Linksys router - how to block wired/LAN access

Hi all,

I have a LinkSys WRT54G Wireless-G Broadband Router. I have successfully managed to only allow access to the wireless network for a series of MAC addresses using the Wireless MAC filter.

I can't apply the same rule for wired/LAN access (i.e. PCs plugged directly into the router). Has anyone had any success blocking wired access?

Any help would be appreciated.

Thanks,

Paul

paul.hester

Block them for what reason?

Duane :)

Duane Arnold

I work in a shared office space, so it's to stop people just plugging their PC straight into our router and using our internet connection.

Paul

Duane Arnold wrote:

paul.hester

On 3 Aug 2006 15:13:56 -0700, snipped-for-privacy@gmail.com wrote in :

MAC filtering is essentially *useless* because valid MAC addresses are so easily spoofed. For real security you need to use WPA.

Really controlling wired LAN access takes something like enforced authentication (which could also be used for wireless), but that's non-trivial to set up.

John Navas

Well, someone may have another suggestion for you, but I would disable the DHCP server on the router. I would then assign a static IP on the router to each wireless machine's NIC, which means you'll have to manually assign the IP and configure each NIC to access the WAN/Internet or LAN machines via the router.

You do it manually instead of letting the router's DHCP server issue an IP to a machine, wired or wireless, that has the NIC configured to obtain an IP from the router automatically.

That means anyone with a wired NIC machine wouldn't be able to just plug the machine into the router and gain access to the WAN or LAN, because they would have to configure the NIC to use a static IP on the router.

They wouldn't be able to do it if the computer's NIC was set to obtain a DHCP IP from the router with the DHCP server on the router disabled. The router will not issue the IP(s).

Most are not savvy enough to know how to configure the computer's NIC for static IP usage on the router.

You can disable the router's DHCP server and make the machines use static IP(s).

That's one way.

Duane :)

Duane Arnold

On Fri, 04 Aug 2006 01:44:48 GMT, Duane Arnold wrote in :

But many are, especially those you want to keep out. I personally don't think that provides any meaningful level of security. No offense intended.

John Navas

You do know that it has nothing to do with the wireless side of it. It has to do with someone walking up to that router and plugging in a wired computer right in someone's face.

I think it's an effective measure to prevent that. As for the wireless side of it, anyone can get a DHCP IP or use a static IP on the router. It's not stopping anything, but it will stop the average Joe Blow on the wire.

I'll tell you right now, 90% of the people that post to this NG don't know how to do it. They can barely turn the computer *on*.

I am sorry but I disagree.

Duane :)

Duane Arnold

On Fri, 04 Aug 2006 07:12:52 GMT, Duane Arnold wrote in :

The assumption that wired is more secure than wireless isn't necessarily valid. All too many switches and hubs and cables aren't physically secured. I know of a case where a "foreign" laptop was found in a wiring closet merrily gathering data. Never did find out who did it. I've seen other cases where employees inserted small switches or hubs in accessible cable runs to create more connections that were unknown to computer people. Not to mention rogue wireless access points. Moral: Wired networks also need to be carefully and completely secured. Just using manual IP assignment instead of DHCP provides no real security.

The major worry isn't Joe Blow -- it's those with bad intent and some skill, who won't even be slowed down by manual IP assignment.

The worry isn't those that can't, it's those that can, and if you stop them, then you stop those that can't as well. Going after those that can't still leaves you vulnerable to those that can, which makes no sense, particularly since you'll be making life more difficult for legitimate users.

Security is a balancing act between convenience and robustness. Make the system inconvenient, and people will rebel, sometimes in obvious ways, sometimes in subtle ways, defeating that security (e.g., the PostIt with password stuck to a monitor). Using manual IP assignment for security fails that tradeoff IMHO.

Is that a personal opinion or a professional opinion?

John Navas
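The passive reconnaissance that makes this point concrete, written out as an added example (my code, not anything posted in this thread or shipped by Linksys): ARP requests are broadcast, so every port of a hub or unmanaged switch sees them, and a few seconds of `tcpdump -ni eth0 arp` output is enough to recover the subnet in use, the default gateway (the address everyone keeps resolving) and a free address to configure by hand. The sample lines below are constructed, the addresses are made up, and the prefix the script derives is only a lower bound on the real mask (the real one may be wider, which does not matter for getting on-link with the gateway). ARP replies are unicast, so the single reply shown is what the sniffing host would get by sending one request itself.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format tcpdump prints for ARP; not a real capture.
SAMPLE_ARP = """\
12:00:01.000001 ARP, Request who-has 172.16.88.100 tell 172.16.88.23, length 46
12:00:01.000412 ARP, Reply 172.16.88.100 is-at 00:14:bf:aa:bb:cc, length 28
12:00:02.100000 ARP, Request who-has 172.16.88.100 tell 172.16.88.41, length 46
12:00:03.200000 ARP, Request who-has 172.16.88.41 tell 172.16.88.23, length 46
12:00:04.300000 ARP, Request who-has 172.16.88.100 tell 172.16.90.7, length 46
"""

ARP_REQ = re.compile(r"who-has (\S+) tell (\S+),")
ARP_REP = re.compile(r"Reply (\S+) is-at ([0-9a-f:]{17}),")


def parse_arp(text):
    """Return (addresses seen, Counter of who-has targets, ip->mac) from tcpdump ARP lines."""
    seen, asked_for, ip_to_mac = set(), Counter(), {}
    for line in text.splitlines():
        m = ARP_REQ.search(line)
        if m:
            target, sender = m.groups()
            seen.update((target, sender))
            asked_for[target] += 1      # everyone resolves the gateway, so it is asked for most
            continue
        m = ARP_REP.search(line)
        if m:
            ip, mac = m.groups()
            seen.add(ip)
            ip_to_mac[ip] = mac
    return seen, asked_for, ip_to_mac


def smallest_covering_network(addresses):
    """Smallest IPv4 prefix containing every address seen: a lower bound on the real mask."""
    ints = sorted(int(ipaddress.IPv4Address(a)) for a in addresses)
    lo, hi = ints[0], ints[-1]          # any address between lo and hi shares their common prefix
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    network_int = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network((network_int, prefix))


def recon(text):
    """Derive a usable static configuration from sniffed ARP traffic alone."""
    seen, asked_for, ip_to_mac = parse_arp(text)
    net = smallest_covering_network(seen)
    gateway, _ = asked_for.most_common(1)[0]
    # Lowest host address nobody has used yet; a careful attacker would ARP-probe it first.
    free = next(str(h) for h in net.hosts() if str(h) not in seen)
    return {
        "network": str(net),
        "gateway": gateway,
        "gateway_mac": ip_to_mac.get(gateway),
        "free_ip": free,
    }


if __name__ == "__main__":
    for k, v in recon(SAMPLE_ARP).items():
        print(f"{k:12} {v}")
```

On the constructed sample this yields network 172.16.88.0/22, gateway 172.16.88.100 at 00:14:bf:aa:bb:cc and 172.16.88.1 as a free address, i.e. everything needed to fill in the static IP dialog. Nothing in the "unusual subnet, no DHCP" scheme prevents this; only not being able to see the traffic (a managed switch with port security, or a locked cabinet and locked wall jacks) does.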

Yep, then they'd have to know the subnet range in order to configure their own stuff. Move the router to an address OTHER than x.x.x.1 while you're at it. That way your workstations are on 172.16.88.x/255.255.0.0 with the router on 172.16.88.100 (as an example) as the gateway. And if you're using WPA on the wireless it'd be more work than the casual abuser would be likely to tackle.

Private networks can use more than just the 192.168.x.x/255.255.255.0 subnet. You can use Class A (10.x.x.x/255.0.0.0) and Class B (172.16.x.x/255.255.0.0) ranges. For either of those ranges you replace the 'x' with a number between 0 and 254. It's unlikely someone trying to guess static addresses is going to try non-192.168.x.x ranges. Not impossible, but pretty unlikely for casual users.

So start by moving the router to a different subnet and IP address. Then manually configure the workstations (wired and wireless) to use that new subnet/mask/gateway. Then go back to the router and disable DHCP services. Set up WPA for the wireless. Then just ditch MAC filtering entirely as it's a weak method, at best. Prevent wired connections by just locking it in a box, drawer, cabinet or something else that doesn't also block the signal.

What you might also want to consider is arpwatch. That way you could at least get notified if unexpected MAC addresses start connecting to your devices.

-Bill Kearney

Bill Kearney
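What arpwatch actually does on the wire, as an added example that is neither code from this thread nor arpwatch's own source: a minimal re-implementation of its station table in Python, producing the same three kinds of report arpwatch mails out (new station, changed ethernet address, flip flop). It is run over a constructed sequence of (IP, MAC) observations, invented for the example, in which an unknown laptop plugs in and then claims a legitimate host's address while that host is still up. In a real deployment the observations would come from a sniffer (tcpdump or scapy) rather than a list.

```python
from collections import namedtuple

Observation = namedtuple("Observation", "ip mac")

# Constructed ARP observations in the order a sniffer on the LAN would see them; not real captures.
OBSERVATIONS = [
    Observation("172.16.88.100", "00:14:bf:aa:bb:cc"),   # the router
    Observation("172.16.88.23", "00:0c:29:11:22:33"),    # known workstation
    Observation("172.16.88.41", "00:0c:29:44:55:66"),    # known workstation
    Observation("172.16.88.23", "00:0c:29:11:22:33"),    # repeat, nothing to report
    Observation("172.16.88.77", "00:1b:63:de:ad:01"),    # unknown laptop plugs in
    Observation("172.16.88.41", "00:1b:63:de:ad:01"),    # laptop now answers for .41
    Observation("172.16.88.41", "00:0c:29:44:55:66"),    # the real .41 answers again
]


class ArpWatch:
    """Station table with arpwatch-style reporting."""

    def __init__(self):
        self.ip_to_mac = {}      # current MAC per IP
        self.previous = {}       # MAC each IP had before the current one, for flip-flop detection
        self.known_macs = set()  # every MAC ever seen on the segment

    def observe(self, ip, mac):
        """Record one ARP observation and return the list of reports it triggers."""
        reports = []
        if mac not in self.known_macs:
            reports.append(f"new station {ip} {mac}")
            self.known_macs.add(mac)
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            # Going back to the MAC this IP had before is what arpwatch calls a flip flop;
            # two live hosts fighting over one address produce a stream of these.
            if self.previous.get(ip) == mac:
                reports.append(f"flip flop {ip} {mac} (was {old})")
            else:
                reports.append(f"changed ethernet address {ip} {mac} (was {old})")
            self.previous[ip] = old
        self.ip_to_mac[ip] = mac
        return reports


def run(observations):
    """Feed observations through one station table and collect every report."""
    watch = ArpWatch()
    return [r for o in observations for r in watch.observe(o.ip, o.mac)]


if __name__ == "__main__":
    for line in run(OBSERVATIONS):
        print(line)
```

The sample produces four "new station" lines, then "changed ethernet address" when the laptop takes over 172.16.88.41, then "flip flop" when the real host answers again. That last pair is the signature of the situation Bill describes next (an allowed MAC cloned while the real device is active). What the table cannot see is a clone of both the address and the MAC made while the legitimate host is switched off: no entry changes, so nothing is reported.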

Lock it in a cabinet. Why bother burdening the router with the added tasks of packet filtering? It's not like there's CPU power to spare on residential-grade devices like the WRT54 series.

MAC filtering is a joke, all they need to do is get the address of one of your allowed addresses and use that for their device. If they do this while your device is active you'll have a helluva time trying to figure out what's causing the trouble. Using MAC filtering alone will not stop them. You'd have to go a step further and use some sort of security like RADIUS to add another layer. They'd have to possess both the MAC address AND the username/password used to authenticate the session.

Of course you should be using WPA security for the wireless anyway. That'd make MAC filtering rather pointless too.

I'd start by just putting the router in a locked cabinet or box of some kind. That'd at least stop them from jacking into it directly. But also consider that if they're close enough to the box to jack into it, what's to stop them from using the ethernet jack on the wall? Assuming there is one, of course. They could just plug a hub or switch into that and leech connectivity from there. So make sure there's decent physical security on that too.

-Bill Kearney

Bill Kearney

Whose fault is that? If someone was to be so stupid as to let it happen, there is nothing that can be done about that kind of stupidity.

Not in front of someone who is aware of the situation. The router is right there in the face of the person who, I'll assume, made this post.

In this person's case, I think it is unless the person is blind, can't read the logs and can't see a cable plugged in that was not there before.

The person is walking up to a router in a small LAN situation. Unless this person is James Bond, I wouldn't worry about it too much.

That's the price that will have to be paid, if the OP wants some kind of control of the situation, which I'll assume the OP knows what's on the network for the most part in a small LAN situation.

We're talking a small LAN situation here. If the person cannot stay on top of it, then the company should get someone who can.

The person is not the admin at Rockwell International.

Well, I suggest you provide some type of solution here and put it on the table, because it's better than nothing.

Nothing is 100%. But the solution I have put on the table is better than nothing and the OP is going to have to weigh the pros and cons.

It's his call and it's not yours or mine. That's the bottom line here.

?????

Duane :)

Duane Arnold

On Fri, 04 Aug 2006 15:01:12 GMT, Duane Arnold wrote in :

My solution is to physically secure the network, but assume it _will_ be compromised, and protect clients accordingly, using managed switches rather than cheap hubs, strong authentication, encryption, internal VPN, internal firewalls, active/passive scanning, etc. Small businesses that set up LANs without a proper budget and expert advice are just asking for trouble, like driving without a seatbelt, or even an airbag.

Your solution isn't even close to that, particularly since it does nothing about the more serious threats.

Not much, and much less than is needed IM(ns)HO.

True. Sadly, most business pay way too little attention to security, which is why it's such a serious problem. But good for me, since I get paid to come in and clean up the messes.

John Navas

Why don't you make this post to the other poster in the thread. I think we're on the same page on disabling the DHCP server, issuing static IP(s) and locking the router up in a cabinet. That way James Bond won't walk into the office and plug a cable into it.

Sorry, but I'll have to say this is much ado about *nothing*.

Duane :)

Duane Arnold

On Thu, 03 Aug 2006 23:08:20 GMT Duane Arnold wrote:
| snipped-for-privacy@gmail.com wrote:
|> Hi all,
|>
|> I have a LinkSys WRT54G Wireless-G Broadband Router. I have successfully managed to only allow access to the wireless network for a series of MAC addresses using the Wireless MAC filter.
|>
|> I can't apply the same rule for wired/LAN access (i.e. PCs plugged directly into the router). Has anyone had any success blocking wired access?
|>
|
| Block them for what reason?

How about "company security policy".

phil-news-nospam

On Fri, 04 Aug 2006 02:09:50 GMT John Navas wrote:
| On Fri, 04 Aug 2006 01:44:48 GMT, Duane Arnold wrote in :
|
|> snipped-for-privacy@gmail.com wrote:
|>> I work in a shared office space, so it's to stop people just plugging their PC straight into our router and using our internet connection.
|>
|> Well, someone may have another suggestion for you, but I would disable the DHCP server on the router. I would then assign a static IP on the router to each wireless machine's NIC, which means you'll have to manually assign the IP and configure each NIC to access the WAN/Internet or LAN machines via the router.
|>
|> You do it manually instead of letting the router's DHCP server issue an IP to a machine, wired or wireless, that has the NIC configured to obtain an IP from the router automatically.
|>
|> That means anyone with a wired NIC machine wouldn't be able to just plug the machine into the router and gain access to the WAN or LAN, because they would have to configure the NIC to use a static IP on the router.
|>
|> They wouldn't be able to do it if the computer's NIC was set to obtain a DHCP IP from the router with the DHCP server on the router disabled. The router will not issue the IP(s).
|>
|> Most are not savvy enough to know how to configure the computer's NIC for static IP usage on the router.
|
| But many are, especially those you want to keep out. I personally don't think that provides any meaningful level of security. No offense intended.

It's worse if staffers' children can come with them to work at various times. They tend to be the ones that know how to do whatever it takes to get on the net, access AIM, MySpace, etc.

phil-news-nospam

| You do know that it has nothing to do with the wireless side of it. It has to do with someone walking up to that router and plugging in a wired computer right in someone's face.

What if the router is being attached to the office LAN which every computer is already attached to, but only certain computers are to be allowed full access to the net or to the wireless side?

| I'll tell you right now, 90% of the people that post to this NG don't know how to do it. They can barely turn the computer *on*.

But their children know exactly what to do.

phil-news-nospam

| Security is a balancing act between convenience and robustness. Make the system inconvenient, and people will rebel, sometimes in obvious ways, sometimes in subtle ways, defeating that security (e.g., the PostIt with password stuck to a monitor). Using manual IP assignment for security fails that tradeoff IMHO.

I totally agree.

I do use manual static IP in most cases. But it's not a mechanism of security. I also know MAC based access control isn't secure, but it can be enough in many cases on the wired side.

phil-news-nospam

|> Well, someone may have another suggestion for you, but I would disable the DHCP server on the router. I would then assign a static IP on the router to each wireless machine's NIC, which means you'll have to manually assign the IP and configure each NIC to access the WAN/Internet or LAN machines via the router.
|
| Yep, then they'd have to know the subnet range in order to configure their own stuff. Move the router to an address OTHER than x.x.x.1 while you're at it. That way your workstations are on 172.16.88.x/255.255.0.0 with the router on 172.16.88.100 (as an example) as the gateway. And if you're using WPA on the wireless it'd be more work than the casual abuser would be likely to tackle.
|
| Private networks can use more than just the 192.168.x.x/255.255.255.0 subnet. You can use Class A (10.x.x.x/255.0.0.0) and Class B (172.16.x.x/255.255.0.0) ranges. For either of those ranges you replace the 'x' with a number between 0 and 254. It's unlikely someone trying to guess static addresses is going to try non-192.168.x.x ranges. Not impossible, but pretty unlikely for casual users.

Using 255 is fine unless it is the very last IP address in a range, however large the range happens to be. 172.25.73.255 is fine in 172.25.64.0/18 or even in 172.25.0.0/16 (B if you are using classes).

FYI, I use 169.254.0.0/16. Hint: RFC3330

| So start by moving the router to a different subnet and IP address. Then manually configure the workstations (wired and wireless) to use that new subnet/mask/gateway. Then go back to the router and disable DHCP services. Set up WPA for the wireless. Then just ditch MAC filtering entirely as it's a weak method, at best. Prevent wired connections by just locking it in a box, drawer, cabinet or something else that doesn't also block the signal.

If the office also has a wired LAN to which all the non-wireless computers are connected, and some of them need internet access, then in effect all of the computers are connected in some way, depending on the topology of the infrastructure.

| What you might also want to consider is arpwatch. That way you could at least get notified if unexpected MAC addresses start connecting to your devices.

Which won't help on MAC spoofers.

phil-news-nospam
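A checker for the manual addressing plan Duane Arnold and Bill Kearney describe, which also settles the .255 point made just above, as an added example using Python's `ipaddress` module (my code, not from the thread). `check_plan` takes the router address, the prefix length and the hosts you intend to configure by hand, and reports any host that is outside the subnet, equal to the network or broadcast address, or assigned twice; it also says whether the subnet is RFC 1918 private space and flags 169.254.0.0/16, the link-local range RFC 3330 lists (the range hosts self-assign when DHCP fails). `is_valid_host` is the single-address form of the same test. All addresses in the calls are made up.

```python
import ipaddress

# Private space from RFC 1918 and the link-local range listed in RFC 3330.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def is_valid_host(addr, network):
    """True when addr can be assigned to a host inside network.

    Only the network and broadcast addresses are excluded; an address ending in .255
    is fine whenever it is not the last address of the block (e.g. 172.25.73.255 in /18).
    """
    a, n = ipaddress.ip_address(addr), ipaddress.ip_network(network)
    return a in n and a not in (n.network_address, n.broadcast_address)


def check_plan(router, prefixlen, hosts):
    """Validate a static addressing plan.

    Returns (network, problems); an empty problems list means every address is usable.
    """
    iface = ipaddress.ip_interface(f"{router}/{prefixlen}")
    net = iface.network
    problems = []

    if net.subnet_of(LINK_LOCAL):
        problems.append(f"{net} is link-local auto-configuration space (RFC 3330), "
                        "which hosts self-assign when DHCP fails")
    elif not any(net.subnet_of(p) for p in RFC1918):
        problems.append(f"{net} is not RFC 1918 private space")

    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"router {iface.ip} is the network or broadcast address of {net}")

    seen = {iface.ip}  # the router's own address counts as taken
    for h in hosts:
        a = ipaddress.ip_address(h)
        if a not in net:
            problems.append(f"{a} is outside {net}")
        elif a in (net.network_address, net.broadcast_address):
            problems.append(f"{a} is the network or broadcast address of {net}")
        elif a in seen:
            problems.append(f"{a} is assigned twice")
        seen.add(a)
    return net, problems


if __name__ == "__main__":
    # Bill's example: router 172.16.88.100 on a /16 with two workstations.
    net, problems = check_plan("172.16.88.100", 16, ["172.16.88.23", "172.16.88.41"])
    print(net, problems or "ok")
    # A deliberately broken plan on the default 192.168.1.0/24.
    net, problems = check_plan("192.168.1.1", 24, ["192.168.1.255", "192.168.2.5", "192.168.1.1"])
    print(net, *problems, sep="\n  ")
```

Run as-is it confirms Bill's plan is clean and lists three faults in the second one (a broadcast address used as a host, a host on the wrong subnet, and the router's address handed to a workstation). The checks are about getting a hand-configured network to work at all; as the rest of the thread points out, none of this keeps anyone out.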

Let me tell you something, if someone came into work with their child and they did it, they would be reprimanded. If they did it on their own and I found out about it, they would be reprimanded.

It's your show and not their show. If you can't control the situation, then maybe, you shouldn't be trying to do anything. They are not going to listen to you anyway.

Who is in charge of the network there, you or them.

Duane :)

Duane Arnold

Yeah, it's called I set the thing up and if you step out of line, you're out of here.

Duane :)

Duane Arnold

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.