How to Protect your wifi-Lan

Triplejolt · February 7, 2007, 9:56am

Don’t forget IP Unnumbered, which allows IP traffic without an IP address…
(:NRD)

pandlouk · February 9, 2007, 1:11am

Thanks Triplejolt,
but the problem is that if I add the IP unnumbered configuration how will I explain it at the novice users? 88)

d_squared · February 9, 2007, 3:57am

For most home user that have a factory firmware in their wireless router, I don’t think that they would even be able to select the option. And those that are using aftermarket firmware probably know how to handle that particular scenario.

Using a WRT54GS as an example, all of the subnets that it will allow can be selected via a drop down menu. So going into IP Unnumbered is not even an option.

Triplejolt · February 9, 2007, 9:49am

Don’t put IP unnumbered in there Pandlouk… I was just trying to be funny
IP unnumbered is a feature used by Cisco to be able to conserve IP addresses. Normally, home DLS routers don’t support this as this rely on tunneling protocols and Layer 2 capability.

system · March 1, 2007, 1:12pm

Is it correct to say that my ADSL router’s firewall also protects my wife’s
laptop which connects to the net via a wireless access point ? The access
point is connected to my aforementioned router. Her wireless AP is secured
with WPA2-PSK encryption key and uses the AES encryption algorithm.
Strong passwords were used for both the AP login and the encryption key.
Plus SSID is not broadcast and MAC access control (only my router’s LAN port).
We are not networked i.e. no sharing is allowed and both have software firewalls etc.
Is my wife’s laptop secure ?
PS. I have the free Comodo Pro PF and wife still uses Sygate 5.5

Triplejolt · March 1, 2007, 1:45pm

Yes. You are both “protected” by the routers firewall. The computer firewall is another matter

sputnik365 · April 8, 2007, 4:45pm

disable wireless management

Triplejolt · April 11, 2007, 11:16am

Why?

imsoc · April 25, 2007, 4:34pm

Could someone please explain step #3 in a bit more detail?

My current network setup is as follows:

PC #1 - ethernet connection to wireless router (and modem)

PC #2 - wireless connection

PC #3 (my computer) - wireless connection

How do I isolate my computer from the other two, using the network zones and/or the firewall rules?

EricCryptid · April 29, 2007, 9:16am

Ok… One quick question on the subnet mask thingy. I’m using a Linksys WAG354G (Annex A) Wireless Gateway as my router. When I try to change the Subnet to 255.255.255.252 it says:

DCHP Start IP Address with Lan isn’t in the same network

What am I doing wrong?

EricCryptid · April 29, 2007, 9:28am

Attached is a pic of my router’s setup, maybe that’l help everyone answer my questions.

[attachment deleted by admin]

Triplejolt · May 3, 2007, 11:39am

Your starting IP address is beyond the subnet you’ve set for yourself. When you employ subnetting, you need to use the IP addresses within the same subnet. Otherwise it is treated as a different network. Thats what subnetting is, you further divide the network into smaller, independent segments.
If you plan to use 192.168.1.1 with the subnetmask 255.255.255.252, your starting address has to be either 192.168.1.1 or .2

When using the mask 255.255.255.252, you only have 4 IP addresses. The rule of thumb is that the 1st and the last address can’t be used, hence you only have 2 left to use for routers and computers.

You’re IP scheme will look like this:
192.168.1.0 255.255.255.252 - Network ID
192.168.1.1 255.255.255.252 - Router IP address
192.168.1.2 255.255.255.252 - PC IP address
192.168.1.3 255.255.255.252 - Broadcast address

Using this scheme you’re using the smallest possible subnet. For more information, look up the topic Subnetting in the Wikipedia.

Hope this answers your question

EricCryptid · May 11, 2007, 2:32pm

That’s a great help! Thanks! Got it working now!

I do have one other question at the moment… When Adding my router address as TRUSTED (Firstly creating a zone and then defining a trusted network) Due I set to Trust just 192.168.1.1 OR do I set to Trust 192.168.1.0 - 192.168.1.1 ???

Eric

Triplejolt · May 25, 2007, 7:38pm

Set trust to 192.168.1.0 255.255.255.252. That should cover both your computer and the router. When using the .0, you indicate the entire subnet (remember .0 being the ID, .1 and .2 the usable hostaddresses).
If you only want to enable trust for the router, enter .1 and the same mask.

Raccoon · July 18, 2007, 12:11am

I use my laptop on a number of different wireless networks, each with their own ip network masks. I would like to add rules (Trusted Zones, but more specific criteria) for each one, without having to create an individual rule for each one.

Might I request that Network Control Rules include the option to select multiple Zones as Source/Destination IP when creating rules? This would permit me to create a single rule that applies to all my “Trusted Zones”. Such as 192.168.0., 192.168.1., 10.0.0., 10.10.10., 239.255.255.0, 172.16.0.*, so on and so forth.

At present, it is only possible to select a single Zone when creating a rule.

This would be desired because I don’t want to trust ALL inbound/outbound connections, only for specific services such as File/Printer sharing, games, ICMP Echo, etc. I have created one rule for each of these and it’s all nice and tidy, but I have to duplicate each of these rules for each network I use, making the rule count increase exponentially. It would be nice to group them all together.

panic · July 18, 2007, 1:21am

The alpha version of V3 does exactly this!

Raccoon · July 18, 2007, 3:50am

Excellent! Now what about Zones that allow all possible IP masks/range/single/hostname that Rules do? :>

And would it be possible to have a Virtual Zone or Zone Variable called “ME” that automatically detects the machine’s local IP(s)? And it can be masked 255.255.255.255 or 255.255.255.0 or 255.255.0.0 etc

panic · July 18, 2007, 8:06am

Sort of. In CFP V3 you define a zone and then you can add multiple entries or qualifiers to that zone. For example, you can define a zone called “Trusted” and then add a series of entries fro that zone. One could be a range of IP addresses (192.168..0 - 192.168..255), another could be a netmask and a third could be a host name (don’t know whether hostnames support wildcards, but I suspect they would). Once these are defined, all you need to do is to use the zone name “Trusted” in a rule and that rule is then tested against all the qualifiers you’ve added to the zone.

Hope this helps,
Ewen

Raccoon · July 19, 2007, 1:38am

That does help, thanks. And it confirms the first part of my last reply.

As for the second part, where Comodo recognizes the machine’s own IP address(es), I would find this useful to trap inbound packets that reach my computer with a destination other than my computer’s IP address. This could detect malformed packets being flung at me or block attempts to use my computer as a gateway by unauthorized users. This might be particularly useful in a WiFi environment where I’m running my wireless card as an accesspoint, intended only for local file sharing and not web access.

Yet another question: Is Comodo capable of creating rules dependent on a specific device, not IP mask/zone (multiple devices can be connected to matching Zones (192.168.0.1 subnets).)?

Triplejolt · July 19, 2007, 6:17am

Could you specify what you mean by device please? A device can hold several identifiers: IP address, hostname (NetBIOS name) and MAC address. Can’t think of any others at the moment

If I’m not too mistaken, I think you can employ filters for all three of them now.

As for your second question, using rule sets that filters out IP addresses not directed at your computer will drop those packets. Unless someone is spoofing its source and destination address to compromise your computer. But this requires skill and an opertunity