A Comparison of 802.11g Firewalls?

Posted by Cliff
from the protecting-your-airborne-packets dept.
peoria kid asks: "Does anybody know how to compare the firewall effectiveness between the different providers of 802.11g networking solutions? I am considering purchasing a base station for my parents and I do not know if the Apple Airport base station or others such as Linksys or Lucent have better encryption and firewall protection."
  • by Anonymous Coward
    They do NAT, and it's a side effect. If you want a real firewall, you need a real firewall or a computer running a real software firewall.
    • Yah, and so you should test them out first - they aren't really firewalls.

      If the attacker has direct access to the network of the external interface of the NAT box, the attacker can often make connections to the internal supposedly protected network.

      Detail: With a number of NAT boxes if you send a packet to the external interface with an internal IP address as destination, the box forwards the packet. The source addresses of returning packets often do get translated, but you should be able to detranslate
  • ...go with software. Get the best base station you can afford, then get either zonealarm or tiny firewall - free solutions, great security. These are your parents, not a huge corporation - you don't need to worry about ubersecurity.
  • Zyxel (Score:4, Informative)

    by astrashe (7452) on Tuesday December 30, 2003 @12:31AM (#7832845) Journal
    Take a look at Zyxel [zyxel.com].

    It's a NAT device, not a real firewall, but it's in the same category as the products you've mentioned, and it's more secure.

    I haven't used it, and can't vouch for it. But it's gotten some good press.

    As I understand it, if you can sniff enough packets that use the same key, you can crack the crypto. This thing uses a better (and standard) protocol that keeps changing the keys, so no one can sniff enough packets to recover the key.

    I'm not sure I understand why they've kept the weak algorithm and shored it up by changing keys. My guess is that the crypto is built into a lot of wireless card hardware, and you can still use the built-in hardware by rotating keys. A new algorithm would offload all of the crypto to the processor. That's just a guess, though.

    In any event, I think this is believed to be secure now. I think that recent patches to XP support the new protocol with most wireless net adapters -- if you run XP, you don't have to worry about vendor support on the client side.

    • I can vouch for it! Great, easy to config, and you don't even have to modify anything in an out-of-the-box situation.
      You can add a switch or router, this includes a DSL router for connections, to the back, so you don't even have to config an ip, just raw frames passed from one to the other.
      If you want to tweak it has lots of options.
    • Re:Zyxel (Score:3, Informative)

      by PapaZit (33585)
      Cisco (commercial) wireless APs do the same trick.

      Essentially, the WEP key that you type into the client is only used to get a new randomly-generated "session" key. It IS a part of the 802.11b/g spec, but many wireless cards don't expect the key changes, so you need to be careful about which products you buy (or, at least, you had to be careful when I looked at this stuff a year or so ago).
  • by DA-MAN (17442) on Tuesday December 30, 2003 @12:38AM (#7832881) Homepage
    It just happens to be a side effect of doing network address translation. Nothing comes in that isn't requested or related to connections made.

    They also have a default DENY policy which means that they are all about as secure as the other. The only problem would be if they came out with a new teardrop-like exploit that crashes the tcp/ip stack of the little routers, and that wouldn't affect security internally and would probably be solved by a firmware update.

    Because most are black boxes, you have to take whichever manufacturer's word for it that they have a solid tcp/ip stack that won't be susceptible to this sort of attack.

    Main thing I would worry about is the speed; find out what wireless firewalls are rated as the fastest. Make sure WEP is enabled and you have MAC address filtering. It's still not going to be nearly as secure as a cable.

    If you want to be secure, get a software firewall as well (ZoneAlarm, Tiny Personal, Norton, etc.), run Spybot or Ad-Aware, run a Virus Scanner and keep your software up to date.
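The NAT behaviour described in this thread (the first post's "they do NAT, and it's a side effect" plus the weakness of a box that forwards a WAN packet addressed straight to an internal IP, and this post's "nothing comes in that isn't requested") can be modelled in a few lines. This is an added example, not code from any poster or vendor; the NatBox class, its port allocation and all addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: a packet arriving on the WAN side addressed to one of
# these should never be forwarded, whatever the NAT table says.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)

class NatBox:
    """Toy stateful NAT with default-deny inbound (hypothetical model).

    filter_martians=True is the sane configuration; False models the leaky
    boxes the thread describes, which route WAN packets with LAN destinations.
    """
    def __init__(self, wan_ip, filter_martians=True):
        self.wan_ip = wan_ip
        self.filter_martians = filter_martians
        self.table = {}        # (ext_ip, ext_port, wan_port) -> (lan_ip, lan_port)
        self.next_port = 40000 # constructed starting port for translations

    def outbound(self, lan_ip, lan_port, ext_ip, ext_port):
        """A LAN host opens a connection: allocate a WAN port, record state."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(ext_ip, ext_port, wan_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet on the WAN interface: ('forward', lan_ip, lan_port) or ('drop', reason)."""
        if dst_ip != self.wan_ip:
            # Not addressed to us at all. A correct box drops a private
            # destination here; a leaky one routes it into the LAN.
            if self.filter_martians and is_private(dst_ip):
                return ("drop", "martian destination on WAN interface")
            return ("forward", dst_ip, dst_port)
        # Addressed to the WAN IP: only traffic matching an existing
        # outbound connection gets translated back in (default deny).
        state = self.table.get((src_ip, src_port, dst_port))
        if state is None:
            return ("drop", "no matching connection (default deny)")
        return ("forward",) + state
```

Compare `NatBox(wan).inbound(...)` with `NatBox(wan, filter_martians=False).inbound(...)` for a packet addressed to 192.168.1.10 to see the difference the first reply is warning about.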
    • WEP isn't that great at all. Use WPA. Also, my two cents... the Linksys WRV54G wins those hands down. Intel Xscale proc, embedded Linux, VPN endpoint. Backed by Cisco. (And supports WPA) Nobody ever got fired......
      • by DA-MAN (17442) on Tuesday December 30, 2003 @02:11AM (#7833269) Homepage
        WPA isn't all that great either. But you are right, WPA is better than WEP.

        Wireless is never going to be all that secure, so long as it is transmitted in the airwaves, someone will be able to pick it up. The best line of defense is knowing this and changing your habits accordingly. I always use encryption at the protocol level, when there is important data whizzing by.

        imaps, instead of imap
        pop3s, instead of pop3
        ssh, instead of telnet or ftp
        https, instead of http

        The list goes on and on. By using these protocols you are also not nearly as susceptible to man in the middle attacks.

        SIDE NOTE: The latest WPA patch from Microsoft (KB826942) broke my wireless capability severely. I could no longer connect to any wireless access point that had encryption disabled, like coffee shops or T-mobile. If anyone else is having problems connecting to unsecured access points, try uninstalling this. Just passing on the knowledge...
        • SIDE NOTE: The latest WPA patch from Microsoft (KB826942) broke my wireless capability severely. I could no longer connect to any wireless access point that had encryption disabled, like coffee shops or T-mobile. If anyone else is having problems connecting to unsecured access points, try uninstalling this. Just passing on the knowledge...

          Thanks for the tip. I think that could explain the problems I have been having.
    • Because most are black boxes, you have to take whichever manufacturer's word for it that they have a solid tcp/ip stack that won't be susceptible to this sort of attack.

      The Linksys WRT54G actually runs Linux [linksys.com]

      A few people have been able to compile custom versions [sveasoft.com] of the firmware that include some extra (and very cool) functionality. If the tcp/ip stack is part of Linksys' GPL'd packages (I'm not sure if it is), it can be examined.
      • I would still consider that a black box because the sources that they have released are not sufficient to build a working kernel.

        In addition, we do not know the quality of the 802.11g driver it comes with because the source has not been released. There are many layers to the security onion, and simply knowing it runs Linux doesn't tell us much.

        Was it hardened? What iptables rules does it have? Where is the driver for the wireless card? Has the tcp/ip stack been modified? Why was the dev series kernel used
        • So go to this page from Seattle Wireless [seattlewireless.net] and start modifying your WRT54G to your heart's content.

          There are posted methods for either permanently replacing the firmware (but possibly frying it if you do it wrong) or simply overwriting it in RAM and if you reboot simply reloading it without risk of messing up the factory defaults.

          You don't even need the sources from Linksys, you can cross-compile.

          Linksys may not have -intended- this, for instance you do need an older firmware than is probably shipping on n
          • Just because you can change the firmware out and replace it with a custom built image does not make it any less of a black box.

            In addition making your own kernel/etc. has the distinct disadvantage of losing access to the 802.11g wireless card because there are currently no available linux drivers. So no matter what, even building your own kernel, etc would still leave you with a bit of black box'ed-ness which is what I was trying to say.

            Besides this guy doesn't seem to know the differences between all the
  • Bilkin' (Score:5, Funny)

    by orthogonal (588627) on Tuesday December 30, 2003 @01:14AM (#7833000) Journal
    Get a Belkin.

    It'll securely interrupt your parents' networking once every eight hours to show them an ad, ironically for "parental controls".

    Three times a day, your parents will know someone cares about them. What more could they ask for from their son?
    • Don't forget. Belkin now comes with ads for no additional charge. I know they have "corrected" their mistake, but I still feel the need to not buy from them to make others learn that we are not just a profit margin.

      KevG
  • D-Link (Score:3, Interesting)

    by Tumbleweed (3706) on Tuesday December 30, 2003 @01:38AM (#7833069)
    D-Link is what I'd recommend. They, like other Aetheros (sp?)-based equipment, have 'turbo-g' mode at double the normal rate of 54mbps. Just as long as you aren't within interference range of another turbo-g network, of course. :)
    • One D-Link product to watch out for is the DI-624. I have one, and while it makes a reasonably good WAP (range isn't so great, but that's probably due to my house being full of copper heating pipes and wire mesh holding concrete for ceilings and walls), the router bit is just HORRIBLE. I had to demote it from router to WAP because it would crash and reboot every 20 or so minutes from the amount of traffic I was pushing through it. I wasn't even saturating my (1024/256 kbps) cable line, but I did have hundre
    • It is mainly a marketing snare for the unwary. Not a lie, exactly, but being a nonstandard rate, your next piece of gear probably won't support it. Also, most g units will have to shift down from rate 54 just to reach into the next room, making a faster mode quite moot.
  • linksys... (Score:3, Informative)

    by josepha48 (13953) on Tuesday December 30, 2003 @02:19AM (#7833291) Journal
    I think that the linksys has ipsec, which is about as secure as you are gonna get when doing wireless.

    The real important thing is to change the ssid and add a password. That will force someone to be scanning for the wireless and also require them to spend 20 minutes cracking the wpa / wep encryption. But if you get the BEFW11P1 it has ipsec too. Not sure which ones of their products also have this. If you need wireless then try the WRV54G. Look for VPN capability as most vpn systems out are using ipsec.

    • The real important thing is to change the ssid and add a password.

      That is, until your AP or your cards start dropping connection. Call or email tech support & they'll tell you to set everything back to default for a few days to see if the problem goes away. If it does, well that's "..your solution.."

      The only secure LinkSys WAP is one that's unplugged.
  • All of the combined routers/ap's provide the basic firewalling between the internet and the home network. You still need a software firewall on each pc.

    The worst threat in this setup are other people using your ap to get to the internet, using your bandwidth and making you liable for their abuse. None of the small devices can stop that without some sort of authentication server beside it.

    Either accept that risk or put a wireless nic in a dedicated pc and use that as firewall and ap with ipsec to the clien
  • I might have missed it, but it seems nobody has mentioned restricting access to the wireless network by MAC address. Every access point I've used from D-link and Netgear have had this ability. Though it's a pain to add new machines to the network and kills one of the benefits of wireless, it's certainly going to keep people from abusing your network.... spying is a different story altogether. But like everyone else has said, this is not enough. Software firewalling is your best bet.
    • Shit, I forgot to mention... I don't know the exact model #s of the ones I've used but the D-link one is an access point/dsl router/print server with modem backup... and the Netgear one is an access point/dsl router/vpn router ... but none of them were 802.11g - only 802.11b. I'd assume a newer .11g model would only have more features.
  • I've got two airports. One original and one of the g/b ones.

    I also ran a mac as a server (not mail) on the net for 4 years without a hack. OS 9 even.

    The airports have decent range and I have tested the g transmission speed as fast as 10 base T or better - up to 3394 Kbps for g/g peer to peer. No foolin. Divide by 10 for b/g or b/b speeds. No foolin. This is way faster than I can connect to the internet but get your connection speed and do the math.

    NAT and DHCP work as billed.

    Never been hacked so I
    • Well, there aren't many hacks available for services running on MacOS 9, I don't think even a "Ping Of Death" DoS attack. There's a theoretical possibility of sniffing passwords from AppleTalk over IP, FTP, HTTP, or POP (but you're not running a mail server), so that someone could get some files or relay a little spam.

      However, this is small potatoes, easily fixed. About the worst anyone can do is fill your file system and/or hang the machine. Since there's no root to root, it would take a very sophisticated

  • One feature I miss in my Linksys 802.11b device is the ability to reserve dynamically allocated IPs for certain computers. This means that I can't easily use DHCP and static name resolution because there is no guarantee that the computer will have the same IP address. (i.e. I'd have to run a DNS server.)
  • Most people have mentioned the need for WEP, WAP, MAC filters, etc., but some of the access points/routers have the capability of doing 802.1x authentication [wi-fiplanet.com].

    Has anyone set up their wireless access point this way, and if so, is it straight-forward? I assume one can do it with OpenRadius? [xs4all.nl]

    • I didn't see anything on the OpenRadius site that indicates that package will do EAP authentication over RADIUS, which is a requirement for doing 802.1x. Freeradius [freeradius.org] has some support for EAP authentication in CVS, but I've not gotten it to work properly yet. Hopefully it will settle down soon; I would very much like to start using it on my home network.

      If you have some money to throw at the wireless security problem, I would suggest looking into the Odyssey server from Funk software. It's much easier to set up

  • by singularity (2031) *
    I am in an environment that could be considered "wireless hostile". I live with high school students gifted in math and science (and therefore usually computers, as well). They have ethernet in their rooms, but this gets shut off between 1am and 6am.

    I bought a PowerBook not too long ago and would like to set up wireless access for my apartment. Knowing that I have to keep others from accessing the WAP, I have been researching possibilities.

    So my big dilemma is not making sure crackers do not access the tr
