Belt and Suspenders

JimS

Now that I've converted from wap11 access point with
file/printer sharing to a WRT54G router in gateway mode I
wonder about using wep64 encryption and Norton Internet
Security. I'm running wifi with xp/2k/98se plus HP2510
wireless printer. (Actually I've got Norton's firewall
turned off because I cannot make it work by programming
the Trusted Zone.) My question is:

Should I just turn off encryption and leave Norton's
firewall off and depend on the WRT54G gateway to protect
me?
 
Steve Winograd [MVP]

"JimS" said:
> Now that I've converted from wap11 access point with
> file/printer sharing to a WRT54G router in gateway mode I
> wonder about using wep64 encryption and Norton Internet
> Security. I'm running wifi with xp/2k/98se plus HP2510
> wireless printer. (Actually I've got Norton's firewall
> turned off because I cannot make it work by programming
> the Trusted Zone.) My question is:
>
> Should I just turn off encryption and leave Norton's
> firewall off and depend on the WRT54G gateway to protect
> me?

You need encryption to keep unauthorized users from connecting to
your wireless network. Whatever an intruder does on the Internet
through your network would appear to come from you. If illegal
activity occurs, the authorities will come knocking on your door. Use
the highest level of encryption that your equipment supports, which is
probably wep128.

The WRT54G gateway protects you against undesired incoming traffic
from the Internet. It can't protect you against undesired outgoing
traffic from spyware or hacker programs on your computer. If you want
that protection, you need a firewall program. If you can't get Norton
to work (and I've had trouble configuring it to allow local area
network access, too), use another firewall, like ZoneAlarm.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
JimS

Thanks, Steve.

I'm using wep64 since my 98se machine won't support
wep128. What do you think about using mac filtering
and/or disable SSID broadcast as another way to get
security without encryption? I feel that my internet
access is slower since I enabled it. Also, transferring
files between computers is very slow. Is it worth while
to go to other methods in order to turn off encryption?
I'm reluctant to charge into mac filter or SSID disable
because I've spent a lot of time around the web lately at
forums like this one and no one ever talks about them.
Should I just leave well enough alone?
 
Steve Winograd [MVP]

> Thanks, Steve.
>
> I'm using wep64 since my 98se machine won't support
> wep128. What do you think about using mac filtering
> and/or disable SSID broadcast as another way to get
> security without encryption? I feel that my internet
> access is slower since I enabled it. Also, transferring
> files between computers is very slow. Is it worth while
> to go to other methods in order to turn off encryption?
> I'm reluctant to charge into mac filter or SSID disable
> because I've spent a lot of time around the web lately at
> forums like this one and no one ever talks about them.
> Should I just leave well enough alone?

You're welcome, Jim.

I recommend using MAC address filtering as an additional security
measure. If you add a new wireless card to the network, remember to
add it to the list of allowed MAC addresses -- I've forgotten to do
that more than once, making it appear that the new wireless card was
defective.

I don't think that disabling SSID broadcast is particularly useful,
and it can cause problems connecting to your own network using XP's
Wireless Zero Configuration service.

I've read that encryption can slow down the transfer rate of some
wireless network equipment. However, I think it's almost certain that
the network will still be faster than the feed from your ISP. When I
want to transfer large files on my home network, I set up a temporary
wired connection between the computers. I don't know if that's
possible in your setup.

I wouldn't turn off encryption under any circumstances, even with MAC
address filtering.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

 
JimS

Steve, I'm going to give mac filtering a try. My router,
Linksys wrt54g, wants mac addresses for each pc. I assume
that these are the 12 hex digit physical addresses which I
can get with ipconfig, right? I'll enter one for each of
the 3 pcs and one for the hp2510. Any other advice?
 
Steve Winograd [MVP]

"JimS" said:
> Steve, I'm going to give mac filtering a try. My router,
> Linksys wrt54g, wants mac addresses for each pc. I assume
> that these are the 12 hex digit physical addresses which I
> can get with ipconfig, right? I'll enter one for each of
> the 3 pcs and one for the hp2510. Any other advice?

Yes, use the physical address from ipconfig.

Here are some other possible security measures, but I don't usually
implement them when using encryption and MAC address filtering:

1. Limit the pool of available addresses from your router's DHCP
server to the number of computers/printers that you have.

2. Turn off your router's DHCP server and assign static IP addresses
to the router's LAN interface and all of the computers/printers. Use
an obscure private IP address range like 172.16.23.x.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

 
JimS

Steve, you are a tremendous help!

I have enabled mac filtering and all is well. I also have
reduced my "Maximum number of DHCP users" to 5 which is
one more than the number of computers and wireless
printers. The reason I've set it at one more is that the
router does not always start at the base and count up by
one. In fact right now I'm not using the 192.168.1.100
starting IP at all. I think that this is why you also
recommend using static IP, right?

Before switching to static, please answer this:
1. Do I just go to the router and disable DHCP Server,
Program in the static IP, physical address, and host name
for each computer and the printer.
2. Then go to each computer and under Network Connections
select Internet Protocol->properties and select Use the
following IP address. Then restart.
3. For the printer it is configured over the network from
a computer. Should I first configure it with a static IP
before step 1? I'm very worried about the order of doing
these things since I'll lose network access to the printer
when I change IP.

For the static IPs can I choose anything I want? Are
there certain IPs reserved for other things? Of course my
router is at 192.168.1.1 so I'll avoid that.

 
Steve Winograd [MVP]

"JimS" said:
> Steve, you are a tremendous help!
>
> I have enabled mac filtering and all is well. I also have
> reduced my "Maximum number of DHCP users" to 5 which is
> one more than the number of computers and wireless
> printers. The reason I've set it at one more is that the
> router does not always start at the base and count up by
> one. In fact right now I'm not using the 192.168.1.100
> starting IP at all. I think that this is why you also
> recommend using static IP, right?

It doesn't matter whether the DHCP server starts allocating addresses
at 1 or 100 or whatever. If you want to keep using DHCP and limit the
DHCP pool to the number of computers and printers that you have, shut
down all the computers and printers first, then set the limit, then
start them up again.

> Before switching to static, please answer this:
> 1. Do I just go to the router and disable DHCP Server,
> Program in the static IP, physical address, and host name
> for each computer and the printer.

You connect to the router's web interface and disable the router's
DHCP server

> 2. Then go to each computer and under Network Connections
> select Internet Protocol->properties and select Use the
> following IP address. Then restart.

Right.

> 3. For the printer it is configured over the network from
> a computer. Should I first configure it with a static IP
> before step 1? I'm very worried about the order of doing
> these things since I'll lose network access to the printer
> when I change IP.

That sounds right.

> For the static IPs can I choose anything I want? Are
> there certain IPs reserved for other things? Of course my
> router is at 192.168.1.1 so I'll avoid that.

These address ranges are reserved for private networks by the Internet
Assigned Numbers Authority:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

I suggested static IP addressing because it's one more obstacle that a
potential intruder would need to overcome: determining what IP
addresses your network uses. With DHCP, an intruder could
automatically get an IP address assignment.

However, I normally rely on just WEP encryption and MAC address
filtering, and I don't recommend using static IP addresses.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

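
An added example, not part of the original thread: a check of a static addressing plan against the private ranges listed in the reply above, which also flags the addresses a host cannot use inside a subnet (the network address, the broadcast address, the router's own address, and duplicates). The function name, device names and sample addresses are constructed for illustration.

```python
import ipaddress

# The three private ranges listed in the reply above, in CIDR form.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_static_plan(router, netmask, hosts):
    """Return a list of problems in a static addressing plan (empty = OK).

    router/netmask describe the router's LAN interface; hosts maps a
    device name to its proposed static address. All names are hypothetical.
    """
    problems = []
    router_ip = ipaddress.ip_address(router)
    lan = ipaddress.ip_network(f"{router}/{netmask}", strict=False)
    if not any(lan.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"LAN {lan} is outside the private ranges")
    seen = {}
    for name, addr in hosts.items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{name}: {addr!r} is not a valid address")
            continue
        if ip not in lan:
            problems.append(f"{name}: {ip} is not on the router's subnet {lan}")
        elif ip == lan.network_address:
            problems.append(f"{name}: {ip} is the subnet's network address")
        elif ip == lan.broadcast_address:
            problems.append(f"{name}: {ip} is the subnet's broadcast address")
        elif ip == router_ip:
            problems.append(f"{name}: {ip} is the router's own address")
        if ip in seen:
            problems.append(f"{name}: {ip} is already assigned to {seen[ip]}")
        seen.setdefault(ip, name)
    return problems


# Constructed sample plans (device names and addresses are made up).
GOOD_PLAN = {"xp": "172.16.23.10", "w2k": "172.16.23.11",
             "win98": "172.16.23.12", "printer": "172.16.23.13"}
BAD_PLAN = {"xp": "192.168.1.1", "w2k": "192.168.1.255",
            "win98": "192.168.2.12", "printer": "192.168.1.0",
            "laptop": "192.168.1.20", "spare": "192.168.1.20"}

if __name__ == "__main__":
    print(check_static_plan("172.16.23.1", "255.255.255.0", GOOD_PLAN))
    for problem in check_static_plan("192.168.1.1", "255.255.255.0", BAD_PLAN):
        print(problem)
```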
 
JimS

Thanks for all your replies, Steve. You are very helpful.

I think I'll not go to static IP since I'm a little afraid
of getting everything assigned right without losing
control of something. So I will stick with DHCP but I
will shift the Starting IP address away from the standard
192.168.1.100 to something in the ranges you suggested.
I'll follow these steps:
1. Turn off the wireless computers and printer.
2. Use the computer which is wired to the router.
3. Disable mac filtering.
4. Change Max DHCP IP to 4 (no extras).
5. Change Starting IP address.
6. Boot wired computer.
7. Enable mac filtering with the new range.
8. Turn on wireless computers and printer.
9. Reset NIS trusted zones on each wireless computer.
10. See if everything still works.

By the way, today my NIS trusted zones started working so
I've had it enabled all day. I don't know why it wouldn't
work before.

I think that I will be about as secure as possible with
two exceptions:
1. If one of my computers is off someone could sneak in
and use the IP if he could somehow figure out what it is.
But maybe my router will broadcast it to him.
2. If someone achieves 1. then he'd only have to deal with
wep64 since that's the best encryption I can do across my
xp/2k/98se network.

What do you think?