Your thoughts on my network security.

Hi all,

Right, I have been reading up on WAN/LAN security and have set up what I think is a secure environment and would like your opinions.

First I have a router connected to my cable modem, which is connected to a second wireless router. I use one of the LAN ports on the second router for my Internet connection with a software firewall on my PC. The wireless part of the second router has a 63 character, ASCII, numbers random key using WPA TKIP (PSK) for my laptop. Also when I'm doing online banking I use VPN to connect to my bank's site and they use SSL also.

For spyware, adware, malware and viruses I use Spybot, Ad-Aware and AVG pro edition.

Am I secure enough?

Jimmy White


Can you use WPA2 or at least change TKIP to AES?

63 characters is max. Maybe somebody will hope that the max key is used (exactly what paranoid inexperienced people do) so he might bruteforce only 63 character keys. Change the length to, for example, 55, 57, 52 etc. If you used the key offered by Windows, there are no symbols or capital letters; you should change that. So somebody will have to bruteforce a higher range (that will take too much time). If you are a home user, probably no one will spend too much time on you.
alf

Did you change the default subnet on the first NAT Router?

Did you change the default subnet on the Wireless Router?

Did you change the SSID, Disable broadcasting of the SSID, change the default channel?

Did you enter a strong admin password for both routers?

What PFW solution are you using and do you check the rules frequently to make sure that nothing has been created without your permission?

WPA is old and weak, you should be using WPA.

What bank allows users to VPN into it? SSL should be enough without the VPN.

Only if you don't do questionable things.

Are you running as a local admin?

Are you visiting questionable sites?

Do you allow anyone else to use the same computer?

Do you block all attachments in email?

Do you ban the use of IM type applications?

Do you ban the use of P2P Applications?

And the list could go on for pages...

Leythos

That's worthless as the Bank site must have a valid VPN end point. In order for there to be a valid VPN connection, there must be two valid VPN end points. One VPN end point is on your side and the other one is on the bank's side. The bank side doesn't have VPN for a customer contact with its network or Website. What the bank has is HTTPS on their side and your browser goes into an HTTPS session with their Web site and your browser.

Other than AVG, the anti virus, the rest of the stuff is snake-oil running on the machine that can be circumvented and defeated, easily, even the personal FW. Anything that's running with the O/S can be fooled, circumvented, attacked and defeated.

As long as you have wireless in the mix, you're never going to be secure enough as a wireless hacker, with any expertise, can hack the wireless side of your network and join it with them being all over the top of your machines wired or wireless.

As long as you are depending upon snake-oil solutions to protect the machine, then you're never going to be secure enough.

Where you need to start is with the O/S, secure the O/S as much as possible to attack.

You should practice safehex as much as possible.

You should use other tools to help you in the detection and look around on the machine with the tools from time to time, instead of depending upon the snake-oil 100%, everything is okey dokey.

If the router can broadcast the syslog, then use something like Wallwatcher or something similar, to watch the traffic to and from the network, instead of flying blind.


Dr. Abraham van Helsing

Yes

Yes

Yes, disabled.

Yes, very strong

Kerio personal firewall

Ok, I VPN to an anonymous proxy, which then allows me onto the net, this hides what I'm doing to my ISP, BUT I'm not doing anything but surf and online banking, I just don't like people watching what I'm doing. I know the connection from the anonymous proxy to my Bank is open until the SSL link is made, but that's ok.

No

No

No

No

No

No

Jimmy White


Good.

Good

Good.

Good.

Can be good - I've used it and Tiny and never had a compromised system.

I don't like anon proxy services, you never really know what the owner of the proxy is capturing or what they have set up to monitor - and law enforcement can force them to provide records/logs.

Unless you're doing something unethical you don't need one.

Good.

Good.

Good.

You might want to get your email filtered or scanned for malware BEFORE it reaches your system. We block all attachments that could contain malware.

IM apps are the most common infection method I've seen (other than email and bad websites) in years - in fact, since most people have a buddy list they tend to over-trust links sent by friends - and that gets them compromised.

Many P2P apps and files downloaded contain malware, we ban/block their use/installation on all computers.

Leythos

secure for what? for the NSA to break in? for the BFSA (Burkina Faso Security Agency) to break in? for your neighbor to use your wireless access? for you using the computers for MSN chat? for your 4-year-old daughter to get out on the net?

Osiris

Now installed K9 and removed attachments in OE

Removed from PC

Now blocked and removed as I don't use them.

Jimmy White


Where are you secure? You open remote security holes and privilege escalation with a "software firewall" which most likely is none, you mess up your computer with Spybot S&D and Ad-Aware, and you obviously don't have any real security concept against malicious code.

Nor did you understand key management in WPA. Or the problems with SSL CAs.

Sebastian Gottschalk

Well, from what I've read about internet and home network security (over 200 documents), also from the advice of 2 internet security experts, one works for Telewest broadband and the other sets up bank security, both have said that my connection is unhackable from the internet side, and as I'm using a completely random 63 character password WPA-PSK (example key: C>KgRiKC_1ftZ:_]\\!1T6`Q]>OX,3|92P.AdCXiZFy!c%bn4mR?SC i3W-BeLOq) means that my wireless setup is also uncrackable, as it would take someone sniffing your connection years to even get near that type of password. Also listened to Security Now, in which he also confirms that a password like the above is currently uncrackable.

However I know that it's still easy to get viruses, spyware, adware etc. by simply surfing the net, I reduce this by not using Internet Explorer, I also disable JAVA script on all but sites I believe to be safe.

In regards to Spybot, Ad-Aware, they are recommended by 100s of sites to help find and remove problems with spyware etc. and with my anti virus I am well covered.

In regards to SSL CAs, I've not really read enough about this concept so I won't comment until I've read up on the subject ;)

Jimmy White


Jimmy White wrote:
> a completely random 63 character password WPA-PSK (example key:

This is a sample of a good key. But note that there are other ways to hack you.

You are never uncrackable.

alf
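The key-length question in the posts above, as an added example that is not part of the thread: WPA/WPA2-Personal maps an 8-63 character passphrase to a 256-bit key with PBKDF2-HMAC-SHA1 (SSID as salt, 4096 iterations), so a random passphrase stops gaining strength once its entropy reaches 256 bits. The function names are illustrative, and the passphrase and SSID values are constructed test inputs.

```python
import hashlib
import math
import string

PMK_BITS = 256  # WPA/WPA2-Personal pairwise master key size


def wpa_pmk(secret: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a passphrase, or for a key given as 64 hex digits."""
    if len(secret) == 64 and all(c in string.hexdigits for c in secret):
        return bytes.fromhex(secret)  # raw key: used directly, no hashing
    if not 8 <= len(secret) <= 63 or any(not 32 <= ord(c) <= 126 for c in secret):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    # IEEE 802.11i passphrase mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds
    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"),
                               ssid.encode("utf-8"), 4096, PMK_BITS // 8)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def effective_bits(length: int, alphabet_size: int) -> float:
    """Strength of the resulting key: never more than the PMK itself."""
    return min(entropy_bits(length, alphabet_size), PMK_BITS)


def min_length_for_full_strength(alphabet_size: int) -> int:
    """Shortest random passphrase whose entropy reaches the PMK size."""
    return math.ceil(PMK_BITS / math.log2(alphabet_size))


if __name__ == "__main__":
    # Constructed inputs: a weak passphrase and two sample SSIDs
    print(wpa_pmk("password", "IEEE").hex())
    for name, size in (("hex digits", 16), ("a-z0-9", 36), ("printable ASCII", 95)):
        print(f"{name:16} 63 chars = {entropy_bits(63, size):6.1f} bits, "
              f"full strength from {min_length_for_full_strength(size)} chars")
    # The SSID is the salt, so the same passphrase gives a different key per network
    print(wpa_pmk("password", "IEEE") != wpa_pmk("password", "HomeNet"))
```

With 95 printable characters, a random passphrase of 39 characters or more already carries at least 256 bits, so 55 and 63 random characters yield keys of the same effective strength.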

Your choice of those programs is fine - Sebastian is one of several in this group that will always tell anyone that their system is not good enough, that their choice is always wrong, that unless he's set it up that it's not secure, but he's never been outside his little fantasy world where people have to protect their systems in the wild.

WEP is the last choice, you should be using WPA-PSK or some other WPA version.

If you want to see him run and hide (Sebastian) present him with a detailed list of your machine setup and then ask him for detailed instructions on what to change while still allowing you to do what you need to do.

Leythos

You should point a finger at them and laugh.

Never questioned that, except that you obviously don't understand the key management. WPAv2 uses AES256, thus a 256 bit key, which is normally entered as 64 hexbytes. An alternative approach is to derive it from a pass phrase via hashing, whereas only the input entropy and not the actual length matters. As well this method is not standardized and one passphrase won't likely work on another computer - that's why one does not do this nonsense, and rather enters the key directly as described above.

password like the

Which means exactly nothing, since neither password verification works (hint: how is entropy defined?) nor grc.com would be respectable in any way (for a quick overview see ).

Well, that's a preliminary.

Please stop twisting Java and JavaScript.

Actually just the claim of removal makes them totally unserious. At any rate, why don't you read a nice article about Ad-Aware on , which describes how f***ed up this thing actually is?

And why do you assume that the signature for detection would exist earlier than a fresh-written piece of malware? There is a difference between protection and detection - so please don't claim the latter being the first one.

Very simple: Do you think that VeriSign or any Root-CA would issue a certificate on the Name and Domain of your bank to a malicious guy? No? But they did so, way too often. So, at best, looking at the SSL cert of your bank's website doesn't tell you anything - it could be genuine, or it could be malicious because the signing CA has once again violated its own policies and your trust.

Sebastian Gottschalk

The fact that you have even mentioned that *clown* Gibson says it all.

And about your wireless security and your key, why don't you hop over to alt.internet.wireless where the wireless experts and hackers frequent?

No, you're not, as malware can circumvent and defeat every last bit of it.

Dr. Abraham van Helsing

I checked this site, and I think that, beside this one, you should read something else as well.

For wireless security, this might be a good start.

For network security I believe that you can start from here.

If somebody has better suggestions just shoot, I'm no expert or hacker, only a home user.

alf

Fear has the evolutionary function to keep living entities alive.

So the minute you think you are safe, you become vulnerable.

Osiris

From what I've read and learnt your statement is correct, I'm just trying to make myself and my family safer while online.

I think I've done all I can for a home user account?

Jimmy White


Got a link? I searched through the blogs and forums and found nothing on Adaware.

Kinski

Sebastian Gottschalk

I see there is only one PC in the house. That is neat, for now you can put it in the living room, for all to see the screen. So the kids can't surf to p*rn sites.

rules of thumb:

0: backup, but not too often. You might overwrite a good backup with a bad one.
1: Don't give anyone the admin password or access to the FW settings.
2: trust the kids, but verify.
3: Give em all their own id and password
4: nobody can get anywhere unless you say so. not: they all can go everywhere unless you stop them.
5: no P2P
6: put up something like Netnanny or whatever.
7: have virusscan scan anything that comes in.
8: nobody installs software but you.
9: fear, but don't let it keep you from being happy. there are not VERY many people that are interested in the contents of your HD, unless you work for the CIA.
10: backup.
Osiris
