filtering. (Both can be circumvented, but it makes it that much harder).

Even so, if the Linksys is only running NAT and not a firewall on top of it, I'd recommend a firewall just so you get some outbound protection.

Jerry- I disagree. I liken your comment to saying 'as long as you are a cautious driver, always checking your blind spot and obeying the speed limit, you don't need to wear your seat belt.' (It's not a perfect analogy, but it shows my point)

I highly recommend this be made a sticky on this forum and also the Wireless Networking forum.  An excellent and very informative resource for all users.  Thank you Ryan!

Hi folks:

Just found some time to get back to this discussion.

---- Ryan wrote:

1) Someone can sit in an area where they can detect your network, and sniff out traffic for a few hours/days (depending on the computer they have, what strength encryption you're using, etc). After capturing enough packets, they can decrypt your key. Then, they can easily read all of the packets you are sending, and since they have your key, they can attempt to connect directly to your router. If you don't have any access control except for WEP enabled, they will be able to join the router and become part of your network. From here, any file shares you have they can connect to, as well as attempt to explioit any security weaknesses you have.

----

Right -- sniffing was one thing I was worried about.  That is the reason I change my WEP keys frequently.  IIRC, this is also basically the idea behind WAP, isn't it (in addition to its authentication capabilities over WEP)?  "Frequently" is a relative term here.  I do this maybe 1-2 times a week.  So this brings up another point: how long does one need to "sniff" before they break my encryption?  A day, a week... what?  (Obviously it depends on their computing capabilities, but some average number would be nice to set a benchmark.)

----

2) If you aren't paying attention, Windows will connect you to new networks it finds without asking. Someone could get lucky and have you connect to them, and then the situation is the same as above.

----

This I need to be careful about.  How does one go about restricting the 1300 to connect to the preffered network only (my WAP) and not behave promiscuously?  I have the option "Automatically connect to non-preferred networks" in the Advanced area for the 1300 unchecked -- is that enough?

---- Jerry wrote:

If you have a good router which can stealth your network, don't use compromised browsers and email clients (Outlook Express, etc.), don't open unknown email attachments or download unknown executable files, and check what you do download with a good virus program, you will be relatively safe from a virus or worm attack.

----

Yes -- I checked that my router actually "stealths" the network, so that is cause for comfort.  I already follow your other suggestions.  Not yet a virus/trojan attack, so I must be doing the right things.  But your points are well made, and others should take note of them -- you can never be too safe -- be vigilant.  My antivirus definitions files are updated daily, for example, and Windows patches applied when they appear -- not automatically, because I still want some control for myself. 

One thing I do not have (yet) that Ryan pointed out is outbound filtering/protection.  But I'm the only one using the I5100, and have been lucky so far. 

Thanks for a great thread guys, and I appreciate everyone's replies.

Cheers,

Rajiv

---

@Botteur wrote:

I was wondering if anybody knows if there is a software that can be used to automatically change the wep key on a daily or a weekly basis so that we don't have to do it manually? I think that would add an extra security. I have a Netgear MR814V2 router, and as far as I know, WAP is only available on g routers ?

---

Heheee -- no, I'm not laughing at you.  This is the idea that popped into my head a while ago, and it's funny you thought it up too!!  Sorta like a poor man's WPA, eh?

No, I guess the easiest will be to just upgrade to WPA.  WPA is available on 802.11b routers too (examples, please?), or at least can be if the company provides an updated firmware (mine won't ).

Cheers,

Rajiv

---

@rpras wrote:

WPA is available on 802.11b routers too (examples, please?), or at least can be if the company provides an updated firmware (mine won't ).

So far D-Link hasn't for the DI-614+ or pccard DWL-650+.  Sure wish they would.

---

I know of no such utility. It would have to interface directly with the router. I know my belkin router has a little program you can run on windows that will program the router for you- if you could reverse enginner it and figure out what port and how it's configuring it, you could write a little VB script that changes the key and then prints it so you can enter it.

Otherwise, since you can't run scripts on the router, it would be very difficult to accomplish.

I agree, I ran the tests and was told I had a "Healthy set up". I think it may be too healthy,, I am unable to access some sites and web pages,, Microsoft updates page  and MccAffe updates site, alond with Lycos and some Yahoo sites..

My thought is that the Dell 1184 firewall is conflicting with my MccAffe firewall.. Can I turn off the dell TM 1184 firewall?? I have shut my virus scan and firewall down to see if it changed.  Not, so I suspect the Dell installed firewall... You with me???

Or am I out in left field about this?

I am running WinXP on a dimension 2350, Have DSL thru a speedstream 5660 router into a Dell Tru Mobile 1184 Router, Have updated firm ware and it works on my other computer running Win 98 ( my recipient computer), But my Dim 2350 is my server computer and has the problem.

Any help would be appreciated!!