Router Hardware firewall

Discussion in 'other firewalls' started by Kees1958, Jul 26, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I would like some comments on my router setup.

    Security settings
    - enable DoS attacks protection and ARP checking
    - changed passwords of admin and users of the Firewall console
    - disabled remote administration
    - assigned a PIN code to add wireless clients to the network
    - EDIT: turned off UpnP
    - disabled WAN-ping respond
    - enabled WAN-partitioning (I do not want my son's gaming box to access our home and two business PCs)
    - Changed the default IP address of my router's make (D-Link) to access the router's console
    - Changed name of the network
    - Enabled advanced wireless protection (need to restrict protocols to 802.11g and n)
    - WPA2 access protocol with AES encryption and password
    - Enabled MAC address control
    - Enabled DHCP reservation (so the clients can use DHCP, but get the same IP address needed for access control to work)
    - Added access control filters on IP address
      a) known PCs to log only without filtering on IP/ports or web content
      b) all other machines to block any IP address and any port
    - Added an inbound filter (from WAN side) denying our own IP addresses (under normal operation they should access the router from the LAN side).


    Quality settings
    - enabled QoS
    - enabled WISH
    - set coms to only operate with 802.11g
    - WMM enable
    - disabled multi cast streams
    - disabled short GI


    We don't use a shared printer or files. So we need not communicate with each other (via our PCs that is :D ). [WAN partitioning reason]

    I do not have a static ARP rule section. The ARP checking has a default feature to drop communication when coming from an illogical direction, so ARP spoofing can only be done from a PC already in the network. So I hope (please give feedback) that with ARP checking, MAC control (on MAC address) and access control (on IP address) plus inbound filter from WAN side on internal IP addresses we have established complete ARP spoofing protection.

    With the PIN for hardware and WPA2 password for connection, it would also be hard to break in with a Wifi card in the neighbourhood. The only security option I did not choose to enable was making the network invisible.

    Regards Kees, feedback/suggestions appreciated :thumb:
     
    Last edited: Jul 27, 2008
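The post above relies on DHCP reservations, MAC control and "ARP checking" to keep one machine from claiming another machine's address, but the router has no static ARP table to check against. The script below is an added example (not from the thread or from any poster, and not how a D-Link router implements its ARP checking): it treats the DHCP reservation table as the expected IP-to-MAC binding and flags observed ARP entries that contradict it, which is the kind of check a static ARP section would perform. All MAC/IP values, the reservation table and the ARP table text are constructed for the example; the parser assumes simple "IP MAC" lines.

```python
"""Added example: check observed ARP entries against DHCP reservations.

Not the router's own logic; a generic consistency check that a defender
can run on any host's ARP table to spot address claims that do not match
the reservations configured on the router.
"""

# Constructed sample DHCP reservations (hypothetical MAC -> IP values).
RESERVATIONS = {
    "00:11:22:33:44:01": "192.168.100.10",  # home PC
    "00:11:22:33:44:02": "192.168.100.11",  # business PC 1
    "00:11:22:33:44:03": "192.168.100.12",  # business PC 2
    "00:11:22:33:44:04": "192.168.100.50",  # gaming box (partitioned)
}
ROUTER_IP = "192.168.100.1"           # non-default LAN address, as in the post
ROUTER_MAC = "00:11:22:33:44:00"      # constructed

# Constructed ARP table in a simplified "IP MAC" line format.
# The third line is the scenario of interest: the gaming box's MAC answers
# for a business PC's reserved IP; the fifth line is an unknown host.
SAMPLE_ARP_TABLE = """
192.168.100.1  00:11:22:33:44:00
192.168.100.10 00:11:22:33:44:01
192.168.100.11 00:11:22:33:44:04
192.168.100.50 00:11:22:33:44:04
192.168.100.99 aa:bb:cc:dd:ee:ff
"""


def parse_arp_table(text):
    """Return a list of (ip, mac) pairs from 'IP MAC' lines (constructed format)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((parts[0], parts[1].lower()))
    return entries


def check_arp_entries(entries, reservations, router_ip, router_mac):
    """Classify each ARP entry against the reservation table.

    Returns a list of (verdict, ip, mac, reason) tuples where verdict is
    'log'   - IP and MAC match a reservation (the post's 'log only' rule),
    'block' - IP is not reserved at all (the post's 'block everything else' rule),
    'alert' - the IP is reserved but a different MAC claims it, or one MAC
              claims several IPs; both are the pattern ARP spoofing produces.
    """
    findings = []
    expected_mac_for_ip = {ip: mac for mac, ip in reservations.items()}
    expected_mac_for_ip[router_ip] = router_mac
    ips_claimed_by_mac = {}

    for ip, mac in entries:
        expected = expected_mac_for_ip.get(ip)
        if expected is None:
            findings.append(("block", ip, mac, "IP not reserved; access control denies unknown hosts"))
        elif mac != expected:
            findings.append(("alert", ip, mac, f"MAC differs from reservation {expected}; possible ARP spoofing"))
        else:
            findings.append(("log", ip, mac, "matches reservation"))
        ips_claimed_by_mac.setdefault(mac, set()).add(ip)

    # A single interface legitimately owns one reserved address; several is suspicious.
    for mac, ips in ips_claimed_by_mac.items():
        if len(ips) > 1:
            findings.append(("alert", ",".join(sorted(ips)), mac, "one MAC claims several IPs"))
    return findings


def run_sample():
    """Run the check over the constructed table and return the findings."""
    return check_arp_entries(parse_arp_table(SAMPLE_ARP_TABLE), RESERVATIONS, ROUTER_IP, ROUTER_MAC)


if __name__ == "__main__":
    for verdict, ip, mac, reason in run_sample():
        print(f"{verdict:5s} {ip:30s} {mac}  {reason}")
```

On the constructed table this yields three `log` lines, one `block` for the unreserved host, and two `alert` lines: the business PC's IP answered by the gaming box's MAC, and that MAC claiming two addresses. MAC control alone would not raise either alert, since the MAC itself is on the allowed list; it is the binding between reserved IP and MAC that has to be checked.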
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hi,
    I think your setup is quite reasonable.
    Even 'too' reasonable :)
    Mrk
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thx,

    I became curious due to the (now closed) thread on ARP spoofing protection.

    My router only has a user-friendly option (set on or off) for ARP checking; with this it checks the ARP cache, but some members claim that those user-friendly options do not provide enough security.

    Regards
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    The only thing you didn't mention was UPnP. I've read that it should be turned off since it can be exploited. Just Google "turn off UPnP" for more information.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Victek,

    Thanks, done now. I really like routers with a built-in FW, because they are so simple to configure. From a security perspective a properly configured hardware FW also takes care that the network stack of your PC is cleaned from most garbage.

    Regards Kees
     
    Last edited: Jul 27, 2008
  6. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    What router firewall are you using?
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    You don't mention the complexity of the password... so far only short, simple passwords (fewer than 25 characters) have been cracked on WPA2 using brute force (dictionary attack).

    So, it is usually suggested you have a long (more than 25 characters), randomly generated password.

    Cheers,
    Fax
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Good tip, but what about this seemingly random password?

    It is three dates which I should not forget in relation to my wife. One of which is not known to the public, one is maybe known by a few friends of hers, one can be traced using public archives. All are not in Julian date format.

    Next the alpha character string is converted to ASCII binaries.

    Then a binary shift of one, and the result is converted back to EBCDIC two-digit hex code.

    It is over 25 characters, e.g.

    C8C1E5C56086A495 etc

    :)
     
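The post above describes a passphrase derived from three dates by a fixed transformation, and the earlier reply recommends 25 or more random characters. The script below is an added example (not from the thread or from any poster): it reconstructs a scheme of that shape under stated assumptions (dates written as ddmmyyyy, the "binary shift" taken as adding one to each byte so that it stays invertible, and EBCDIC code page 037 for the hex rendering, which does produce `C8 C1 E5 C5`-style codes) and then compares the guessing entropy of the underlying dates with that of a random passphrase. The point it demonstrates is general: a keyless, invertible encoding maps each input to exactly one output, so the number of passphrases an attacker would have to try is bounded by the number of possible inputs, however long the output looks.

```python
"""Added example: guessing entropy of a date-derived passphrase.

Assumptions (not from the thread): date format ddmmyyyy, the 'shift' is
+1 per byte, EBCDIC is code page 037.  Uses only the standard library.
"""
import math
from datetime import date

DATE_FMT = "%d%m%Y"                 # assumption: day, month, four-digit year
PRINTABLE_ASCII = 94                # printable ASCII symbols excluding space
HEX_SYMBOLS = 16


def derive_from_dates(dates, fmt=DATE_FMT):
    """Hypothetical reconstruction: dates -> text -> +1 per byte -> EBCDIC hex."""
    text = "".join(d.strftime(fmt) for d in dates)
    shifted = bytes((b + 1) & 0xFF for b in text.encode("ascii"))  # assumption: shift == +1
    ebcdic = shifted.decode("latin-1").encode("cp037")             # re-encode each char in EBCDIC
    return ebcdic.hex().upper()


def invert_derivation(hex_password):
    """Undo derive_from_dates; succeeding shows the transform is a bijection."""
    ebcdic = bytes.fromhex(hex_password)
    shifted = ebcdic.decode("cp037").encode("latin-1")
    return bytes((b - 1) & 0xFF for b in shifted).decode("ascii")


def bits_for_date_choices(years_span, n_dates):
    """Entropy if each date is any day within years_span, chosen independently.

    This is an upper bound: dates tied to a known person cluster far more
    tightly than 'any day in a century', and a publicly traceable date
    contributes nothing.
    """
    days = years_span * 365.25
    return n_dates * math.log2(days)


def bits_for_random(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def apparent_bits(password):
    """What the output *looks* like if judged by length and alphabet alone."""
    return len(password) * math.log2(HEX_SYMBOLS)


def compare(dates, years_span=100, random_length=25):
    """Return (derived_password, apparent_bits, input_bits, random_bits)."""
    pw = derive_from_dates(dates)
    return pw, apparent_bits(pw), bits_for_date_choices(years_span, len(dates)), bits_for_random(random_length)


if __name__ == "__main__":
    # Constructed sample dates; the thread gives none.
    sample = [date(1970, 1, 2), date(1985, 6, 15), date(2000, 12, 31)]
    pw, apparent, input_bits, random_bits = compare(sample)
    print(f"derived ({len(pw)} hex chars): {pw}")
    print(f"looks like            : {apparent:6.1f} bits")
    print(f"actual input space    : {input_bits:6.1f} bits (upper bound, 3 dates in 100 years)")
    print(f"25 random chars       : {random_bits:6.1f} bits")
    assert invert_derivation(pw) == "".join(d.strftime(DATE_FMT) for d in sample)
```

For three dates the output is 48 hex characters, which by length alone would suggest 192 bits, while the space of possible inputs is at most about 45 bits (and considerably less once one date is public and the others are tied to a person); a 25-character random passphrase is in the region of 164 bits. Against WPA2-PSK, where the cost of an offline guess is fixed by the key derivation, it is the size of that input space that matters, so the length advice in the earlier reply holds only when the characters are actually random.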
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I'll 2nd that...... ;)
     
  10. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    This may be frivolous, but did you change the default SSID? Since you have not made the network invisible.

    Some other tips, for the more secure paranoid (like me), are to change the default IP of the router (usually 192.168.1.1) to something else in the public subnet and also change the default password of the router to a secure password.

    All this makes it harder for someone to find your router make/model. And then use any exploits that may be available for them.
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    Sounds good and safe to me! :)

    Cheers,
    Fax
     
  12. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Yes, you are right. I have come across this potential UPnP issue before. Mine is turned off too.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes, changed the name/SSID; others done as listed, so yes also.
     
  14. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    154
    I too most humbly request Kees1958 to hint at what brand / range of routers he may be using, as I look for a top quality router (with firewall) supporting ADSL2+ for 4 users. Presently I use a Billion 7300GA which is quite slow.

    If Kees1958 prefers not to disclose, I do understand, then hope others may suggest suitable brands.

    Thanks in advance.
    SKA
     
  15. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    For an ADSL2+ router, it's best to ask your ISP, since there must not be compatibility issues. The ADSL CPE and ISP DSLAM must have the same DSL chipset for compatibility.

    For example: Netopia (Motorola) have an IKANOS chipset. So your ISP must also use IKANOS chipset based equipment for them to work in conjunction.

    So in my opinion, use the ADSL CPE that the ISP offers. But connect a home/wireless router of your choice.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    SKA,

    VIJAYIND's remark is true; my ISP supports three main brands (Netgear, D-Link, Sitecom). I asked our IT operations manager and he said to look for a router which has known decent QoS (Quality of Service) features, some user-friendly intrusion features (like deny WAN side ping, DoS attacks, ARP spoofing), a minimal SPI capacity on packet header level (DPI is better), and advertised specific features important for our usage. Then visit websites (with similar usage specifics) to get feedback on the effectiveness of these advertised features.

    Since my son is a gamer and I do not want him to drag all bandwidth away (currently 8 Gbit [edit] Mbit connection) I chose (at that time) a few former top models now overrun by newer models. Background info on this long list was provided by user feedback given on gamers' web sites. Next I tried to find the user manuals and checked the downloaded PDFs on ease of use and providing background info to understand the options. D-Link also provided a D-Link wireless information & security guide (even in Dutch), so therefore I had two D-Link models in my shortlist.

    Through this selection process I had a few options left (3 or 4), then a web site wanted to get rid of its stock of former top models and I purchased a D-Link DIR635 for a reasonable price (at that time).

    Hope this helps.
     
    Last edited: Aug 27, 2008
  17. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    154
    Thanks Kees1958 , vijayind

    I have dumped the simple ADSL modem given by the ISP and use a combined ADSL-modem-cum-router instead.

    Will check out similar from D-Link , Linksys , Netgear - thanks !

    SKA
     
  18. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    8 gig connection..holy smokes! :eek:
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    :oops: :oops: :oops: Eh not 8 Gigabit but 8 Megabit :oops: :oops: :oops:

    I now also did HIDE the SSID from publishing
     
    Last edited: Aug 28, 2008