Network Paranoia

Tags:
Firewalls
Wireless Access Points
I have WEP enabled on my wireless router. However, I have a small 4 port firewall that I want to use in addition to wireless router firewall and my software based firewall. Is this doable?

Answer Wiki


First thing I would do is <b>change from WEP to WPA</b>, it is <b>MUCH</b> stronger protection, and does not have the vulnerabilities of WEP. That alone will secure the wireless network.

Putting a firewall between the wireless and wired networks is perfectly feasible. If in ‘normal’ mode then the wireless network will be one subnet, and the wired network a different subnet, and the firewall routes between them. Some firewalls can also work in transparent mode, which means that the wireless and wired networks are on the same subnet, and the firewall operates at layer 2.

However, I am not sure what you think the firewall will do for you. Unless it also has virus/trojan/malware scanning capability, and the wireless clients are thought to be likely to be infected from connection to other networks, then the firewall is not really going to increase the security of your network (providing you changed to WPA from WEP).

The firewall restricts what can be accessed. In normal deployment, it sits between your network and the Internet, and allows you to access anything on the Internet, remembers what conversations you are having, and allows back the replies. What it stops is anything initiated from the Internet back to you, unless you make exceptions in the rules, such as when you host a webserver, or mailserver. That is how it protects your network, so putting it between a trusted wireless and a trusted wired network is not a particularly good place for it to go.

I cannot stress this enough. <b>CHANGE FROM WEP TO WPA</b>. Then you can sleep easy in your bed at night, and all the paranoia will go :-)
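The stateful behaviour the answer describes (outbound conversations remembered, their replies let back in, unsolicited inbound traffic dropped unless an exception such as a hosted web server exists), as an added illustration that is not part of the original answer. The addresses, ports and the `StatefulFirewall` class are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology: the firewall sits between this LAN and the Internet.
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Minimal model of a stateful firewall at the Internet edge (example code)."""

    def __init__(self, exceptions=()):
        # (inside_ip, port) pairs explicitly opened to the Internet, e.g. a web server.
        self.exceptions = set(exceptions)
        # Remembered outbound conversations: (src, sport, dst, dport).
        self.state = set()

    def filter(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) in LAN:
            # Outbound: allow it and remember the conversation so the reply can return.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound: only a reply to a remembered conversation or an explicit exception.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "ALLOW"
        if (pkt.dst, pkt.dport) in self.exceptions:
            return "ALLOW"
        return "DROP"


def demo():
    """Run four constructed packets through the model and return the verdicts."""
    fw = StatefulFirewall(exceptions=[("192.168.1.10", 80)])
    traffic = [
        Packet("192.168.1.20", 51000, "203.0.113.5", 443),   # LAN client opens HTTPS
        Packet("203.0.113.5", 443, "192.168.1.20", 51000),   # the reply comes back
        Packet("198.51.100.9", 40000, "192.168.1.20", 445),  # unsolicited probe from outside
        Packet("198.51.100.9", 40001, "192.168.1.10", 80),   # request to the hosted web server
    ]
    return [fw.filter(p) for p in traffic]
```

Run between two networks that both count as "inside", every packet would match the first branch and nothing would be filtered, which is the answer's point about placement.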

Discuss This Question: 2  Replies

  • Kevin Beaver
    Good point BlankReg, however you should never, ever assume that just because WPA or WPA2 is being used that you're automatically secure from wireless attacks. Elcomsoft's Wireless Security Auditor (EWSA) takes WPA and WPA2 pre-shared key cracking to an entirely new level. Using the mathematical acceleration provided by certain video cards (several from NVIDIA and ATI are supported) EWSA can be used to perform a dictionary crack of your pre-shared keys at a rate of up to 50,000 keys per second. So, WPA and strong pre-shared keys are a must... even if you've tested your wireless encryption and have come up with no weaknesses there's still likely room for improvement.
  • Rklanke
    Yes, change from WEP to WPA with strong encryption, but use strong keys as well. Weak keys are the failure point in any encryption scheme. See Steve Gibson's https://www.grc.com/passwords.htm, and it is free.

    I, too, don't see the point of multiple firewalls. Unless, perhaps, you're hosting a server. You're not hosting a server, are you? (That includes peer-to-peer file sharing, by the way.) There are products sold as firewalls and there's the concept of the firewall. Conceptually, a firewall filters (drops, ignores) network traffic. What did you want filtered? Remember that you are concerned with inbound and outbound traffic. Without a server, "ignore unsolicited inbound traffic" and "don't install any trojan horses" are your goals. This you can implement using a single firewall. With a server, your goals are more complicated and could require additional traffic filtering (additional firewalls).

    Don't advertise your SSID. Some things you don't advertise. You know your SSID (and your key). Do not leave plug-and-play enabled on your wireless router. Do not configure your wireless router (and your firewall) to enable peer-to-peer file sharing. Too often people enable unsolicited network traffic to reach the end device. Too often the wireless router is breached and the firewall is breached because someone has configured them to leave little protection. See the Microsoft Technet article Secure Wireless Access Point for additional considerations.

    Not security related, but: Is that a b/g router? Bear in mind that when an 802.11b device connects (at up to 11 Mbps), the 802.11g devices operate at reduced throughput (up to 11 Mbps, not the desired 54 Mbps). Get rid of your 802.11b devices and switch the router to 802.11g only. Not security related, but: On the client, add Xirrus WiFi tools. Great information, free, ultra-nerdy, important information.

    Back to security: Is that a corporate, not home implementation? Have a concern about your perimeter? Don't like the idea of someone sitting in your parking lot, sniffing your traffic? You've implemented WPA with strong encryption AND strong keys (because an easily guessed password defeats any encryption) and you're not broadcasting your SSID, so you should be safe. Just in case, though, take that old b/g router and put it a little way into the parking lot, just far enough that eavesdroppers get this router; just far enough that it has the strongest signal. These "honey-routers" would be configured like production routers. They get power but they don't get a network drop. Don't put these "honey-routers" on your corporate network. The trick you're exploiting is: eavesdroppers cannot choose the device they connect to; they get these nearby "honey-router" devices. When they connect successfully (because they're disgruntled ex-employees, perhaps), they cannot get interesting information. They get stuck on these "honey-routers". Now you need a way to protect these "honey-routers" from being disconnected from power or stolen. They will be discovered. Alarm them and include them within the range of your security cameras. Do not give in to the temptation of connecting them to the facility network to send an alert when they go off-line. Do not give eavesdroppers a way to acquire more information.
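Both replies above turn on passphrase strength: Kevin Beaver's 50,000 guesses per second and Rklanke's "weak keys are the failure point". The following added example (not from either commenter) shows why: the WPA/WPA2 pre-shared key is derived from the passphrase and SSID with PBKDF2-HMAC-SHA1 as specified in IEEE 802.11i, so an attacker's throughput is bounded by that derivation and the defender's lever is the size of the passphrase space. The `years_to_exhaust` helper and the example passphrase spaces are constructed for this illustration.

```python
import hashlib

SECONDS_PER_YEAR = 365 * 24 * 3600


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key as 802.11i specifies:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.
    Those 4096 iterations are the cost of every guess, which is what keeps
    the guessing rate in the tens of thousands per second rather than millions."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def years_to_exhaust(alphabet_size: int, length: int, keys_per_second: float) -> float:
    """Worst-case time to try every passphrase of a given length and alphabet
    at a given guessing rate (constructed helper for the estimate)."""
    candidates = alphabet_size ** length
    return candidates / keys_per_second / SECONDS_PER_YEAR


def strength_report(keys_per_second: float = 50_000) -> dict:
    """Compare a short lowercase passphrase with a long mixed one at the
    guessing rate quoted in the discussion (constructed example spaces)."""
    return {
        "8 lowercase letters": years_to_exhaust(26, 8, keys_per_second),
        "20 printable ASCII chars": years_to_exhaust(95, 20, keys_per_second),
    }


if __name__ == "__main__":
    # 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    for label, years in strength_report().items():
        print(f"{label}: {years:.3g} years to exhaust")
```

A space that exhausts in under a year at 50,000 keys/s is a dictionary problem waiting to happen; a long random passphrase from a generator such as the one Rklanke links puts the search far beyond any hardware budget.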
