
When will we take security seriously?

Overheard today at work:
“Hackers don’t usually work during the day, or on weekends…”

I guess by that same logic, I could say that I ran file servers with all ports exposed on the public Internet for years and never got hacked (just don’t mention that those years started in 1996 and ended in 1998).

It’s sad that there are people who still don’t take security seriously. The attitude I heard 10 years ago–“What? Do they want to look at the GIFs and JPEGs on my hard drive? If they can get in, they can have ’em!”–pervades today. Nobody’s interested in your GIFs and JPEGs because you don’t have anything that hasn’t been posted on Usenet’s alt.binaries groups a dozen times, but they want your high-speed connection. It doesn’t matter anymore how insignificant you are. If your computer is online, they want it.

I’m quickly reaching the point where I believe it’s socially irresponsible to have anything faster than a 56K dialup connection and not have a hardware-based firewall sitting between you and the Internet. I bought a couple of the low-end Network Everywhere-brand (made by Linksys) 4-port cable/DSL routers a year ago. I paid $50 apiece for them. That’s what you’ll pay for a shrink-wrapped “Internet Security” software package, but it’s more effective and it doesn’t slow your computer down. Even a one-computer household should have one.

As far as antivirus software goes, Grisoft offers antivirus software free for home use. Yes, it slows your computer down. If you don’t like that, run Linux. Grisoft’s AVG is free, effective, and easy to use. And it stamps outgoing e-mail, assuring your friends that your mail has been scanned. That’s comforting in these days.

Hopefully the typical computer user will soon outgrow the teenage it-can’t-happen-to-me mindset.

But I won’t hold my breath. Since hackers only work on weekdays, problems can only happen when I’m at work and my home PC is off, right?

CompUSA’s $30 house-brand router looks like a rare bargain

I just built a network for a friend using CompUSA’s $30 cable/DSL router/4-port switch. I’m not sure if the price was a Memorial Day special, or if that’s the regular price. Considering you can’t get a Linksys or D-Link for under $50 without rebate hassles, and usually they cost closer to $80, that’s a nice deal.
The CompUSA unit looks bland and generic–it’s brown and boxy, from the same design school as the original Commodore 64–but that’s the only knock I have on it. Hide it behind your desk if its homely looks bother you. Installing it was literally a plug-in-and-go affair. Plug in the cable modem, plug in the computers, release the computers’ IP addresses and renew them (or reboot if you wish), and they’re all on the network.

If you want to get fancy, then open the manual. You can do port forwarding, set up a DMZ, and do everything else you’d expect from a consumer router. It even includes dynamic DNS support–something the more expensive units didn’t give you, the last I checked.

I can’t speak for the long-term reliability of the unit, since I literally spent 15 minutes with it. The price is good enough that to me, it’s worth a slight risk. In devices like this, it’s the wall wart that’s most likely to fail anyway.

So if you or a friend is looking to share your cable or DSL broadband connection and there’s a CompUSA nearby, it’s worth a look.

Network infrastructure for a small office

We talked earlier this week about servers, and undoubtedly some more questions will come up, but let’s go ahead and talk about small-office network infrastructure.
Cable and DSL modems are affordable enough that any small office within the service area of either ought to get one. For the cost of three dialup accounts, you can have Internet service that’s fast enough to be worth having.

I’ve talked a lot about sharing a broadband connection with Freesco, and while I like Freesco, in an office environment I recommend you get an appliance such as those offered by Linksys, US Robotics, D-Link, Netgear, Siemens, and a host of other companies. There are several simple reasons for this: The devices take up less space, they run cooler, there’s no need to wait for them to boot up in case of power failure or someone accidentally unplugging it, and being solid state, theoretically they’re more reliable than a recycled Pentium-75. Plus, they’re very fast and easy to set up (we’re talking five minutes in most cases) and very cheap–under $50. When I just checked, CompUSA’s house brand router/switch was running $39. It’s hard to find a 5-port switch for much less than that. Since you’ll probably use those switch ports for something anyway, the $10-$20 extra you pay to get broadband connection sharing and a DHCP server is more than worth your time.

My boss swears that when he replaced his Linksys combo router/100-megabit switch with a much pricier Cisco combo router/10-megabit switch, the Cisco was faster, not only upstream, but also on the local network. I don’t doubt it, but you can’t buy Cisco gear at the local office supply store for $49.

For my money, I’d prefer to get a 24-port 3Com or Intel switch and plug it into a broadband sharing device but you’ll pay a lot more for commercial-grade 3Com or Intel gear. The cheap smallish switches you’ll see in the ads in the Sunday papers will work OK, but their reliability won’t be as high. Keep a spare on hand if you get the cheap stuff.

What about wireless? Wireless can save you lots of time and money by not having to run CAT5 all over the place–assuming your building isn’t already wired–and your laptop users will love having a network connection anywhere they go. But security is an issue. At the very least, change your SSID from the factory default, turn on WEP (check your manual if it isn’t obvious how to do it), and hard-code your access point(s) to only accept the MAC addresses of the cards your company owns (again, check your manual). Even that isn’t enough necessarily to keep a determined wardriver out of your network. Cisco does the best job of providing decent security, but, again, you can’t buy Cisco gear at your local Staples. Also, to make it easier on yourself, make sure your first access point and your first couple of cards are the same brand. With some work, the variety pack will usually work together. Like-branded stuff always will. When you’re doing your initial setup, you want the first few steps to go as smoothly as possible.

I’d go so far as to turn off DHCP on the wireless segment. Most wardrivers probably have the ability to figure out your network topology, gateway, and know some DNSs. But why make life easier for them? Some won’t know how to do that, and that’ll keep them out. The sophisticated wardriver may decide it’s too much trouble and go find a friendlier network.

Why worry about wireless security? A wardriver may or may not be interested in your LAN. But that’s one concern. And while I don’t care if someone mooches some bandwidth off my LAN to go read USA Today, and I’d only be slightly annoyed if he used it to go download the newest version of Debian, I do care if someone uses my wireless network to send spam to 250,000 of his closest friends, or if he uses my wireless network to visit a bunch of child porn or warez sites.

Enough about that. Let’s talk about how to wire everything. First off, if you use a switched 100-megabit network, you can just wire everything together and not give much thought to anything. But if you’re using hubs or wireless to connect your desktops, be sure to put your servers on 100-megabit switch ports. The servers can then talk to each other at full speed if and when that’s necessary. And a switch port allows them to talk at full speed to a number of slower desktop PCs at once. The speed difference can be noticeable.

Linux network diagnostics

I was doing a little research for Gatermann about Linux networking. I didn’t find what I was looking for, but I found something interesting: a pair of tools co-written by Donald Becker called mii-tool and mii-diag.
The source code for them is available at scyld.com, but Debian includes a package for them (mii-diag). They allow you to force your network card to re-negotiate its speed with your hub or switch, which is useful if it’s constantly negotiating the wrong speed. In Windows you can usually open the network control panel and force duplex operation and speed. In Linux, that requires playing around with module options, which aren’t always consistent across drivers (because they’re not all written by the same people) or, if you compiled your driver into the kernel, passing boot parameters. Either way, you’re forced to reboot.

Run mii-diag to find out the status of your card (and commentary on the situation from the authors, in some cases). You can run mii-tool -r to force a renegotiation nicely, or run with the -f parameter to force it to a certain speed (if you’re interested in forcing a speed, you’re probably chasing 100 megabit, full duplex).

If your system is mysteriously not connecting, like my Web server was yesterday after I moved it, this tool can be useful in fixing it. I wish I’d known about it yesterday. I eventually solved the problem by rebooting until it worked right. (I don’t think my server’s 3Com NIC likes my Linksys router/switch much.)

So if you want to change your network’s speed for any reason without rebooting, this is the tool to do it (and it doesn’t make you hunt the Web and Usenet for the module parameters).
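Here is an added example (not from the post) of putting mii-tool to work the way the post describes: read the card’s negotiated mode, and only restart autonegotiation when the link is up but not at 100 Mbit full duplex. The status lines are constructed samples in mii-tool’s output format so the parsing can be exercised offline; the force option is mii-tool’s documented -F (the post spells it -f).

```shell
#!/bin/sh
# Added example: check an interface's link with mii-tool and renegotiate when
# it is not at 100 Mbit full duplex. Assumes mii-tool (Debian package mii-diag
# or net-tools) is installed and the script is run as root on a real box.

WANTED='100baseTx-FD'

# Constructed sample status lines in mii-tool's output format (offline tests).
SAMPLE_GOOD='eth0: negotiated 100baseTx-FD, link ok'
SAMPLE_SLOW='eth0: negotiated 10baseT-HD, link ok'
SAMPLE_DOWN='eth0: no link'

# link_state <mii-tool status line>
# Prints: ok (already at WANTED), renegotiate (link up, wrong mode), down.
link_state() {
    case "$1" in
        *"no link"*)                    echo down ;;
        *"negotiated $WANTED"*)         echo ok ;;           # autonegotiated
        *"100 Mbit, full duplex"*)      echo ok ;;           # previously forced
        *"link ok"*)                    echo renegotiate ;;
        *)                              echo down ;;         # unknown -> treat as down
    esac
}

# fix_link <interface>
# Queries the card and acts: -r restarts autonegotiation (the gentle option
# from the post). A cable fault is reported rather than "fixed" by forcing.
fix_link() {
    iface=$1
    status=$(mii-tool "$iface" 2>&1) || { echo "mii-tool failed: $status" >&2; return 1; }
    case "$(link_state "$status")" in
        ok)          echo "$iface already at $WANTED" ;;
        renegotiate) echo "$iface is '$status'; restarting autonegotiation"
                     mii-tool -r "$iface" ;;
        down)        echo "$iface has no link; check cable and switch port first" >&2
                     return 1 ;;
    esac
}

# force_link <interface>
# Last resort when autonegotiation keeps landing on the wrong mode: force the
# media type with -F (the post's "-f"). The switch port must be set to match.
force_link() {
    mii-tool -F "$WANTED" "$1"
}

# Usage: ./linkfix.sh eth0
if [ -n "${1:-}" ]; then
    fix_link "$1"
fi
```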

More wireless networking

Well, I took the plunge. What good is credit when you don’t use it, right? I didn’t want to run CAT5 Ethernet cable everywhere and I didn’t want to spend hours playing with Linux drivers for phone-line networks that have been in beta for a year. Especially not when the few Usenet posts that mention those drivers also mention kernel panics. No thanks.
Dan Bowman pointed out that JustDeals had good prices available on wireless gear. So I picked up a plain-old access point for $70 (I don’t want a combo access point/router/switch because I want something I can turn off when I’m not using it–can’t beat that for security) and a PCMCIA NIC for $29 and a pair of USB NICs for $29. That’ll let me put a computer in the front room and a computer in the spare room and it’ll let me wander around with my work laptop.

Dirt-cheap prices, no rebate hassles. Gotta love it. CompUSA’s prices on Netgear kit are good, but there are rebates involved, which is always a pain.

My plan for security, besides powering off the access point when I’m not using it, is to turn off DHCP, hard-code it to my NICs, turn on 128-bit WEP, use obnoxious passphrases, and place the access point as far from the outside wall as possible. That should give me acceptable security, especially considering the physical location of my house. Neither of my next-door neighbors has a wireless LAN, and I seriously doubt the neighbors behind me do either, and they’re pretty far back and might even be out of range anyway. I’m at the end of a street deep in a residential area, so most wardrivers probably won’t bother. And if they do, I’ll be home and I’ll probably see them.
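The checklist in the small-office post (change the SSID, turn on encryption, MAC-filter, turn off DHCP) and the home plan above are the same four settings. As an added example, not from either post, here is a small audit that reads an access point’s settings and reports which of those four are still at their factory state. The key=value format and both sample configs are constructed for the example; a real access point exports its settings in its own vendor format. One check goes beyond the posts: WEP has since been shown to be cryptographically broken, so the audit accepts WPA as “encryption on” and flags WEP-only as a finding.

```shell
#!/bin/sh
# Added example: audit access-point settings against the posts' checklist.
# Config format (key=value, one per line) and sample values are constructed.

# Constructed sample: an AP straight out of the box.
AP_FACTORY='ssid=linksys
wpa=off
wep=off
mac_filter=off
dhcp=on'

# Constructed sample: the same AP after the checklist, with WPA instead of WEP.
AP_HARDENED='ssid=choir-loft-7q
wpa=on
wep=off
mac_filter=on
dhcp=off'

# ap_get <config-text> <key>: print the value for key, nothing if unset.
ap_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# ap_audit <config-text>: print space-separated findings on one line;
# prints an empty line when every check passes.
ap_audit() {
    cfg=$1
    out=''
    # Factory SSIDs named in the posts, plus "Any" and an empty SSID.
    case "$(ap_get "$cfg" ssid)" in
        ''|linksys|default|3Com|Any) out="$out default-ssid" ;;
    esac
    if [ "$(ap_get "$cfg" wpa)" = on ]; then
        :                                  # WPA/WPA2: acceptable
    elif [ "$(ap_get "$cfg" wep)" = on ]; then
        out="$out wep-only"                # better than nothing in 2002, broken today
    else
        out="$out no-encryption"
    fi
    [ "$(ap_get "$cfg" mac_filter)" = on ] || out="$out mac-filter-off"
    [ "$(ap_get "$cfg" dhcp)" = off ]      || out="$out dhcp-on"
    printf '%s\n' "${out# }"
}

# Demonstration: the factory unit fails every check, the hardened one passes.
echo "factory:  $(ap_audit "$AP_FACTORY")"
echo "hardened: $(ap_audit "$AP_HARDENED")"
```

MAC filtering and a disabled DHCP server only raise the effort for a casual wardriver, as the post says; the encryption check is the one that actually keeps traffic private.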

One thing I learned today, which reveals my ignorance yesterday, is that most wireless NICs accept the “Any” parameter that we used to get a Linksys NIC talking with a 3Com access point so we could configure it. But your documentation may or may not mention it.

Let’s talk wireless networking

When I was at church tonight looking at a power supply they asked me to help them set up a wireless network. I didn’t go about securing it just yet because I was paranoid about locking myself out.
I learned enough anyway.

The first thing I learned was that mix-and-matching your stuff for initial setup isn’t the best of ideas. We had a 3Com access point, a D-Link PCMCIA NIC, and a Linksys USB NIC. The D-Link and the 3Com didn’t want to talk to each other. Differing SSIDs turned out to be the culprit. The 3Com’s SSID was “3Com”. The D-Link’s SSID was “default”. The Linksys’ SSID was “Linksys”. But the Linksys setup program hinted that if you changed the SSID to “Any”, it would work with anything. It was right. It linked right up to the 3Com access point, while the D-Link just kept blinking away, looking for something. So we used the Linksys to configure the 3Com access point and changed the D-Link’s SSID. We had to reboot a couple of times before it kicked in, but then the D-Link connected up and held a link.

So the moral of that story is to make sure your access point and at least one of your cards match. And if you can’t match brands, get one Linksys, since you can set its SSID to “Any” and it’ll connect to anything. (I couldn’t figure out how to make the D-Link do that; maybe if I’d set it to “Any” it would have found the 3Com too.) Of course the only way to find out the 3Com’s SSID was to connect to it, so if we hadn’t had that Linksys, we’d have been up a creek.

So now I just have to figure out how to secure the network and they’ll be set. The plan is to only break the wireless stuff out during events, so it’s not like they’ll become much of a wardriving target, but I’ll still feel better if it’s secure. I’m a little bit afraid to just connect to the access point, enter a passphrase and turn on 128-bit encryption, because I couldn’t figure out how to give the cards themselves the passphrase and I didn’t want to take the chance of whether it’ll ask for it upon initial connection.

Time for more research.

And I think I’ll be getting some wireless stuff for myself soon. I’ve thought about phone networking, but Linux support is spotty. Wireless is less secure and more expensive, but it’s a whole lot easier. And it’ll be nice to be able to take a laptop anywhere I want and still be connected. CompUSA has their wireless gear on sale right now.

A semi-easy firewall

A single-floppy firewall mini-distribution can be a quick and easy way to save yourself some money if you’ve got an old PC in a closet not doing anything, assuming you stumble across a combination of hardware that works right.
If you don’t stumble across a combination of hardware that works together, you can just as easily spend a weekend and accomplish nothing but uttering strings of four-letter words in combinations never before heard by mankind.

In case you came here looking for hardware that works, here are a few hints. A 10-megabit PCI NE2000 clone in combination with virtually any 10/100 PCI card ought to work fabulously. A pair of 10/100 PCI cards based on the RealTek 8139 chipset, which includes the majority of today’s inexpensive cards, probably will not. If you’re buying new stuff and want ease of use, get a 3Com card and a cheapie. If you want cheap and a little inconvenience, get a Netgear FA311 or 312 and a Realtek 8139-based card, such as a D-Link DFE-530+ or a Linksys. You’ll have to hunt down and install the natsemi.o module to get the Netgear working; most other inexpensive cards on the market will work with the rtl8139.o driver.

Freesco doesn’t supply a driver for the Intel EtherExpress Pro series out of the box. If you’ve got an EEpro, you can make it work by downloading the module and copying it to the floppy, but don’t rush out to buy one. And yes, the 3Com and Intel chipsets are high-performance chipsets, especially compared to the 8139, but remember, routers are machines that pull packets out of a 1.5-megabit pipe (if you’re lucky) and shove packets down an even smaller pipe. In this application, a $40 big-brand card doesn’t give you any advantage over a no-name card that costs $6 at Newegg.com.

While these firewalls will technically work fine even on a 386sx/16, trying to make them work with ISA cards can be a long, difficult road. Used Pentium-75s are dirt cheap (and Pentium-60s and 66s are even cheaper, when you can find them) and they’re a lot less trouble because PCI cards don’t require you to rejumper them or hunt down a plug-and-play configuration disk to find out its IRQ and address. I’ve had the best luck with Pentiums that used an Intel Triton chipset or newer (the 430FX, HX, VX, or TX). I’ve tried a couple of boards that had a SiS chipset of 1995 vintage or so, and I could get one network card or the other working, but not both. I don’t want to generalize and say that based on two isolated incidents that all Taiwanese chipsets are junk for this application–for all I know, the problem could have been the BIOS on those boards–but I’ve done this on a handful of Triton-series boards and done well on all of them, and on two SiS boards and failed. Your mileage will probably vary.

How much memory do you need? 16 megs is sheer luxury.

Once you put all this together, the question becomes whether you use a floppy distribution or a full-blown distribution. If you want peace and quiet and cheap, the answer is pretty easy–use a floppy and pull out whatever hard drive was in there.

A full-out distribution like Red Hat or Debian will give you more versatility. You can run meaningful Web and FTP servers if you want (and your ISP allows it). You can run a caching nameserver to speed up your Web browsing. If you feel adventurous, you can even install the Squid caching proxy and speed up your browsing even more (but either use a SCSI drive or put in a bunch of extra memory and run Squid’s cache out of a ramdisk–Squid’s performance on IDE is, to put it mildly, terrible).

I’m having a hard time finding the documentation on how to set up a second network interface quickly. I believe it involves the file /etc/interfaces and the files /etc/sysconfig/ifconfig.eth0 and .eth1, but I don’t have a Linux box handy to investigate at the moment.
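On Debian the interfaces are declared in /etc/network/interfaces and brought up with ifup/ifdown. As an added example (not from the post), here is that file for the two-NIC firewall box described above; the interface names and the 192.168.1.0/24 inside network are assumptions.

```conf
# /etc/network/interfaces for a two-NIC Debian firewall (added example).
# Assumes eth0 faces the cable/DSL modem and eth1 faces the LAN.
auto lo
iface lo inet loopback

# Outside: the modem or ISP hands out the address by DHCP.
auto eth0
iface eth0 inet dhcp

# Inside: the firewall is the LAN's gateway at a fixed address, so the
# desktops can point their default route and DNS at it.
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
```

After editing, ifup eth1 activates the inside interface without a reboot, and ifconfig should then list lo, eth0 and eth1.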

Anyway, I like Debian for this application (of course) because I can easily fit a minimal Debian on a 100-meg hard drive.

Once you get your network cards all working and talking to each other, you can build your firewall using this online tool. I just copy it, then Telnet into my Linux box using PuTTY, fire up a text editor, and right-click in the window to paste.

If you want versatility and quiet and don’t mind spending some cash, pick up a CompactFlash-to-IDE adapter and a CompactFlash card of suitable size. Don’t create a swapfile on the CF card–you’ll quickly burn it up that way. Your system will recognize it as a small IDE drive, giving you silent and reliable solid-state storage on the cheap.

Milestone!

I’m writing this from my new house, connected via DSL to my Web server, running off my DSL connection at my apartment. Let me say this: DSL was much easier in the early days when you just got a DHCP connection. Configuring PPPoE is a royal pain.
But I’ve got an old Pentium with a pair of NICs in it running Coyote Linux, with an old Celeron PC running Windows 98 connected via a crossover cable, since the Linksys router is still at the apartment keeping the magic alive there.

DSL works most reliably from my front room, which isn’t what I want to use as a computer room, so I guess I’ll be running some Ethernet cables.

But most importantly, I can now respond to late-night pages and pcAnywhere into the network at work and fix things. So I guess that means I can start sleeping here. That’ll be nice. This neighborhood is a lot quieter than my apartment complex.

Interestingly enough, as I cobbled together some PCs from parts to get this stuff up and going, I found some Pentium motherboards that wouldn’t even boot Windows 98 properly (the DSL setup has to run from Windows). Linux installs effortlessly on them.

Getting back into business…

My mail’s working again. My mail server problems seem to be mostly solved. It was indeed a hardware problem–with my Linksys router. My mail server couldn’t talk to the outside world, and my Windows boxes couldn’t talk to (couldn’t even ping) the mail server. But my Web server could. But since my Web server is a Web server, it doesn’t have a mail client on it. Oh well. So I pulled the plug on the Linksys router, called it a few names, then plugged it back in. Soon I had a flood of mail, telling me all about how I can make $5K a month online, get high legally, drive my Web counter ballistic, get out of debt… And a really weird one: I love you and I don’t want you to die! I had to check that one. Weight-loss spam. Hmm. I guess that spammer doesn’t know that if I lost 40 pounds, I probably would die…
You know, I wonder if maybe I liked my mail server better when it didn’t work. Nah. There was some legit stuff buried in it, and I’m slowly replying to it all.

The funeral was yesterday. Since I wasn’t quite the only one who had trouble figuring out when to sit and when to stand, I take it I wasn’t the only Protestant there. It was a very nice service.

And there’s this, courtesy of Dan. He sent me the first installment in a series about using Linux as a thin client. Well, technically, I suppose the machines he’s describing are fat clients, since they do have some local storage. It doesn’t matter. Dan asked if I’ve made this point before. I think I have. I know I started to make it in my second book, The Linux Book You’ll Never Read, but it was cancelled before I started on the research to tell how to implement it.

So here’s the story. You get yourself a big, honkin’ server. Go ahead and go all out. I’m talking dual CPUs, I’m talking 60K RPM Ultra1280 SCSI drives (OK, you can settle for 15K RPM Ultra320 SCSI, since that’s all they make), I’m talking a gig or two of RAM if you’ve got the slots–build a powerhouse.

Then you go round up the dinkiest, sorriest bunch of PCs you can find. Well, actually, since video performance is fairly important, the ideal system would be a P100 with 24 MB RAM, a fairly nice PCI video card, a smallish hard drive, and a network card. The most important component is the video card, far and away. The fat clients connect to your network and run applications off that honkin’ server. The apps run on the server and display on the fat client. Data is stored on the applications server.

Yes, you’ll want a good sysadmin to keep that honkin’ applications server happy. But desktop support virtually ceases to exist. When you have problems with your PC, someone comes, swaps out the unit, and you get back to work. You’re supposed to have one desktop support guy for every 25 end users (in reality most places have one for every 75). That’s 40,000 smackers plus benefits annually for an army of people whose job it is to make sure NT keeps running right. These people are expensive, hard to find, and if they’re any good, even harder to keep.

Move to fat clients, and you can probably replace desktop support with one desktop support guy (to play Dr. Frankenstein on the dead systems and support the remaining few who can’t get by with a fat client) and a kick-butt sysadmin.

Let the revolution begin…

I was called in to an emergency meeting yesterday morning. I was up to my eyebrows in alligators, but my boss was insistent. I had to be there. So I went. When we sat down, the tone was somber and slightly meandering. The guy who called the meeting just didn’t want to get to the point. Finally it hit me: Layoffs. That’s what this has to be about. So… Who’s gone? I’m not the highest-paid guy in my group, I’m probably the most versatile, and I’m not the most recent hire, so I’m probably safe. I was right about layoffs, or, more accurately, one layoff, followed by a restructuring. And the layoff wasn’t me.
I think we’re a better fit in our new structure (under our old organization we were married to a group that really didn’t like my group, or at least they didn’t like me, and now we’re married to a group that does, for the most part, like my group), and my boss’ new boss is so busy we shouldn’t have to worry about him messing with much. But I don’t like change, and my Scottish clan’s motto, “Fide et Fortitudine” loosely translates into “loyalty and guts” today. The loyalty side of me has some problems with what happened yesterday, but looking at it strictly from a business standpoint, I sure can’t argue with it.

Meanwhile, I needed about three minutes’ worth of quality time with that indignant hard drive to get the data I so desperately wanted. I got it. Next struggle: Getting Windows NT to work properly with eighth-rate hardware. This PC has a generic RealTek 8139-based card (so we’re talking a generic clone of a Linksys or D-Link card here… A clone of a clone), Trident Blade 3D video, ESS 1868 sound, and an AOpen 56K modem (at least it wasn’t a Winmodem). The AOpen modem is, by a long shot, the best component in the machine outside of the Gigabyte motherboard and Pentium II-450 CPU. I’ll say one thing for brand-name hardware. Drivers are easy to come by and they generally install correctly the first time, every time. It took me an hour to track down Blade 3D drivers that work, then it took me a good 30-45 minutes to get those working. The Realtek drivers at least worked the first time. I never did get the ESS drivers working. The AOpen modem driver went off without a hitch, mostly because it’s actually a controller-based modem. I stand by my assertion that you can buy $10 components and spend $100 worth of time trying to get each of them working right, or you can buy $50-$75 components from a reputable maker and make them work the first time. Seeing as the more expensive components will probably work well together too and give better performance, it’s a no-brainer for me. Gimme Creative or Guillemot video and sound cards and pair that up with a 3Com or Intel NIC and I’ll be a happy camper.

Tomorrow I’ll talk about my bookstore adventures. I want to go read for a while.

OK, I’m back for a second. I can’t resist. Not quite four years ago, I had a conversation with another Journalism major/history minor (one who, unlike me, actually finished his history minor, if I recall correctly). Over dinner with my then-significant other, he told me all about his theory of generations, as she looked on, entranced. The nasty breakup that soon followed that conversation overshadowed it, and I didn’t think of it again until last night, when I spotted the book Generations, by William Strauss and Neil Howe, on the shelf of a used bookstore. Curious, I looked at it, and sure enough, this was where that guy got his ideas. It was marked six bucks. I bought it, started reading, and gained some insight on myself. Why do I go ga-ga over the writings of F. Scott Fitzgerald, and get chills whenever I read about his personal life because it all feels so familiar? He and I are from parallel generational cycles. His generation thought like mine does, so we grew up in similar peer environments. Why do I understand people 10 years older than me so much better than people 10 years younger than me? I was born 7 years before the end of my generational cycle.