

phant0m

21 posts

Geek


#77368 15-Feb-2011 15:50

Hello :)


I will be moving into a University Residential Hall in about a week and I have been granted permission to have an external ADSL connection.


I have two computers and would prefer to have a wireless network for ease of use. The main problem is that the hall is a former high-rise office building so if I have a wireless network it will be in range of anyone on my floor and for about 1-2 floors above and below.


My budget is about $200ish at the moment; I have a TP-LINK TL-SG1008D 8 PORT 1000mb switch & a TP-LINK USB Dongle and a Belkin CAT6 cable. I had a WRT54 but have to leave that for the parents.

My main questions are:


1) How can I increase/maintain good broadband connection speeds? Would buying an aftermarket modem help?

2) For security I'm not sure if I should stick to a wired network or if I could set up a wireless one safely. I want to be able to have LANs in with other people in the hall (which would possibly involve online gaming) but at the same time I want to prevent them from downloading things and using up my data cap.

I've read some threads where people have been talking about custom firmwares to regulate their networks. Could I just use MAC address filtering to only allow certain computers access to the network or is there a better option?

Would it be possible for someone to hack into my network if it was wireless? I had a look at some modem/router options and it seems that Draytek are good for security? It's just that in such an enclosed space it may draw some attention.... or am I just being paranoid :-X

3) What sort of modem/wireless router setup/combo would you suggest? I was thinking of investing in a Draytek Vigor 120 and either keeping the network wired or buying a wireless N router as well. Alternatively I was considering the Draytek 2710ne as it already has wireless built in. I don't really know what I should buy tbh :-/


Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #439867 15-Feb-2011 15:56

How much do you understand about computers and the such?

For the paranoid I would get an ADSL modem running in 1/2 bridge mode and pass the PPP stuff to something like the Mikrotik RB750. Run wired on it and for the wireless put a wireless AP on an ethernet port that's isolated. Don't give it internet access and run a PPTP server on the RB750 so that once you connect over wireless you have to dial in to the PPTP server for net.

The trouble about unis is that wireless passwords will get broken by the CS students before you have time to even boot up your computer. You really need another layer of security running on the top of it. MAC addresses can be spoofed as well




Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated



kyhwana2
2572 posts

Uber Geek
+1 received by user: 233


  #439900 15-Feb-2011 16:58

1) Not really. You're stuck with what you get! Plug whatever modem you get straight into the wall (or the filter, if you need one)

2) If you want it secure, only use wired connections, get a second NIC for your PC and plug that second NIC into the university network. (Make sure you firewall that interface to hell and back and you aren't doing any kind of ICS on that box!)

If you really want wireless, then get an AP that does WPA2, plug it into your switch/ADSL router and enable WPA2-CCMP (which is AES) and use a longass password. (Something like "ZmRlMmJjNTRhNmVkZTM0NjBjMWM3ZDJmNGVhMjYxMzQyM2M0MjE5NzdmN2E4MjRjNDI3OGRhOGUw" would be long enough. Don't use any dictionary words at all, etc.)

Then use the first (or 2nd) wired NIC to plug into the university network. Under no circumstances plug your switch (while connected to your ADSL modem/router/wifi AP) or router into the university network!

Basically, with ICS off and Windows Firewall turned on (as a "public" network) you'll probably be safe enough if you use a second NIC to connect to the university network. Make sure you're fully patched though and that your default route is out your ADSL connection.

Forget MAC filtering, you can find out and spoof MACs easy as.



l43a2
1784 posts

Uber Geek
+1 received by user: 591

ID Verified
Trusted

  #439916 15-Feb-2011 17:37

A CS student isn't gonna break WPA2/AES overnight..







phant0m

21 posts

Geek


  #439929 15-Feb-2011 18:07

I know virtually zilch about networking apart from the odd bit I've picked up from wrestling with LAN networks over the years.

Security wise beyond setting up a "longass" password & putting up MAC & IP filtering; none of my friends were really that savvy with code/hacking (apart from PaulYell) and even then he only hacked a PC once and it took him the whole LAN :-X


The consensus seems to be that a wireless network will draw CS students like bears to honey. That was the main worry for me. I'm not paranoid about attacks from the internet; more about attacks from within..eeeek

If I used something like ESET (what I use) would they be able to hack into my PC? I'm not too sure how clever they will be as they are first year students... Surely there must be something to keep them out of the network altogether? I thought that the Draytek's firewall would be enough. It sounds like I would need a separate hardware firewall or something? :-/


TBH I'm more confused now than when I first posted :P I guess I will just have to cower behind my wired network.....

kyhwana2
2572 posts

Uber Geek
+1 received by user: 233


  #439930 15-Feb-2011 18:09

Don't bother with MAC filtering, it's easy to spoof (since the MACs have to be sent unencrypted)


What's ESET? The Draytek's firewall would be where in the network though?

You need to draw up a diagram of what will be plugged into where and how you're going to access the uni network.

Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #439931 15-Feb-2011 18:10

Don't consider any of the standard wireless encryption schemes secure, every month it gets easier and easier to break them :)




Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #439932 15-Feb-2011 18:14

phant0m: I know virtually zilch about networking apart from the odd bit I've picked up from wrestling with LAN networks over the years.

Security wise beyond setting up a "longass" password & putting up MAC & IP filtering; none of my friends were really that savvy with code/hacking (apart from PaulYell) and even then he only hacked a PC once and it took him the whole LAN :-X


The consensus seems to be that a wireless network will draw CS students like bears to honey. That was the main worry for me. I'm not paranoid about attacks from the internet; more about attacks from within..eeeek

If I used something like ESET (what I use) would they be able to hack into my PC? I'm not too sure how clever they will be as they are first year students... Surely there must be something to keep them out of the network altogether? I thought that the Draytek's firewall would be enough. It sounds like I would need a separate hardware firewall or something? :-/


TBH I'm more confused now than when I first posted :P I guess I will just have to cower behind my wired network.....


Didn't mean to confuse :) To be honest perhaps sticking with wired when you can and a standalone wireless access point, then just turn the wireless on and off when you need it





rattewisday
205 posts

Master Geek
+1 received by user: 5


  #439936 15-Feb-2011 18:24

WPA2-AES is safe at the moment as long as you have a sufficient password/passphrase. I recommend using a randomly generated maximum length key (63 chars I believe) - there are a bunch of generators online. Just to reiterate WPA2-AES with a long random key has not and cannot be broken by *anyone* at present without an impossible amount of processing power and time. Don't bother with MAC address filtering or hiding the SSID - these are both virtually pointless assuming someone is trying to break into your connection.
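Added example, not part of rattewisday's post or the thread: a Python sketch that generates a maximum-length random WPA2 passphrase locally and derives the 256-bit pre-shared key the way WPA2-Personal does (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). The SSID and the guesses-per-second figure are constructed values used only to compare a short passphrase with a 63-character random one.

```python
import hashlib
import math
import secrets
import string

# WPA2-Personal passphrases are 8..63 printable ASCII characters.
# Space is also legal but omitted here to avoid copy/paste mistakes.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def generate_passphrase(length: int = 63) -> str:
    """Random passphrase drawn from the OS CSPRNG (not the 'random' module)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PSK as WPA2 derives it: PBKDF2-HMAC-SHA1, SSID salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an ASSUMED guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    ssid = "ExampleHallAP"   # constructed SSID
    rate = 1e6               # assumed guesses per second, illustration only
    pw = generate_passphrase()
    print("passphrase :", pw)
    print("PSK        :", derive_psk(pw, ssid).hex())
    # The PSK itself is 256 bits, so passphrase entropy beyond that adds nothing.
    print("entropy    : %.0f bits (capped at 256 by the PSK size)" % entropy_bits(63))
    weak = entropy_bits(8, 26)
    print("8 lowercase letters: %.1f bits, %.4f years at the assumed rate"
          % (weak, years_to_exhaust(weak, rate)))
    print("63 random chars    : %.3g years at the assumed rate"
          % years_to_exhaust(min(entropy_bits(63), 256), rate))
```

Because the SSID is the salt, the same passphrase yields a different PSK on a network with a different name.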

phant0m

21 posts

Geek


  #439953 15-Feb-2011 18:55

OK so because this is an old office building the entire cable infrastructure is still in place. I've talked to the guy who did the wiring and from what I can understand they left in provisions to allow students to have their own ADSL connection.

It is completely separate from the university network and it cannot be monitored or filtered by the university.

So it is basically going to be router > modem > ADSL network or wireless modem > ADSL network.

Is there no way to allow only authorized computers onto the network? I guess I will just have to stick with a wired network for now as wireless seems very complicated :P I may buy the Vigor 120 though....

Just for your interest this was the wireless modem I was going to get - http://nicegear.co.nz/routers/draytek-vigor-2710ne-adsl2-modemrouter/


[EDIT] ESET as in a software firewall, so even if they got onto the network they couldn't get into my PC...

By the sounds of it the best option is to have a very long randomly generated password and to change it regularly.

kyhwana2
2572 posts

Uber Geek
+1 received by user: 233


  #439956 15-Feb-2011 18:59

What's the ADSL network or wireless modem in the middle for?
Why not get a router/modem combo?

You can authorise a computer by giving them your WPA2 key ;)

Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #439957 15-Feb-2011 19:04

phant0m:
[EDIT] ESET as in a software firewall, so even if they got onto the network they couldn't get into my PC...

By the sounds of it the best option is to have a very long randomly generated password and to change it regularly.


That's a good compromise. Keep an eye on your bandwidth usage as well, any spikes that you can't account for and change the password. It's a good habit to get into :)




phant0m

21 posts

Geek


  #439965 15-Feb-2011 19:28

If I had a bigger budget would there be something hardware based that could be recommended?

Some way of preventing them access to the modem's settings once they were on the network? So even if they could get onto the network they could not access the internet, etc. IE they get through the first wall only to be confronted by...another wall!! :p

kyhwana2
2572 posts

Uber Geek
+1 received by user: 233


  #439969 15-Feb-2011 19:31

Uh, you can just change the password on the modem (which you should be doing anyway). As long as it's not guessable, they won't be able to log in to your modem router and change your settings. This doesn't stop them from accessing the 'net though.

You could try MAC filtering, but there's nothing stopping them from spoofing your MAC address (easy to do!) and then getting online via your DSL connection.

phant0m

21 posts

Geek


  #439981 15-Feb-2011 19:40

And I assume there is no way to stop them spoofing my MAC address? I can't quite make heads or tails of this but Draytek seems to have IP-MAC BIND - http://new.draytek.com/.upload/pdffiles/c0671fe79c540364c1b068d1d87d485b.pdf I don't know if that would help!

quandum
204 posts

Master Geek
+1 received by user: 5


  #440063 16-Feb-2011 02:21

l43a2: a CS student isnt gnna break WPA2/AES over night..


+1 and if (s)he does, (s)he's doing the wrong course. :-)




I would love to change the world, but they won't give me the source code

#BOFH
