Re: Suggestions for a secure home network

[James Harless <jharless () kidwellcompanies com>]

> > > Use a firewall and setup ACLs/rules that enable access only for known
> > > MAC/IP addresses?

I also wouldn't put too much belief that this will provide security
benefits, either.  It may, if coupled with other measures but, most people
deploying MAC Filtering by itself are getting nil benefit from it.  One
could argue that it's actually worse because it *forces* the intruder to
mask himself as one of your legitimate users.

James Harless



On 4/14/06 1:23 PM, "Phunkodelic" <phunkodelic () gmail com> wrote:

> > > As far as minimizing SSID broadcast, I'm concerned that you would say
> > > it does 'not' have any security merit.
>
> You are crorrect in that.  Trying to hide behind your SSID is like
> using WEP and saying its secure.  Anybody with a wireless sniffer can
> pull the SSID out EVEN IF ITS NOT BROADCASTED.   If you have wireless
> traffic sniffing software finding the SSID is like stealing candy from
> a kid.
>
> On 4/13/06, Alexander Bolante <alexander.bolante () gmail com> wrote:
> > Thanks for the clarification. That was a typo on my part. My brain was
> > thinking WEP encryption, therefore I meant frequency of changing WEP
> > key, policies for establishing that WEP key, etc. In that regard, my
> > questions do have security merit, unless you wanna challenge that as
> > well :-)
> >
> > As far as minimizing SSID broadcast, I'm concerned that you would say
> > it does 'not' have any security merit. You are correct in saying
> > 'there are several wireless devices that will not work properly unless
> > you broadcast the SSID' however my statement was abstract for that
> > very reason. My purpose was to get Edmund to think about it as a
> > possibility if technically feasible, then he can determine whether or
> > not that's how we wants to setup his wireless devices.
> >
> > Thanks!
> >
> >
> >
> > On 4/13/06, Phunkodelic <phunkodelic () gmail com> wrote:
> > > > > Frequency of changing SSID?
> > > > > Policies for establishing that SSID?
> > > > > Minimizing SSID broadcast?
> > >
> > > I don't think the above 3 items have any security merit, as trying to
> > > "hide" your SSID is not a security measure at all.  Anybody who can
> > > sniff wireless traffic can grab the SSID very easily broadcast or
> > > non-broadcast.  There are seveal wireless devices that will not work
> > > properly unless you broadcast the SSID.
> > >
> > > On 4/12/06, Alexander Bolante <alexander.bolante () gmail com> wrote:
> > > > From a design perspective, I think it would also be good for you to
> > > > have a security checklist:
> > > >
> > > > WLAN Security:
> > > > Frequency of changing SSID?
> > > > Policies for establishing that SSID?
> > > > Minimizing SSID broadcast?
> > > > Access point location to reduce eavesdropping?
> > > > Locking management interfaces?
> > > > Use static IPs vs. DHCP?
> > > > MAC-based access restrictions?
> > > >
> > > > Network Security:
> > > > Placement in a DMZ?
> > > > Use a firewall and setup ACLs/rules that enable access only for known
> > > > MAC/IP addresses?
> > > > Consider using an IDS if you plan on maintaining the solution?
> > > >
> > > > That's a start. Hopefully then your solution's risk will really just
> > > > boil down to physical security.
> > > > Good luck, but have fun!
> > > >
> > > > Thanks!
> > > > Alexander
> > > >
> > > >
> > > > On 4/9/06, Edmond Chow <echow () videotron ca> wrote:
> > > > > Hello List,
> > > > >
> > > > > I am looking to put together a home network for a high-end client of mine
> > > > > and would like your opinion on what type of equipment to use.
> > > > >
> > > > > Here's an overview of his requirement:
> > > > >
> > > > > - Two MACs (for his kids) on a wireless network
> > > > > - Two PCs on a wired network - these two PCs have sensitive information on
> > > > > them.  These computers would not be used for remote access but only for
> > > > > internet and email access.  I am thinking of adding hard drive encryption
> > > > > to
> > > > > these two computers.
> > > > >
> > > > > I'm thinking of three approaches and would like your thoughts:
> > > > >
> > > > > #1 - Use a cable modem with non-wireless router for his two PCs and use a
> > > > > separate DSL modem with wireless router for his two MACs. Double the
> > > > > monthly
> > > > > cost for internet access but there is no chance that hackers entering
> > > > > through the MACs will be able to access his PCs.
> > > > > #2 - Use a router (I was thinking of something like an Astaro router or
> > > > > Cisco router) for the PCs and then connect a Linksys wireless router with
> > > > > WPA security to the first router.  The wireless router would be used for
> > > > > the
> > > > > two MACs.
> > > > > #3 - Use a wireless router with WPA security for the wireless MACs and
> > > > > then
> > > > > hard wire the two PCs to the non wireless router ports on the back of the
> > > > > wireless router.
> > > > >
> > > > > Any thoughts you would have would be greatly appreciated.  Any
> > > > > manufacturers
> > > > > and or models you could suggest would also be much appreciated.
> > > > >
> > > > > Thanks.
> > > > >
> > > > > Regards,
> > > > >
> > > > >
> > > > > Edmond
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -------------------------------------------------------------------------
> > > > > This List Sponsored by: Webroot
> > > > >
> > > > > Don't leave your confidential company and customer records un-protected.
> > > > > Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> > > > > obligation. See why so many companies trust Spy Sweeper Enterprise to
> > > > > eradicate spyware from their networks.
> > > > > FREE 30-Day Trial of Spy Sweeper Enterprise
> > > > >
> > > > > http://www.webroot.com/forms/enterprise_lead.php
> > > > > --------------------------------------------------------------------------
> > > >
> > > >
> > > >
> > > > --
> > > > Alexander Bolante | Alexander.Bolante () gmail com
> > > >
> > > > -------------------------------------------------------------------------
> > > > This List Sponsored by: Webroot
> > > >
> > > > Don't leave your confidential company and customer records un-protected.
> > > > Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> > > > obligation. See why so many companies trust Spy Sweeper Enterprise to
> > > > eradicate spyware from their networks.
> > > > FREE 30-Day Trial of Spy Sweeper Enterprise
> > > >
> > > > http://www.webroot.com/forms/enterprise_lead.php
> > > > --------------------------------------------------------------------------
> >
> >
> > --
> > Alexander Bolante | Alexander.Bolante () gmail com
>
> -------------------------------------------------------------------------
> This List Sponsored by: Webroot
>
> Don't leave your confidential company and customer records un-protected.
> Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> obligation. See why so many companies trust Spy Sweeper Enterprise to
> eradicate spyware from their networks.
> FREE 30-Day Trial of Spy Sweeper Enterprise
>
> http://www.webroot.com/forms/enterprise_lead.php
> --------------------------------------------------------------------------


-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------