#1
10-09-2006, 10:00 PM
Bryant Smith
Mixed encryption network

I have a wireless network at home consisting of a Motorola wr850g with
dd-wrt as the main router/WAP. I also have another wr850g with dd-wrt
acting as a client bridge to my home office to provide access to the
computers in there. There are also an additional 2 computers floating
around with wireless adapters. With this setup I can run WPA-PSK with
no problems.

However, I also have a Dell Axim X3i PDA with Wifi built in that I
would like to use with this network. The problem is that the PDA
doesn't handle WPA -- only WEP. I have a spare wireless router (a
trusty old Siemens Speedstream 2624) that I could add to the system for
WEP only devices, but that would introduce a weak link into the network
security.

Question: Can I easily isolate the traffic on the WEP only router from
the rest of the network so if an attacker gets on the WEP router, he/she
only has internet access and not local network access? (I'm fine with
some hacker trying to hack my PDA.)

The Siemens router is very reliable and could be the main router if that
would help the security situation, but it is not very feature filled as
far as routers go.

Thanks

#2
10-09-2006, 11:25 PM
Eric
Re: Mixed encryption network


"Bryant Smith" <bryantthesmith@lycos.com> wrote in message
news:egecl5$a16$1@az33news01.freescale.net...
> Question: Can I easily isolate the traffic on the WEP only router from
> the rest of the network so if an attacker gets on the WEP router, he/she
> only has internet access and not local network access? (I'm fine with
> some hacker trying to hack my PDA.)
>


You have two wireless routers.

Got an old spare computer collecting dust?

If so, have you considered a captive portal?

http://www.publicip.net/zonecd/how.php

I'm doing just that. The AP on the captive portal is even running
completely open (unencrypted) for my neighbors (or anyone else) to use when
they are outside on their porch. I like sharing.

Yep, everything that matters to me is secure and protected.



#3
10-10-2006, 02:17 AM
Jeff Liebermann
Re: Mixed encryption network

Bryant Smith <bryantthesmith@lycos.com> hath wroth:

>However, I also have a Dell Axim X3i PDA with Wifi built in that I
>would like to use with this network. The problem is that the PDA
>doesn't handle WPA -- only WEP.


The Funk (Juniper) Software Odyssey client will possibly provide
WPA-PSK support for the X3i. See:
http://www.aximsite.com/boards/archi...p/t-99395.html
for instructions. Try the 30 day free trial to be sure.



--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#4
10-10-2006, 05:49 PM
Bryant Smith
Re: Mixed encryption network

Bryant Smith wrote:
> I have a wireless network at home consisting of a Motorola wr850g with
> dd-wrt as the main router/WAP. I also have another wr850g with dd-wrt
> acting as a client bridge to my home office to provide access to the
> computers in there. There are also an additional 2 computers floating
> around with wireless adapters. With this setup I can run WPA-PSK with
> no problems.
>
> However, I also have a Dell Axim X3i PDA with Wifi built in that I
> would like to use with this network. The problem is that the PDA
> doesn't handle WPA -- only WEP. I have a spare wireless router (a
> trusty old Siemens Speedstream 2624) that I could add to the system for
> WEP only devices, but that would introduce a weak link into the network
> security.
>
> Question: Can I easily isolate the traffic on the WEP only router from
> the rest of the network so if an attacker gets on the WEP router, he/she
> only has internet access and not local network access? (I'm fine with
> some hacker trying to hack my PDA.)
>
> The Siemens router is very reliable and could be the main router if that
> would help the security situation, but it is not very feature filled as
> far as routers go.
>
> Thanks


Thanks for the replies. The Juniper Odyssey client is a little too
pricey for the use it will get and I don't want to have a machine
running all the time. I think the solution I'll use is one from Jeff
posted Nov 3 2005. I'll use a double NAT configuration for the insecure
network. Here is a link to the previous thread for those interested:

<http://groups.google.com/group/alt.internet.wireless/browse_frm/thread/dd1d98548089c0dc>

My trusty old Speedstream should be able to handle this configuration.
If it can't, I'll see if I can set up a virtual lan or something like it
using my dd-wrt router.

#5
10-11-2006, 11:45 PM
John Navas
Re: Mixed encryption network

On Tue, 10 Oct 2006 09:49:42 -0700, Bryant Smith
<bryantthesmith@lycos.com> wrote in
<eggib3$rth$1@az33news01.freescale.net>:

>Bryant Smith wrote:
>> I have a wireless network at home consisting of a Motorola wr850g with
>> dd-wrt as the main router/WAP. I also have another wr850g with dd-wrt
>> acting as a client bridge to my home office to provide access to the
>> computers in there. There are also an additional 2 computers floating
>> around with wireless adapters. With this setup I can run WPA-PSK with
>> no problems.
>>
>> However, I also have a Dell Axim X3i PDA with Wifi built in that I
>> would like to use with this network. The problem is that the PDA
>> doesn't handle WPA -- only WEP. I have a spare wireless router (a
>> trusty old Siemens Speedstream 2624) that I could add to the system for
>> WEP only devices, but that would introduce a weak link into the network
>> security.
>>
>> Question: Can I easily isolate the traffic on the WEP only router from
>> the rest of the network so if an attacker gets on the WEP router, he/she
>> only has internet access and not local network access? (I'm fine with
>> some hacker trying to hack my PDA.)


>... I think the solution I'll use is one from Jeff
>posted Nov 3 2005. I'll use a double NAT configuration for the insecure
>network. Here is a link to the previous thread for those interested:
>
><http://groups.google.com/group/alt.internet.wireless/browse_frm/thread/dd1d98548089c0dc>


                       LAN #1
WAN===[Router #1]===================[Router #2]=======LAN #2

WAN    = xxx.xxx.xxx.xxx            WAN    = 192.168.1.2
WAN NM = 255.255.255.0              WAN NM = 255.255.255.252  <===!!!!
LAN    = 192.168.1.1                LAN    = 192.168.5.1
IP's   = 192.168.1.xxx              IP's   = 192.168.5.xxx
LAN NM = 255.255.255.0              LAN NM = 255.255.255.0

That's a hack that may not actually be secure. That's because Router #2
may forward any packet it gets for addresses not on LAN #2 (including
LAN #1 addresses like 192.168.1.10) to Router #1, and there's a risk
that Router #1 might be smart enough to send them back out its LAN port,
not its WAN port, which would allow them to reach computers on LAN #1,
with Router #2 NAT providing a return path.

You could address this issue in Router #2 by blocking, rather than
forwarding, addresses on LAN #1, using firewall rules or routing
(although you may need alternative firmware to do so). Or run the two
wireless networks in parallel through a cheap switch if your ISP will
give you a second external IP address.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#6
10-12-2006, 03:24 AM
Jeff Liebermann
Re: Mixed encryption network

John Navas <spamfilter0@navasgroup.com> hath wroth:

>><http://groups.google.com/group/alt.internet.wireless/browse_frm/thread/dd1d98548089c0dc>

>
>                        LAN #1
> WAN===[Router #1]===================[Router #2]=======LAN #2
>
> WAN    = xxx.xxx.xxx.xxx            WAN    = 192.168.1.2
> WAN NM = 255.255.255.0              WAN NM = 255.255.255.252  <===!!!!
> LAN    = 192.168.1.1                LAN    = 192.168.5.1
> IP's   = 192.168.1.xxx              IP's   = 192.168.5.xxx
> LAN NM = 255.255.255.0              LAN NM = 255.255.255.0
>
>That's a hack that may not actually be secure.


It works in at least 2 locations. I did some testing to see if I
could "see" any of the clients on LAN #1 from LAN #2. Nope. As long
as the Netmask of Router #2 was limited to a small subnet, nothing
outside of that subnet was visible (or pingable).

Note that this is how ZoneCD sets up their "isolated" hot spot router:
| http://www.publicip.net/zonecd/how.php

>That's because Router #2
>may forward any packet it gets for addresses not on LAN #2 (including
>LAN #1 addresses like 192.168.1.10) to Router #1, and there's a risk
>that Router #1 might be smart enough to send them back out its LAN port,
>not its WAN port, which would allow them to reach computers on LAN #1,
>with Router #2 NAT providing a return path.


That's possible but unlikely. Most decent routers have a built in ACL
rule set for the WAN port that prevents attackers from the WAN from
spoofing LAN IP addresses. Unfortunately, there are routers that will
allow spoofing of LAN addresses from the WAN side. I think one of the
early versions of the DI-604 did just that.

>You could address this issue in Router #2 by blocking, rather than
>forwarding, addresses on LAN #1, using firewall rules or routing
>(although you may need alternative firmware to do so). Or run the two
>wireless networks in parallel through a cheap switch if your ISP will
>give you a second external IP address.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#7
10-12-2006, 07:34 AM
John Navas
Re: Mixed encryption network

On Wed, 11 Oct 2006 19:24:05 -0700, Jeff Liebermann
<jeffl@comix.santa-cruz.ca.us> wrote in
<s69ri2t67crq9m1477rttp25am259ni0l6@4ax.com>:

>John Navas <spamfilter0@navasgroup.com> hath wroth:
>
>>><http://groups.google.com/group/alt.internet.wireless/browse_frm/thread/dd1d98548089c0dc>

>>
>>                        LAN #1
>> WAN===[Router #1]===================[Router #2]=======LAN #2
>>
>> WAN    = xxx.xxx.xxx.xxx            WAN    = 192.168.1.2
>> WAN NM = 255.255.255.0              WAN NM = 255.255.255.252  <===!!!!
>> LAN    = 192.168.1.1                LAN    = 192.168.5.1
>> IP's   = 192.168.1.xxx              IP's   = 192.168.5.xxx
>> LAN NM = 255.255.255.0              LAN NM = 255.255.255.0
>>
>>That's a hack that may not actually be secure.

>
>It works in at least 2 locations.


My brother used to say he hadn't died, so smoking must not be all that
harmful. ;)

>I did some testing to see if I
>could "see" any of the clients on LAN #1 from LAN #2. Nope. As long
>as the Netmask of Router #2 was limited to a small subnet, nothing
>outside of that subnet was visible (or pingable).


I'd want to do more thorough analysis before reaching any conclusions.

>Note that this is how ZoneCD sets up their "isolated" hot spot router:
>| http://www.publicip.net/zonecd/how.php


Forgive me for being unimpressed, but I don't know ZoneCD. What I do
know is that there are lots of crappy products on the market.

>>That's because Router #2
>>may forward any packet it gets for addresses not on LAN #2 (including
>>LAN #1 addresses like 192.168.1.10) to Router #1, and there's a risk
>>that Router #1 might be smart enough to send them back out its LAN port,
>>not its WAN port, which would allow them to reach computers on LAN #1,
>>with Router #2 NAT providing a return path.

>
>That's possible but unlikely.


That's an assumption.

>Most decent routers have a built in ACL
>rule set for the WAN port that prevents attackers from the WAN from
>spoofing LAN IP addresses. ...


What relevance does that have to my scenario?

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#8
10-12-2006, 04:41 PM
Bryant Smith
Re: Mixed encryption network

John Navas wrote:
<snip>
>
> You could address this issue in Router #2 by blocking, rather than
> forwarding, addresses on LAN #1, using firewall rules or routing
> (although you may need alternative firmware to do so).
>


<snip>


My spare router does allow me to set up routing tables, but I've never
done that sort of thing before. I would assume that I could set up a
rule that would route all traffic going from the insecure side to the
WAN and not the LAN. I don't have access to my network right now, so
I'll have to check this out later.

#9
10-12-2006, 05:24 PM
John Navas
Re: Mixed encryption network

On Thu, 12 Oct 2006 08:41:09 -0700, Bryant Smith
<bryantthesmith@lycos.com> wrote in
<egln2g$cim$1@az33news01.freescale.net>:

>John Navas wrote:
><snip>
>>
>> You could address this issue in Router #2 by blocking, rather than
>> forwarding, addresses on LAN #1, using firewall rules or routing
>> (although you may need alternative firmware to do so).

>
><snip>
>
>My spare router does allow me to set up routing tables, but I've never
>done that sort of thing before. I would assume that I could set up a
>rule that would route all traffic going from the insecure side to the
>WAN and not the LAN. I don't have access to my network right now, so
>I'll have to check this out later.


What you want is to *block* all traffic addressed to LAN #1, not send it
to the WAN (gateway, actually Router #1), which might result in it being
forwarded to LAN #1.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#10
10-12-2006, 09:38 PM
Bryant Smith
Re: Mixed encryption network

John Navas wrote:
> On Thu, 12 Oct 2006 08:41:09 -0700, Bryant Smith
> <bryantthesmith@lycos.com> wrote in
> <egln2g$cim$1@az33news01.freescale.net>:
>
>> John Navas wrote:
>> <snip>
>>> You could address this issue in Router #2 by blocking, rather than
>>> forwarding, addresses on LAN #1, using firewall rules or routing
>>> (although you may need alternative firmware to do so).

>> <snip>
>>
>> My spare router does allow me to set up routing tables, but I've never
>> done that sort of thing before. I would assume that I could set up a
>> rule that would route all traffic going from the insecure side to the
>> WAN and not the LAN. I don't have access to my network right now, so
>> I'll have to check this out later.

>
> What you want is to *block* all traffic addressed to LAN #1, not send it
> to the WAN (gateway, actually Router #1), which might result in it being
> forwarded to LAN #1.
>


Excuse my ignorance, but will blocking all traffic to LAN #1 also block
access to the internet since the main router (the one connected to the
modem) is technically in LAN #1?

#11
10-12-2006, 10:23 PM
John Navas
Re: Mixed encryption network

On Thu, 12 Oct 2006 13:38:38 -0700, Bryant Smith
<bryantthesmith@lycos.com> wrote in
<egm8g9$hh3$1@az33news01.freescale.net>:

>John Navas wrote:
>> On Thu, 12 Oct 2006 08:41:09 -0700, Bryant Smith
>> <bryantthesmith@lycos.com> wrote in
>> <egln2g$cim$1@az33news01.freescale.net>:
>>
>>> John Navas wrote:
>>> <snip>
>>>> You could address this issue in Router #2 by blocking, rather than
>>>> forwarding, addresses on LAN #1, using firewall rules or routing
>>>> (although you may need alternative firmware to do so).
>>> <snip>
>>>
>>> My spare router does allow me to set up routing tables, but I've never
>>> done that sort of thing before. I would assume that I could set up a
>>> rule that would route all traffic going from the insecure side to the
>>> WAN and not the LAN. I don't have access to my network right now, so
>>> I'll have to check this out later.

>>
>> What you want is to *block* all traffic addressed to LAN #1, not send it
>> to the WAN (gateway, actually Router #1), which might result in it being
>> forwarded to LAN #1.

>
>Excuse my ignorance, but will blocking all traffic to LAN #1 also block
>access to the internet since the main router (the one connected to the
>modem) is technically in LAN #1?


Sorry for not being clear -- what I meant was blocking all traffic with
destination addresses on LAN #1 other than the WAN gateway (Router #2);
i.e.,

Pass: 192.168.1.1
Block: 192.168.1.2 - 192.168.1.255

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
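
Added example (not part of any post in this thread, and not any router's actual firmware logic): a small Python model of Router #2 from the diagram, showing where a packet from LAN #2 goes with and without the pass/block filter from the last post. It assumes ordinary connected-route-then-default-gateway routing and a first-match destination filter; 203.0.113.10 is a constructed stand-in for an internet host.

```python
import ipaddress as ip

# Router #2 values taken from the diagram in the thread.
R2_WAN_IF = ip.ip_interface("192.168.1.2/30")   # WAN NM 255.255.255.252
R2_LAN_IF = ip.ip_interface("192.168.5.1/24")   # LAN NM 255.255.255.0
R2_GATEWAY = ip.ip_address("192.168.1.1")       # Router #1's LAN address

# Filter from the last post: pass 192.168.1.1, block 192.168.1.2 - 192.168.1.255.
# Most firewalls take CIDR blocks, so the range is converted to the
# smallest list of networks that covers exactly those addresses.
PASS = [ip.ip_network("192.168.1.1/32")]
BLOCK = list(ip.summarize_address_range(
    ip.ip_address("192.168.1.2"), ip.ip_address("192.168.1.255")))


def route(dst):
    """Routing decision only: where Router #2 sends a packet from LAN #2."""
    addr = ip.ip_address(dst)
    if addr in R2_LAN_IF.network:
        return "LAN #2 (local)"
    if addr in R2_WAN_IF.network:
        return "WAN link (direct)"
    # Not on either connected subnet: hand it to the default gateway.
    return f"default gateway {R2_GATEWAY}"


def forward(dst, filtered=True):
    """First-match destination filter, then the routing decision."""
    addr = ip.ip_address(dst)
    if filtered:
        if any(addr in net for net in PASS):
            return "pass -> " + route(dst)
        if any(addr in net for net in BLOCK):
            return "block"
    return "pass -> " + route(dst)


if __name__ == "__main__":
    print("block list as CIDR:", ", ".join(str(net) for net in BLOCK))
    # Constructed destinations as seen from a client on LAN #2.
    for dst in ("192.168.1.1", "192.168.1.10", "192.168.1.255",
                "192.168.5.20", "203.0.113.10"):
        print(f"{dst:14} no filter: {forward(dst, False):36}"
              f" filtered: {forward(dst)}")
```

In this model the 255.255.255.252 WAN netmask only takes 192.168.1.10 out of Router #2's connected subnet, so without the filter the packet still goes to Router #1 as the default gateway; what Router #1 then does with it is outside the model.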
