PICList
Thread
'[OT] Firewalls and other PC protection'
2004\12\13@134101
by
Mike Hord
> I would personally dispense with any software firewall. I've seen far
> too many weird issues crop up because of software firewalls.
>
> Get a consumer router. They can be had extremely cheaply these days, and
> are magnitudes better than any software firewall. TTYL
Agreed. If you check out the link below, you can rate your PC's protection. On
my system at home, behind a standard off-the-shelf Linksys router, it comes
back as being nigh impervious to assault.
https://grc.com/x/ne.dll?bh0bkyd2
My linksys is the sort with 802.11 built in, and to secure THAT I turned on the
MAC filter, telling it to ignore all devices other than the MACs that I specify.
Can't get much more secure than that, I'd imagine, since it's completely
passive and won't respond to anything from any other MAC.
Mike H.
____________________________________________
2004\12\13@143740
by
Steve Willoughby
On Mon, 13 Dec 2004, Mike Hord wrote:
> My linksys is the sort with 802.11 built in, and to secure THAT I turned on the
> MAC filter, telling it to ignore all devices other than the MACs that I specify.
> Can't get much more secure than that, I'd imagine, since it's completely
> passive and won't respond to anything from any other MAC.
That's a good start, but I'd caution against complacency. Spoofing a MAC
address is trivial to do. You're better off using a firewall between the
WiFi and the rest of your net, and set it to only allow encrypted traffic
through, SSH at least, preferably a VPN solution. *Then* you can feel
reasonably secure. Just turning on WEP or MAC filtering will probably stop
anyone under 12 from breaking in to your network, or slow down the others
by 10 minutes or so.
Those free checking websites don't typically try all the tricks a real
attacker would do to get past your firewall... they just look for the
usual big, gaping holes that a completely unsecured box would have.
--
Steve Willoughby | "It is our choices... that show what we truly
<spam_OUTsteveTakeThisOuTalchemy.com> | are, far more than our abilities."
| --Albus Dumbledore, in Harry Potter and the
| Chamber of Secrets, by J. K. Rowling
____________________________________________
2004\12\13@144435
by
Rolf
Mike Hord wrote:
>>I would personally dispense with any software firewall. I've seen far
>>too many weird issues crop up because of software firewalls.
>>
>>Get a consumer router. They can be had extremely cheaply these days, and
>>are magnitudes better than any software firewall. TTYL
>>
>>
>
>Agreed. If you check out the link below, you can rate your PC's protection. On
>my system at home, behind a standard off-the-shelf Linksys router, it comes
>back as being nigh impervious to assault.
>
>
>https://grc.com/x/ne.dll?bh0bkyd2
>
>My linksys is the sort with 802.11 built in, and to secure THAT I turned on the
>MAC filter, telling it to ignore all devices other than the MACs that I specify.
>Can't get much more secure than that, I'd imagine, since it's completely
>passive and won't respond to anything from any other MAC.
>
>
Hmmm. Not true. The MAC address of your machine is transmitted "in the
clear" when communicating with your access point. i.e. you broadcast
your MAC address regularly when you access the network through the
linksys. It takes very little to alter the MAC address of many network
cards. Thus, there is relatively little work required to "spoof" your MAC
address, and then wait until your real MAC is switched off, and connect
to the linksys with the spoofed device.
Using MACs as an access filter is only a small part of securing a system.
Read all about it.
http://www.techworld.com/features/index.cfm?fuseaction=displayfeature&featureID=160
Rolf
____________________________________________
2004\12\13@155003
by
Herbert Graf
On Mon, 2004-12-13 at 12:41 -0600, Mike Hord wrote:
> Agreed. If you check out the link below, you can rate your PC's protection. On
> my system at home, behind a standard off-the-shelf Linksys router, it comes
> back as being nigh impervious to assault.
>
> https://grc.com/x/ne.dll?bh0bkyd2
I used to recommend that site, no longer. I recommend you do a search on
Steve Gibson on usenet, his "advice" sometimes isn't as good as he
thinks it is (and IMHO sometimes harbours a false sense of security).
> My linksys is the sort with 802.11 built in, and to secure THAT I turned on the
> MAC filter, telling it to ignore all devices other than the MACs that I specify.
> Can't get much more secure than that, I'd imagine, since it's completely
> passive and won't respond to anything from any other MAC.
Unfortunately MAC filtering isn't much of a deterrent. If the person
interested is running Linux it's a very trivial matter to sniff the
network for a working MAC and then use that MAC.
While it's true that it isn't possible to completely stop someone from
accessing your network, I believe the best hope you have is to simply
USE WEP, and rotate the keys. It's not perfect, but it'll deter most
people out there. TTYL
-----------------------------
Herbert's PIC Stuff:
http://repatch.dyndns.org:8383/pic_stuff/
____________________________________________
2004\12\13@162645
by
John J. McDonough
----- Original Message -----
From: "Herbert Graf" <.....mailinglist2KILLspam@spam@farcite.net>
Subject: Re: [OT] Firewalls and other PC protection
> While it's true that it isn't possible to completely stop someone from
> accessing your network, I believe the best hope you have is to simply
> USE WEP, and rotate the keys. It's not perfect, but it'll deter most
> people out there. TTYL
Of course, there is no reason not to use MAC filtering and WEP. That and
failing to broadcast your SSID will ensure that a successful attacker has to
be VERY determined.
Depending on your enemies, it probably is more than sufficient to use MAC
filtering. Most folks who want to enter your wireless network would just as
soon use your neighbor's. If yours is a little tougher to exploit, he'll
choose the easier option.
There are more of these than you might think, however. I know salesmen who
are often on the road, and when they need to do email, they just drive
through a residential area with Net Stumbler. Usually only takes a few
minutes to find a connection.
On the other hand, if you are worried about the NSA you better use all of
the above and then some.
--McD
____________________________________________
2004\12\13@162705
by
Philip Pemberton
In message <88eca922041213104171e713c8KILLspammail.gmail.com>
Mike Hord <.....mike.hordKILLspam.....gmail.com> wrote:
> On
> my system at home, behind a standard off-the-shelf Linksys router, it comes
> back as being nigh impervious to assault.
Same here with my Linux box. Problem is, said Linux box has a problem with..
well.. excessive power consumption. 200W! It's costing £20 a quarter (£80) a
year just to run that thing, not to mention the laser printer (which isn't
too bad; only 11W in sleep mode, which is what it spends 90% of its time
doing), the 17" CRT (65W), RiscPC (100W PSU rating), and my P-III/600
workstation. All in, it comes to just over 600W and (in theory anyway) costs
around £63 a quarter, or £250 a year worst-case [ note to self: find cheap
240V AC ammeter ].
What I need is a nice, cheap, energy-efficient Linux system with an onboard
IDE/ATA controller. "Four options, you're free to pick any two".
Later.
-- Phil. | Acorn Risc PC600 Mk3, SA202, 64MB, 6GB,
EraseMEphilpemspam_OUTTakeThisOuTphilpem.me.uk | ViewFinder, 10BaseT Ethernet, 2-slice,
http://www.philpem.me.uk/ | 48xCD, ARCINv6c IDE, SCSI
... If speed scares you, try Micro$oft Windows.
___________________________________________
2004\12\13@165607
by
Herbert Graf
On Mon, 2004-12-13 at 16:26 -0500, John J. McDonough wrote:
> Of course, there is no reason not to use MAC filtering and WEP. That and
> failing to broadcast your SSID will ensure that a successful attacker has to
> be VERY determined.
No, not determined at all. Turning off your SSID will simply ensure your
AP doesn't show up in a casual network scan. Anybody with ANY interest
will be using a more efficient tool which simply "sniffs" the channels
to see who's out there. A single packet sent by your AP would give you
away.
> Depending on your enemies, it probably is more than sufficient to use MAC
> filtering. Most folks who want to enter your wireless network would just as
> soon use your neighbor's. If yours is a little tougher to exploit, he'll
> choose the easier option.
Sorry, but no. For many people getting into your network is a
"challenge", and MAC filtering isn't enough of a challenge to thwart
almost anybody. Yes, you'll stop grandma trying to get in, but that's
it.
> There are more of these than you might think, however. I know salesmen who
> are often on the road, and when they need to do email, they just drive
> through a residential area with Net Stumbler. Usually only takes a few
> minutes to find a connection.
I know quite a few people who do that sort of stuff. Heck, I have a
mental map of "available" APs in the area around the university I went
to. TTYL
-----------------------------
Herbert's PIC Stuff:
http://repatch.dyndns.org:8383/pic_stuff/
____________________________________________
2004\12\13@181809
by
Nate Duehr
Steve Willoughby wrote:
>On Mon, 13 Dec 2004, Mike Hord wrote:
>
>
>>My linksys is the sort with 802.11 built in, and to secure THAT I turned on the
>>MAC filter, telling it to ignore all devices other than the MACs that I specify.
>>Can't get much more secure than that, I'd imagine, since it's completely
>>passive and won't respond to anything from any other MAC.
>>
>>
>
>That's a good start, but I'd caution against complacency. Spoofing a MAC
>address is trivial to do. You're better off using a firewall between the
>WiFi and the rest of your net, and set it to only allow encrypted traffic
>through, SSH at least, preferably a VPN solution. *Then* you can feel
>reasonably secure. Just turning on WEP or MAC filtering will probably stop
>anyone under 12 from breaking in to your network, or slow down the others
>by 10 minutes or so.
>
>Those free checking websites don't typically try all the tricks a real
>attacker would do to get past your firewall... they just look for the
>usual big, gaping holes that a completely unsecured box would have.
>
>
>
AGREED. Even the 12-year-olds are running Nessus
(http://www.nessus.org/) with the very latest updates against any
machines they're interested in messing around with, and probably with
updated signatures for it that they've gotten from IRC bots and various
"friends" away from the mainstream updates on the website. Even a
subscription to Vuln-Dev at SecurityFocus will produce a few new ones
before they are released as "official" in even the newest versions of
Nessus.
The smarter crackers with agendas to pursue don't run Nessus against
systems they're interested in attacking (or run it VERY slowly) because
they know it's a noisy beast and they'll get caught... anyone with
proper Intrusion Detection software watching their network/systems will
see a Nessus scan almost immediately, and even if run slowly, many
scanners can keep a database and recognize it later if the attacker
comes from the same address.
The people who really want to break in -- just like houses and locks --
will. And they'll do it quietly. But most of us are just dealing with
the overall noise of the vandals... the "script kiddies"... the ones
that break in just to do damage and leave. That and evil websites.
Malicious code embedded in web pages is rampant, and no hardware
firewall will stop that... if you go to the web page and you run a
vulnerable browser, it's a done deal. Software host-based firewalls
will at least ask you, "Are you sure you want XYZ talking to the Internet?"
GRC's Shield's Up site was useful about five to six years ago. It's
only doing a portscan and a couple of other boring things (like seeing
if you have Windows SMB shares open to the public side). It's a joke
today... it makes people feel secure that aren't. Steve should take it
down or make it a lot more thorough.
I remember reading in separate reports this week that something like 77%
of all PC Internet users feel like their machines are "safe" from
attack, and yet in a completely different article only 40% or so
regularly patched their machines with their OS manufacturer's (or
open-source, if using a Free OS) updates.
This is illogical and apparently some interesting form of large-group
psychological denial. Probably 1/3 of the machines out there are
actually patched enough to be relatively secure (assuming some mistakes
and lag time in that 40% number), and yet more than 3/4's of computer
users think they're "secure".
And of course there's always the adage that says 99% of statistics are
made up. :-)
Nate
____________________________________________
2004\12\13@182759
by
Nate Duehr
2004\12\13@184057
by
Jose Da Silva
Electricity here is cheap by those standards. I figured it would take about 5 years to pay-back the use of a solar panel here based on our rates, but based on the prices you suggest, you should be able to pay off a solar panel much sooner. If you mount it well/sturdy enough they should be able to last well over 10 years (25 according to some articles, I think).
On Monday 13 December 2004 01:26 pm, Philip Pemberton wrote:
> In message <88eca922041213104171e713c8spam_OUTmail.gmail.com>
>
> Mike Hord <@spam@mike.hordKILLspamgmail.com> wrote:
> > On
> > my system at home, behind a standard off-the-shelf Linksys router, it
> > comes back as being nigh impervious to assault.
>
> Same here with my Linux box. Problem is, said Linux box has a problem
> with.. well.. excessive power consumption. 200W! It's costing £20 a
> quarter (£80) a year just to run that thing, not to mention the laser
> printer (which isn't too bad; only 11W in sleep mode, which is what it
> spends 90% of its time doing), the 17" CRT (65W), RiscPC (100W PSU
> rating), and my P-III/600 workstation. All in, it comes to just over 600W
> and (in theory anyway) costs around £63 a quarter, or £250 a year
> worst-case [ note to self: find cheap 240V AC ammeter ].
>
> What I need is a nice, cheap, energy-efficient Linux system with an
> onboard IDE/ATA controller. "Four options, you're free to pick any two".
>
> Later.
___________________________________________
2004\12\13@192003
by
Rolf
Hmm.. he was talking GBP, British Pounds.. i.e. not much sun for solar panels.... ;-)
Rolf
Jose Da Silva wrote:
>Electricity here is cheap by those standards. I figured it would take about 5
>years to pay-back the use of a solar panel here based on our rates, but
>based on the prices you suggest, you should be able to pay off a solar panel
>much sooner. If you mount it well/sturdy enough they should be able to last
>well over 10 years (25 according to some articles, I think).
>
>On Monday 13 December 2004 01:26 pm, Philip Pemberton wrote:
>
>
>>In message <KILLspam88eca922041213104171e713c8KILLspammail.gmail.com>
>>
>> Mike Hord <RemoveMEmike.hordTakeThisOuTgmail.com> wrote:
>>
>>
>>>On
>>>my system at home, behind a standard off-the-shelf Linksys router, it
>>>comes back as being nigh impervious to assault.
>>>
>>>
>>Same here with my Linux box. Problem is, said Linux box has a problem
>>with.. well.. excessive power consumption. 200W! It's costing £20 a
>>quarter (£80) a year just to run that thing, not to mention the laser
>>printer (which isn't too bad; only 11W in sleep mode, which is what it
>>spends 90% of its time doing), the 17" CRT (65W), RiscPC (100W PSU
>>rating), and my P-III/600 workstation. All in, it comes to just over 600W
>>and (in theory anyway) costs around £63 a quarter, or £250 a year
>>worst-case [ note to self: find cheap 240V AC ammeter ].
>>
>>What I need is a nice, cheap, energy-efficient Linux system with an
>>onboard IDE/ATA controller. "Four options, you're free to pick any two".
>>
>>Later.
>>
>>
>
>
>
___________________________________________
2004\12\13@201937
by
Jose Da Silva
On Monday 13 December 2004 04:19 pm, Rolf wrote:
> Hmm.. he was talking GBP, British Pounds.. i.e. not much sun for solar
> panels.... ;-)
If 600W costs $300 here, wouldn't £250 be considered more expensive?
Doing some quick math:
$300 x 5years = $1500
Assuming you got 1/2 a day to work with, then you need a 1200w panel, so doing a real quick internet search, let's see what a 1200w panel costs?
http://www.partsonsale.com/
...okay 1000watts @$1399 seems close-enough! ;-)
> Rolf
>
> Jose Da Silva wrote:
> >Electricity here is cheap by those standards. I figured it would take
> > about 5 years to pay-back the use of a solar panel here based on our
> > rates, but based on the prices you suggest, you should be able to pay
> > off a solar panel much sooner. If you mount it well/sturdy enough they
> > should be able to last well over 10 years (25 according to some articles,
> > I think).
> >
> >On Monday 13 December 2004 01:26 pm, Philip Pemberton wrote:
> >>In message <spamBeGone88eca922041213104171e713c8spamBeGonemail.gmail.com>
> >>
> >> Mike Hord <TakeThisOuTmike.hordEraseMEspam_OUTgmail.com> wrote:
> >>>On
> >>>my system at home, behind a standard off-the-shelf Linksys router, it
> >>>comes back as being nigh impervious to assault.
> >>
> >>Same here with my Linux box. Problem is, said Linux box has a problem
> >>with.. well.. excessive power consumption. 200W! It's costing £20 a
> >>quarter (£80) a year just to run that thing, not to mention the laser
> >>printer (which isn't too bad; only 11W in sleep mode, which is what it
> >>spends 90% of its time doing), the 17" CRT (65W), RiscPC (100W PSU
> >>rating), and my P-III/600 workstation. All in, it comes to just over
> >> 600W and (in theory anyway) costs around £63 a quarter, or £250 a year
> >> worst-case [ note to self: find cheap 240V AC ammeter ].
> >>
> >>What I need is a nice, cheap, energy-efficient Linux system with an
> >>onboard IDE/ATA controller. "Four options, you're free to pick any two".
> >>
> >>Later.
>
> _____________________________________________
2004\12\13@202027
by
Philip Pemberton
In message <RemoveME41BE2563.6080908TakeThisOuTnatetech.com>
Nate Duehr <nateEraseME.....natetech.com> wrote:
> http://www.mini-itx.com - the "fanclub" site that has interesting projects made
> out of them.
Yep - seen them. Shame it'd cost upwards of £200 to do that, though :-/
I've got a Fujitsu FDX310 USB ADSL modem at the moment. Shame it's so damn
unreliable under Linux, though. Well, that and the fact that the data
throughput is atrocious. Webcam + DSL modem + ICD2 + scanner = USB go splat.
Later.
-- Phil. | Acorn Risc PC600 Mk3, SA202, 64MB, 6GB,
EraseMEphilpemphilpem.me.uk | ViewFinder, 10BaseT Ethernet, 2-slice,
http://www.philpem.me.uk/ | 48xCD, ARCINv6c IDE, SCSI
... Logic is the art of going wrong with confidence
___________________________________________
2004\12\13@204911
by
Andrew Warren
Philip Pemberton <RemoveMEpiclistEraseMEEraseMEmit.edu> wrote:
> the data throughput is atrocious. Webcam + DSL modem + ICD2 +
> scanner = USB go splat.
Phil:
Going off on a tangent here... But if you have a high-speed (480
Mbps) USB host, changing your hub may improve device throughput
dramatically.
All high-speed hubs use a logic block called a Transaction Translator
(TT) to convert lower-speed USB traffic on the downstream side to 480
Mbps on the upstream side. If your hub has only one TT, all of your
full-speed (12 Mbps) devices are forced to share one 12-Mbps pipe.
If, on the other hand, your hub has one TT per port, each full-speed
device gets its own 12-Mbps pipe.
-Andy
=== Andrew Warren -- RemoveMEaiwspam_OUTKILLspamcypress.com
=== Principal Design Engineer
=== Cypress Semiconductor Corporation
===
=== Opinions expressed above do not
=== necessarily represent those of
=== Cypress Semiconductor Corporation
____________________________________________
2004\12\15@040516
by
Peter L. Peres
On Mon, 13 Dec 2004, Philip Pemberton wrote:
> In message <RemoveME88eca922041213104171e713c8TakeThisOuTspammail.gmail.com>
>
> Mike Hord <EraseMEmike.hordspamspamBeGonegmail.com> wrote:
>
>> On
>> my system at home, behind a standard off-the-shelf Linksys router, it comes
>> back as being nigh impervious to assault.
>
> Same here with my Linux box. Problem is, said Linux box has a problem with..
> well.. excessive power consumption. 200W! It's costing £20 a quarter (£80) a
> year just to run that thing, not to mention the laser printer (which isn't
> too bad; only 11W in sleep mode, which is what it spends 90% of its time
> doing), the 17" CRT (65W), RiscPC (100W PSU rating), and my P-III/600
> workstation. All in, it comes to just over 600W and (in theory anyway) costs
> around £63 a quarter, or £250 a year worst-case [ note to self: find cheap
> 240V AC ammeter ].
>
> What I need is a nice, cheap, energy-efficient Linux system with an onboard
> IDE/ATA controller. "Four options, you're free to pick any two".
DreamCast 7000 ?
Peter
____________________________________________
2004\12\15@040518
by
Peter L. Peres
On Mon, 13 Dec 2004, Mike Hord wrote:
>> I would personally dispense with any software firewall. I've seen far
>> too many weird issues crop up because of software firewalls.
>>
>> Get a consumer router. They can be had extremely cheaply these days, and
>> are magnitudes better than any software firewall. TTYL
>
> Agreed. If you check out the link below, you can rate your PC's protection. On
> my system at home, behind a standard off-the-shelf Linksys router, it comes
> back as being nigh impervious to assault.
>
>
> https://grc.com/x/ne.dll?bh0bkyd2
>
> My linksys is the sort with 802.11 built in, and to secure THAT I turned on the
> MAC filter, telling it to ignore all devices other than the MACs that I specify.
> Can't get much more secure than that, I'd imagine, since it's completely
> passive and won't respond to anything from any other MAC.
Erm, the second step in cracking a network is setting the MAC to one
sniffed from the network in the first step. Don't sleep on your laurels,
if you don't use 802.11 turn it off.
Peter
____________________________________________
2004\12\15@111304
by
Mike Hord
> Erm, the second step in cracking a network is setting the MAC to one
> sniffed from the network in the first step. Don't sleep on your laurels,
> if you don't use 802.11 turn it off.
I do use the 802.11.
This is quite disconcerting. I had (erroneously) believed that in order to
access that network w/o my permission, an intruder would need to
somehow find the MAC of one of my two WAN equipped PCs, and I
expected that to not be broadcast open-air. Sigh.
Where I live, not many people are likely to be sniffing for available WiFi,
and I have nothing behind my house for a goodly distance. Perhaps the
simple solution is to put my router toward the front of the house (as it is)
and just go buy a largish sheet of metal, ground it, and put it between
the router and the street as close to the router as possible.
Mike H.
____________________________________________
2004\12\15@124238
by
Peter L. Peres
On Wed, 15 Dec 2004, Mike Hord wrote:
>> Erm, the second step in cracking a network is setting the MAC to one
>> sniffed from the network in the first step. Don't sleep on your laurels,
>> if you don't use 802.11 turn it off.
>
> I do use the 802.11.
>
> This is quite disconcerting. I had (erroneously) believed that in order to
> access that network w/o my permission, an intruder would need to
> somehow find the MAC of one of my two WAN equipped PCs, and I
> expected that to not be broadcast open-air. Sigh.
>
> Where I live, not many people are likely to be sniffing for available WiFi,
> and I have nothing behind my house for a goodly distance. Perhaps the
> simple solution is to put my router toward the front of the house (as it is)
> and just go buy a largish sheet of metal, ground it, and put it between
> the router and the street as close to the router as possible.
That might achieve the opposite of what you are trying to achieve if the
metal sheet's dimensions (one of them is enough) relates in a certain
way to a multiple of the wavelength used. Mirrors for light work very
well because they are much larger than the wavelength of light, and that
is not the case at 2.4GHz . One thing I have not tried would be to put
the WiFi access point in the basement, at the basement's floor level
(perhaps with a reflector below it). Assuming no concrete floors and not
too bad reflections this should project an upside-down cone-like
coverage area including all of the house and *excluding* almost
everything outside, at least at ground level.
You can try to set the WEP code phrases on the router and on each
connected computer and hope for the best. As someone else said, it's
like the joke with the two friends and the lion. You don't need to
outrun the lion, only your nearest neighbor. Unless the lion is after
something you have.
I don't like the current 802.11 systems very much and I caught people
war-driving at least 3 times so far, which means there's a lot of them,
as I am not actively looking (but you can't help noticing a car holding
at a traffic light with a guy in the back with a laptop on and peering
at several huge and wiggling field-strength bargraphs on his screen).
Peter
____________________________________________
2004\12\15@163742
by
John J. McDonough
----- Original Message -----
From: "Mike Hord" <RemoveMEmike.hordKILLspamgmail.com>
Subject: Re: [OT] Firewalls and other PC protection
> simple solution is to put my router toward the front of the house (as it is)
> and just go buy a largish sheet of metal, ground it, and put it between
> the router and the street as close to the router as possible.
Step 1: Adequate security on your internal LAN
Step 2: WEP
Step 3: MAC filtering
Step 4: Control the distance
I have my WAP in the rafters in the basement. It covers just to the edges
of my yard, and not much more. I can surf out back on the swing, but
somebody driving by would need to get on the lawn. You can do a lot in the
way of control by adjusting the height of the antenna (which is usually
attached to the WAP). Also, on many WAPs, you can control the pattern and
sometimes the power, from the setup screen.
If you have a laptop you can go roaming around with Net Stumbler. The
neighbors may look at you funny, but it's good to know just how far you can
be heard. My neighbors are used to weird things from this house, so it
wasn't much of a problem for me :-)
But don't overlook adequate controls on the computers on your LAN. If
somebody does manage to get on your WiFi, chances are they want to borrow
your Internet connection. Really, is that such a big deal? But don't wave
your financial data in their face while they are there, and of course, don't
invite them in in the first place. So make sure it's hard for them to
connect, but if they do, make sure they can't find anything interesting.
Crank down the controls on each of your boxes as if they WERE able to get
in.
--McD
____________________________________________
2004\12\15@173911
by
Mike Hord
> If you have a laptop you can go roaming around with Net Stumbler. The
> neighbors may look at you funny, but it's good to know just how far you can
> be heard. My neighbors are used to weird things from this house, so it
> wasn't much of a problem for me :-)
I have neighbors within the radius of regular usage of my laptop; i.e., if I go
to the back of my house, my router is at the front, and within that radius
are two other houses (trailers, actually. Hey, it's cheap livin'!).
> But don't overlook adequate controls on the computers on your LAN. If
> somebody does manage to get on your WiFi, chances are they want to borrow
> your Internet connection. Really, is that such a big deal? But don't wave
> your financial data in their face while they are there, and of course, don't
> invite them in in the first place. So make sure it's hard for them to
> connect, but if they do, make sure they can't find anything interesting.
> Crank down the controls on each of your boxes as if they WERE able to get
> in.
>
> --McD
I hate networking, network security, and anything to do with making
computers talk to each other or the outside world. But I also hate
going to the dentist and I do that, so I'll just have to get over it and learn.
It could be a good, marketable talent later on down the line. Anyone
have any good books or places to start?
Mike H.
____________________________________________
2004\12\15@222259
by
Nate Duehr
John J. McDonough wrote:
> ----- Original Message -----
> From: "Mike Hord" <mike.hordSTOPspamspam_OUTgmail.com>
> Subject: Re: [OT] Firewalls and other PC protection
>
>
>
>>simple solution is to put my router toward the front of the house (as it is)
>>and just go buy a largish sheet of metal, ground it, and put it between
>>the router and the street as close to the router as possible.
>
>
> Step 1: Adequate security on your internal LAN
> Step 2: WEP
> Step 3: MAC filtering
> Step 4: Control the distance
Another popular way to deal with this issue:
After doing all of the above...
5. Require a VPN connection to actually get to the internal network.
This is commonly how companies deploy wireless access-points. Getting
into the network the WAP is sitting in won't get you to any other
devices other than a DNS server, a DHCP server (if they're nice), and
the VPN router. Once you authenticate to the VPN router and have an
encrypted connection, it routes you into the "real" internal network.
Nate
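
The layout described in this post (and the firewall between the WiFi and the rest of the net suggested earlier in the thread), sketched as an added example that is not part of the original post or written by any list member. It assumes a Linux gateway using iptables that itself runs the DHCP, DNS and VPN services; the interface names and the VPN protocol/port are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the wireless segment may reach only
# DHCP, DNS and the VPN endpoint; everything else from it is logged and dropped.
# All values below are assumptions (constructed placeholders); adjust to your box.
WIFI_IF="${WIFI_IF:-wlan0}"      # interface facing the access point
LAN_IF="${LAN_IF:-eth0}"         # trusted wired LAN
WAN_IF="${WAN_IF:-eth1}"         # uplink to the Internet
VPN_IF="${VPN_IF:-tun0}"         # interface that appears once a VPN client authenticates
VPN_PROTO="${VPN_PROTO:-udp}"    # protocol of the VPN listener
VPN_PORT="${VPN_PORT:-1194}"     # port of the VPN listener

# Print the ruleset, one iptables command per line, so it can be reviewed
# before it is applied. NAT and WAN-side INPUT rules are out of scope here.
wifi_fw_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WIFI_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $WIFI_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $WIFI_IF -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $WIFI_IF -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
iptables -A INPUT -i $WIFI_IF -j LOG --log-prefix "wifi-in-drop: "
iptables -A INPUT -i $WIFI_IF -j DROP
iptables -A FORWARD -i $WIFI_IF -j LOG --log-prefix "wifi-fwd-drop: "
iptables -A FORWARD -i $WIFI_IF -j DROP
iptables -A INPUT -i $LAN_IF -j ACCEPT
iptables -A INPUT -i $VPN_IF -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
EOF
}

# Number of ACCEPT rules that apply to raw (pre-VPN) wireless traffic.
# Anything above the four services named in the post deserves a second look.
wifi_accept_count() {
    wifi_fw_rules | grep -c -- "-i $WIFI_IF .*-j ACCEPT"
}

# Default is a dry run that prints the rules; APPLY=1 (as root) installs them.
if [ "${APPLY:-0}" = "1" ]; then
    wifi_fw_rules | sh
else
    wifi_fw_rules
fi
```

With these rules a client that gets past WEP and MAC filtering still sees only DHCP, DNS and the VPN listener, and the LOG lines record every other attempt from the wireless side.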
____________________________________________
2004\12\15@230936
by
Herbert Graf
On Wed, 2004-12-15 at 20:22 -0700, Nate Duehr wrote:
> 5. Require a VPN connection to actually get to the internal network.
>
> This is commonly how companies deploy wireless access-points. Getting
> into the network the WAP is sitting in won't get you to any other
> devices other than a DNS server, a DHCP server (if they're nice), and
> the VPN router. Once you authenticate to the VPN router and have an
> encrypted connection, it routes you into the "real" internal network.
Speaking of which, anybody have any luck finding and using an open
source VPN server that works with the "normal" clients? Nothing fancy,
but definitely a "nice" thing to have. Thanks, TTYL
-----------------------------
Herbert's PIC Stuff:
http://repatch.dyndns.org:8383/pic_stuff/
____________________________________________
2004\12\16@015918
by
Nate Duehr
Mike Hord wrote:
> I hate networking, network security, and anything to do with making
> computers talk to each other or the outside world. But I also hate
> going to the dentist and I do that, so I'll just have to get over it and learn.
> It could be a good, marketable talent later on down the line. Anyone
> have any good books or places to start?
http://www.sans.org, http://www.securityfocus.org are a couple of the long-time good
sites. SANS has whitepapers about just about everything, and
SecurityFocus has good mailing lists.
Nate
____________________________________________
2004\12\16@072530
by
Gerhard Fiedler
Herbert Graf wrote:
> Speaking of which, anybody have any luck finding and using an open
> source VPN server that works with the "normal" clients? Nothing fancy,
> but definitely a "nice" thing to have. Thanks, TTYL
I have an SMC Barricade Plus -- a standard gateway/router with a PPTP VPN
server built-in. Not actually open-source, but wasn't expensive either.
Gerhard
____________________________________________
2004\12\16@083509
by
Herbert Graf
On Thu, 2004-12-16 at 10:25 -0200, Gerhard Fiedler wrote:
> Herbert Graf wrote:
> > Speaking of which, anybody have any luck finding and using an open
> > source VPN server that works with the "normal" clients? Nothing fancy,
> > but definitely a "nice" thing to have. Thanks, TTYL
>
> I have an SMC Barricade Plus -- a standard gateway/router with a PPTP VPN
> server built-in. Not actually open-source, but wasn't expensive either.
For various reasons I'd prefer a software solution to a hardware one.
Thanks, TTYL
-----------------------------
Herbert's PIC Stuff:
http://repatch.dyndns.org:8383/pic_stuff/
____________________________________________
2004\12\16@121520
by
Peter L. Peres
On Wed, 15 Dec 2004, Mike Hord wrote:
> It could be a good, marketable talent later on down the line. Anyone
> have any good books or places to start?
If I'd quote some I'd be accused of advocacy so I won't. So here is a
cynical rundown: If you really want to know what is happening on your
network you can use tcpdump (or the equivalent for 802.11) and watch for
a while. If what you see does not scare you, then you can slowly learn
the protocols and how they were adulterated by certain commercial entities
for their gain & our pain. As you study the relevant protocols you will
notice an impressive number of deviations, incorrect descriptions and
outright lies wrt the RFC protocol descriptions. After completing this
phase you should be able to reinstall a Windows OS and mostly believe
that you know what garbage should be choking the otherwise idle network
and what shouldn't (and being wrong less often than the average layman
when making wild guesses about what is really going on).
Peter
____________________________________________
2004\12\16@144550
by
kimble
Herbert Graf wrote:
> Speaking of which, anybody have any luck finding and using an open
> source VPN server that works with the "normal" clients? Nothing fancy,
> but definitely a "nice" thing to have. Thanks, TTYL
Possibly not what you have in mind, but IPCop 1.4
(http://www.ipcop.org/) has (among other things) VPN functionality on a
dedicated subnet for securing wireless networks. It's an IPSec VPN, so
it can be a bit clunky to configure Windows clients, but has the
advantage of a decent level of security.
kim.
____________________________________________
2004\12\16@160755
by
Nate Duehr
Herbert Graf wrote:
>Speaking of which, anybody have any luck finding and using an open
>source VPN server that works with the "normal" clients? Nothing fancy,
>but definitely a "nice" thing to have. Thanks, TTYL
>
>
PoPToP handles PPTP connections. I set it up once and didn't like the
way it worked, but it worked.
And there's piles of IPSec servers/clients out there. Most OS's can do
that these days, including WinXP, Win2K, OSX, Linux, you name it...
gotta love standards.
OpenVPN is popular also, and has clients for most OS's.
http://www.osnews.com/story.php?news_id=5803
And the old granddaddy of them all, ssh... with port-forwarding.
Nate
____________________________________________
2004\12\16@174129
by
Nate Duehr
Peter L. Peres wrote:
>
> On Wed, 15 Dec 2004, Mike Hord wrote:
>
>> It could be a good, marketable talent later on down the line. Anyone
>> have any good books or places to start?
>
>
> If I'd quote some I'd be accused of advocacy so I won't.
ARGGGH. "Accused of advocacy". Oh no! You had an individual thought
and then decided to support something!? $DEITY forbid!
I keep hoping personal opinions come back into vogue someday. ;-)
Never be ashamed to be an advocate of anything GOOD.
Nate
____________________________________________
2004\12\17@160849
by
Peter L. Peres
>>> It could be a good, marketable talent later on down the line. Anyone
>>> have any good books or places to start?
>>
>> If I'd quote some I'd be accused of advocacy so I won't.
>
> ARGGGH. "Accused of advocacy". Oh no! You had an individual thought and
> then decided to support something!? $DEITY forbid!
>
> I keep hoping personal opinions come back into vogue someday. ;-)
>
> Never be ashamed to be an advocate of anything GOOD.
You don't think much of being politically correct, do you? ;-)
Peter
____________________________________________
2004\12\17@170022
by
Nate Duehr
Peter L. Peres wrote:
>> Never be ashamed to be an advocate of anything GOOD.
>
> You don't think much of being politically correct, do you ? ;-)
Nope, and most (good) political and business leaders don't either --
they have staff members to remind them to do it, thus showing it's not a
normal state for leaders or regular people. Something external is
driving it -- and it's becoming (sadly) cultural.
A friend and I were talking a bit about this today -- NYC and Tokyo are
interesting examples of the extremes... both are overpopulated. One is
more openly hostile but with a soft caring underbelly hiding underneath,
the other is openly respectful and caring with a quiet (almost hidden)
competitive streak underneath. But neither is very "balanced". We were
discussing this over lunch and wondering if overpopulation always leads
to extreme behaviour like that.
That said, (and the reason I brought it up) I'd fit in better in NY than
in Tokyo, methinks! ;-)
(And I'm glad for both places.)
We were also talking about the sad fact that in lower-populated areas,
restaurants with "interesting" and culturally diverse food are few and
far between because of the economic reality that "McFood" works for most
people and the more interesting stuff can't be sustained as a successful
business.
(Translation: There's no damn "Mongolian BBQ" on this side of town, and
we're both too chicken to leave technology jobs and start one!)
Nate
____________________________________________
2004\12\18@051619
by
Russell McMahon
> (Translation: There's no damn "Mongolian BBQ" on this side of town, and
> we're both too chicken to leave technology jobs and start one!)
I went to one in Taiwan where you walked through the open air to your
tent/shack and past the goat pens. Maybe not as real as the ones in
Mongolia, but more so than any here in NZ :-)
RM
____________________________________________
2004\12\20@053343
by
Alan B. Pearce
>(Translation: There's no damn "Mongolian BBQ" on
>this side of town, and we're both too chicken to
>leave technology jobs and start one!)
Doesn't mean you cannot own one :))
Just get someone else to run it :)
____________________________________________