Security Basics mailing list archives
Re: Suggestions for a secure home network
From: James Harless <jharless () kidwellcompanies com>
Date: Mon, 17 Apr 2006 15:36:49 -0500
> Use a firewall and set up ACLs/rules that enable access only for known MAC/IP addresses?

I also wouldn't put too much belief that this will provide security benefits, either. It may, if coupled with other measures, but most people deploying MAC Filtering by itself are getting nil benefit from it. One could argue that it's actually worse because it *forces* the intruder to mask himself as one of your legitimate users.

James Harless

On 4/14/06 1:23 PM, "Phunkodelic" <phunkodelic () gmail com> wrote:

> As far as minimizing SSID broadcast, I'm concerned that you would say it does 'not' have any security merit.

You are correct in that. Trying to hide behind your SSID is like using WEP and saying it's secure. Anybody with a wireless sniffer can pull the SSID out EVEN IF IT'S NOT BROADCASTED. If you have wireless traffic sniffing software, finding the SSID is like stealing candy from a kid.

On 4/13/06, Alexander Bolante <alexander.bolante () gmail com> wrote:

Thanks for the clarification. That was a typo on my part. My brain was thinking WEP encryption, therefore I meant frequency of changing WEP key, policies for establishing that WEP key, etc. In that regard, my questions do have security merit, unless you wanna challenge that as well :-)

As far as minimizing SSID broadcast, I'm concerned that you would say it does 'not' have any security merit. You are correct in saying 'there are several wireless devices that will not work properly unless you broadcast the SSID'; however, my statement was abstract for that very reason. My purpose was to get Edmond to think about it as a possibility if technically feasible, then he can determine whether or not that's how he wants to set up his wireless devices.

Thanks!

On 4/13/06, Phunkodelic <phunkodelic () gmail com> wrote:

> Frequency of changing SSID?
> Policies for establishing that SSID?
> Minimizing SSID broadcast?

I don't think the above 3 items have any security merit, as trying to "hide" your SSID is not a security measure at all. Anybody who can sniff wireless traffic can grab the SSID very easily, broadcast or non-broadcast. There are several wireless devices that will not work properly unless you broadcast the SSID.

On 4/12/06, Alexander Bolante <alexander.bolante () gmail com> wrote:

From a design perspective, I think it would also be good for you to have a security checklist:

WLAN Security:
- Frequency of changing SSID?
- Policies for establishing that SSID?
- Minimizing SSID broadcast?
- Access point location to reduce eavesdropping?
- Locking management interfaces?
- Use static IPs vs. DHCP?
- MAC-based access restrictions?

Network Security:
- Placement in a DMZ?
- Use a firewall and set up ACLs/rules that enable access only for known MAC/IP addresses?
- Consider using an IDS if you plan on maintaining the solution?

That's a start. Hopefully then your solution's risk will really just boil down to physical security. Good luck, but have fun!

Thanks!
Alexander

On 4/9/06, Edmond Chow <echow () videotron ca> wrote:

Hello List,

I am looking to put together a home network for a high-end client of mine and would like your opinion on what type of equipment to use. Here's an overview of his requirement:

- Two MACs (for his kids) on a wireless network
- Two PCs on a wired network - these two PCs have sensitive information on them. These computers would not be used for remote access but only for internet and email access. I am thinking of adding hard drive encryption to these two computers.

I'm thinking of three approaches and would like your thoughts:

#1 - Use a cable modem with non-wireless router for his two PCs and use a separate DSL modem with wireless router for his two MACs. Double the monthly cost for internet access but there is no chance that hackers entering through the MACs will be able to access his PCs.

#2 - Use a router (I was thinking of something like an Astaro router or Cisco router) for the PCs and then connect a Linksys wireless router with WPA security to the first router. The wireless router would be used for the two MACs.

#3 - Use a wireless router with WPA security for the wireless MACs and then hard wire the two PCs to the non-wireless router ports on the back of the wireless router.

Any thoughts you would have would be greatly appreciated. Any manufacturers and/or models you could suggest would also be much appreciated.

Thanks.

Regards,
Edmond

-------------------------------------------------------------------------
This List Sponsored by: Webroot
Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise
http://www.webroot.com/forms/enterprise_lead.php
-------------------------------------------------------------------------

Alexander Bolante | Alexander.Bolante () gmail com
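An added example, not part of the thread: the point made above about non-broadcast SSIDs, shown by parsing the SSID element out of 802.11 management frames. The frames are constructed sample bytes, and the network name `HomeNet` and both MAC addresses are assumptions; the beacon carries a blanked SSID while the probe response and association request from the same network still carry the name in clear.

```python
# Fixed-field bytes that precede the tagged elements, per management subtype.
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}

def ssid_from_frame(frame):
    """Return (frame kind, SSID or None if blanked); None if the frame has no SSID element."""
    if len(frame) < 24:                      # shorter than a management MAC header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None                          # not a management frame that carries an SSID
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):             # walk the ID/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            return None                      # truncated element
        if eid == 0:                         # element ID 0 is the SSID
            hidden = not any(value)          # zero length or all-NUL padding
            return (NAMES[subtype], None if hidden else value.decode("utf-8", "replace"))
        pos += 2 + elen
    return None

def build_frame(subtype, ssid):
    """Build a constructed sample frame (not captured traffic)."""
    ap = bytes.fromhex("020000000001")       # assumed locally administered addresses
    sta = bytes.fromhex("020000000002")
    header = bytes([subtype << 4, 0, 0, 0]) + sta + ap + ap + b"\x00\x00"
    elements = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])
    return header + bytes(FIXED_LEN[subtype]) + elements

def names_seen(frames):
    """SSID observations, in order, from every frame that carries one."""
    return [r for r in map(ssid_from_frame, frames) if r is not None]

SAMPLE = [
    build_frame(8, b"\x00" * 7),             # beacon with the SSID blanked out
    build_frame(5, b"HomeNet"),              # probe response still names the network
    build_frame(0, b"HomeNet"),              # so does a client's association request
    bytes([0x08, 0]) + bytes(30),            # data frame: ignored
]

if __name__ == "__main__":
    for kind, ssid in names_seen(SAMPLE):
        print(kind, ssid or "<hidden>")
```
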
Current thread:
- Internet port scanning - access as a definition Craig Wright (Apr 07)
- RE: Suggestions for a secure home network Edmond Chow (Apr 11)
- Re: Suggestions for a secure home network Aaron Rohyans (Apr 11)
- RE: Suggestions for a secure home network David Gillett (Apr 11)
- Re: Suggestions for a secure home network paul.johnson8 () gmail com (Apr 12)
- Re: Suggestions for a secure home network Alexander Bolante (Apr 12)
- Re: Suggestions for a secure home network Phunkodelic (Apr 13)
- Re: Suggestions for a secure home network Alexander Bolante (Apr 13)
- Re: Suggestions for a secure home network Phunkodelic (Apr 17)
- Re: Suggestions for a secure home network James Harless (Apr 18)
- RE: Suggestions for a secure home network Edmond Chow (Apr 11)