Two more questions about wireless security

I got two good questions last week, via Facebook, that I answered briefly in the comments but that are worth further exploration: does hiding the SSID beef up wireless security, and does it help to allow only the MAC addresses of hardware you own?

Those are good questions. Smart questions. I like those kinds of questions.

Unfortunately, neither measure gets you a whole lot. Against a sophisticated attacker, either one buys you minutes; a strong password buys you years. It’s like having a locked screen door in front of the vault door at Fort Knox. (That assumes you’re using a strong password. If you’re using a weak password plus these measures, it’s like having multiple locked screen doors.)

Then again, not everyone is a sophisticated attacker.
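To make the "minutes" concrete, here is an added example (not from the original post) that parses a few 802.11 management frames the way any passive listener would. The frames are constructed inline, and the AP and client MAC addresses are invented, locally administered values. A "hidden" network still answers directed probe requests, and clients that have the network saved ask for it by name, so the SSID goes out in the clear anyway; every frame's transmitter MAC is also readable, and that MAC is the only thing a MAC filter checks.

```python
import struct

# Constructed sample addresses (locally administered, not real hardware).
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000010")
BROADCAST = b"\xff" * 6

# 802.11 management frame subtypes used below, and the SSID information element tag.
PROBE_REQUEST, PROBE_RESPONSE, BEACON = 0x4, 0x5, 0x8
SSID_IE = 0


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_mgmt_frame(subtype, src, dst, bssid, ies, fixed=b""):
    """Assemble a minimal management frame: 24-byte header, optional fixed fields, then tagged IEs."""
    frame_control = bytes([subtype << 4, 0x00])  # type 0 (management), protocol version 0, no flags
    header = frame_control + b"\x00\x00" + dst + src + bssid + b"\x00\x00"  # duration, addr1..3, seq ctrl
    body = fixed + b"".join(bytes([tag, len(val)]) + val for tag, val in ies)
    return header + body


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, transmitter MAC, {tag: value}) for a management frame, or None otherwise."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        return None  # control or data frame, not management
    subtype = (fc0 >> 4) & 0xF
    transmitter = frame[10:16]  # addr2 is the transmitter of a management frame
    body = frame[24:]
    if subtype in (BEACON, PROBE_RESPONSE):
        body = body[12:]  # timestamp(8) + beacon interval(2) + capability(2) precede the IEs
    ies = {}
    offset = 0
    while offset + 2 <= len(body):
        tag, length = body[offset], body[offset + 1]
        ies[tag] = body[offset + 2 : offset + 2 + length]
        offset += 2 + length
    return subtype, transmitter, ies


def ssid_from_frame(frame: bytes):
    """The SSID a frame discloses, or None for a hidden/wildcard SSID (or a non-management frame)."""
    parsed = parse_mgmt_frame(frame)
    if parsed is None:
        return None
    _, _, ies = parsed
    raw = ies.get(SSID_IE)
    if not raw or raw.count(0) == len(raw):  # length 0 or all NUL: "hidden" beacon or broadcast probe
        return None
    return raw.decode("utf-8", errors="replace")


def observe(frames):
    """What a passive listener learns: every disclosed SSID and every transmitter MAC seen in the clear."""
    result = {"ssids": set(), "station_macs": set()}
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        _, transmitter, _ = parsed
        result["station_macs"].add(mac_str(transmitter))
        ssid = ssid_from_frame(frame)
        if ssid:
            result["ssids"].add(ssid)
    return result


# Constructed traffic: an AP with "hide SSID" enabled, and a client that already knows the network.
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, beacon interval (TUs), capability (ESS, privacy)
RATES_IE = (1, bytes([0x82, 0x84, 0x8B, 0x96]))  # supported rates 1/2/5.5/11 Mbit, basic
HIDDEN_BEACON = build_mgmt_frame(BEACON, AP_MAC, BROADCAST, AP_MAC,
                                 [(SSID_IE, b""), RATES_IE, (3, b"\x06")], fixed=BEACON_FIXED)
# The client probes for its saved network by name, so the "hidden" SSID goes out in the clear.
PROBE_FOR_HOMENET = build_mgmt_frame(PROBE_REQUEST, CLIENT_MAC, BROADCAST, BROADCAST,
                                     [(SSID_IE, b"HomeNet"), RATES_IE])
# The AP's probe response confirms the name to anyone listening, not just to the client.
PROBE_RESPONSE_FRAME = build_mgmt_frame(PROBE_RESPONSE, AP_MAC, CLIENT_MAC, AP_MAC,
                                        [(SSID_IE, b"HomeNet"), RATES_IE, (3, b"\x06")], fixed=BEACON_FIXED)

if __name__ == "__main__":
    print(observe([HIDDEN_BEACON, PROBE_FOR_HOMENET, PROBE_RESPONSE_FRAME]))
```

The hidden beacon alone yields no name, but one probe exchange hands over the SSID and both MAC addresses. Cloning an allowed MAC is a one-line interface setting on any laptop, which is why the two measures together are worth minutes against anyone who bothers to listen.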

Disabling WPS by upgrading to DD-WRT

Tom Gatermann told me he succeeded in disabling WPS by upgrading his Linksys router–I didn’t ask what model and probably shouldn’t post that anyway–with DD-WRT.

Explicitly disabling WPS in DD-WRT is unnecessary because DD-WRT doesn’t implement WPS at all, which is a good thing given how quickly a WPS PIN can be brute-forced. There’s no setting to look for; it’s just automatic.

Balancing safety and versatility

John C Dvorak has a very simple solution to the HP printing problem. Lock down the firmware so it’s not upgradeable. And while we’re at it, do the same thing to routers and other equipment.

This solves the problem of loading rogue firmware on the devices, but there are several problems with such a draconian approach.

How to make a DMZ with two routers

I’ve alluded in the past to why it’s a good idea to make a DMZ with two routers, but I’ve never gone into depth about how to do it, or exactly why.

If your ISP gave you a combination modem/switch/access point/router that only supports 100-megabit wired and 54-megabit (802.11g) wireless, and you want to upgrade to gigabit wired and 150-megabit (802.11n) wireless, here’s a great way to make the two devices work together and improve your security at the same time.

How to power your computer up from away from home

The low-tier, DIY VPN has proven popular. The biggest drawback of its approach is that it requires you to keep a PC on at home: if your computer is configured to hibernate after a period of inactivity, or if the power goes out, you’ll have a problem.

If you’re willing to do some work, you can use Wake-on-LAN over any Internet connection to solve that issue and power the computer on at will.
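As an added example (not the original post's code), here is what a Wake-on-LAN "magic packet" actually is and how a sleeping NIC recognizes it: six 0xFF bytes followed by the target MAC repeated sixteen times, optionally followed by a six-byte SecureOn password. The MAC address used is a constructed placeholder, and the sender assumes the home router forwards the chosen UDP port onto the LAN.

```python
import socket
from typing import Optional

WOL_SYNC = b"\xff" * 6  # every magic packet starts with six 0xFF bytes


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return the six raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def build_magic_packet(mac: str, secureon: Optional[bytes] = None) -> bytes:
    """Sync stream + target MAC repeated 16 times, optionally followed by a 6-byte SecureOn password."""
    payload = WOL_SYNC + parse_mac(mac) * 16
    if secureon is not None:
        if len(secureon) != 6:
            raise ValueError("SecureOn password must be exactly 6 bytes")
        payload += secureon
    return payload


def is_magic_packet_for(payload: bytes, mac: str) -> bool:
    """Roughly what the NIC does while asleep: look for sync + 16 copies of its own MAC anywhere in the frame."""
    pattern = WOL_SYNC + parse_mac(mac) * 16
    return pattern in payload  # matched on content, so the UDP port number is only a convention


def send_magic_packet(mac: str, host: str, port: int = 9) -> int:
    """Send the packet over UDP and return the number of bytes sent.

    On the LAN, host is the broadcast address. From the Internet, host is the router's public
    name (e.g. a DynDNS hostname) and port is one the router forwards to the LAN; the packet
    still has to be delivered at layer 2, so the router must forward it to the broadcast
    address or hold a static ARP entry for the sleeping machine (an assumption about your router).
    """
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (host, port))


if __name__ == "__main__":
    # Constructed example address, not a real machine; nothing is sent here.
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), "bytes, starts with", pkt[:8].hex())
```

Note what this does and does not protect: the packet carries no authentication, and a SecureOn password travels in cleartext and can be replayed, so anyone who learns the MAC and the forwarded port can wake the machine. Forwarding a WoL port therefore exposes the ability to power the box on, not to control it; the VPN in front of it still has to do the real work.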

How to secure your wi-fi router

It’s not enough to know what to look for in a router; I wanted some solid advice on wi-fi network security as well. Who better to give that advice than someone who built an airplane that hacks wi-fi? So I talked to WhiteQueen at http://rabbit-hole.org, the co-builder of a wi-fi hacking airplane that made waves at Defcon.

Hacker stereotypes aside, WhiteQueen was very forthcoming. He’s a white hat, and I found him eager to share what he knows.

What to look for in a router

I revisit the topic of what to look for in a router every six or seven years. As important as it always was, I think it’s even more important today, as there are a number of underpowered routers on the market and it’s best to avoid them.

This post originated in 2010. I revised it for 2017 needs, and by the time I was done, I’m not sure much of my 2010 text was left. But that’s OK.

Review: D-Link DSL-2640B

I’ve had DSL for right around 10 years. I would have ordered it sooner, except it wasn’t available in my area any earlier than that.

Over the years I’ve owned several modems. I started out with an Alcatel, then after I moved a mile down the street I owned a couple of different Speedstream modems. Each would drop connections every so often, and each had a different (and undocumented, of course) ritual to get it back online.

The highest praise I can give to the D-Link DSL-2640B is that I haven’t discovered such a ritual yet. If the phone line and electricity are working, it finds a way to stay online.

There’s nothing especially flashy about the 2640B. It’s an unassuming black and silver box, similar in styling to modern PCs, with jacks in the back. It’s a combination modem, gateway, and switch in one package, so in my case, it replaced two boxes–my Speedstream modem, and my Linksys WRT54G. Many ISPs have been distributing all-in-one units made by companies like 2wire in recent years; the D-Link is similar to those, but a bit smaller than many of them.

Setup is trivial for someone who’s set up devices like my old Linksys. Those who’ve never done such a thing may need assistance. I can’t vouch for the quality of D-Link’s customer service because I didn’t need it. Before I plugged the unit into my phone line, I plugged a laptop into the D-Link, brought the two units over to my desktop PC where I had my Linksys configuration open, and checked all my settings against the Linksys. About 10 minutes later, I plugged the D-Link into my phone line, it connected to my ISP, and it’s been online ever since.

The nicest feature is its ADSL information screen. It tells me the modem speed (downstream and upstream), number of errors, and other diagnostic information. I’ve seen my speed range from 1.5 megabit to as low as 256K (upstream stays steady at 384K), but it’s never dropped. I’ll take speed fluctuations over dropped connections any day. If (or maybe I should say when) the quality of my phone line deteriorates any further, I’ll be armed with some good information. Southwestern Bell/SBC/AT&T have always been able to dismiss my complaints in the past. I imagine that’ll be harder to do when I can tell them exactly how many tens of millions of downstream errors I have, versus 96 upstream errors.

Despite those errors, the modem keeps on trucking. I’m impressed.

My sole complaint is that my DynDNS hostname isn’t usable from inside my own network: the name points at my public address, and the D-Link doesn’t loop that connection back to the LAN. I had to put an entry for my DynDNS name into my hosts file. This won’t be an issue for anyone who isn’t running their own web server, but it’s a little aggravating for those who do. Less aggravating than a dropped connection, though.

So if you need a new DSL modem for whatever reason, I recommend the D-Link DSL-2640B. It isn’t flashy, but it works and keeps working.

Update 10 October 2010: I’ve been using this unit for about 15 months, and it’s still going strong. So I can recommend it even more strongly than when I wrote this. It’s out of warranty now, and I didn’t even notice.

Wiring the house

My trusty Linksys WRT54G started dying yesterday. I think I’ve had it 3-4 years, so it’s had a decent run.

I have some temporary wiring in place until I decide what I want to do, but I really think I want some wired Ethernet. For one thing, my phone wiring is really bad, and I think that’s affecting my DSL speed and reliability. Modern CAT5 wiring would solve that problem neatly. And if I ran a dedicated unfiltered line straight to the modem and filtered lines everywhere else, I could get by with a single line filter instead of a half dozen. That should improve reliability too.

And while I’m running CAT5, I might as well run two wires, so I’ll have convenient network jacks in several places in the house. And if I’m running wire, I might as well run CAT5e and get gigabit capability. That should give me faster and more reliable networking, both locally and online.

The project would take about $100 worth of cable and jacks, I estimate. I already have plenty of jacks, so I’d just have to buy a spool of CAT5e. That, and find the time to run it.

I may keep wireless around for ultimate convenience (a combo DSL modem/router/access point costs about $70, which isn’t much more than another WRT54G, and my modem is getting old too), but I like the idea of having my desktop PCs connected via gigabit. It’ll make sharing drives more practical, and potentially much more secure if I get fancy with network segmenting and firewalling.

I think I’m going to be asking the network wizard at work a lot of questions… Good thing he sits right next to me.

And now mostly I need a free weekend to do all this.

If you have wireless, you need DD-WRT

I picked up a spare Linksys WRT54G recently, and tonight I finally got a chance to try DD-WRT, a free replacement operating system, on it.

Amazing is an understatement. The biggest complaint I usually hear about wireless networking is range (and when people complain about reliability, they almost always mean range), and DD-WRT offers several solutions to this.

First of all, DD-WRT allows cheap, ubiquitous routers to serve other functions. Wireless repeaters cost $100. Wireless routers cost $50. DD-WRT lets you turn that $50 router into a repeater, among other things. So if there’s a dead spot in your house, you can pick up another WRT54G (be sure to get the WRT54GL version if you’re buying new; when buying used, you want version 6 or earlier, and version 2 or so is probably the best), load DD-WRT on it, use it as a repeater, and save 50 bucks. Some of the used units on Amazon or eBay already have DD-WRT loaded on them, which can save you some effort.

Second, once you load DD-WRT, you can connect to it, click on Wireless, then Advanced Settings, and scroll down to TX Power. The default value is 28 (milliwatts). You may want to adjust that, within reason: pushing it much higher makes the radio run hotter and noisier, and a stronger signal reaches farther for eavesdroppers as well as for you.

I was also happy to see that once I configured my second WRT54G as a wireless bridge, the computer I was using to configure it gained Internet access through it. So a DD-WRT-equipped router can do double duty. If you have a video game console with an Ethernet port on it, you can put one of these routers in the same room with it, run a cable to the device to put the game system online, and at the same time configure the router to serve as a repeater, strengthening your wireless signal. So not only do you save $50 by not having to buy a repeater, it can also mean one less wireless card you have to buy.

The one thing I’ll say about DD-WRT is that when you load it, you need to take precautions. If you follow the instructions, loading it is a safe procedure that only takes a minute or two. But if you don’t follow the instructions, it’s possible to ruin the router. Never change firmware over a wireless connection; use a computer connected to a wired port, and don’t let either device lose power while the flash is being written. With my particular router and the version of DD-WRT I was loading, I had to use Internet Explorer; for some reason Firefox has difficulty getting this particular job done. You also have to load the factory default settings at one point or another during the configuration. So read the documentation at least twice and make sure you understand everything before you proceed.

I like DD-WRT a lot and I plan to load it on the WRT54G that I have connected to my DSL modem very soon. The main benefit I see is being able to crank the power of the signal up a bit, but there are plenty of other goodies in there that I may end up using. Perhaps more importantly, my WRT54G stopped working with DynDNS at some point, and Cisco/Linksys doesn’t seem to be revising the standard WRT54G firmware anymore. But DD-WRT has an active community behind it, so if something changes, I’m confident that there’ll be a new DD-WRT to take care of me, whether I need it next year or five years from now.

Pay DD-WRT.com a visit, find a compatible router (there are non-Linksys models that are compatible also) and pick one up. It won’t disappoint you.