#1
08-03-2006, 10:13 PM
paul.hester@gmail.com
Linksys router - how to block wired/LAN access

Hi all,

I have a LinkSys WRT54G Wireless-G Broadband Router. I have
successfully managed to only allow access to the wireless network for a
series of MAC addresses using the Wireless MAC filter.

I can't apply the same rule for wired/LAN access (i.e. PCs plugged
directly into the router). Has anyone had any success blocking wired
access?

Any help would be appreciated.

Thanks,

Paul


#2
08-03-2006, 11:08 PM
Duane Arnold
Re: Linksys router - how to block wired/LAN access

paul.hester@gmail.com wrote:
> Hi all,
>
> I have a LinkSys WRT54G Wireless-G Broadband Router. I have
> successfully managed to only allow access to the wireless network for a
> series of MAC addresses using the Wireless MAC filter.
>
> I can't apply the same rule for wired/LAN access (i.e. PCs plugged
> directly into the router). Has anyone had any success blocking wired
> access?
>


Block them for what reason?

Duane :)

#3
08-03-2006, 11:31 PM
paul.hester@gmail.com
Re: Linksys router - how to block wired/LAN access

I work in a shared office space, so it's to stop people just plugging
their PC straight into our router and using our internet connection.

Paul

Duane Arnold wrote:
> paul.hester@gmail.com wrote:
> > Hi all,
> >
> > I have a LinkSys WRT54G Wireless-G Broadband Router. I have
> > successfully managed to only allow access to the wireless network for a
> > series of MAC addresses using the Wireless MAC filter.
> >
> > I can't apply the same rule for wired/LAN access (i.e. PCs plugged
> > directly into the router). Has anyone had any success blocking wired
> > access?
> >

>
> Block them for what reason?
>
> Duane :)



#4
08-03-2006, 11:56 PM
John Navas
Re: Linksys router - how to block wired/LAN access

On 3 Aug 2006 15:13:56 -0700, paul.hester@gmail.com wrote in
<1154643236.023227.241090@b28g2000cwb.googlegroups.com>:

>I have a LinkSys WRT54G Wireless-G Broadband Router. I have
>successfully managed to only allow access to the wireless network for a
>series of MAC addresses using the Wireless MAC filter.
>
>I can't apply the same rule for wired/LAN access (i.e. PCs plugged
>directly into the router). Has anyone had any success blocking wired
>access?


MAC filtering is essentially *useless* because valid MAC addresses are
so easily spoofed. For real security you need to use WPA.

Really controlling wired LAN access takes something like enforced
authentication (which could also be used for wireless), but that's
non-trivial to set up.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#5
08-04-2006, 01:44 AM
Duane Arnold
Re: Linksys router - how to block wired/LAN access

paul.hester@gmail.com wrote:
> I work in a shared office space, so it's to stop people just plugging
> their PC straight into our router and using our internet connection.
>


Well, someone may have another suggestion for you, but I would disable
the DHCP server on the router. I would then assign a static IP on the
router to each wireless machine's NIC, which you'll have to manually
assign the IP and configure each NIC manually to access the WAN/Internet
or LAN machines via the router.

You do it manually instead of letting the router's DHCP server issue an
IP to a machine wire or wireless that has the NIC configured to obtain
an IP from the router automatically.

That means anyone with a wire NIC machine wouldn't be able to just plug
the machine into the router and gain access to the WAN or LAN, because
they would have to configure the NIC to use a static IP on the router.

They wouldn't be able to do it if the computer's NIC was set to obtain a
DHCP IP from the router with the DHCP server on the router disabled. The
router will not issue the IP(s).

Most are not savvy enough to know how to configure the computer's NIC
for static IP usage on the router.

You can disable the router's DHCP server and make the machines use
static IP(s).

http://linksys.custhelp.com/cgi-bin/...hp?p_faqid=534

That's one way.

Duane :)



> Paul
>
> Duane Arnold wrote:
>
>>paul.hester@gmail.com wrote:
>>
>>>Hi all,
>>>
>>>I have a LinkSys WRT54G Wireless-G Broadband Router. I have
>>>successfully managed to only allow access to the wireless network for a
>>>series of MAC addresses using the Wireless MAC filter.
>>>
>>>I can't apply the same rule for wired/LAN access (i.e. PCs plugged
>>>directly into the router). Has anyone had any success blocking wired
>>>access?
>>>

>>
>>Block them for what reason?
>>
>>Duane :)

>
>


#6
08-04-2006, 02:09 AM
John Navas
Re: Linksys router - how to block wired/LAN access

On Fri, 04 Aug 2006 01:44:48 GMT, Duane Arnold <"Do forget about
it"@PleaeDo.BET> wrote in
<kExAg.7674$gF6.758@newsread2.news.pas.earthlink.net>:

>paul.hester@gmail.com wrote:
>> I work in a shared office space, so it's to stop people just plugging
>> their PC straight into our router and using our internet connection.

>
>Well, someone may have another suggestion for you, but I would disable
>the DHCP server on the router. I would then assign a static IP on the
>router to each wireless machine's NIC, which you'll have to manually
>assign the IP and configure each NIC manually to access the WAN/Internet
>or LAN machines via the router.
>
>You do it manually instead of letting the router's DHCP server issue an
>IP to a machine wire or wireless that has the NIC configured to obtain
>an IP from the router automatically.
>
>That means anyone with a wire NIC machine wouldn't be able to just plug
>the machine into the router and gain access to the WAN or LAN, because
>they would have to configure the NIC to use a static IP on the router.
>
>They wouldn't be able to do it if the computer's NIC was set to obtain a
>DHCP IP from the router with the DHCP server on the router disabled. The
>router will not issue the IP(s).
>
>Most are not savvy enough to know how to configure the computer's NIC
>for static IP usage on the router.


But many are, especially those you want to keep out. I personally don't
think that provides any meaningful level of security. No offense
intended.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#7
08-04-2006, 07:12 AM
Duane Arnold
Re: Linksys router - how to block wired/LAN access

John Navas wrote:
> On Fri, 04 Aug 2006 01:44:48 GMT, Duane Arnold <"Do forget about
> it"@PleaeDo.BET> wrote in
> <kExAg.7674$gF6.758@newsread2.news.pas.earthlink.net>:
>
>
>>paul.hester@gmail.com wrote:
>>
>>>I work in a shared office space, so it's to stop people just plugging
>>>their PC straight into our router and using our internet connection.

>>
>>Well, someone may have another suggestion for you, but I would disable
>>the DHCP server on the router. I would then assign a static IP on the
>>router to each wireless machine's NIC, which you'll have to manually
>>assign the IP and configure each NIC manually to access the WAN/Internet
>>or LAN machines via the router.
>>
>>You do it manually instead of letting the router's DHCP server issue an
>>IP to a machine wire or wireless that has the NIC configured to obtain
>>an IP from the router automatically.
>>
>>That means anyone with a wire NIC machine wouldn't be able to just plug
>>the machine into the router and gain access to the WAN or LAN, because
>>they would have to configure the NIC to use a static IP on the router.
>>
>>They wouldn't be able to do it if the computer's NIC was set to obtain a
>>DHCP IP from the router with the DHCP server on the router disabled. The
>>router will not issue the IP(s).
>>
>>Most are not savvy enough to know how to configure the computer's NIC
>>for static IP usage on the router.

>
>
> But many are, especially those you want to keep out. I personally don't
> think that provides any meaningful level of security. No offense
> intended.
>


You do know that it has nothing to do with the wireless side of it. It
has to do with someone walking up to that router and plugging in a wire
computer right in someone's face.

I think it's an effective measure to prevent that. As for the wireless
side of it, anyone can get a DHCP IP or use a static IP on the router.
It's not stopping anything, but it will stop the average Joe Blow on the
wire.

I'll tell you right now, 90% of the people that post to this NG don't
know how to do it. They can barely turn the computer *on*.

I am sorry but I disagree.

Duane :)

#8
08-04-2006, 01:59 PM
John Navas
Re: Linksys router - how to block wired/LAN access

On Fri, 04 Aug 2006 07:12:52 GMT, Duane Arnold <"Do forget about
it"@PleaeDo.BET> wrote in
<UrCAg.3315$xp2.2238@newsread1.news.pas.earthlink.net>:

>John Navas wrote:


>> But many are, especially those you want to keep out. I personally don't
>> think that provides any meaningful level of security. No offense
>> intended.

>
>You do know that it has nothing to do with the wireless side of it. It
>has to do with someone walking up to that router and plugging in a wire
>computer right in someone's face.


The assumption that wired is more secure than wireless isn't necessarily
valid. All too many switches and hubs and cables aren't physically
secured. I know of a case where a "foreign" laptop was found in a
wiring closet merrily gathering data. Never did find out who did it.
I've seen other cases where employees inserted small switches or hubs in
accessible cable runs to create more connections that were unknown to
computer people. Not to mention rogue wireless access points. Moral:
Wired networks also need to be carefully and completely secured. Just
using manual IP assignment instead of DHCP provides no real security.

>I think it's an effective measure to prevent that. As for the wireless
>side of it, anyone can get a DHCP IP or use a static IP on the router.
>It's not stopping anything, but it will stop the average Joe Blow on the
>wire.


The major worry isn't Joe Blow -- it's those with bad intent and some
skill, who won't even be slowed down by manual IP assignment.

>I'll tell you right now, 90% of the people that post to this NG don't
>know how to do it. They can barely turn the computer *on*.


The worry isn't those that can't, it's those that can, and if you stop
them, then you stop those that can't as well. Going after those that
can't still leaves you vulnerable to those that can, which makes no
sense, particularly since you'll be making life more difficult for
legitimate users.

Security is a balancing act between convenience and robustness. Make
the system inconvenient, and people will rebel, sometimes in obvious
ways, sometimes in subtle ways, defeating that security (e.g., the
PostIt with password stuck to a monitor). Using manual IP assignment
for security fails that tradeoff IMHO.

>I am sorry but I disagree.


Is that a personal opinion or a professional opinion?

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#9
08-04-2006, 02:33 PM
Bill Kearney
Re: Linksys router - how to block wired/LAN access


> Well, someone may have another suggestion for you, but I would disable
> the DHCP server on the router. I would then assign a static IP on the
> router to each wireless machine's NIC, which you'll have to manually
> assign the IP and configure each NIC manually to access the WAN/Internet
> or LAN machines via the router.


Yep, then they'd have to know the subnet range in order to configure their
own stuff. Move the router to an address OTHER than x.x.x.1 while you're at
it. That way your workstations are on 172.16.88.x/255.255.0.0 with the
router on 172.16.88.100 (as an example) as the gateway. And if you're using
WPA on the wireless it'd be more work than the casual abuser would be likely
to tackle.

Private networks can use more than just the 192.168.x.x/255.255.255.0
subnet. You can use Class A (10.x.x.x/255.0.0.0) and Class B
(172.16.x.x/255.255.0.0) ranges. For either of those ranges you replace the
'x' with a number between 0 and 254. It's unlikely someone trying to guess
static addresses is going to try non-192.168.x.x ranges. Not impossible,
but pretty unlikely for casual users.

So start by moving the router to a different subnet and IP address. Then
manually configure the workstations (wired and wireless) to use that new
subnet/mask/gateway. Then go back to the router and disable DHCP services.
Set up WPA for the wireless. Then just ditch MAC filtering entirely as it's
a weak method, at best. Prevent wired connections by just locking it in a
box, drawer, cabinet or something else that doesn't also block the signal.

What you might also want to consider is arpwatch. That way you could at
least get notified if unexpected MAC addresses start connecting to your
devices.

-Bill Kearney
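
Added example, not part of Bill Kearney's post and not arpwatch's own code: a small Python sketch of the kind of IP/MAC pairing check that arpwatch-style monitoring performs against a static inventory. The inventory, the observation lines, the alert names and the function names are all constructed for illustration; the last test case shows that a cloned allowed MAC at its expected IP raises no alert.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed inventory of the statically addressed machines (IP -> MAC).
# All MACs are made-up, locally administered values, not real devices.
KNOWN_HOSTS = {
    "172.16.88.100": "02:00:00:00:00:64",  # router / gateway
    "172.16.88.21": "02:00:00:00:00:15",
    "172.16.88.22": "02:00:00:00:00:16",
}

# Constructed observations, one "timestamp ip mac" per line, as a sensor
# watching ARP traffic on the LAN might record them.
SAMPLE_OBSERVATIONS = """\
2006-08-04T09:00:01 172.16.88.21 02:00:00:00:00:15
2006-08-04T09:00:02 172.16.88.22 02:00:00:00:00:16
2006-08-04T09:14:40 172.16.88.57 02:00:00:00:00:99
2006-08-04T09:20:10 172.16.88.22 02:00:00:00:00:AA
2006-08-04T09:20:12 172.16.88.22 02-00-00-00-00-16
2006-08-04T09:31:00 172.16.88.58 02:00:00:00:00:15
garbage line
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


@dataclass(frozen=True)
class Alert:
    kind: str
    ip: str
    mac: str
    when: str


def normalize_mac(text):
    """Return a MAC as lower-case colon-separated hex, or raise ValueError."""
    if not MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return text.lower().replace("-", ":")


def analyze(lines, known_hosts):
    """Return (alerts, skipped_line_count) for an iterable of observation lines."""
    inventory = {ip: normalize_mac(mac) for ip, mac in known_hosts.items()}
    inventory_macs = set(inventory.values())
    current = {}   # ip -> MAC most recently seen claiming it
    previous = {}  # ip -> MAC seen claiming it before that
    alerts, skipped = [], 0

    for line in lines:
        parts = line.split()
        if not parts:
            continue
        try:
            when, ip_text, mac_text = parts
            ip = str(ipaddress.ip_address(ip_text))
            mac = normalize_mac(mac_text)
        except ValueError:
            skipped += 1  # malformed input is counted, never trusted
            continue

        last = current.get(ip)
        if last == mac:
            continue  # same pairing as before, nothing to report

        if last is not None:
            # The IP is now claimed by a different MAC than a moment ago.
            kind = "flip-flop" if previous.get(ip) == mac else "mac-changed"
        elif ip in inventory:
            # First sighting of an inventoried IP: the MAC must match the record.
            kind = None if inventory[ip] == mac else "mac-mismatch"
        elif mac in inventory_macs:
            kind = "known-mac-on-new-ip"  # possible clone of an allowed MAC
        else:
            kind = "unknown-station"

        if kind:
            alerts.append(Alert(kind, ip, mac, when))
        previous[ip], current[ip] = last, mac

    return alerts, skipped


if __name__ == "__main__":
    found, bad = analyze(SAMPLE_OBSERVATIONS.splitlines(), KNOWN_HOSTS)
    for alert in found:
        print(f"{alert.when} {alert.kind:20} {alert.ip:15} {alert.mac}")
    print(f"{bad} malformed line(s) skipped")
```
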


#10
08-04-2006, 02:35 PM
Bill Kearney
Re: Linksys router - how to block wired/LAN access

> I work in a shared office space, so it's to stop people just plugging
> their PC straight into our router and using our internet connection.


Lock it in a cabinet. Why bother burdening the router with the added tasks
of packet filtering? It's not like there's CPU power to spare on
residential-grade devices like the WRT54 series.

MAC filtering is a joke, all they need to do is get the address of one of
your allowed addresses and use that for their device. If they do this while
your device is active you'll have a helluva time trying to figure out what's
causing the trouble. Using MAC filtering alone will not stop them. You'd
have to go a step further and use some sort of security like RADIUS to add
another layer. They'd have to possess both the MAC address AND the
username/password used to authenticate the session.

Of course you should be using WPA security for the wireless anyway. That'd
make MAC filtering rather pointless too.

I'd start by just putting the router in a locked cabinet or box of some
kind. That'd at least stop them from jacking into it directly. But also
consider that if they're close enough to the box to jack into it, what's to
stop them from using the ethernet jack on the wall? Assuming there is one,
of course. They could just plug a hub or switch into that and leech
connectivity from there. So make sure there's decent physical security on
that too.

-Bill Kearney


#11
08-04-2006, 03:01 PM
Duane Arnold
Re: Linksys router - how to block wired/LAN access

John Navas wrote:
> On Fri, 04 Aug 2006 07:12:52 GMT, Duane Arnold <"Do forget about
> it"@PleaeDo.BET> wrote in
> <UrCAg.3315$xp2.2238@newsread1.news.pas.earthlink.net>:
>
>
>>John Navas wrote:

>
>
>>>But many are, especially those you want to keep out. I personally don't
>>>think that provides any meaningful level of security. No offense
>>>intended.

>>
>>You do know that it has nothing to do with the wireless side of it. It
>>has to do with someone walking up to that router and plugging in a wire
>>computer right in someone's face.

>
>
> The assumption that wired is more secure than wireless isn't necessarily
> valid. All too many switches and hubs and cables aren't physically
> secured. I know of a case where a "foreign" laptop was found in a
> wiring closet merrily gathering data.


Whose fault is that? If someone was to be so stupid as to let it happen,
there is nothing that can be done about that kind of stupidity.

> Never did find out who did it.
> I've seen other cases where employees inserted small switches or hubs in
> accessible cable runs to create more connections that were unknown to
> computer people.


Not in front of someone who is aware of the situation. The router is
right there in that person's face I'll assume that has made this post.

> Not to mention rogue wireless access points. Moral:
> Wired networks also need to be carefully and completely secured. Just
> using manual IP assignment instead of DHCP provides no real security.


In this person's case, I think it is unless the person is blind, can't
read the logs and can't see a cable plugged in that was not there before.

>
>
>>I think it's an effective measure to prevent that. As for the wireless
>>side of it, anyone can get a DHCP IP or use a static IP on the router.
>>It's not stopping anything, but it will stop the average Joe Blow on the
>>wire.

>
>
> The major worry isn't Joe Blow -- it's those with bad intent and some
> skill, who won't even be slowed down by manual IP assignment.


The person is walking up to a router in a small LAN situation. Unless
this person is James Bond, I wouldn't worry about it too much.
>
>
>>I'll tell you right now, 90% of the people that post to this NG don't
>>know how to do it. They can barely turn the computer *on*.

>
>
> The worry isn't those that can't, it's those that can, and if you stop
> them, then you stop those that can't as well.


That's the price that will have to be paid, if the OP wants some kind of
control of the situation, which I'll assume the OP knows what's on the
network for the most part in a small LAN situation.

> Going after those that
> can't still leaves you vulnerable to those that can, which makes no
> sense, particularly since you'll be making life more difficult for
> legitimate users.


We're talking a small LAN situation here. If the person cannot stay on
top of it, then the company should get someone who can.

The person is not the admin at Rockwell International.
>
> Security is a balancing act between convenience and robustness. Make
> the system inconvenient, and people will rebel, sometimes in obvious
> ways, sometimes in subtle ways, defeating that security (e.g., the
> PostIt with password stuck to a monitor). Using manual IP assignment
> for security fails that tradeoff IMHO.


Well, I suggest you provide some type of solution here and put it on the
table, because it's better than nothing.

Nothing is 100%. But the solution I have put on the table is better than
nothing and the OP is going to have to weigh the pros and cons.

It's his call and it's not yours or mine. That's the bottom line here.
>
>
>>I am sorry but I disagree.

>
>
> Is that a personal opinion or a professional opinion?
>


?????

Duane :)

#12
08-04-2006, 03:32 PM
John Navas
Re: Linksys router - how to block wired/LAN access

On Fri, 04 Aug 2006 15:01:12 GMT, Duane Arnold <"Do forget about
it"@PleaeDo.BET> wrote in
<YiJAg.7852$gF6.7431@newsread2.news.pas.earthlink.net>:

>> Security is a balancing act between convenience and robustness. Make
>> the system inconvenient, and people will rebel, sometimes in obvious
>> ways, sometimes in subtle ways, defeating that security (e.g., the
>> PostIt with password stuck to a monitor). Using manual IP assignment
>> for security fails that tradeoff IMHO.

>
>Well, I suggest you provide some type of solution here and put it on the
>table, because it's better than nothing.


My solution is to physically secure the network, but assume it _will_ be
compromised, and protect clients accordingly, using managed switches
rather than cheap hubs, strong authentication, encryption, internal VPN,
internal firewalls, active/passive scanning, etc. Small businesses that
set up LANs without a proper budget and expert advice are just asking
for trouble, like driving without a seatbelt, or even an airbag.

>Nothing is 100%.


Your solution isn't even close to that, particularly since it does
nothing about the more serious threats.

>But the solution I have put on the table is better than
>nothing


Not much, and much less than is needed IM(ns)HO.

>and the OP is going to have to weigh the pros and cons.


True. Sadly, most businesses pay way too little attention to security,
which is why it's such a serious problem. But good for me, since I get
paid to come in and clean up the messes.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#13
08-04-2006, 04:20 PM
Duane Arnold
Re: Linksys router - how to block wired/LAN access

John Navas wrote:
> On Fri, 04 Aug 2006 15:01:12 GMT, Duane Arnold <"Do forget about
> it"@PleaeDo.BET> wrote in
> <YiJAg.7852$gF6.7431@newsread2.news.pas.earthlink.net>:
>
>
>>>Security is a balancing act between convenience and robustness. Make
>>>the system inconvenient, and people will rebel, sometimes in obvious
>>>ways, sometimes in subtle ways, defeating that security (e.g., the
>>>PostIt with password stuck to a monitor). Using manual IP assignment
>>>for security fails that tradeoff IMHO.

>>
>>Well, I suggest you provide some type of solution here and put it on the
>>table, because it's better than nothing.

>
>
> My solution is to physically secure the network, but assume it _will_ be
> compromised, and protect clients accordingly, using managed switches
> rather than cheap hubs, strong authentication, encryption, internal VPN,
> internal firewalls, active/passive scanning, etc. Small businesses that
> set up LANs without a proper budget and expert advice are just asking
> for trouble, like driving without a seatbelt, or even an airbag.
>
>
>>Nothing is 100%.

>
>
> Your solution isn't even close to that, particularly since it does
> nothing about the more serious threats.
>
>
>>But the solution I have put on the table is better than
>>nothing

>
>
> Not much, and much less than is needed IM(ns)HO.
>
>
>>and the OP is going to have to weigh the pros and cons.

>
>
> True. Sadly, most businesses pay way too little attention to security,
> which is why it's such a serious problem. But good for me, since I get
> paid to come in and clean up the messes.
>


Why don't you make this post to the other poster in the thread. I think
we're on the same page on disable the DHCP server, issue static IP(s)
and lock the router up in a cabinet. That way James Bond won't walk into
the office and plug a cable into it.

Sorry, but I'll have to say this is much to do about *nothing*.

Duane :)

#14
08-04-2006, 06:19 PM
phil-news-nospam@ipal.net
Re: Linksys router - how to block wired/LAN access

On Thu, 03 Aug 2006 23:08:20 GMT Duane Arnold <"Do forget about it"@pleaedo.bet> wrote:
| paul.hester@gmail.com wrote:
|> Hi all,
|>
|> I have a LinkSys WRT54G Wireless-G Broadband Router. I have
|> successfully managed to only allow access to the wireless network for a
|> series of MAC addresses using the Wireless MAC filter.
|>
|> I can't apply the same rule for wired/LAN access (i.e. PCs plugged
|> directly into the router). Has anyone had any success blocking wired
|> access?
|>
|
| Block them for what reason?

How about "company security policy".

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2006-08-04-1319@ipal.net |
|------------------------------------/-------------------------------------|

#15
08-04-2006, 06:22 PM
phil-news-nospam@ipal.net
Re: Linksys router - how to block wired/LAN access

On Fri, 04 Aug 2006 02:09:50 GMT John Navas <spamfilter0@navasgroup.com> wrote:
| On Fri, 04 Aug 2006 01:44:48 GMT, Duane Arnold <"Do forget about
| it"@PleaeDo.BET> wrote in
| <kExAg.7674$gF6.758@newsread2.news.pas.earthlink.net>:
|
|>paul.hester@gmail.com wrote:
|>> I work in a shared office space, so it's to stop people just plugging
|>> their PC straight into our router and using our internet connection.
|>
|>Well, someone may have another suggestion for you, but I would disable
|>the DHCP server on the router. I would then assign a static IP on the
|>router to each wireless machine's NIC, which you'll have to manually
|>assign the IP and configure each NIC manually to access the WAN/Internet
|>or LAN machines via the router.
|>
|>You do it manually instead of letting the router's DHCP server issue an
|>IP to a machine wire or wireless that has the NIC configured to obtain
|>an IP from the router automatically.
|>
|>That means anyone with a wire NIC machine wouldn't be able to just plug
|>the machine into the router and gain access to the WAN or LAN, because
|>they would have to configure the NIC to use a static IP on the router.
|>
|>They wouldn't be able to do it if the computer's NIC was set to obtain a
|>DHCP IP from the router with the DHCP server on the router disabled. The
|>router will not issue the IP(s).
|>
|>Most are not savvy enough to know how to configure the computer's NIC
|>for static IP usage on the router.
|
| But many are, especially those you want to keep out. I personally don't
| think that provides any meaningful level of security. No offense
| intended.

It's worse if staffer's children can come with them to work at various
times. They tend to be the ones that know how to do whatever it takes
to get on the net, access AIM, MySpace, etc.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2006-08-04-1320@ipal.net |
|------------------------------------/-------------------------------------|

#16
08-04-2006, 06:24 PM
phil-news-nospam@ipal.net
Re: Linksys router - how to block wired/LAN access

On Fri, 04 Aug 2006 07:12:52 GMT Duane Arnold <"Do forget about it"@pleaedo.bet> wrote:

| You do know that it has nothing to do with the wireless side of it. It
| has to do with someone walking up to that router and plugging in a wire
| computer right in someone's face.

What if the router is being attached to the office LAN which every computer
is already attached to, but only certain computers are to be allowed full
access to the net or to the wireless side?


| I'll tell you right now, 90% of the people that post to this NG don't
| know how to do it. They can barely turn the computer *on*.

But their children know exactly what to do.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2006-08-04-1322@ipal.net |
|------------------------------------/-------------------------------------|

#17
08-04-2006, 06:29 PM
phil-news-nospam@ipal.net
Re: Linksys router - how to block wired/LAN access

On Fri, 04 Aug 2006 13:59:05 GMT John Navas <spamfilter0@navasgroup.com> wrote:

| Security is a balancing act between convenience and robustness. Make
| the system inconvenient, and people will rebel, sometimes in obvious
| ways, sometimes in subtle ways, defeating that security (e.g., the
| PostIt with password stuck to a monitor). Using manual IP assignment
| for security fails that tradeoff IMHO.

I totally agree.

I do use manual static IP in most cases. But it's not a mechanism of
security. I also know MAC based access control isn't secure, but it
can be enough in many cases on the wired side.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2006-08-04-1326@ipal.net |
|------------------------------------/-------------------------------------|

#18
08-04-2006, 06:46 PM
phil-news-nospam@ipal.net
Re: Linksys router - how to block wired/LAN access

On Fri, 4 Aug 2006 10:33:38 -0400 Bill Kearney <wkearney99@hotmail.com> wrote:

|> Well, someone may have another suggestion for you, but I would disable
|> the DHCP server on the router. I would then assign a static IP on the
|> router to each wireless machine's NIC, which you'll have to manually
|> assign the IP and configure each NIC manually to access the WAN/Internet
|> or LAN machines via the router.
|
| Yep, then they'd have to know the subnet range in order to configure their
| own stuff. Move the router to an address OTHER than x.x.x.1 while you're at
| it. That way your workstations are on 172.16.88.x/255.255.0.0 with the
| router on 172.16.88.100 (as an example) as the gateway. And if you're using
| WPA on the wireless it'd be more work than the casual abuser would be likely
| to tackle.
|
| Private networks can use more than just the 192.168.x.x/255.255.255.0
| subnet. You can use Class A (10.x.x.x/255.0.0.0) and Class B
| (172.16.x.x/255.255.0.0) ranges. For either of those ranges you replace the
| 'x' with a number between 0 and 254. It's unlikely someone trying to guess
| static addresses is going to try non-192.168.x.x ranges. Not impossible,
| but pretty unlikely for casual users.

Using 255 is fine unless it is the very last IP address in a range,
however large the range happens to be. 172.25.73.255 is fine in
172.25.64.0/18 or even in 172.25.0.0/16 (B if you are using classes).

FYI, I use 169.254.0.0/16. Hint: RFC3330


| So start by moving the router to a different subnet and IP address. Then
| manually configure the workstations (wired and wireless) to use that new
| subnet/mask/gateway. Then go back to the router and disable DHCP services.
| Set up WPA for the wireless. Then just ditch MAC filtering entirely as it's
| a weak method, at best. Prevent wired connections by just locking it in a
| box, drawer, cabinet or something else that doesn't also block the signal.

If the office also has a wired LAN to which all the non-wireless computers
are connected, and some of them need internet access, then in effect all
of the computers are connected in some way, depending on the topology of
the infrastructure.


| What you might also want to consider is arpwatch. That way you could at
| least get notified if unexpected MAC addresses start connecting to your
| devices.

Which won't help on MAC spoofers.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2006-08-04-1331@ipal.net |
|------------------------------------/-------------------------------------|
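
Added example, not part of the thread: the point above about .255 host addresses, checked with Python's standard ipaddress module and then extended to validating a whole static addressing plan. The plan reuses the 172.16.88.x/255.255.0.0 example quoted above; the host names, the sample assignments and the function names classify and check_plan are made up for illustration.

```python
import ipaddress

# Constructed plan: router address from the quoted example, hosts invented.
SAMPLE_NETWORK = "172.16.88.0/255.255.0.0"
SAMPLE_GATEWAY = "172.16.88.100"
SAMPLE_HOSTS = {
    "pc1": "172.16.88.21",
    "pc2": "172.16.88.255",   # ends in .255 but is an ordinary host in a /16
    "pc3": "172.16.255.255",  # last address of the /16
    "pc4": "172.16.88.21",    # same address as pc1
    "pc5": "192.168.1.5",     # not in the subnet at all
}


def classify(address, network):
    """Return 'host', 'network', 'broadcast' or 'outside' for address in network.

    `network` may be written with a prefix length or a dotted netmask.
    """
    net = ipaddress.ip_network(network, strict=False)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        return "outside"
    if net.prefixlen < 31:  # /31 and /32 have no reserved addresses
        if addr == net.network_address:
            return "network"
        if addr == net.broadcast_address:
            return "broadcast"
    return "host"


def check_plan(network, gateway, hosts):
    """Return a list of problems in a static addressing plan (empty if none)."""
    net = ipaddress.ip_network(network, strict=False)
    problems, owner = [], {}
    for name, address in [("gateway", gateway)] + sorted(hosts.items()):
        kind = classify(address, network)
        key = str(ipaddress.ip_address(address))
        if kind != "host":
            problems.append(f"{name} {address}: {kind}, not usable as a host in {net}")
        elif key in owner:
            problems.append(f"{name} {address}: already assigned to {owner[key]}")
        else:
            owner[key] = name
    return problems


if __name__ == "__main__":
    for cidr in ("172.25.64.0/18", "172.25.0.0/16", "172.25.73.0/24"):
        print(f"172.25.73.255 in {cidr}: {classify('172.25.73.255', cidr)}")
    for problem in check_plan(SAMPLE_NETWORK, SAMPLE_GATEWAY, SAMPLE_HOSTS):
        print(problem)
```
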

#19
08-04-2006, 07:10 PM
Duane Arnold
Re: Linksys router - how to block wired/LAN access

phil-news-nospam@ipal.net wrote:
> On Fri, 04 Aug 2006 02:09:50 GMT John Navas <spamfilter0@navasgroup.com> wrote:
> | On Fri, 04 Aug 2006 01:44:48 GMT, Duane Arnold <"Do forget about
> | it"@PleaeDo.BET> wrote in
> | <kExAg.7674$gF6.758@newsread2.news.pas.earthlink.net>:
> |
> |>paul.hester@gmail.com wrote:
> |>> I work in a shared office space, so it's to stop people just plugging
> |>> their PC straight into our router and using our internet connection.
> |>
> |>Well, someone may have another suggestion for you, but I would disable
> |>the DHCP server on the router. I would then assign a static IP on the
> |>router to each wireless machine's NIC, which you'll have to manually
> |>assign the IP and configure each NIC manually to access the WAN/Internet
> |>or LAN machines via the router.
> |>
> |>You do it manually instead of letting the router's DHCP server issue an
> |>IP to a machine wire or wireless that has the NIC configured to obtain
> |>an IP from the router automatically.
> |>
> |>That means anyone with a wire NIC machine wouldn't be able to just plug
> |>the machine into the router and gain access to the WAN or LAN, because
> |>they would have to configure the NIC to use a static IP on the router.
> |>
> |>They wouldn't be able to do it if the computer's NIC was set to obtain a
> |>DHCP IP from the router with the DHCP server on the router disabled. The
> |>router will not issue the IP(s).
> |>
> |>Most are not savvy enough to know how to configure the computer's NIC
> |>for static IP usage on the router.
> |
> | But many are, especially those you want to keep out. I personally don't
> | think that provides any meaningful level of security. No offense
> | intended.
>
> It's worse if staffer's children can come with them to work at various
> times. They tend to be the ones that know how to do whatever it takes
> to get on the net, access AIM, MySpace, etc.
>


Let me tell you something, if someone came into work with their child
and they did it, they would be reprimanded. If they did it on their own
and I found out about it, they would be reprimanded.

It's your show and not their show. If you can't control the situation,
then maybe, you shouldn't be trying to do anything. They are not going
to listen to you anyway.

Who is in charge of the network there, you or them?

Duane :)

  #20 (permalink)  
Old 08-04-2006, 07:12 PM
Duane Arnold
Guest
 
Posts: n/a
Default Re: Linksys router - how to block wired/LAN access

phil-news-nospam@ipal.net wrote:
> On Thu, 03 Aug 2006 23:08:20 GMT Duane Arnold <"Do forget about it"@pleaedo.bet> wrote:
> | paul.hester@gmail.com wrote:
> |> Hi all,
> |>
> |> I have a LinkSys WRT54G Wireless-G Broadband Router. I have
> |> successfully managed to only allow access to the wireless network for a
> |> series of MAC addresses using the Wireless MAC filter.
> |>
> |> I can't apply the same rule for wired/LAN access (i.e. PCs plugged
> |> directly into the router). Has anyone had any success blocking wired
> |> access?
> |>
> |
> | Block them for what reason?
>
> How about "company security policy".
>


Yeah it's called I set the thing up and if you step out of line, you're
out of here.

Duane :)

  #21 (permalink)  
Old 08-04-2006, 07:21 PM
Duane Arnold
Guest
 
Posts: n/a
Default Re: Linksys router - how to block wired/LAN access

phil-news-nospam@ipal.net wrote:
> On Fri, 4 Aug 2006 10:33:38 -0400 Bill Kearney <wkearney99@hotmail.com> wrote:
>
> |> Well, someone may have another suggestion for you, but I would disable
> |> the DHCP server on the router. I would then assign a static IP on the
> |> router to each wireless machine's NIC, which you'll have to manually
> |> assign the IP and configure each NIC manually to access the WAN/Internet
> |> or LAN machines via the router.
> |
> | Yep, then they'd have to know the subnet range in order to configure their
> | own stuff. Move the router to an address OTHER than x.x.x.1 while you're at
> | it. That way your workstations are on 172.16.88.x/255.255.0.0 with the
> | router on 172.16.88.100 (as an example) as the gateway. And if you're using
> | WPA on the wireless it'd be more work than the casual abuser would be likely
> | to tackle.
> |
> | Private networks can use more than just the 192.168.x.x/255.255.255.0
> | subnet. You can use Class A (10.x.x.x/255.0.0.0) and Class B
> | (172.16.x.x/255.255.0.0) ranges. For either of those ranges you replace the
> | 'x' with a number between 0 and 254. It's unlikely someone trying to guess
> | static addresses is going to try non-192.168.x.x ranges. Not impossible,
> | but pretty unlikely for casual users.
>
> Using 255 is fine unless it is the very last IP address in a range,
> however large the range happens to be. 172.25.73.255 is fine in
> 172.25.64.0/18 or even in 172.25.0.0/16 (B if you are using classes).
>
> FYI, I use 169.254.0.0/16. Hint: RFC3330
>
>
> | So start by moving the router to a different subnet and IP address. Then
> | manually configure the workstations (wired and wireless) to use that new
> | subnet/mask/gateway. Then go back to the router and disable DHCP services.
> | Set up WPA for the wireless. Then just ditch MAC filtering entirely as it's
> | a weak method, at best. Prevent wired connections by just locking it in a
> | box, drawer, cabinet or something else that doesn't also block the signal.
>
> If the office also has a wired LAN which all the non-wireless computers
> are connected, and some of them need internet access, then in effect all
> of the computers are connected in some way, depending on the topology of
> the infrastructure.
>
>
> | What you might also want to consider is arpwatch. That way you could at
> | least get notified if unexpected MAC addresses start connecting to your
> | devices.
>
> Which won't help on MAC spoofers.
>


This issue is not about the wireless. James Bond steps into the office
with the wire computer and somehow he is going to access the wireless
side of the network and gain access. Maybe, he'll do this with a paper
clip as an antenna.

Duane :)

  #22 (permalink)  
Old 08-04-2006, 07:27 PM
Duane Arnold
Guest
 
Posts: n/a
Default Re: Linksys router - how to block wired/LAN access

phil-news-nospam@ipal.net wrote:
> On Fri, 04 Aug 2006 07:12:52 GMT Duane Arnold <"Do forget about it"@pleaedo.bet> wrote:
>
> | You do know that it has nothing to do with the wireless side of it. It
> | has to do with someone walking up to that router and plugging in a wire
> | computer right in someone's face.
>
> What if the router is being attached to the office LAN which every computer
> is already attached to, but only certain computers are to be allowed full
> access to the net or to the wireless side?


What if it's about none of this? This is more of this James Bond.
>
>
> | I'll tell you right now, 90% of the people that post to this NG don't
> | know how to do it. They can barely turn the computer *on*.
>
> But their children know exactly what to do.
>


Then someone is going to be rolled on the carpet and it wouldn't be me.

Duane :)

  #23 (permalink)  
Old 08-05-2006, 03:13 AM
Bill Kearney
Guest
 
Posts: n/a
Default Re: Linksys router - how to block wired/LAN access

> Using 255 is fine unless it is the very last IP address in a range,
> however large the range happens to be. 172.25.73.255 is fine in
> 172.25.64.0/18 or even in 172.25.0.0/16 (B if you are using classes).


Technically true. But as a general rule it's often easier to just avoid it.
If you do something like use 172.16.77.0/255.255.255.0 (class B range, class
C netmask) then you'd be screwed as the .255 address isn't available. Since
it's a private network it really doesn't matter what netmask you use. Some
devices will only let you use a Class C netmask but won't care about the
subnet.

> FYI, I use 169.254.0.0/16. Hint: RFC3330


Eh, I prefer not to. Given that it's a dynamic range it's not without its
possible hassles. If you're going with static addresses why bother with the
169 range?

> If the office also has a wired LAN which all the non-wireless computers
> are connected, and some of them need internet access, then in effect all
> of the computers are connected in some way, depending on the topology of
> the infrastructure.


Which says what, exactly?

>
> | What you might also want to consider is arpwatch. That way you could at
> | least get notified if unexpected MAC addresses start connecting to your
> | devices.
>
> Which won't help on MAC spoofers.


Most won't show up blind. They'll show up once with their legit address and
that would trigger arpwatch. I'm not saying arpwatch will catch them all,
just that it's one more tool in the security process. Someone 'hell bent'
on hacking access to the network can certainly find ways to keep their box
from being seen.

But if these are Windows machines, running w2k or later, it's possible to
authenticate the actual machines via the OS (not just the current user). No
residential grade equipment that I'm aware of has the ability to integrate
with an Active Directory for this, but enterprise devices can. Or some
clever scripting might also be put into use. Periodically confirm that the
MAC address corresponds with its known IP address and that its machine SID
matches properly. If it doesn't match, due to the MAC being spoofed, then
cut off service to that port/address. Not many places are likely to expend
this much effort however.

-Bill Kearney
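One way to script the periodic IP-to-MAC check described in this post, as an added example that is not Bill Kearney's code and does not cover the machine SID part. It assumes a Linux box that can read `/proc/net/arp`; the inventory and the sample table are constructed, using the 172.16.88.x layout mentioned earlier in the thread and MACs from the RFC 7042 documentation range.

```python
"""Audit a Linux ARP table against a static IP-to-MAC inventory."""

# Constructed inventory: the hosts that were given static addresses.
INVENTORY = {
    "172.16.88.100": "00:00:5e:00:53:01",  # router / gateway
    "172.16.88.11": "00:00:5e:00:53:11",
    "172.16.88.12": "00:00:5e:00:53:12",
}

# Constructed sample in /proc/net/arp format.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
172.16.88.100    0x1         0x2         00:00:5e:00:53:01     *        br0
172.16.88.11     0x1         0x2         00:00:5e:00:53:11     *        br0
172.16.88.12     0x1         0x2         00:00:5e:00:53:AA     *        br0
172.16.88.40     0x1         0x2         00:00:5e:00:53:11     *        br0
172.16.88.77     0x1         0x2         00:00:5e:00:53:bb     *        br0
172.16.88.90     0x1         0x0         00:00:00:00:00:00     *        br0
"""

ATF_COM = 0x2  # kernel flag: the entry has a resolved hardware address


def parse_arp(text):
    """Yield (ip, mac) for resolved entries; skip the header and incomplete rows."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if not flags & ATF_COM or mac == "00:00:00:00:00:00":
            continue
        yield ip, mac


def audit(arp_text, inventory):
    """Return (finding, ip, mac) tuples for every entry that breaks the inventory."""
    expected = {ip: mac.lower() for ip, mac in inventory.items()}
    known_macs = set(expected.values())
    findings = []
    for ip, mac in parse_arp(arp_text):
        if expected.get(ip) == mac:
            continue  # matches the inventory
        if ip in expected:
            findings.append(("ip-mac-mismatch", ip, mac))     # inventoried IP, wrong MAC
        elif mac in known_macs:
            findings.append(("known-mac-wrong-ip", ip, mac))  # inventoried MAC seen elsewhere
        else:
            findings.append(("unknown-host", ip, mac))        # nothing about it is inventoried
    return findings


if __name__ == "__main__":
    # On a live system, pass open("/proc/net/arp").read() instead of SAMPLE_ARP.
    for finding in audit(SAMPLE_ARP, INVENTORY):
        print(*finding)
```

A host that presents both an inventoried MAC and its matching IP passes this check, which is the limit raised in the quoted "MAC spoofers" reply.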


  #24 (permalink)  
Old 08-05-2006, 03:14 AM
Bill Kearney
Guest
 
Posts: n/a
Default Re: Linksys router - how to block wired/LAN access

> This issue is not about the wireless. James Bond steps into the office
> with the wire computer and somehow he is going to access the wireless
> side of the network and gain access. Maybe, he'll do this with a paper
> clip as an antenna.


No, that would be MacGyver, not Bond.

  #25 (permalink)  
Old 08-05-2006, 04:16 AM
Duane Arnold
Guest
 
Posts: n/a
Default Re: Linksys router - how to block wired/LAN access

Bill Kearney wrote:
>>This issue is not about the wireless. James Bond steps into the office
>>with the wire computer and somehow he is going to access the wireless
>>side of the network and gain access. Maybe, he'll do this with a paper
>>clip as an antenna.

>
>
> No, that would be MacGyver, not Bond.


You're right. Bond would be high tech about it and use the antenna in
his belt. He could then use the wireless connection and start up the BMW
parked outside for the getaway. Maybe, he'll drive it up to the front door.

Duane :)


  #26 (permalink)  
Old 08-05-2006, 01:46 PM
Doug Jamal
Guest
 
Posts: n/a
Default Re: Linksys router - how to block wired/LAN access


On 5-Aug-2006, Duane Arnold <"Do forget about it"@PleaeDo.BET> wrote:

> No, that would be MacGyver, not Bond.
>
> You're right. Bond would be high tech about it and use the antenna in
> his belt. He could then use the wireless connection and start up the BMW
> parked outside for the getaway. Maybe, he'll drive it up to the front
> door.
>
> Duane :)


I love it. :)

--
----------
Just Me, D

  #27 (permalink)  
Old 08-05-2006, 03:48 PM
John Navas
Guest
 
Posts: n/a
Default Re: Linksys router - how to block wired/LAN access

On Fri, 04 Aug 2006 16:20:19 GMT, Duane Arnold <"Do forget about
it"@PleaeDo.BET> wrote in
<7tKAg.9615$157.7862@newsread3.news.pas.earthlink.net>:

>John Navas wrote:


>> True. Sadly, most businesses pay way too little attention to security,
>> which is why it's such a serious problem. But good for me, since I get
>> paid to come in and clean up the messes.

>
>Why don't you make this post to the other poster in the thread. I think
>we're on the same page on disable the DHCP server, issue static IP(s)
>and lock the router up in a cabinet. That way James Bond won't walk into
>the office and plug a cable into it.


While I do secure wired networks (not just in a standard cabinet),
I don't disable DHCP -- I consider it an important network service.

>Sorry, but I'll have to say this is much to do about *nothing*.


Fair enough.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

  #28 (permalink)  
Old 08-05-2006, 03:49 PM
Duane Arnold
Guest
 
Posts: n/a
Default Re: Linksys router - how to block wired/LAN access

Doug Jamal wrote:
> On 5-Aug-2006, Duane Arnold <"Do forget about it"@PleaeDo.BET> wrote:
>
>
>>No, that would be MacGyver, not Bond.
>>
>>You're right. Bond would be high tech about it and use the antenna in
>>his belt. He could then use the wireless connection and start up the BMW
>>parked outside for the getaway. Maybe, he'll drive it up to the front
>>door.
>>
>>Duane :)

>
>
> I love it. :)
>


Yeah, James Bond 007 is in *Forever Wireless* with MacGyver, Jackie
Chan and Ellen DeGeneres.

<g>

Duane :)

  #29 (permalink)  
Old 08-05-2006, 03:55 PM
John Navas
Guest
 
Posts: n/a
Default Re: Linksys router - how to block wired/LAN access

On 4 Aug 2006 18:29:44 GMT, phil-news-nospam@ipal.net wrote in
<eb03mo52h4s@news1.newsguy.com>:

>On Fri, 04 Aug 2006 13:59:05 GMT John Navas <spamfilter0@navasgroup.com> wrote:
>
>| Security is a balancing act between convenience and robustness. Make
>| the system inconvenient, and people will rebel, sometimes in obvious
>| ways, sometimes in subtle ways, defeating that security (e.g., the
>| PostIt with password stuck to a monitor). Using manual IP assignment
>| for security fails that tradeoff IMHO.
>
>I totally agree.
>
>I do use manual static IP in most cases. But it's not a mechanism of
>security. I also know MAC based access control isn't secure, but it
>can be enough in many cases on the wired side.


To each his/her own. I've personally found MAC filtering to cause more
harm than good -- I've wasted quite a bit of time and client money
troubleshooting problems that turned out to be [grr!] well-intentioned
MAC filtering someone forgot about. In one case the President flipped
out and canned the computer guy when his new laptop wouldn't work for an
important meeting while the computer guy was on vacation. Since MAC
filtering is all too easy to defeat, I advise clients not to use it. If
they care about security (as they should), other methods should be used.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

  #30 (permalink)  
Old 08-05-2006, 03:59 PM
John Navas
Guest
 
Posts: n/a
Default Re: Linksys router - how to block wired/LAN access

On 4 Aug 2006 18:24:11 GMT, phil-news-nospam@ipal.net wrote in
<eb03cb42h4s@news1.newsguy.com>:

>On Fri, 04 Aug 2006 07:12:52 GMT Duane Arnold <"Do forget about it"@pleaedo.bet> wrote:
>
>| You do know that it has nothing to do with the wireless side of it. It
>| has to do with someone walking up to that router and plugging in a wire
>| computer right in someone's face.
>
>What if the router is being attached to the office LAN which every computer
>is already attached to, but only certain computers are to be allowed full
>access to the net or to the wireless side?


They don't have to plug in to the router -- if the LAN is unsecured,
they can use any cable in the LAN. I routinely carry around a small
switch that can do the job -- I can even change its MAC address.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
