

Blue2
Premium
join:2004-04-14
France
kudos:1

Router security-changed pwd,SSID,disabled wireless, now what

My ISP has moved to fiber optic and that's brought the possibility of upgraded equipment. Up to now, I've been using a simple broadband cable modem (30MB). I've now been provided a modem-router-wifi (100MB), and since I know nothing about networks, I'm not sure where to start.

(1) Would it have been more secure to get them to just upgrade to a 100MB modem (not a modem-router-wifi) and then connect a Zyxel X-550 wifi router to it ?

(2) If that wouldn't make much difference, what are the basic steps to secure the modem-router as it is a Castlenet CBV734EW, came with one page of lame instructions in French (connect the AC adapter, connect the RJ45 cable...), and there isn't much info on the net?

I'll be connecting two notebooks under XP Pro via wired connection, and they won't need to share any other network devices other than the router. I accessed the router configuration page and did the following immediately:
-- Changed the password (though it doesn’t permit me to change the user ID)
-- Disabled wireless
-- Changed the SSID

Other than that, what basic steps should I take as the menu is long and not self-explanatory:

BASIC Setup
- Do I need to manually enter the DNS servers? (they seem to be automatically recognized)
- Do I need to enter something for “Spoofed MAC Address”?

DHCP - Configuration and status of the optional internal DHCP server for the LAN.
- Number of CPEs ? (not sure what this is)
- WINS addresses

DDNS - This page allows setup of Dynamic DNS service.

ADVANCED
Options:
- WAN blocking (enabled)
- Ipsec PassThrough
- PPTP PassThrough
- Multicast Enable (enabled)
- UpnP Enable
- Rg PassThrough
- Pass Through Mac Addresses

IP Filtering - Configuration of IP address filters in order to block internet traffic to specific network devices on the LAN.

MAC Filtering - Configuration of MAC address filters in order to block internet traffic to specific network devices on the LAN

Port Filtering - Configuration of port filters in order to block specific internet services to all devices on the LAN.

Forwarding - Incoming requests on specific port numbers to reach web servers, FTP servers, mail servers, etc. so they can be accessible from the public internet.

Port Triggers – xx not necessary

DMZ Host – xx not necessary

FIREWALL
- Filter Proxy
- Filter Cookies
- Filter Java Applets
- Filter Active X
- Filter Popup Windows
- Block Fragmented IP Packets
- Port Scan Detection
- IP Flood Detection
- Firewall Protection
Are any of these firewall options helpful or would they conflict with Kerio?

PARENTAL CONTROL

WIRELESS
- Network type (Open / Closed ?)
- Country (Worldwide ?)
- Channel
- Interface (DISABLED, but should I set up a WPA2 key first and then disable wireless?)
- Create SES (SecureEasySetup) Network

Sorry for the long post and any suggestions would be welcome and appreciated.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

What you have already done should be sufficient.

Do I need to manually enter the DNS servers?
Only if you are having problems with the ones assigned by the ISP.
Do I need to enter something for “Spoofed MAC Address”?
Only if you are having problems. This is typically needed when your ISP recognizes you by MAC address, and you later install the router. Then you need to set that router to use the MAC address that your ISP recognizes (or contact the ISP and have them change their settings).
Number of CPEs ? (not sure what this is)
CPE = Customer Premises Equipment. Enter the number of computers you expect to have on the home LAN. Be generous, and allow for later expansion. The chances are that the default is already sufficiently generous.
WINS addresses
If you don't know what that is, then you don't need it. It's only needed in a complex Windows environment.
DDNS - This page allows setup of Dynamic DNS service.
If you don't know whether you need that, then you don't need it. There are some sites that will assign you a hostname, and set up DNS so that it points to your address. This setting is so that the router will inform that site when your public IP changes, so that it can update its DNS settings.
UpnP Enable
If you are not using that, I would suggest you disable. If you are an internet game player, then you probably need it.
The others should be okay at the defaults.
IP Filtering
If there are children in the house, and you want to restrict the sites they can access, then use this. Otherwise don't bother.
MAC Filtering
If you have a computer that you want to block from internet access, but allow it LAN access, then use this. Otherwise don't bother.
Port Filtering
Only needed if you are paranoid.
Forwarding
Only needed if you are running a server on one of your systems, and want that server to be accessible from the internet.
Are any of these firewall options helpful or would they conflict with Kerio?
They should not interfere, since they are running on the router rather than the PC. Unless you are paranoid, I wouldn't bother.
Interface (DISABLED, but should I set up a WPA2 key first and then disable wireless?)
You could. That would provide protection in case it was accidentally enabled.
--
AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.14


Blue2
Premium
join:2004-04-14
France
kudos:1

Wow.

What an amazingly helpful post. This was like a crash course on configuring a home network. I am extremely appreciative and hope that others will benefit from it as well.

The ISP network technician who dropped off the equipment (handling the tv network equipment) didn't even know the difference between WEP and WPA, so I figured I should come here with my security questions.

Thanks again nwrickert.



Blue2
Premium
join:2004-04-14
France
kudos:1

reply to Blue2

I'm really confused by the Castlenet wireless configuration page. I thought I could just create a WPA2 key.

Given this interface, what's the securest method? I assume I don't have to select all of this, so which selections do I need to make?

-- WPA2 or WPA2-PSK?
-- Do I use the WPA Pre-Shared key and select "show key"?
-- Does a home user even have access to a RADIUS server?
-- What about group key rotation and WPA/WPA2 interval?
-- Do I ignore the WEP section ?
-- Do I ignore SESWPS or is it better/easier to use it?

Are all router configuration interfaces this confusing? As my first home network setup, I have nothing to compare this to. But I'm curious if I would have been better off requesting a new cable modem (rather than this not well supported router modem), and then connect a Zyxel X550 router to it? Does having a separate modem and router provide a safer network setup than an all-in-one device?


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

Be aware that I am not familiar with your Castlenet router.

WPA2 or WPA2-PSK
Go with WPA2-PSK.
Do I use the WPA Pre-Shared key and select "show key"?
That's fine. The "show key" probably means that it will display the actual key on that page, rather than a row of asterisks. If your router is secure, that should not be a problem. But since you are disabling WiFi, it doesn't much matter.
Does a home user even have access to a RADIUS server?
Only if you run a radius server. There's no need to do that. It's really an option for business. If you are using WiFi at home, sharing the key between 2 or 3 computers is no big deal. If you have 100 users at a business, then a key shared with 100 people is sure to leak out. So a radius server allows individualized passwords.

Take the defaults for other WPA stuff. And ignore the WEP section. The WEP section might become greyed out, once you enable WPA2-PSK.
Are all router configuration interfaces this confusing?
I didn't find it confusing. But, yes, the first time you see it, then it is likely to seem confusing.
Does having a separate modem and router provide a safer network setup than an all-in-one device?
There's probably not a lot of difference in safety. But there is more flexibility, and the separate router might be a bit more robust under heavy load (or maybe not). I'm currently using separate modem and router with my DSL line. I had previously been using a combination in one box. The home network is a lot more reliable with the separate units. It's mostly a matter that the separate router had a feature that would improve reliability in my circumstances.
--
AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.14


Blue2
Premium
join:2004-04-14
France
kudos:1

said by nwrickert:

Be aware that I am not familiar with your Castlenet router.
Nor am I and there's no documentation, not with the router, not on their website. The Castlenet homepage is in Taiwan, has few words in English, indicates nothing, and provides a pdf with modem specifications that is blank. How reassuring. So this is probably an el cheapo cheapo router.

Ha, this is pretty funny. I couldn't get the key to be accepted and kept getting a message that it could not connect to the RADIUS server. Then I realized that noscript was enabled. It blocked the scripts on the page. Gee, it only took me 30 minutes to realize that.

I selected WPA2-PSK, chose TKIP + AES (in case my hardware won't support AES) and applied a random 63 character key.

I set this up via a wired connection on a PC that doesn't have wireless, so I will have to test this tomorrow on the portables with WiFi to at least confirm that WPA2 is working before disabling it.

Thanks again for walking me through this. Without your help I would have been staring at that configuration page for hours.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

Ha, this is pretty funny. I couldn't get the key to be accepted and kept getting a message that it could not connect to the RADIUS server. Then I realized that noscript was enabled. It blocked the scripts on the page.
Yes, routers tend to use scripting.

I put 192.168 in my whitelist for noscript. Well, that's on my desktop. I won't do that on my laptop, because I might be using it away from home on an untrusted network.
--
AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.14

over 12.5 years online © 1999-2012 dslreports.com.