Router Hardware firewall

Hi,

I would like some comments on my router setup.

Security settings
- enable DoS attacks protection and ARP checking
- changed passwords of admin and users of the Firewall console
- disabled remote administration
- assigned a PIN code to add wireless clients to the network
- EDIT: turned off UpnP
- disabled WAN-ping respond
- enabled WAN-partitioning (I do not want my Son's gaming box to access our home and two business PC's)
- Changed the default IP address of my routers make (D-link) to access the Router's console
- Changed name of the network
- Enabled advanced wireless protection (need to restrict protocols to 802.11g and n)
- WPA2 access protocol with AES encryptie and password
- Enabled Mac address control
- Enabled DHCP reservation (so the clients can use DHCP, but get the same IP address needed for access control to work)
- Added access control filters on IP address
a) known PC's to log only without filtering on IP/Ports or web content
b) all other Machines to block any IP address and any Port
- Added an inbound filter (from WAN side) denying our own IP addresses (under normal operation they should access the router from the LAN side),


Quality settings
- enabled QoS
- enabled WISH
- set coms to only operate with 802.11g
- WMM enable
- disabled multi cast streams
- disabled short GI


We don't use a shared printer or files. So we need not communicate with each other (via our PC's that is ). [WAN partitioning reason]

I do not have a static ARP rule section. The ARP checking has a default feature to drop communicaton when coming from an illogical direction, so ARP spoofing can only be done from a PC already in the network. so I hope (please give feedback), that with ARP checking, Mac control (on Mac addres) and Access Control (on IP address) plus inbound filter from WAN side on internal IP addresses we have established complete ARP spoofing protection.

With the PIN for hardware and WAP2 password for connection, it would also be hard to break in with a Wifi card in the neigbourhoud. The only security option I did not choose to enable was making the network invisible.

Regards Kees, feedback/sugestions appreciated

 

Hi,
I think your setup is quite reasonable.
Even 'too' reasonable
Mrk

 

Thx,

I became curious due to the (now closed thread) on ARP spoofing protection.

My router only has a user friendly option (set on or off) ARP checking, with this it checks the ARP cache, but some members claim that those user friendly options do not provide enough security.

Regards

 

The only thing you didn't mention was UPnP. I've read that it should be turned off since it can be exploited. Just Google "turn off UPnP" for more information.

 

Victek,

Thanks done now. I really like routers with build in FW, because they are so simple to configure. From a security perspective a properly configured hardware FW also takes care that the network stack of your PC is also cleaned from most garbage.

Regards Kees

 

What router firewall are you using?

 

You don't mention the complexity of the password... so far only short simple password (less than 25 characters) have been cracked on WPA2 using brute force (dictionary attack).

So, it is usually suggested you have long (more than 25) random generated password.

Cheers,
Fax

 

Good tip, but what about this seamingly random password

It are three dates which I should not forget in relation to my wife. One of which is not known to the public, One is maybe known by a few friends of hers, one can be traced using public archives. All are not in Julian date format.

Next the alfa character string is converted to ASCII binaries.

Then a binary shift one and result is converted back to EBCDIC two hex code

Is over 25 characters, e.g.

C8C1E5C56086A495 etc

 

I'll 2nd that......

 

This may be firvoulous but did you change the default SSID ? since you have not made the network invisible.

Some other tips, for the more secure paranoist (like me) is to change the default IP of the router (usually 192.168.1.1) to something else in the public subnet and also change default password of router to a secure password.

All this makes it harder for someone to find your router make/model. And then use any exploits that may be available for them.

 

Sounds good and safe to me!

Cheers,
Fax

 

Yes, you are right. I have come across this potential UPnP issue before. Mine is turned off too.

 

Yes changed the name/SSID, others done as listed, so yes also

 

--
I too most humbly request Kees1958 to hint at what brand / range of routers he may be using, as I look for top quality router(with firewall) supporting ADSL2+ for 4 users. Presently use Billion 7300GA which quite slow.

If Kees1958 prefers not to disclose, I do understand, then hope others may suggest suitable brands.

Thanks in advance.
SKA

 

For ADSL2+ router, its best to ask your ISP, since there must not be compatibility issues. The ADSL CPE and ISP DSLAM must have same DSL chipset for compatibility.

For ex: Netopia (Motorola) have IKANOS chipset. So your ISP must also use IKANOS chipset based equipment, for them to work in-conjuction.

So in my option, use the ADSL CPE that the ISP offers. But connect a home/wireless router of your choice.

 

SKA,

VIJAYIND's remark is true, my ISP supports three main brands (netgear, D-link, Sitecom). I asked our IT operations manager and he said to look for a router wich has known decent QoS (Quality of Service) features, some user friendly intrusion features (like deny Wan side Ping, DoS attacks, ARP spoofing), a minimal SPI capacity on package header level (DPI is better), and advertised specific features important for our usage. Then visit websites (with simular usage specifics) to get feedback on the effectiveness of these advertised features

Since my son is a gamer and I do not want him to drag all bandwith away (currently 8 Gbit [edit] Mbit connection) I choose (at that time) a few former top-models now overrun by newer models. Backround info on this long list was provided by user feedback given on gamer's web sites. Next I tried to find the user manuals and checked the downloaded PDF's on ease of use and providing background info to understand the options. D-link also provided a D-link wireless information % security guide (even in Dutch), so therefore I had two D-link models in my shortlist.

Through this selection process I had a few options left (3 or 4), then a web site wanted to get rid of its stock of former top models and I purchased a D-Link DIR635 for a reasonable price (at that time).

Hope this helps.

 

Thanks Kees1958 , vijayind

I have dumped the simple ADSL modem given by the ISP and use a combined ADSL-modem-cum-router instead.

Will check out similar from D-Link , Linksys , Netgear - thanks !

SKA

 

8 gig connection..holy smokes!

 

Eh not 8 Gigabit but 8 Megabit

I now also did HIDE the SSID from publishing