Router help please

I've been using a Linksys BEFSR41 wired router for several years - mostly for its NAT functions - but every so often, to attach a laptop when someone is visiting.

My family situation is changing and I have to create wireless access - and I would like it as safe as possible - but I don't know anything about doing it. My experience with Linksys has been excellent and therefore, I would tend to stay with their products if possible.

I will have 3 computers using the router. It must cover about 60 feet in an apartment building with thick walls between the rooms. I would very much like to cover about 120 feet (thick walls) and therefore I think I'll need an access point for that?

Questions:

Is one router faster than the other? If so, what specs should I look for to get the fastest possible?

And will one router go greater distances (penetrating walls etc.), than another?

Should I keep my desktop connected to the new router by wire and therefore, keep it better protected while the other two laptops will use it wirelessly?

My desktop has all the peripherals attached (printers, scanner etc.). Is there any way to keep my desktop secured with no printer and file sharing, while having it active on the laptops? Or, can I just turn on printer sharing without turning on file sharing?

As you can probably see by now, I don't know much about this and have always stayed far away from wireless for security reasons - now I must jump into that water.

Of course, answers and recommendations will be greatly appreciated. But also, if there is a particular link which is considered the best source for this information, I'd appreciate the link as well.

TIA

Louise

Reply to
louise

Hi Louise,

Here are some answers, an overview on wireless security technologies and some links.

"Is one router faster than the other? If so, what specs should I look for to get the fastest possible?"

Different access points use different wireless standards and thus are different speed-wise. The speed also depends on the wireless standard of the wireless adaptor. AFAIK, the highest standard nowadays is Super-G that reaches up to 108 Mbps.

"And will one router go greater distances (penetrating walls etc.), than another?"

Yup. There's a technology called XR - extra range - but using this technology is also confined by wireless adaptor abilities. It requires an XR compatible wireless adaptor.

"Should I keep my desktop connected to the new router by wire and therefore, keep it better protected while the other two laptops will use it wirelessly?"

That depends on the type of wireless router you're getting and type of protection you're using. Obviously, wired is safer than wireless, but if you use encryption, SSID hiding and MAC filtering on your wireless network, hacking into it would be quite tricky. Note also that most low-end wireless routers do not separate the wireless network from the wired (so the wired computer is no more protected than the wireless one).

"My desktop has all the peripherals attached (printers, scanner etc.). Is there any way to keep my desktop secured with no printer and file sharing, while having it active on the laptops? Or, can I just turn on printer sharing without turning on file sharing?"

Some wireless access points have a built-in USB print server. Which means you can connect your printer directly to the appliance and use it from any computer in the wired or wireless network without depending on your computer and without opening file-sharing to the rest of the network.

The level of wireless security you want to use is up to you.

- WEP encryption that is no longer considered particularly safe as it can be hacked quite easily. Note: wireless encryption encrypts ONLY the authentication. The data is still sent in cleartext and can be sniffed using a packet sniffer.

- SSID hiding - hiding your network name from regular area scans and thus allowing only users who know your network name access. Easily discovered with slightly more advanced software so not good as a single means of protection, but can complement other methods.

- MAC filtering - allowing only specific wireless adaptors access to the network. This method is hackable but requires quite a bit of effort.

- WPA encryption - Similar to WEP but AFAIK harder to hack.

- IPSec encryption - this is for the business user or paranoid home user. Some wireless appliances allow you to use internal VPN that encrypts ALL the communication (authentication and data sent and received). The disadvantage of this strong protection is slower performance of the network and a bit of a strain on the network machines as they have to have a client installed and running locally.

Personally, I use SSID hiding, WPA/PSK authentication and MAC filtering for my wireless network.

I use Check Point Safe@Office 500W that gives very good protection with built-in firewall, IPS, antivirus and of course comprehensive wireless security. In addition it has a USB printer, XR and Super G technologies.

And since you asked for links:

- Safe@Office 500W $100 mail in rebate promotion: formatting link
- security guide: formatting link
- for wireless home security: formatting link

Feel free to ask if you have any more questions.

Reply to
TechGrrl

I picked up one of these last week, based on your recommendation. Very pleased with what I got. Thanks.

Reply to
optikl

Thanks so much for the detailed explanations - and now I have a few more questions :-)

If I use a wireless router which is XR and Super G: Will it work ok (if slower) on the portables which do not have this technology built in? Will it work as well as my wired router if I use a wired attachment to the desktop or will my desktop be slowed down by the other computers on the network?

Would it be possible (and practical) to leave my desktop connected to my regular wired router (BEFSR41 Linksys), and connect the wireless router to the wired router? My theory is that then I would have the exact same performance I have now on my desktop and only the portables would be using the wireless router.

Re the Safe@Home router - is the AV in software? If so, is there a way not to install it? I'm using NOD32 and I am delighted - would like to keep it that way. And, is the firewall in software (Zone Alarm?) - or is it in hardware. I don't see anything about NAT or SP1 - am I trying to compare apples and oranges?

Thanks again.

Louise

Reply to
louise

The latter is wrong, but generally WEP is totally b0rken. One can even prove that the protocol itself is unsafe so any secure cipher wouldn't help either.

It basically creates frustration through problems and more log entries due to people accidentally stumbling into your network.

What effort? This is a 4-line bash script involving tcpdump and iwconfig.

So far it's impossible to hack better than bruteforce.

Sounds like the common bullshit.

Reply to
Sebastian Gottschalk

Given that I want speed and to cover a large area through thick walls, I was looking at the Linksys WRT54G - it's the Wireless G router with SRX.

Thoughts?

Louise

Reply to
louise

SSID hiding and MAC filtering do not help with security at all, while having WPA or another good encryption method, this will help.

True.

Wrong.

Wrong, when a computer in this network communicates.

It's completely useless.

If WPA-PSK is used, and the PSK is chosen wisely, then there is no known attack on it.

There are other VPNs, too.

Yours, VB.

Reply to
Volker Birk

Alternative firmware which boosts the signal strength by a factor of 3. Add a better antenna and you'll gain another 10 dB.

WPAv2 will be just fine. You don't need anything else.

Reply to
Sebastian Gottschalk

Wrong. When WEP or WPA is used, you first need to break the encryption layer to obtain the SSID. Anyway, it just means that SSID doesn't add any additional security.

Yes and no. Using the Deassociation Attack one can launch bruteforce attacks on the session key of the TKIP by playing man-in-the-middle on the reauthentication. That's neither a break nor any serious weakness, just a little flaw that has been fixed on WPAv2. But it is an attack, as one design goal was that such a thing shouldn't be possible at all.

Wikipedia even tells about a passive bruteforce search at the same point, but I didn't find any references. Well, it also recommended MAC filtering and SSID Broadcast Disable as effective measure against WLAN sniffing :_)

Reply to
Sebastian Gottschalk

Hi Louise,

Here are some more answers:

"If I use a wireless router which is XR and Super G: Will it work ok (if slower) on the portables which do not have this technology built in?"

Of course. Unless you configure your router to work ONLY with Super G clients. But if you have slower adaptors, I think you wouldn't want to.

"Will it work as well as my wired router if I use a wired attachment to the desktop or will my desktop be slowed down by the other computers on the network?"

The wired desktop would not be slowed by the wireless machines as the two use different interfaces to connect to the network.

"Would it be possible (and practical) to leave my desktop connected to my regular wired router (BEFSR41 Linksys), and connect the wireless router to the wired router? My theory is that then I would have the exact same performance I have now on my desktop and only the portables would be using the wireless router."

I think there's no point in doing this as wireless connectivity does not impact the wired connectivity in the wireless router. At least not in any of the routers I've worked with.

"Re the Safe@Home router - is the AV in software? If so, is there a way not to install it? I'm using NOD32 and I am delighted - would like to keep it that way. And, is the firewall in software (Zone Alarm?) - or is it in hardware."

It's all hardware, running a firewall, AV and IPS on it. There's absolutely no installation required on the client computers, unless you want to use IPSec encryption on the wireless and then you need the VPN client. The Safe@ is basically a plug-play solution that requires no configuration on the computers and minimal configuration on the box itself - Internet connection, internal networks, security settings (if you don't want to use the default).

"I don't see anything about NAT or SP1 - am I trying to compare apples and oranges?"

NAT is network address translation. It's just taking one external address, and putting behind it a local network or a number of local networks. It provides VERY basic protection. I am not sure what you mean by SP1 (Windows XP Service Pack 1?).

Also, I noticed people commented that I was wrong about wireless encryption. I looked into it and you guys are right. Mea Culpa. WEP and WPA do encrypt data, not just authentication. You live, you learn. :)

Reply to
TechGrrl

I believe in wearing out the enemy - the more "walls" they have to break through, the more chances are they'll give up.

Even if MAC filtering alone, and SSID hiding alone are useless (which they pretty much are), when combined with a strong WPA-PSK key they're an additional means of protection. Also, my Safe@Office lets me create firewall rules that prevent any machine in the WLAN except for pre-defined network objects to access the Internet. So even if someone gains access to my wireless network, he has nowhere to go - the wired computer is protected from WLAN by a stateful inspection firewall, and the wireless machines both run firewalls (one is a Check Point client with security policy and the other is just a WINXP SP2 firewall).

I believe in layering security - the more they have to work, the more exhausted they are.

Reply to
TechGrrl

Either there is a known attack or not. Please decide, what you mean.

Yes, of course, bruteforce. Sebastian, please return to sensible statements.

Yours, VB.

Reply to
Volker Birk

No.

A strong WPA-PSK implementation and wisely chosen keys means being secure against every known attack. MAC filtering or SSID hiding don't add any extra security then.

Yours, VB.

Reply to
Volker Birk
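
Both of Volker Birk's replies rest on the WPA-PSK passphrase being "chosen wisely". The sketch below is an added example, not code from any poster: it derives the WPA/WPA2 pre-shared key the standard way (PBKDF2-HMAC-SHA1 with the SSID as salt), generates a random passphrase, and compares exhaustive-search time for a short and a long passphrase. The guess rate and the helper names are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII (codes 32..126) is what a WPA/WPA2 passphrase may contain.
PRINTABLE = {chr(c) for c in range(32, 127)}
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, easy to type


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not set(passphrase) <= PRINTABLE:
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def random_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def generate_passphrase(bits: int = 128) -> str:
    """Random passphrase from ALPHABET carrying at least `bits` of entropy."""
    length = math.ceil(bits / math.log2(len(ALPHABET)))
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e6  # assumed guesses per second, for illustration only
    # The SSID salts the key: same passphrase, different network, different key.
    print(wpa_pmk("password", "IEEE").hex())
    print(wpa_pmk("password", "HomeNet").hex())  # "HomeNet" is a made-up SSID
    weak = random_bits(8, 26)  # 8 random lowercase letters
    strong = random_bits(len(generate_passphrase()), len(ALPHABET))
    print(f"8 lowercase letters: {weak:.1f} bits, "
          f"{years_to_exhaust(weak, rate):.4f} years")
    print(f"22 random alphanumerics: {strong:.1f} bits, "
          f"{years_to_exhaust(strong, rate):.2e} years")
```

The first printed key can be checked against the published IEEE 802.11i test vector for passphrase "password" and SSID "IEEE".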

It is an attack as a design goal was violated. I didn't claim it to be practical. :-)

Reply to
Sebastian Gottschalk

If you add zero, the number will change? The only thing it will create are technical problems, nothing more.

Fine, but IP addresses can be easily spoofed.

Zero security measures exhausting trivial scripts?

Reply to
Sebastian Gottschalk
