WHAT WERE THEY THINKING?
You should really take the Basic Networking Course first, in case you have stumbled into this page. Go here. I have repeated here the "thirdborn" networking situation described in the Basic Networking Course. We are going to go ahead and add wireless networking to this existing wired network, and create a "fourth born" network here. There are several options, but I will first describe a technique that I cover in more detail here. First I want to have a little discussion on wireless networking, just between you and me, OK!
If you are one of those going to wireless first, instead of going the wired route, then I will translate the "thirdborn" to "wireless thirdborn." It is exactly the same, just that there are no wires connecting the wireless router with your PCs, of course. This configuration does not possess any of the security precautions that the "fourthborn" possesses, as discussed below. Nevertheless it is the route many of you are taking. You need to configure the wireless security measures in the NAT/Router, starting with WEP, and then if possible WPA. See here.
Let's face it, wireless technologies have invaded our networks. I have never seen something become so commonplace so fast in all my life. Over the space of the last four years [2003 and 2004 and 2005 and 2006], prices on wireless networking gear have plummeted beyond anybody's imagination [well, at least mine]. It may very well be everybody's first choice for home networking now, since it requires pretty much ZERO work in the way of wiring, drilling, sawing, climbing around attics and crawl spaces, fishing wires through walls, etc. Even my enterprise networking friends want to leap into this head first, but they realize how fraught with security concerns current wireless solutions are. So most are delaying and waiting.
This is rather unfortunate. Now I don't mean to demean wireless technologies for home networking, but this ease of use has come at a potentially devastating cost: the cost of security in our networks. We probably have only ourselves to blame for this, because we demand so much from these vendors, and there is such cutthroat competition to get these networking products to market. Vendors absolve themselves from pretty much any responsibility in the security arena, and customers want the latest and greatest and are, in general, very clueless about any security vulnerabilities.
Vendors have brought out the first generation of three separate wireless technologies without much consideration for security at all. And when they did have a security "solution," it was quickly breached. And when you install these wireless products, the default install is to have no security at all! That is shameless, and is only changing VERY SLOWLY.
So before we discuss wireless technologies, I would suggest that if you really care to have the absolute best network, meaning the most secure, the best performance, the most reliable, and the most proven techniques, you should really consider going ahead and installing all those wires for an Ethernet home network.
You see, we learned over the last 5 years or so the importance of putting a NAT/router or a firewall on our Internet connection in order to protect us from external probing and hacking. And we learned about keeping Windows up to date, installing and running current antivirus products, and running anti-spyware tools. So we were sitting pretty behind our NAT/router with all these protections.
But now look what has happened with wireless! We want to put wireless technologies on our home network to allow easy access from all over our house, but this very act has opened up the protected ("private" in the diagrams in this course) side of our network to the very dangers that we learned to guard against from external probing and hacking. Now we are liable to probes and hacking from the inside of our home network, unless we take some security precautions with our wireless installs! And the catch-22 is that we want our internal network to be very open in order to do all of our Windows networking!!
So how do we clamp down on wireless security, and yet have our home network be completely open so we can do all the home networking things that we did before once we were safely ensconced behind the NAT/router?
The secret is to be very stringent about who you allow onto the wireless network, using all the techniques at our disposal. We are gonna have to do some sort of authentication at layer 2, just like you do before you can connect to your ISP! You can go here and read about some of the safe wireless techniques as well.
So here I propose an alternative implementation of our wireless network which fits nicely into many of our already installed wired networks. Let us start with the wired thirdborn:
Let us add the wireless aspect to our wired network and create the "fourth born." As discussed here, the wireless devices actually sit on another private address space behind the NAT/Router. For most applications, this "double NATing" does not present a problem, and it actually prevents casual observation of your wired network. To make this work, we just connect the "WAN" or "upstream" port of the wireless NAT/router to another of the "LAN" ports on our wired NAT/router. We have to make sure that the wireless NAT/router will pick up its private IP address via DHCP from the wired NAT/router, and that the two private networks do not collide (that is, the wireless router's LAN must use a different private subnet from the wired router's LAN). See here for more details on this implementation.
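As an added example (not part of the original page), here is a small Python check for the "fourth born" layout just described: it verifies that the wireless router's WAN address really came from the wired router's LAN, that the two private subnets do not collide, and that both are RFC 1918 private space. The subnet and address values at the bottom are constructed samples, not from any real installation.

```python
import ipaddress

# RFC 1918 private ranges; both "private" sides of a double NAT must live in one of these.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(net: ipaddress.IPv4Network) -> bool:
    """True when the whole subnet sits inside a single RFC 1918 block."""
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)


def check_double_nat(wired_lan: str, wireless_wan_ip: str, wireless_lan: str) -> list:
    """Return a list of problems with a double-NAT layout; an empty list means OK.

    wired_lan       - subnet served by the wired NAT/router's LAN ports
    wireless_wan_ip - address the wireless router's WAN port obtained via DHCP
    wireless_lan    - subnet the wireless router hands out to wireless clients
    """
    problems = []
    outer = ipaddress.ip_network(wired_lan, strict=False)
    inner = ipaddress.ip_network(wireless_lan, strict=False)
    wan = ipaddress.ip_address(wireless_wan_ip)

    # 1. The wireless WAN port is a DHCP client of the wired router, so its
    #    address must fall inside the wired LAN.
    if wan not in outer:
        problems.append(f"wireless WAN address {wan} is not inside wired LAN {outer}")

    # 2. The two private networks must not collide, or the wireless router cannot
    #    tell local traffic from traffic that should go upstream.
    if outer.overlaps(inner):
        problems.append(f"wireless LAN {inner} overlaps wired LAN {outer}")

    # 3. Both sides must be RFC 1918 space; anything else is misconfigured.
    for label, net in (("wired LAN", outer), ("wireless LAN", inner)):
        if not is_private(net):
            problems.append(f"{label} {net} is not RFC 1918 private space")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a good layout, then a colliding one.
    print(check_double_nat("192.168.1.0/24", "192.168.1.100", "192.168.2.0/24"))
    print(check_double_nat("192.168.1.0/24", "192.168.1.100", "192.168.1.0/24"))
```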
I would seriously recommend that you consider a simple alternative like this. See this page for more info.
A little history....
Now I want to discuss a little history of the wireless technologies. I remember three or four years ago when vendors first introduced what they called "home RF," which was a precursor to the 802.? technologies. This technology had a very limited range. You can still find these products in operation, but I don't believe you can buy them anywhere (well, probably on eBay...). I can remember having trouble getting a laptop with the NIC to connect to a router 50 feet away if there was a wall in between. Very flaky.
A couple of years ago, 802.11b was introduced, and this was a big improvement because it operated at a lower frequency, 2.5 GHz, and thus the range was potentially in the hundreds of feet. It operates at about 10 MHz, much like Ethernet, although you actually wind up with maybe 1-5 MHz, depending on how good the signal is. It still will not penetrate through metal, and has trouble with concrete and other dense structures. But it was the breakthrough everybody was waiting for. It even had security precautions built in, using "WEP [Wired Equivalent Privacy]," based on RC4 encryption technology. Well, no sooner had the vendors introduced products with this than the geek community succeeded in breaking the encryption technique. And not only that, but they posted far and wide tools that allow the common ordinary everyday person like you and me to break this encryption. The only "protection" we have is that it takes a few million packets in order to break your encryption scheme. So somebody has to park on your network for a while in order to do this. Depending on your Internet use, a few million packets may or may not be a very long time.
802.11a was actually introduced earlier, but you will find it primarily in corporate environments. Very similar, but operates in a different frequency range, and does NOT interoperate with 802.11b and g.
802.11b products have flooded the marketplace over the past year, and unfortunately people have bought them in truly staggering numbers. And here is where the vendor community [and maybe the standards community] really let us down. All the products were shipped with the security enhancements turned off! The average user just completely ignored the security problems. Even if you turned the security enhancements on, you were liable to have them broken by very determined hackers. But WEP is still a good deterrent against any but determined hackers [unless your neighbor is a hacker!].
Of course once the standards committees realized what they had wrought, they were aghast, so they immediately came out with an interim fix which could work on the same hardware. They called this "WPA." And this security really works, except in a few special cases [like rogue APs - see later discussions]. But at the same time that this was happening, there was an updated wireless technology, called "802.11g," which upped the frequency on the wireless LAN from 10 MHz to 50 MHz. And the vendors stopped making 802.11b products and started flooding the market with 802.11g products. Now the WPA upgrades can be applied to the 802.11b hardware, but the vendors chose to work on including it with the 802.11g hardware first! So the chances of upgrading all the older 802.11b hardware with WPA may be close to zero!!! Thanks a lot, vendors.
So it is really a zoo out there. If you have not purchased wireless networking gear yet, you may be in luck if you purchase 802.11g hardware, since most vendors have included WPA in that product. Even if you find WPA technology, chances are you will have to upgrade your OS and your drivers to handle WPA, so it is not a straightforward solution. XP SP2 does have all this update, however. Several sections here describe how to do this for Linksys wireless products and the Windows XP OS.
There are further security standards in the works, notably 802.11i, which will necessitate new hardware, yet again most likely, to handle the brand new AES encryption scheme! See this section for a discussion of upcoming wireless technologies.
You can start here, and follow the wireless discussion on this site.
This page has the two upgrades you definitely need before you can do wireless networking in a pre-SP2 XP environment. SP2 does have the upgrades.
Copyright John D Loop Wednesday October 26, 2005