Nov 19

Routers and DNS and Firewalls! Oh My!

Category: Uncategorized

Back in the day when the internet was safe… who am I kidding? It’s the Internet! Wild animals and bored hackers have been roaming the net since kurt cobain was still alive. Be afraid, be very afraid. So how can we cruise the internet jungle without getting attacked by trojan lions, tiger worms, or malware bears? The honest answer is we can’t, and we are even more vulnerable when we are in charge of the safety of others. Allowing your public (or even private) wifi to be accessed by friends, family, or customers can put your computer and your network at risk of damage, data loss, and even identity theft.┬á Is there a perfect way to secure it? Sure, unplug your computer from the wall, the internet, and turn off then wifi, then stick a big, angry magnet on the hard drive. Granted, this approach will make your computer a great paperweight, but not very operational. Access to the internet comes with many advantages and many pitfalls. The Internet should contain a warning from the Surgeon General. We all want wifi, so what can we do to make is safer for our clients and ourselves?

Encrypt it. Yes I know you have all heard this about a million times, but it is the first and best way to protect your privacy and long term sanity. Wireless antennas broadcast information in a 360 degree pattern from the base station, then means that when your wifi is near your neighbor’s window, he has just as good reception as you do. Encrypt access to your wireless, starting with a MAC block is a start, it would be best to also use WPA2 encryption as it has been proven that WEP encryption takes about 45 seconds to crack if you know the right tools. If you allow customers to acces your wifi, passwords and MAC addition can make using your wifi more trouble than it is worth. For these types of networks, I suggest obtaining a router or AP that offers wireless client isolation, this at least will prevent a wifi user on your network from easily attacking another user. Also, make sure that the business network is separate from the customer wifi, as this could give your customers access to all the business financial documents. When I say seperate, I mean behind a firewall that does not allow any access between the two.

Use a better router. I have found that an old computer with a P3 or comparable processor can be made into a very powerful router. Free software like PfSense, IPCop, or Clarkconnect, are designed to act as a firewall/router/server geared toward the professional or hobbyist that is willing to learn a little about what makes a good service. Computer based routers make things a lot more controllable because you can add software to meet your needs, and offer stateful packet inspection (SPI). Another advantage is the firewall configuration options, I use PfSense and have more options than I can think of using.

Block certain services. One of the more useful services that good routers provide is port blocking, I know that some of the better linksys routers offer the same service, but I have found that if you have more than about 5 people using it at once, it can overwhelm the router and leave it ‘bricked’. I block ports 6667-6999 because these are the standard bittorrent ports, while I have no personal issue with bittorrent, I have a legal problem with getting sued over a customer downloading music illegally. Also, someone using your wifi for bittorrent will end up bogging down your surfing as well as put you at risk. I also block 53 with the exception of the openDNS servers so users can’t easily bypass my content filtering. Which brings up our next subject.

Use a DNS server that offers content filtering. The reason for this is twofold, it provides you with details about what services your users are surfing, which might affect advertising, and it prevents unwanted activity from affecting your network or your users. I use a free service provided by openDNS.com that gives me a choice of 50 different block options and allows me to blacklist or whitelist sites as I see fit. An infected computer behind a firewall makes the firewall pretty much useless as the infected computer is already past the firewall, a malicious program accidentally found on an unsavory website can be the cause, so rather than wait until it is too late, I try to prevent my users from visiting sites that could be a potential risk.

There is no real way to make the internet safe and completely accessible, it is a constant balance between accessibility and security, one that never seems balanced to everyone. As long as the steps you take are reasonable, they are steps that you can defend when you do have a grumpy user, very few of us get it right the first time.

Ta!

Share and Enjoy:
  • Digg
  • Sphinn
  • del.icio.us
  • Facebook
  • Mixx
  • Google Bookmarks
Comments are off for this post

Comments are closed.