ADDandy Posted June 16, 2009

Hey everyone, I just bought a house and I have the benefit of not having tenants for the first month, so I have the time to set up a proper and awesome home network. There is a diagram of my network attached.

Network Hardware:

2Wire Router: this is the broadband box that comes with my internet service. I want to run the open/WEP wifi off this router. I want this router to only be able to access the internet, and nothing else on the LAN. It will be the guest wifi network, but should keep my actual network sans virus.

Linksys 610N: main firewall/router, broadcasting the main wifi network (B & N), WPA2 Personal. Running DD-WRT (hopefully).

Switch 1: this switch is for ethernet into the basement (3 personal computers, PS3, Xbox, 2 extra in the media center area).

Questions:

1) What is the best way to make the WEP wifi network only able to access the internet and not any of the other LAN devices?
2) What is a good 8-port GigE switch? I was looking at an HP ProCurve 1400-8G but they are about $30 over my budget for the switch (I want to spend 100 CAD).
3) Is the PS3 or Xbox a better platform for watching content stored on the media server (fed10 box)?
4) Is the 610N the best router? I am looking for 4-port GigE, wireless G/N simultaneous dual band.
5) I have a bunch of extra wireless G equipment (some D-Link, Asus). Would it be easier to set up the internet-only guest wifi using one of these?

Thanks

Attention Deficit DINOSAURS!
decepticon_eazy_e Posted June 16, 2009

Ok I'll give this a shot....

1. Use that router/firewall as your gateway to the internal network. There is no way to keep the wifi traffic off the LAN unless you have some advanced ACLs or packet filtering going on, which I doubt your 2Wire router does. If you lock down your 610N properly, you should be fine.

2. Define "good switch"? Do you need it to do VLANs? If you want an unmanaged gigabit switch for a network of this size, just go with what fits your budget. They're all the same at that level. Honestly, you won't be putting enough stress on the switch to see the flaws, if any.

3. Depends on what you want to watch. Do they play all the file formats you want? I like XBMC but I have to make sure to get the appropriate formats supported for that. It's all up to your tastes.

4. Each vendor has a different implementation of N (almost), so we'll have to just sit back and wait until N is final, so I make no judgments there. My opinion is the best router is one that can run custom firmware like DD-WRT or Tomato.

5. Again, depends on the capabilities of the specific equipment. I doubt consumer grade equipment can make dedicated SSIDs tied to a specific VLAN. Put an AP outside your firewall and you'll be fine. You might get your bandwidth sapped, but that's another issue.

Home networks are a different breed altogether; you don't need to take into consideration things that you do in enterprise networks. They don't have the same requirements or considerations. You really don't need gigabit, and when you are all done, if you measure your bandwidth, I would be surprised if you went over 100Mbps between PCs streaming. The software will be your bottleneck.
ADDandy Posted June 16, 2009

Ok

1) I was hoping to get the WEP wifi working like a Fonera works, where it has a private wifi and then a completely separate wifi that only gets the internet.

2) I define a good switch by low switching latency and good throughput, and when I say 'I define' I mean 'the sysadmin at work told me that is what to look for'.

3) In most cases it will be standard video formats; I just wanted to know which has the best viewing experience when streaming off a Linux-based media server.

4) Right now the 610N is almost supported by DD-WRT. They don't have the dual band working yet.

5) Sorry, I should clarify that question.

5 new) Would it be easier to set up the guest wireless network (the one that doesn't have access to any network resources, it can only access the internet) using a D-Link product?

Thanks!
decepticon_eazy_e Posted June 16, 2009

1. If your router/modem thing has it, you'll see an option in the GUI. I doubt it's there. Use 2 APs instead.

2. The sysadmin here says get a Cisco switch. You'll pay a ton for it, especially gigabit, compared to D-Link/Netgear/junk. More RAM and a higher CPU will give you better numbers; it's going to be hard to find the specs for consumer grade switches.

3. If it's HDMI on both, it'll probably look the same on both. They're both gaming systems, treat them as such. This is the equivalent of asking which cell phone has a better camera and basing your decision on that.

4. Then I would say no, I like the advanced options that you get. But that's just me.

5+. Nothing is easier using D-Link. :) You are looking for enterprise features in consumer grade equipment; there's a reason that this stuff costs so much less.
MRGRIM Posted June 17, 2009

I'm also interested in running two wireless SSIDs to isolate my public and private networks; I've not really found a 100% way to do this yet. I had hoped to do it with DD-WRT but it just doesn't seem to work right. A wireless device in my house craps out constantly when I use any kind of security, so I was just going to allow it to connect to the public wireless and only allow it access to a specific server. At the moment I'm having to use 2 APs. I'll probably invest in some Cisco kit one day. ;)
barry99705 Posted June 17, 2009

Here's how I have my network set up. I'm running an older P3 machine with 3 NICs in it with Smoothwall as its OS. This is my firewall/router. One NIC is WAN, one is LAN, and the third is WIFI. The WIFI and LAN ports are on separate subnets. The LAN can talk to the WIFI, but not the other way around. This setup can also track internet usage, and run a pretty good basic IDS/IPS. I have a WRT54GS running the wireless in AP mode; it doesn't do any routing or IP assigning.
decepticon_eazy_e Posted June 17, 2009

"The LAN can talk to the WIFI, but not the other way around."

How did you configure 1-way packet exchange? ('exchange' is used for lack of a better word, since there would be no actual exchange.) TCP transactions need to make round trips, hence both networks need permission to talk to each other. Either they can both talk to each other, or they cannot.
Sparda Posted June 17, 2009

I think he means that the wifi is on the WAN side of a NAT. Thus devices behind the NAT can establish a new connection to devices on the wifi, while devices on the wifi cannot establish connections to devices behind the NAT.
barry99705 Posted June 18, 2009

Kinda. Both networks are inside the firewall and NATed, but the firewall is keeping them separate as well. Hosts on the LAN can make connections to devices on the wifi, but not the other way around.
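The one-way behaviour barry99705 describes, and the guest-wifi isolation ADDandy asked for at the top of the thread, both come from stateful filtering rather than from symmetric "permission" between the two networks: a connection-opening packet is judged against the zone policy, and once it is accepted the firewall's connection table lets the replies back through regardless of direction. The simulation below is an added example written for this thread, not Smoothwall's code or anyone's posted configuration; the three zones, subnets and addresses are constructed for illustration. The comment at the top shows the equivalent iptables FORWARD rules, with interface names assumed.

```python
"""
Stateful three-zone packet filter simulation (constructed example).

Equivalent Linux rules, with eth0=WAN, eth1=LAN, eth2=WIFI assumed:
  iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i eth1 -o eth2 -m conntrack --ctstate NEW -j ACCEPT   # LAN -> WIFI
  iptables -A FORWARD -i eth2 -o eth1 -j DROP                                 # WIFI -> LAN
  iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT   # LAN -> internet
  iptables -A FORWARD -i eth2 -o eth0 -m conntrack --ctstate NEW -j ACCEPT   # WIFI -> internet
  iptables -P FORWARD DROP
"""
from dataclasses import dataclass
import ipaddress

# Constructed subnets; anything outside them is treated as the WAN zone
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "WIFI": ipaddress.ip_network("192.168.2.0/24"),
}

# Policy for NEW connections only, keyed by (ingress zone, egress zone)
POLICY = {
    ("LAN", "WIFI"): True,
    ("LAN", "WAN"): True,
    ("WIFI", "WAN"): True,
    ("WIFI", "LAN"): False,
    ("WAN", "LAN"): False,
    ("WAN", "WIFI"): False,
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a connection-opening segment (SYN without ACK)


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


class StatefulFilter:
    def __init__(self):
        self.conntrack = set()  # 4-tuples of accepted connections

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # ESTABLISHED: the packet belongs to a tracked flow, in either direction
        if self._key(p) in self.conntrack or self._reverse_key(p) in self.conntrack:
            return "ACCEPT"
        # Only a connection-opening segment may create state; a stray ACK or
        # data segment with no matching entry is dropped (iptables "INVALID")
        if not p.syn:
            return "DROP"
        if POLICY.get((zone_of(p.src), zone_of(p.dst)), False):
            self.conntrack.add(self._key(p))
            return "ACCEPT"
        return "DROP"


def run_scenario() -> dict:
    """Constructed traffic: a LAN host, a guest wifi host and an internet server."""
    fw = StatefulFilter()
    lan_host, wifi_host, web = "192.168.1.10", "192.168.2.20", "203.0.113.5"
    results = {}
    # 1. LAN opens a connection to the wifi host: allowed, state created
    results["lan_to_wifi_syn"] = fw.filter(Packet(lan_host, 40000, wifi_host, 22, syn=True))
    # 2. The wifi host's reply on that flow: allowed because of the state, not the policy
    results["wifi_reply"] = fw.filter(Packet(wifi_host, 22, lan_host, 40000, syn=False))
    # 3. The wifi host opens its own connection into the LAN: dropped
    results["wifi_to_lan_syn"] = fw.filter(Packet(wifi_host, 50000, lan_host, 445, syn=True))
    # 4. Guest wifi to the internet: allowed
    results["wifi_to_wan_syn"] = fw.filter(Packet(wifi_host, 50001, web, 80, syn=True))
    # 5. Unsolicited inbound from the internet to the LAN: dropped
    results["wan_to_lan_syn"] = fw.filter(Packet(web, 1234, lan_host, 445, syn=True))
    # 6. A non-SYN segment from wifi into the LAN with no matching state: dropped
    results["wifi_to_lan_ack"] = fw.filter(Packet(wifi_host, 50002, lan_host, 445, syn=False))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:18s} {verdict}")
```

The point for the guest network question is case 3 versus case 2: the guest host never gets "permission" to talk to the LAN, yet its replies on a LAN-initiated connection still pass, because the connection-tracking entry, not the zone policy, is what admits them. A plain NAT box gives you the WAN side of this for free, but the WIFI-to-LAN rule has to be an explicit policy on a device that forwards between the two subnets.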
decepticon_eazy_e Posted June 18, 2009

I figured that, but let's not get in the habit of calling a NAT device a firewall. NAT is not an acceptable method of firewalling for security; it's for convenience.
barry99705 Posted June 18, 2009

I never said it was. Which is why I don't use those POS DSL modems ISPs hand out. Especially 2Wire; freaking things have a huge security flaw.
ADDandy Posted June 18, 2009

They have a huge security flaw? When you say you don't use them, do you just make them a dumb modem and handle your network with a router?
Sparda Posted June 18, 2009

The NAT technology (or configuration, if this is a more accurate name) works very similarly to a firewall. The difference being that NAT has the advantage of being able to map several connections to different hosts on a network. If you mean this in the context of consumer NAT routers being crap firewalls you are indeed correct. A good number of them (particularly the no-name brands) have fail all over them.
decepticon_eazy_e Posted June 18, 2009

I meant in the context of TCP sequence numbers on the outgoing packets: if you can predict them, you can punch a hole in the NAT "firewall" and go right in. A device that performs packet inspection would be an appropriate firewall. NAT is good for home networks, but don't get a false sense of security by calling it a firewall.
Sparda Posted June 18, 2009

If a NAT device assigns each new connection by sequentially generating information that identifies each connection, you would indeed be able to more easily guess this information. You would also have to know what outside resources they were connecting to in order to 'get through' the NAT. If you managed to get a packet through the NAT, the NAT thinks your IP address on the internet is not the one you actually have. The result is you never receive anything back from your target. If a packet did get through it will have achieved nothing unless you have a payload that can be delivered in a single packet or multiple packets that are not actually part of the stream while appearing to be.

A computer behind a firewall is just as vulnerable to this kind of attack as a computer behind a NAT. Both a software firewall and a hardware firewall would rely on the OS to generate the information that uniquely identifies each connection. If the OS generates it sequentially, nothing has changed.

Aside from this there is also the issue of you not knowing what software will ultimately receive your payload. Obviously a computer will, but will it go to Firefox, IE, Steam, Pidgin, iTunes even? If you have a payload that exploits the network stack of a given OS (probably Windows) you increase your target size slightly.

Given that there are approximately 4000000000 possible IP addresses on the internet and that there are approximately 64000 possible ports usable by any given connection. If you knew a particular host on the internet was always there you would be hammering at it for a very long time before you got a packet through. Unless you are passively monitoring traffic going in and out of the connection, it is very unlikely any packet will get in. Mathematically speaking there are 4000000000^64000 = very big number possible combinations of IP address and port used. Realistically speaking you are more likely to randomly turn into an elephant that has found itself at the edge of the expanding universe in an elephant-sized stable than get a packet through NAT without knowing anything about the target.
decepticon_eazy_e Posted June 19, 2009

It's possible and it's been done; I agree it's probably unlikely you or I will be the victim of such an attack. If the router/firewall doesn't do any packet inspection, the packets get passed through if they match the appropriate conditions. If you can guess those conditions, you probably have a better chance at getting through. It's just naive to tell somebody that a Netgear router doing NAT is the equivalent of a firewall. I understand that the start of this discussion was somebody using Smoothwall, which probably does packet inspection, so I'm not knocking that, but it might be configured to do so in that example.

http://en.wikipedia.org/wiki/TCP_Sequence_Prediction_Attack
http://www.tech-faq.com/tcp-sequence-prediction.shtml

Somebody would have to be pretty dedicated and knowledgeable to accomplish such a feat with a specific goal in mind; who would do such a thing?

http://www.networkcomputing.com/unixworld/...ty/001.txt.html

Mitnick did it.
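The condition Sparda and decepticon_eazy_e are arguing over is whether the end host's initial sequence numbers (ISNs) are generated sequentially, since that is what makes them guessable. The example below is added for this thread and is not code from either poster or from any product: it models the two generator styles (a fixed-step counter, and the keyed-hash scheme from RFC 1948 / RFC 6528 that modern stacks use) and a small audit a defender can run on ISN samples collected from their own host to see which kind they have. Addresses, ports and the 64000 clock step are constructed values.

```python
"""
ISN predictability audit (constructed example).

  SequentialISN : counter bumped by a fixed step, the weak scheme under discussion
  HashedISN     : RFC 6528 style, clock + keyed hash of the 4-tuple, so two
                  connections to different endpoints share no predictable offset
  is_predictable: flags a sample whose consecutive differences are all the same
"""
import hashlib
import hmac
import os
import random

ISN_MOD = 2 ** 32


class SequentialISN:
    """Constant-increment generator: every new connection is old ISN + step."""

    def __init__(self, step: int = 64000):
        self.counter = random.getrandbits(32)
        self.step = step

    def next(self, src: str, sport: int, dst: str, dport: int) -> int:
        self.counter = (self.counter + self.step) % ISN_MOD
        return self.counter


class HashedISN:
    """ISN = M + F(localip, localport, remoteip, remoteport, secret), per RFC 6528."""

    def __init__(self):
        self.secret = os.urandom(16)          # per-boot secret, never leaves the host
        self.clock = random.getrandbits(32)   # M, a monotonic timer

    def next(self, src: str, sport: int, dst: str, dport: int) -> int:
        self.clock = (self.clock + 64000) % ISN_MOD   # constructed stand-in for the timer tick
        msg = f"{src}:{sport}->{dst}:{dport}".encode()
        f = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (self.clock + f) % ISN_MOD


def isn_deltas(isns: list) -> list:
    """Differences between consecutive ISNs, modulo 2^32 so wrap-around is harmless."""
    return [(b - a) % ISN_MOD for a, b in zip(isns, isns[1:])]


def is_predictable(isns: list, tolerance: int = 0) -> bool:
    """True when every consecutive difference falls within `tolerance` of the others,
    i.e. the next ISN can be extrapolated from the previous two."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        return False
    return max(deltas) - min(deltas) <= tolerance


def sample(gen, n: int = 20) -> list:
    """Constructed sample: n connections from one client to one server, distinct source ports."""
    return [gen.next("192.0.2.10", 40000 + i, "198.51.100.7", 80) for i in range(n)]


if __name__ == "__main__":
    for name, gen in (("sequential", SequentialISN()), ("hashed", HashedISN())):
        isns = sample(gen)
        print(f"{name:10s} predictable={is_predictable(isns)} first deltas={isn_deltas(isns)[:3]}")
```

On a real host the samples would come from captured SYN-ACKs rather than a simulated generator, but the check is the same: a stack whose deltas are constant is the one the thread is worried about, and the fix is on the host (a hashed or randomized ISN generator), not on the NAT box, which is consistent with Sparda's point that the firewall in front of it does not change which ISNs the OS produces.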
Ryan Posted June 19, 2009

You could also put this device on a DMZ. For your gaming devices you will have to forward the ports manually. And personally I think the 360 is the better platform for viewing media.
barry99705 Posted June 19, 2009

I use a dumb modem and let Smoothwall do the work. They don't get the chance to fuck up my network. I'm not sure if it's been fixed or not, I don't care.

http://blogs.chron.com/techblog/archives/2...ng_exploit.html
decepticon_eazy_e Posted June 19, 2009

I can tell you that the 2Wire routers in my townhome complex have not been fixed yet!