Re: Is Ethernet input to wirelss router encrypted?

On Sat, 16 Dec 2006 10:53:59 -0600, Peabody
<waybackNO784SPAM44@yahoo.com> wrote:

>Newb. Ok, this is probably a silly question, but that never stopped
>me before. If you turn on WEP or WPA encryption at the wireless
>router, that applies only to wireless connections, not to
>wired connections - right?
>
Correct

In article <60i8o2h1bq6513fqvgest2uq8u1cmt1ciq@4ax.com>,
me2@privacy.net wrote:

> On Sat, 16 Dec 2006 10:53:59 -0600, Peabody
> <waybackNO784SPAM44@yahoo.com> wrote:
>
> >Newb. Ok, this is probably a silly question, but that never stopped
> >me before. If you turn on WEP or WPA encryption at the wireless
> >router, that applies only to wireless connections, not to
> >wired connections - right?
> >
> Correct

The next question then is what are the security concerns (if any) of
having a hard=wired ethernet connection to a wireless router ? What
extra concerns do I have.

Kurt Ullman <kurtullman@yahoo.com> hath wroth:

> The next question then is what are the security concerns (if any) of
>having a hard=wired ethernet connection to a wireless router ? What
>extra concerns do I have.

Wiretap, or rather ethernet tap.
<http://www.netoptics.com/products/product_family.asp?cid=1>
I've uncovered security problems where the wireless bridge is properly
protected from sniffing by encryption, but the ethernet cables going
to/from the bridge are not. I break into the telephone closet in the
office building, install an ethernet tap, and proceed to sniff all the
traffic. Physical security is important if you have something worth
protecting.

Incidentally, there are Layer 2 encryption products. I have some 3com
encrypted ethernet cards (somewhere) that have on board 3DES
encryption.
<http://www.3com.com/products/en_US/detail.jsp?tab=prodspec&sku=3CR990SVR97&pathtype=s upport>


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

In article <38n8o212h0kovv47e09hgtndv0kkbe9i52@4ax.com>,
Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:

> Kurt Ullman <kurtullman@yahoo.com> hath wroth:
>
> > The next question then is what are the security concerns (if any) of
> >having a hard=wired ethernet connection to a wireless router ? What
> >extra concerns do I have.
>
> Wiretap, or rather ethernet tap.
> <http://www.netoptics.com/products/product_family.asp?cid=1>
> I've uncovered security problems where the wireless bridge is properly
> protected from sniffing by encryption, but the ethernet cables going
> to/from the bridge are not. I break into the telephone closet in the
> office building, install an ethernet tap, and proceed to sniff all the
> traffic. Physical security is important if you have something worth
> protecting.
But this is my house and you would have to break into the cable box,
I guess?


>
> Incidentally, there are Layer 2 encryption products. I have some 3com
> encrypted ethernet cards (somewhere) that have on board 3DES
> encryption.
> <http://www.3com.com/products/en_US/d...3CR990SVR97&pa
> thtype=support>

On Sat, 16 Dec 2006 22:24:14 GMT, in alt.internet.wireless , Kurt
Ullman <kurtullman@yahoo.com> wrote:

>In article <38n8o212h0kovv47e09hgtndv0kkbe9i52@4ax.com>,
> Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>
>> Wiretap, or rather ethernet tap.
>
> But this is my house and you would have to break into the cable box,
>I guess?

Yes. This isn't a serious concern for home networks, unless some of
your cabling is acessible from public areas such as hallways or
fire-escapes.
>
>> Incidentally, there are Layer 2 encryption products.

Isn't it easier just to set up a VPN?
--
Mark McIntyre

Mark McIntyre <markmcintyre@spamcop.net> hath wroth:

>On Sat, 16 Dec 2006 22:24:14 GMT, in alt.internet.wireless , Kurt
>Ullman <kurtullman@yahoo.com> wrote:
>
>>In article <38n8o212h0kovv47e09hgtndv0kkbe9i52@4ax.com>,
>> Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>>
>>> Wiretap, or rather ethernet tap.
>>
>> But this is my house and you would have to break into the cable box,
>>I guess?

>Yes. This isn't a serious concern for home networks, unless some of
>your cabling is acessible from public areas such as hallways or
>fire-escapes.

Agreed. It really depends on how you run your CAT5 wiring. Most home
users would not notice an extra CAT5 cable leading to the outside of
the house. It would offer little in the way of sniffing opportunities
as the common ethernet switch does not repeat all packets. However,
it would allow access to the home LAN and possibly the client machines
if they were unprotected from local attacks.

The problem I mentioned really has to do with corporate LAN's and
wireless transparent bridges on rooftops. The CAT5 cable between the
rooftop bridge and the corporate ethernet switch is usually
unprotected.

>>> Incidentally, there are Layer 2 encryption products.
>
>Isn't it easier just to set up a VPN?

A VPN from where to where? The rooftop wireless transparent bridge is
just a Layer 2 bridge with no Layer 3 router features. A VPN acts as
a shim between these two layers and would require a router rather than
just a bridge. A VPN will work with all the traffic routed (not
bridged) through the VPN tunnel. That would probably be easier than
encrypting the entire LAN but only solves the wiretap problem for one
segment of the LAN.

Unfortunately, I have no customers with either Layer 2 or Layer 3
encrypted LAN's and have no clue how common these are in the wild. My
guess is that they're very uncommon. For home networks, they're
probably never used. Considering the level of paranoia about wireless
hacking in the trade press, I would have expected more mention of
wired encryption and security, but I guess not.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On Sat, 16 Dec 2006 18:11:49 -0800, in alt.internet.wireless , Jeff
Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:

>Mark McIntyre <markmcintyre@spamcop.net> hath wroth:
>
>>
>>Isn't it easier just to set up a VPN?
>
>A VPN from where to where?

For home use, I was thinking about setting up the entire LAN as a VPN
into a server. Seen this done somewhere, forget where.
--
Mark McIntyre

Mark McIntyre <markmcintyre@spamcop.net> hath wroth:

>On Sat, 16 Dec 2006 18:11:49 -0800, in alt.internet.wireless , Jeff
>Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>
>>Mark McIntyre <markmcintyre@spamcop.net> hath wroth:
>>
>>>
>>>Isn't it easier just to set up a VPN?
>>
>>A VPN from where to where?

>For home use, I was thinking about setting up the entire LAN as a VPN
>into a server. Seen this done somewhere, forget where.

It should be fairly easy to do (although I've never tried it). Windoze
supports PPTP out of the box. Get a (wireless) router that will
terminate a VPN in the router, and you're done. DD-WRT comes with
PPTP client and server so that will work. I'm not so sure about the
various "VPN router" low end contrivances. I found one (forgot the
model but I'll dig it out of my notes) that would only support a VPN
termination on the WAN port, which makes sense for a router to router
VPN over the internet, but useless for a LAN side VPN. I guess I
should check if DD-WRT will do a LAN side VPN.

It works (so far). Results from ipconfig are:

Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
PPP adapter VPN to local router:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.15.2
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.15.2

Oh swell. Now I have two default gateways. ipconfig lies. The
results from "route print" (with some loopback and multicast routes
deleted) are even more confusing. I assigned the IP address of the
VPN termination to 192.168.15.1 and the stupid router hands me my own
client IP address 192.168.15.2 as the default gateway.
>Active Routes:
>Network Destination Netmask Gateway Interface Metric
> 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.11 2
> 0.0.0.0 0.0.0.0 192.168.15.2 192.168.15.2 1
> 192.168.1.0 255.255.255.0 192.168.1.11 192.168.1.11 1
> 192.168.1.1 255.255.255.255 192.168.1.11 192.168.1.11 1
> 192.168.1.255 255.255.255.255 192.168.1.11 192.168.1.11 1
> 192.168.15.255 255.255.255.255 192.168.15.2 192.168.15.2 1
> 255.255.255.255 255.255.255.255 192.168.15.2 1000003 1
>Default Gateway: 192.168.15.2

Let's see if traceroute is any more helpful:
>tracert 63.198.98.51
>Tracing route to adsl-63-198-98-51.dsl.snfc21.pacbell.net [63.198.98.51]
>over a maximum of 30 hops:
> 1 4 ms 3 ms 4 ms 192.168.15.1
> 2 15 ms 16 ms 16 ms dsl-63-249-85-gateway.cruzio.com [63.249.85.1]
> 3 14 ms 17 ms 17 ms 7200hurricane.cruzio.com [63.249.95.1]
(etc)

Well, that shows that it's going via the VPN to the router's IP
address of 192.168.15.1, so I guess it's working (maybe).

I'm still on the internet which is a good thing. The trouble is that
I can't tell if the LAN packets are going via the regular network
192.168.1.xxx or via the VPN at 192.168.15.xxx without sniffing. I
guess I'll have to change my local IP address to something outside the
netmask and see if it still works (later).

So much for "this should be easy", where 2 out of 3 diagnostics return
gibberish. Got a URL on how to do this so I don't have to do anything
useful tonite?


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On Sun, 17 Dec 2006 16:30:49 -0800, in alt.internet.wireless , Jeff
Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:

>It works (so far). Results from ipconfig are:
>
>Windows 2000 IP Configuration
>Ethernet adapter Local Area Connection:
> Connection-specific DNS Suffix . :
> IP Address. . . . . . . . . . . . : 192.168.1.11
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
>PPP adapter VPN to local router:
> Connection-specific DNS Suffix . :
> IP Address. . . . . . . . . . . . : 192.168.15.2
> Subnet Mask . . . . . . . . . . . : 255.255.255.255
> Default Gateway . . . . . . . . . : 192.168.15.2
>
>Oh swell. Now I have two default gateways. ipconfig lies.

no, thats right, different default g/w for the LAN and VPN.

>VPN termination to 192.168.15.1 and the stupid router hands me my own
>client IP address 192.168.15.2 as the default gateway.

again IME thats correct for a VPN.

>So much for "this should be easy", where 2 out of 3 diagnostics return
>gibberish. Got a URL on how to do this so I don't have to do anything
>useful tonite?

Wish I did....

--
Mark McIntyre

On Wed, 20 Dec 2006 00:06:26 +0000, Mark McIntyre
<markmcintyre@spamcop.net> wrote:

>On Sun, 17 Dec 2006 16:30:49 -0800, in alt.internet.wireless , Jeff
>Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>
>>It works (so far). Results from ipconfig are:
>>
>>Windows 2000 IP Configuration
>>Ethernet adapter Local Area Connection:
>> Connection-specific DNS Suffix . :
>> IP Address. . . . . . . . . . . . : 192.168.1.11
>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>> Default Gateway . . . . . . . . . : 192.168.1.1
>>PPP adapter VPN to local router:
>> Connection-specific DNS Suffix . :
>> IP Address. . . . . . . . . . . . : 192.168.15.2
>> Subnet Mask . . . . . . . . . . . : 255.255.255.255
>> Default Gateway . . . . . . . . . : 192.168.15.2
>>
>>Oh swell. Now I have two default gateways. ipconfig lies.

>no, thats right, different default g/w for the LAN and VPN.

Y'er right. Two gateways is correct.

>>VPN termination to 192.168.15.1 and the stupid router hands me my own
>>client IP address 192.168.15.2 as the default gateway.
>
>again IME thats correct for a VPN.

My office VPN client does the same thing. I guess it makes sense. VPN
talks to itself in order to get to the tunnel on the local router.
Y'er right. That's also normal.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS