cellio: (avatar)
Monica ([personal profile] cellio) wrote2012-05-13 04:31 pm
  • Add Memory
  • Share This Entry
Entry tags:

but those were useful features!

A very helpful (yes, really!) technician at Verizon diagnosed our network problems as a flaky router, so he sent us a new one and we swapped it in today. The old router had two features that I found useful: I could name devices on the network, and the "my network" list showed me everything that had connected since the last router restart, not just the currently-connected devices. These, particularly in combination, were useful for monitoring my network. (Why yes, since I can be punished for anything done from my IP address even if I didn't do or authorize it, and since no security that is still usable is perfect, I do care.)

The new router lacks both of these features; it shows currently-connected devices by MAC address (and IP address), but short of my maintaining the name-MAC mappings externally, that's of limited utility. And it doesn't tell me if a neighbor found his way onto my network while I wasn't watching. Now my neighbors seem like decent folks, and in a different legal environment I'd rather be the sort of person who shares my spare bandwidth with anybody who needs it, but that's not the point.

Oh well. I guess I am now relying more strongly on decent neighbors and passwords, as I haven't found anything like router logs that tell me this stuff.

I know that some of my readers are pretty security-conscious. How do you handle this?
Flat | Top-Level Comments Only

[identity profile] miz-hatbox.livejournal.com 2012-05-13 08:47 pm (UTC)(link)
Passwords and not sharing our network connectivity with people we don't know super-well.
cellio: (avatar)

[personal profile] cellio 2012-05-13 08:50 pm (UTC)(link)
Do you do any monitoring? If your password were to be compromised, would you know?

[identity profile] miz-hatbox.livejournal.com 2012-05-14 04:43 am (UTC)(link)
Oh, we just check the logs. That's about it.

[identity profile] goldsquare.livejournal.com 2012-05-13 09:19 pm (UTC)(link)
We have a Sonicwall firewall, and review the logs on a regular basis. It also provides excellent wireless connectivity for us.
cellio: (avatar)

[personal profile] cellio 2012-05-13 11:14 pm (UTC)(link)
Thanks!

[identity profile] brokengoose.livejournal.com 2012-05-13 10:12 pm (UTC)(link)
WPA2 is an essential minimum. WEP can be cracked in minutes.

Once you've done that, I'm a big fan of ridiculously long passwords. This site (https://www.grc.com/passwords.htm) is a decent place to start.

Reason: every wireless device that we have saves the password. So, you only have to enter it once. Yes, you have to write it down and you need to pay attention to ambiguous characters (zero versus capital-o, 1 versus lowercase L, etc.), but it's not going to be showing up in anybody's rainbow tables (http://www.renderlab.net/projects/WPA-tables/).

A lot of routers, even cheapie models where you wouldn't expect it, can be configured to use SNMP and/or syslog. If you have a computer in your house that's usually on, you can probably find a syslog implementation for it.

Logs are fantastic, but so long as your network isn't named Linksys, Netgear, or default and you have a good password, the bored crackers will find an easier target elsewhere.

[identity profile] http://users.livejournal.com/merle_/ 2012-05-13 10:44 pm (UTC)(link)
This. Although whenever my Roku decides it can't see the network I have to re-enter a ridiculously long password using a UI designed in 1950.

I also don't use DHCP and bind my router to the MAC addresses, then the devices to particular internal IP addresses. On a subnet that is not a standard one. Really, when (example IP range) are you going to go to 1.1.1.[17-32]?
cellio: (avatar)

Roku

[personal profile] cellio 2012-05-13 11:21 pm (UTC)(link)
Yeah, whoever thought to lay their "keyboard" out alphabetically should be sent back to HCI 101.

I've tried restricting by MAC address in the past and it was a big pain -- aided, I'm sure, by my difficulty in reading the things on some devices. But that might be worth looking at again; we don't get guests who need our wireless that often. (These days most people carry internet access in their pockets, after all.)

[identity profile] http://users.livejournal.com/merle_/ 2012-05-14 11:49 am (UTC)(link)
The MAC filtering is an enormous pain. But with the rate of new devices being under two per year (for me) it is bearable (especially now that many things have a label with the MAC). Not that it is perfect, as someone with the right hardware can spoof their MAC and if they catch you during an outage get onto your network, but whether this is a problem greater than a mere loss of bandwidth depends on other measures, like not sharing drives without an additional password layer.
cellio: (avatar)

[personal profile] cellio 2012-05-13 11:19 pm (UTC)(link)
Thanks for all the good info. Yes, we're using WPA2 and we renamed the network. (I considered naming it something like "NSA Observatory" but didn't.)

That's a good point about only having to enter the passwords once per device. Even on the terrible Roku interface ([livejournal.com profile] merle_ is right about that) that's manageable.

Do you happen to have a recommended syslog application for OS X? (Asking only because I know you're a Mac user; if not that's what Google is for.)

[identity profile] brokengoose.livejournal.com 2012-05-13 11:54 pm (UTC)(link)
OS X has a built-in version of syslogd, though like most modern unixes, it doesn't accept remote logging by default. There are a few web pages out there that seem to describe the process. This one looks like what I remember doing:

http://meinit.nl/enable-apple-mac-os-x-machine-syslog-server

[identity profile] yuggazogy.livejournal.com 2012-05-13 10:40 pm (UTC)(link)
Replace the router with one you own that has the features you want; only the modem portion from the ISP is needed. Chances are Verizon sent you a combo modem/router unit, so you essentially would have to disable wireless and DHCP functionality on their combo unit's router settings to use your own.
cellio: (avatar)

[personal profile] cellio 2012-05-13 11:23 pm (UTC)(link)
Oh good point; I thought I was stuck because I need their modem, but there's no reason I can't separate the functions again. Thanks!
dsrtao: dsr as a LEGO minifig (Default)

[personal profile] dsrtao 2012-05-14 02:50 am (UTC)(link)
Wide open wireless network, connected with a not off-the-shelf firewall to the hardened machines within.
cellio: (avatar)

[personal profile] cellio 2012-05-14 03:00 am (UTC)(link)
Huh, interesting. You're not worried about somebody using your service to, say, surf child porn?

(I'm not worried about the machines on my network; those are reasonably hardened. It's the wireless itself -- or, more specifically, the data trail that could be subpoenaed from my ISP -- that I worry about.)
dsrtao: dsr as a LEGO minifig (Default)

[personal profile] dsrtao 2012-05-14 03:16 am (UTC)(link)
No. First, it's incredibly uncommon. Second, it would look fairly suspicious for anyone to park in my driveway or on the busy street in front of the house for long periods of time.

Third: AFAICT, most such criminals are caught because they are (a) reported by someone with access to their computer/s, (b) caught in a sting, or (c) involved in production. It's not random sampling of ISP traffic.

And all my porn prefences are strictly over 18, so I have no personal fear.
goljerp: Photo of the moon Callisto (Default)

[personal profile] goljerp 2012-05-14 12:08 pm (UTC)(link)
Does anyone know if the "my wireless is wide open, it wasn't me doing ZZZZ on my IP address" defense has been used successfully?

(I know, I could probably just search Slashdot's archives... but my wireless does have a password.)
Flat | Top-Level Comments Only