Protection within wireless network

Which firewalls offer the best protection within the wireless network, as in from other pcs on the network which might be infected or from hackers who have hacked into the network? Thanks.

Anyone know any other protection I could use in such a situation?

 

Comodo Internet Security Pro has TrustConnect which gives you that protection plus more. It's a free 30 day trial (They won't charge your credit card for 30 days when you sign up), and then you can choose to pay $39 bux a year for that, And the pro package also has more services like Comodo Experts Remote help for malware removal, tuneup, and 24x7 live support.

Others might be aware of a free solution.

 

Both ZA free and Online Armor free have the ability to set IPs\computers as either trusted or not. The manner\naming changes from one to the other but the idea is the same. You can also disable file and printer sharing which is a small but good step in the right direction concerning security on a LAN.

 

3xist, could you explain to me exactly how trust connect works and what kind of protection it offer?

 

I assume that the firewall will then block any and all communications from those computers. What about if someone hacks into the network without my knowledge? What IP address will their computers use? How do I block against this? What if they have their connection setup so I cant see their IP address?

 

With ZA on the Firewall\Zones tab you will see the IP of your wireless NIC. Simply set it to "Internet" as opposed to "Trusted". I do not have as much experience with OA but should be similar.

Be aware that nothing will protect the data, except encryption, once it leaves your PC.

 

Ah I get it, so doing this will protect me from malware from any computer in the network. Will it also protect me from hacking attempts by someone who has infiltrated the home network?

What if the hacker tricks my pc into believing that he is the gateway will he then be able to steal my info? Will he be able to hack into my system? How compromised will I be if the hacker succeeds in tricking my computer into thinking he is the gateway?

Sorry but I am not very educated on this subject and I am hoping you could help me understand exactly how vulnerable I am with and without the network set to internet as opposed to untrusted.

 

http://www.comodo.com/trustconnect/

As you can see there, It's 50 $/year stand a lone with a 7 day trial, But with CIS Pro it's just 39 $ a year.

You can read all about it there.

 

Trying to understand some things better. We are talking about a home\private network not a public\wi-fi hot spot?

You are the owner of the WAP, wireless access point and are in physical control of it?

There is more then one computer you wish to allow to use the WAP but wish to exclude\keep out anyone else in close proximity from accessing your LAN and\or using your band width.

Do you mean trusted? I believe untrusted and internet would give you about the same results as far as protection. I run an older vers. oz ZA free. The options are either Internet or Trusted.

 

It sounds like you're talking about your own wireless network, right? If so, do you have WPA2 encryption set? If you use WPA2 with a strong key it's extremely unlikely that someone will be able to connect to your wireless network. I don't know that WPA2 has ever been successfully cracked in the "lab" using super-computers let alone in the field. Even if it were possible someone would have to be incredibly motivated - are you guarding "state secrets"?

Regarding getting infected by other PC's on your network, do you have file sharing turned OFF? You can also set your LAN as "untrusted" in your firewall settings.

 

Yea Im refering to my own wireless network. I have wpa and I was wondering what other security measures were needed or could strengthen my protection. Thanks for the advice so far guys.

 

Oh and how do I get a strong key?

 

Make one up of your own. Make it 63 characters long mixing numbers with upper and lower case letters. Make sure you write it down just in case you should ever need to reinsert it.
There are some online services that will generate one for you but I will not use them. I believe Roboform can generate one as well, not sure about the free vers.

 

You could harden your Router/SPI FW (hardware) levels 1 to 3A do cost any performance drop, 3B could cost some ping-time loss depending on the quality of your router/hardware FW

Level 1: basic

Enable WPA(2) protection and TKIP/AES encryption using a shared key (longest possible). Enable the FW. Add a password for ADMIN and USERS to connect to router console. Next rename your wireless network name to something private (not the default producer/router model name).

Level 2: advanced

Look for Ddos attack and ARP spoofing/cache protection protection to and enable them, also disable respond to PING from wan side and disable UPnP.

Add a PIN-code needed for adding Wifi and lock Wireless Security these settings

Check whether your router supports hiding the SSID choose yes after you have succesfully installed/checked all wireless stations to work properly.


Level 3: paranoid
A
Make it more difficult for hackers more difficult to guess the IP adrees of your router/SPI FW and use another IP address for your router. This is the IP address you have to type in to access the routers console.

An easy counter measure which does not cost any performance : search for wlan partitioning option in your advanced wireless setup. This means that the router denies access from one PC within the network to another PC within the network. This is the one you are looking for


B
Following four measures shoul be implemented all four, otherwise it has no real use against hack attempts (Mac addresses fi can be spoofed)

(1) Add MAC address filtering, add the macc addresses of each wireless wokstation to this list. This will allow only workstations to connect with these MAC addresses.

(2) Look for DHCP reservation options in your router. With this feature you will have dynamic IP allocation, but within the available list the same IP address will be assigned to a workstation in the network (wireless and wired).


(3) Look whether you have got access control, Add a POLICY RULE for the existing workstations (on IP adddres often) and choose log as only policy. Add a policy (often the option) for ALL OTHERS and block access for these IP addresses.

(4) Last step of this is to go to inbound filtering and DENY access of your own IP addresses from the WAN side (from the public internet side)


Cheers Kees

 

Wow! That's a Bit Strength of 372 according to Roboform - I've rarely seen one that strong recommended, but I'm open, I just would hope not to have to do that one more than a few times in the next 10 years. LOL

 

It is the max supported. Even under a constant brute force attack it is estimated that it would take many years (forget the exact amount) to crack.

I have my key written down as well as copy and pasted into a simple txt file on one of my flash drives. Should I ever need to re-enter it a simple copy and paste does the trick.

 

Yes, I guess Roboform has me spoiled so that sometimes I miss the simple solutions - I have a TrueCrypted key I could put that text file on but can't bring myself to go farther than a 49 bit-strength password for that - nevertheless, keeping the key on my person helps secure it too.

 

Wow thanks for all the info Kees. Anywhere here are some questions I have.

Level 1:

When you say enable the firewall are you refering to the firewall in my router? What if my router doesnt have a hardware firewall? Similarly for adding password for ADMIN and USERS to connect to router console this is to access the router settings and not to connect to the wireless network itself right? In other words this should only be done for computers actually able to access the settings. Or are you refering to connecting to the actual network itself? And should there be two different passwords, one for ADMIN and one for USERS? And should I have different passwords for every machine connecting to the network?

Level 2:

Should these be enabled on the personal firewall or on the router itself? Im assuming this is for the router itself.

PS: Do all routers come with a hardware firewall?

 

Yes, ,most routers are now sold with internal FW which are capable of statefull packet inspection at the header level (abbreviation is SPI, FW which are able to interpreatet the complete packet are called , DPI = Deep Packet Inspection)

Then you can skip the rest of the post

The console is for the settings of the router itself to tune/setup firewall and network settings.

In most casses it is a webbased program which can be accessed by tying your main IP address (often first or last of the assigned IP range) from any PC within the network side. For Home usage I have never understood the use of an Admin and User setting. I guess these low end router/FW's were targetted at small offices in the past. I have assigned two different passwords (just out of habit)

No one password for accessing network id

Depends on your console, you problably will find a 'firewall setting' tab or section in the router management console, some times the router related settings are found under 'network settings' depending on brand of the router.

In the past definitely not. With current price drops, most will have (when they are targetted at home/soho market). But thwy will market when they contain FW functionality also.

 

Mr

Just curious because I was looking this up only this morning. Microsoft seems to say this is actually a bad thing unless maybe I'm not understanding it right.
http://technet.microsoft.com/en-us/library/bb726942.aspx

Thanks,

Chris

 

Re: Mr

This is the reason "it does not substitute for either authentication or encryption" That is why I ranked it level 2, absolutely essential is level 1. With the levels it is intended to build your way up. Leaving a lower level untouched is asking for problems. Hope this explains.

 

you can created within you router configuration and create your secure key of 12 digits,disable file/printer sharing and not allow anybody in your secure network
wpa2 apply to very secure option if you get ask
secure
very secure
not secure
sort of
note:network wireless configuration:find your router and make it there(the secure strong key password)if they want to connect to your they need you strong encripted key(almost imposible)

 

Hi Kees, I cant find any option on my router to enable wlan partitioning is there something else I can do to achieve this?

 

I'm a bit confused on how does this increase security?

Also, what does this do for security?

What about really quick IP scanners which would automate this so they would get the address in less than 1 minute? Is this just more of an annoyance for the person setting up the network having to remember the super secret IP address?

Another question for security, I mean, if the attacker can so easily clone MAC addresses, then isn't it kinda well, not necessary to do all these steps because they will assign the static dhcp based off of MAC addresses, so once cloned, the attacker just applies for a DHCP address and gets one of the allowed ones?

Cheers,

Alphalutra1

 

Ok, I am clearly missing something, nothing new there Surely a bog standard firewall will protect a computer within a network, no? Surely a firewall such as Comodo, or OA simply protects the computer it is installed on from all and any network activity, or when I use a wireless hotspot am I at a lot more risk than I realize?