SOCNET: The Special Operations Community Network > Areas of Expertise > Technology and Communications

#1 - 11 April 2018, 11:03
MixedLoad (Been There Done That; Join Date: Aug 2003; Location: NORCAL; Posts: 8,658)

Routers - A conversation

I know that this may seem like a basic question but work with me on this one for the sake of everyone reading this thread.

Routers are an entry level point for our internet connections. We cannot access the net without them and yet most people do not have a clue how to really configure them and let their friendly ISP tech set them up for them.

This would be an interesting topic to cover a few different points.

1. How to properly configure a router so it is as secure as possible, without making it a PITA for a friend coming to the house to login to the network. (i.e. establishing guest networks etc)

2. What are the advantages of buying a different router than the one that was given to you by the ISP? For example, Comcast and ATT often hand you a router. Everyone "in the know" bitches about them, but why? Is it worth it for a normal user to purchase something like a Motorola Surfboard? If yes, why? What does it do differently?

3. Is it worth it to run multiple routers in a house? Should some connections be hard wired rather than wireless?

Looking forward to the responses here.
__________________
“Suaviter in modo, fortiter in re"

"Operator much like rock and roll, is dead." - ClearedHot

#2 - 11 April 2018, 11:31
Stretch (The atomic zit; Join Date: Dec 2008; Location: Capital of the Old North State; Posts: 3,597)

The only time I hard wire is when I have to access the company hard drive. It is notoriously slow, and if there’s more than one person on the wireless it bogs down everybody.

#3 - 11 April 2018, 12:01
Polypro (BTDT; Join Date: Oct 1999; Location: A Noisy Bar In Avalon; Posts: 13,142)

I would *NEVER* take an ISP supplied router for privacy reasons AND because they rape you for $X.xx a month for a device that costs, at most, $100.

Buy your Cable Modem for $150 ONCE, and buy your Router for $100 ONCE.

I can't speak to factory firmware, as I don't run it, but either look for one that comes with OpenWRT installed already, or have a friend/family flash it once for them.

I use Asus Routers and flash MerlinWRT firmware myself.

IMO, your average mother/father user would have a melt down in the router settings page - you need to learn some stuff. The good thing is that it usually just needs to be set up ONCE.

#4 - 11 April 2018, 12:33
BOFH (I aim to misbehave; Join Date: Jul 2004; Location: \\Gibson\garbage; Posts: 4,266)

I run a Buffalo OpenSource router, factory installed with DD-WRT. For guest access, I have an old Linksys that I plug in to one of the LAN ports, only when I have a guest at the house...so, generally speaking, there is no guest access unless there is a guest.

For obvious reasons, my own setup is a bit more complex than most, but I have a network tap between the router and modem, feeding into a SecurityOnion machine with Bro and CriticalStack, that fires off alerts in my OSSIM instance. I also have the WRT router configured to send rflow off to a logging server, so I can pin activity back to a specific internal machine if I see an alert.
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue

#5 - 11 April 2018, 12:41
MixedLoad (Been There Done That; Join Date: Aug 2003; Location: NORCAL; Posts: 8,658)

Great responses so far. While I'm fairly technically capable, let's please keep this conversation at a level where you could teach someone who does not know much about this.

Spell out the acronyms etc.

Thank you for the great comments so far. This is going to be a good resource for folks who are interested or completely unaware of their existing vulnerabilities.
__________________
“Suaviter in modo, fortiter in re"

"Operator much like rock and roll, is dead." - ClearedHot

#6 - 11 April 2018, 12:45
CV (Authorized Personnel; Join Date: Apr 2003; Location: US; Posts: 7,760)

Edit: I'm not being cheeky with the following. I don't know your overall technical knowledge, so I break it down a bit:

DD-WRT is a type of open-source (open to the world, free) program that sits on the router. It is like software but at a much lower level, called firmware. The firmware interacts with the hardware components of the physical device to make it work.

When you use the router from your ISP, you're using their custom, closed-source (no one can audit it) firmware. In that firmware could reside things that compromise your privacy. That's why folks like us recommend either DD-WRT or OpenWRT (different projects, but the same concept).

You can buy a commercial router from ebay or Amazon, and then install (flash) that firmware to the device. That overwrites what was there and replaces it with firmware that you have more control over, and is usually vetted and audited. Win win.

The process for flashing your router can be difficult if you're not familiar, but there are many sites out there that can help you through the process. Alternatively, you can purchase a router with the firmware already flashed.

Let me know if this helps any.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo

#7 - 11 April 2018, 12:49
Sharky (Administrator; Join Date: Dec 1999; Location: SOCNET; Posts: 19,747)

Quote:
Originally Posted by BOFH
I have a network tap between the router and modem, feeding into a SecurityOnion machine with Bro and CriticalStack, that fires off alerts in my OSSIM instance. I also have the WRT router configured to send rflow off to a logging server, so I can pin activity back to a specific internal machine if I see an alert.
Oh yeah? Well, we want to keep this thread plain so that the geeks can understand us, back at you.
__________________
I was born my papa's son
When I hit the ground I was on the run
I had one glad hand and the other behind
You can have yours, just give me mine
When the hound dog barkin' in the black of the night
Stick my hand in my pocket, everything's all right

-ZZ Top

#8 - 11 April 2018, 13:24
MixedLoad (Been There Done That; Join Date: Aug 2003; Location: NORCAL; Posts: 8,658)

Quote:
Originally Posted by CV
Edit: I'm not being cheeky with the following. I don't know your overall technical knowledge, so I break it down a bit:
I posted this thread for others to read so that SOCNET's brain trust can serve our membership. FTR, I'm not at your level, but you can consider me competent.

Thank you for your posts. Keep them up.
__________________
“Suaviter in modo, fortiter in re"

"Operator much like rock and roll, is dead." - ClearedHot

#9 - 11 April 2018, 13:50
BOFH (I aim to misbehave; Join Date: Jul 2004; Location: \\Gibson\garbage; Posts: 4,266)

To follow up:

OSSIM is the Open-source security information manager from AlienVault. Essentially, it's a place where you can track, organize, work, and close security alerts.

Security Onion is an operating system with several built in tools for generating security alerts based on bad or unknown activity.

Rflow is a Cisco implementation of netflow, which is basically metadata about network connections. It will say "this internal IP connected to that external domain and transferred X number of bytes," and is useful in determining which specific machine on my network triggered a security alert.



Also, yes...I'm paranoid.
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
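BOFH's one-line description of flow data ("this internal IP connected to that external address and transferred X bytes") is concrete enough to show in code. What follows is an added example, not BOFH's setup and not DD-WRT's or Cisco's code: it packs a constructed NetFlow v5 export datagram (the fixed 24-byte header plus 48-byte records that v5 uses on the wire), parses it back with a check against the truncation trap a naive collector falls into, and then answers the question BOFH keeps flows for: given an alert about one external address, which machine on the LAN talked to it and how much did it move. The addresses, byte counts and the "alert" are all made up, and the LAN range 192.168.1.0/24 is an assumption.

```python
import ipaddress
import socket
import struct

# NetFlow v5 wire format: a 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")                # version, count, uptime, secs, nsecs, seq, engine, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifaces, pkts, octets, first, last, ports...
LAN = ipaddress.ip_network("192.168.1.0/24")           # assumption: the home LAN behind the router

# Constructed flows: (src, dst, sport, dport, proto, packets, octets). None of these are real.
SAMPLE_FLOWS = [
    ("192.168.1.20", "203.0.113.7", 51234, 443, 6, 120, 98000),  # laptop: large transfer
    ("192.168.1.31", "203.0.113.7", 40001, 443, 6, 3, 180),      # smart TV: a handful of packets
    ("203.0.113.7", "192.168.1.31", 443, 40001, 6, 2, 120),      # reply direction of the TV flow
    ("192.168.1.20", "198.51.100.9", 51300, 53, 17, 1, 64),      # unrelated DNS query
]


def build_v5_packet(unix_secs, flows, sequence=0):
    """Pack flows into one NetFlow v5 datagram (used here only to make test data)."""
    header = V5_HEADER.pack(5, len(flows), 0, unix_secs, 0, sequence, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       0, 0, pkts, octets, 0, 0, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 0, 0)
        for src, dst, sport, dport, proto, pkts, octets in flows)
    return header + records


def parse_v5(datagram):
    """Unpack a NetFlow v5 datagram into flow dicts; reject other versions and truncated data."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, _uptime, unix_secs = V5_HEADER.unpack_from(datagram, 0)[:4]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:  # a collector that trusts `count` blindly reads past the buffer
        raise ValueError(f"truncated: header promises {count} records, only {len(datagram)} bytes present")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"ts": unix_secs,
                      "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "packets": r[5], "octets": r[6],
                      "sport": r[9], "dport": r[10], "proto": r[13]})
    return flows


def who_talked_to(flows, external_ip):
    """Internal hosts that exchanged traffic with external_ip, with byte totals, largest first."""
    totals = {}
    for f in flows:
        # Count both directions: the LAN host may be source or destination of a record.
        for inside, outside in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if outside == external_ip and ipaddress.ip_address(inside) in LAN:
                totals[inside] = totals.get(inside, 0) + f["octets"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Pretend the IDS raised an alert on 203.0.113.7: which box on the LAN talked to it?
    exported = build_v5_packet(1523455200, SAMPLE_FLOWS)
    for host, octets in who_talked_to(parse_v5(exported), "203.0.113.7"):
        print(f"{host} exchanged {octets} bytes with 203.0.113.7")
```

Run against the constructed flows, the laptop at 192.168.1.20 comes out on top with 98,000 bytes and the TV at 192.168.1.31 with 300, which is the attribution BOFH describes. A real collector would receive these datagrams over UDP from the router's RFlow export and keep them on disk; the parsing and the lookup are the same.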

#10 - 11 April 2018, 14:19
Paul85 (I still think I'm fooling everyone; Join Date: Aug 2013; Location: Poland; Posts: 1,379)

It's been years since I played with DD-WRT on the venerable Linksys WRT54 and its derivatives. In proper hands it's a great firmware.

As to the topic at hand, you can always use a pretty good database to assess general known vulnerabilities of the router you'd like to buy/use. However, there are 0-day exploits and tricks with a window of opportunity between white hats tipping off the producer (if they even catch the vulnerability) and said producer releasing fixed firmware (if ever), and black ones are not keen on giving up knowledge about the vulnerabilities they catch. Here's where intrusion detection comes into play. That requires knowledge.

I'd say that learning the basics of network protocols and routing will be the most valuable thing for anyone trying to harden their edge router. I'm a firm believer that a tool is as good as your knowledge about it. You have to know and fully understand what happens with packets and what the typical avenues or methods of attack are. In most cases, a consumer-level router with tight control over ports/protocols plus decent SPI should be g2g. What many people forget IMO is that you've got to monitor your internal network from the endpoint POV as well, since the payload might not necessarily be injected by circumventing router defenses; it might be dropped from an email attachment, USB stick, etc. and start communicating from the inside. So taking a good hard look at what your computer sends and receives, and when, is also a valuable tool.

Last edited by Paul85; 11 April 2018 at 14:27.

#11 - 11 April 2018, 15:36
cedsall (giving you a number; Join Date: Aug 2010; Location: Washington, DC; Posts: 444)

It takes some time to get yourself familiar with how an ip network works. Without that understanding, you're probably better off using the "high, medium, low" security settings on your router and crossing your fingers/hoping nothing untoward happens.

Network taps, intrusion monitoring, proxy and VPN offsets are a bridge too far for most folks. If you've got time for them, go for it. To the router topic, there are 65,535 ports in both the TCP and UDP ranges (16-bit fields in both headers). Out of those 131K available ports, most home users use fewer than 10.

But here's the trick - the primary infection vector into your network isn't your router, it's your PC. Those 10 ports, primarily 443/TLS, are highly exploited.

These days it's more about what you do online (think Facebook/Cambridge Analytica). That's the larger threat. We compromise ourselves because of what we do, not how we get there.

#12 - 11 April 2018, 15:48
Paul85 (I still think I'm fooling everyone; Join Date: Aug 2013; Location: Poland; Posts: 1,379)

Quote:
What are the advantages of buying a different router than the one that was given to you by the ISP?
First, most ISPs don't give that much of a choice to their client when it comes to router models (if any at all).
Second, they usually block some config options so the router plays their ball and they execute C&C over it even though you can still login and set password/basic settings. It's their router, after all.

Quote:
Is it worth it to run multiple routers in a house?
If you don't want issues with NAT and all the PITA with dropped/delayed packets, and want to do everything as the Machine God ordered, you should have one edge router plus the rest as access points. Many routers have a soft switch that allows them to serve as router or access point. You can also buy dedicated access points.
Also remember about setting up proper level of wireless security. Wardriving still happens.

If you want to use your own router behind the one supplied by ISP, the ISP router should have public IP (work in modem mode). If you have a dedicated modem only, things get simpler as it's already got the public address.
Quote:
How to properly configure a router so it is as secure as possible
Like I wrote before, proper configuration requires knowledge (and in enterprise-class routers, sometimes targeted vendor-specific knowledge). Most modern devices are able to hold the line well with the options accessible from their factory OS. You can flash custom firmware on some of them (Tomato, DD-WRT, whatever) but this software is usually aimed at enthusiasts who know what they are doing.

#13 - 11 April 2018, 21:10
SVDuckman (Confirmed User; Join Date: Jul 2007; Location: US; Posts: 124)

1. How to properly configure a router so it is as secure as possible, without making it a PITA for a friend coming to the house to login to the network. (i.e. establishing guest networks etc)


-Read the instructions that come with your router/modem (or combo).
-Log in to the appliance and change the default admin password.
-Regularly check for updates to your router's firmware
-Enable WPA2+AES
-Disable WPS (Wi-Fi Protected Setup)
-Use strong passwords

2. What are the advantages of buying a different router than the one that was given to you by the ISP? For example, Comcast and ATT often hand you a router. Everyone "in the know" bitches about them, but why? Is it worth it for a normal user to purchase something like a Motorola Surfboard? If yes, why? What does it do differently?

I wouldn't use the router from your ISP simply because they're going to charge you for it or you will be paying a monthly fee. I use a Modem/Router combo but that's because I'm cheap.

My house is small (1200 sq ft) and I get coverage in all rooms with no dead spots. Another argument could be that you want a higher-end option than what your ISP offers.

3. Is it worth it to run multiple routers in a house? Should some connections be hard wired rather than wireless?

If your house is big enough you might have to run multiple routers or at least an extender or even a mesh wifi setup.

My argument is that some connections are better/more stable if you run hardwired instead of wireless. Basically it just depends on your application. For example, most gamers I know run a wired connection instead of wireless to their gaming rigs (when possible). My son's Xbox One is plugged in to the router just because it is so close to it.

#14 - 11 April 2018, 21:53
Akheloce (Six Minutes!; Join Date: Sep 2012; Location: Alaska; Posts: 481)

FWIW, not all ISP's charge a fee for the router and/or modem. My ISP (the one I work for) requires the use of our VDSL modem/router/WAP to be the first device facing our network for management and troubleshooting purposes. We don't charge anything for it. However, it's no big deal, and somewhat common for the customer to put their own router behind it. It's somewhat common for us to disable wifi and set up NAT remotely for the customer to do whatever they want on the inside. While I'm not on the residential side of the house, my understanding is that our guys push firmware updates regularly for security issues.
__________________
RIP Sitka 43 and ICY 33

Seven … six … eleven … five … nine-an’-twenty mile today
Four … eleven … seventeen … thirty-two the day before —

"Just remember son, 80% of the people in this world are fucking idiots"- My Dad

#15 - 12 April 2018, 06:23
Purple36 (Swimming Upstream; Join Date: Nov 2002; Location: East Coast; Posts: 9,521)

Quote:
Originally Posted by Sharky
Oh yeah? Well, we want to keep this thread plain so that the geeks can understand us, back at you.

Thank you for that translation! I was wondering what language he was speaking. :-)
__________________
- Faith involves believing in the veracity of the unprovable and unobservable, whether that consists of religion or theoretical physics, which at the very subatomic level start looking rather similar. -ET1/SS Nuke

#16 - 12 April 2018, 06:27
Purple36 (Swimming Upstream; Join Date: Nov 2002; Location: East Coast; Posts: 9,521)

Quote:
Originally Posted by CV
Edit: I'm not being cheeky with the following. I don't know your overall technical knowledge, so I break it down a bit:

DD-WRT is a type of open-source (open to the world, free) program that sits on the router. It is like software but at a much lower level, called firmware. The firmware interacts with the hardware components of the physical device to make it work.

When you use the router from your ISP, you're using their custom, closed-source (no one can audit it) firmware. In that firmware could reside things that compromise your privacy. That's why folks like us recommend either DD-WRT or OpenWRT (different projects, but the same concept).

You can buy a commercial router from ebay or Amazon, and then install (flash) that firmware to the device. That overwrites what was there and replaces it with firmware that you have more control over, and is usually vetted and audited. Win win.

The process for flashing your router can be difficult if you're not familiar, but there are many sites out there that can help you through the process. Alternatively, you can purchase a router with the firmware already flashed.

Let me know if this helps any.
CV,

This is precisely the level I need to hear, the rest is like speaking at a 2/2 level of Chinese when I haven't even started on the language yet! You just keep breaking down what the rest of these nerds are posting for us tech handicapped folks.

__________________
- Faith involves believing in the veracity of the unprovable and unobservable, whether that consists of religion or theoretical physics, which at the very subatomic level start looking rather similar. -ET1/SS Nuke

#17 - 12 April 2018, 06:46
CV (Authorized Personnel; Join Date: Apr 2003; Location: US; Posts: 7,760)

Quote:
Originally Posted by Purple36
CV,

This is precisely the level I need to hear, the rest is like speaking at a 2/2 level of Chinese when I haven't even started on the language yet! You just keep breaking down what the rest of these nerds are posting for us tech handicapped folks.



These three tasks will put you ahead of 99% of the world:
  1. Keep your computer up to date (patches)
  2. Be mindful of websites that don't use HTTPS (oops, SOCNET )
  3. Scrutinize any message or email you receive (Social Engineering)
__________________
It's a hipster filter. Keeps your kind out. -Jimbo

#18 - 12 April 2018, 08:33
Polypro (BTDT; Join Date: Oct 1999; Location: A Noisy Bar In Avalon; Posts: 13,142)

Quote:
Originally Posted by Akheloce
It's somewhat common for us to disable wifi and set up NAT remotely for the customer to do whatever they want on the inside. While I'm not on the residential side of the house, my understanding is that our guys push firmware updates regularly for security issues.
And I understand this for Josephine Q Public, I really do - but this is exactly the problem for some of us: You are inside the private network with the ability to manage the router. And just like a good firewall should "Default-Deny", private businesses should, unfortunately, be "Default-Do Not Trust".

I can't remember the exact details, but IIRC, at one point, Comcast was allowing guest access on every modem/router combo they installed - so that there would be "WiFi Everywhere!" PHUCK THAT!

Edit: Here's one: http://money.cnn.com/2014/06/16/tech...pot/index.html

But yeah, those basics posted above ^ are it: Update to latest factory firmware release and stay on top of it, Change User/Pass on router from default (admin/admin usually) to a good one with a good pass, Disable any remote management, Use WPA2 AES with a good pass, and disable WPS "One Touch Connection" BS. That's your mom and pop info right there.

I'd use a hardwired connection (including keyboard) for anything I absolutely couldn't have compromised - like anything to do with money.

Your convenience/security posture is dictated by your geography: Live in a 4,000 sq/ft house in the middle of 10 acres? You can WiFi your ass off. Live in an apartment next to the DefCon conference hall? I'd wire everything. Most will be somewhere in between.

Guest access is pretty easy these days - most newer routers have separate segments for Guest Access only. They can't "see" anything. You can put an easy but strong password on it and be done. "Hey, just connect to 'FBI Surveillance Drone' (fun with SSIDs) and the pass is 'when in the course of human events'..."
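SVDuckman's checklist in #13 and Polypro's restatement of it just above (latest firmware, non-default admin password, no remote management, WPA2 with AES and a good passphrase, WPS off, an isolated guest segment) is a short list of settings you can verify rather than remember. The script below is an added example, not code from either poster or from the OpenWrt project: it parses an OpenWrt-style /etc/config/wireless file (the UCI format that OpenWrt, mentioned by Polypro and CV, uses for its configuration) and flags WPA1 or open encryption, a short passphrase, WPS push-button enabled, and a guest SSID whose clients are not isolated from each other. The option names (encryption, key, wps_pushbutton, isolate, network) are real OpenWrt wireless options; the two embedded configs are constructed, and the 12-character minimum and the convention that a guest SSID is attached to a network named 'guest' are assumptions of this script, not OpenWrt defaults. Keeping guests off the LAN itself is done by that separate network plus a firewall zone, which lives in /etc/config/firewall and is outside what this script reads.

```python
import shlex

# OpenWrt encryption values this audit accepts as "WPA2-AES or better".
STRONG_ENCRYPTION = {"psk2", "psk2+ccmp", "psk2+aes", "sae", "sae-mixed"}
MIN_KEY_LEN = 12            # assumption: WPA2-PSK only requires 8; we want longer
GUEST_NETWORKS = {"guest"}  # assumption: guest SSIDs are attached to a network named 'guest'

# Constructed example of a weak factory-style config (not from any real device).
WEAK_CONFIG = """
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '36'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'Home'
    option encryption 'psk'
    option key 'password'
    option wps_pushbutton '1'

config wifi-iface 'guest'
    option device 'radio0'
    option network 'guest'
    option mode 'ap'
    option ssid 'Home-Guest'
    option encryption 'none'
"""

# The same two SSIDs after applying the thread's checklist (also constructed).
HARDENED_CONFIG = """
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '36'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'Home'
    option encryption 'psk2+ccmp'
    option key 'correct horse battery staple 2018'
    option wps_pushbutton '0'

config wifi-iface 'guest'
    option device 'radio0'
    option network 'guest'
    option mode 'ap'
    option ssid 'FBI Surveillance Drone'
    option encryption 'psk2+ccmp'
    option key 'when in the course of human events'
    option isolate '1'
"""


def parse_uci(text):
    """Parse UCI text ('config', 'option', 'list' lines) into a list of section dicts."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted values UCI writes
        keyword, rest = parts[0], parts[1:]
        if keyword == "config":
            sections.append({"type": rest[0], "name": rest[1] if len(rest) > 1 else None,
                             "options": {}, "lists": {}})
        elif keyword == "option" and sections:
            sections[-1]["options"][rest[0]] = rest[1] if len(rest) > 1 else ""
        elif keyword == "list" and sections:
            sections[-1]["lists"].setdefault(rest[0], []).append(rest[1] if len(rest) > 1 else "")
    return sections


def audit_wireless(text):
    """Return (ssid, problem) pairs for every wifi-iface that misses the checklist."""
    findings = []
    for sec in parse_uci(text):
        if sec["type"] != "wifi-iface":
            continue
        opt = sec["options"]
        ssid = opt.get("ssid", sec["name"] or "?")
        enc = opt.get("encryption", "none")  # OpenWrt treats a missing value as open
        if enc not in STRONG_ENCRYPTION:
            findings.append((ssid, f"encryption '{enc}' is not WPA2-AES/WPA3; use psk2+ccmp or sae"))
        if enc != "none" and len(opt.get("key", "")) < MIN_KEY_LEN:
            findings.append((ssid, f"passphrase shorter than {MIN_KEY_LEN} characters"))
        if opt.get("wps_pushbutton") == "1":
            findings.append((ssid, "WPS push-button is enabled; set wps_pushbutton '0' or remove it"))
        if opt.get("network") in GUEST_NETWORKS and opt.get("isolate") != "1":
            findings.append((ssid, "guest SSID lacks isolate '1'; guest clients can reach each other"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_wireless(cfg))} finding(s)")
        for ssid, problem in audit_wireless(cfg):
            print(f"  [{ssid}] {problem}")
```

On a real OpenWrt box you would run this against the output of `cat /etc/config/wireless`; the weak config produces five findings and the hardened one none. Firmware currency and remote-management exposure are not in this file, so those two items on the checklist still have to be checked by hand.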

#19 - 12 April 2018, 09:36
8654maine (Another pool cleaner; Join Date: Dec 2012; Location: Maine; Posts: 4,727)

This thread is another reminder of the talent here.

#20 - 12 April 2018, 11:40
Paul85 (I still think I'm fooling everyone; Join Date: Aug 2013; Location: Poland; Posts: 1,379)

Quote:
some connections are better/more stable if you run hardwired instead of wireless
Since WIFI is a radio connection (fun fact for the uninitiated, WI-FI is just a pun on HI-FI), limitations and dangers of using radio connections for communication apply. It would be prudent to check whether the area one deploys his WIFI is crowded and on what channels and adjust accordingly. I am of the older school and use good, Cat 6E/Ea wiring in most cases if I can avoid wireless. Of course I have WIFI in my house too, one single router that has a transmit radius calculated so it covers the house but does not extend much beyond its walls.

As to the guest network: I haven't used this in a long time, maybe because people who visit me have smartphones/tablets/laptops with 4G sufficient enough for them not to give a damn about any guest networks.

For the client companies who want advice and deployment of WIFI for guests, however, I follow a simple rule. The entire route (physical and logical) is totally separated from the main network. No sharing mumbo jumbo, no VLANs, nothing. Separate modem, separate internet access, separate router placed in a way that no one unauthorized can access it without raising quite a lot of fuss in the room it's in. Single cable route without cascades on its way. Hack away if you want.

As to the HTTPS, all it means is that the communication between you and the site is secure (or fakes that security; yes, it's no big deal to make fake SSL certs and set up fake frontends to honeypot "suckers", perhaps with the exception of Extended Validation certs). That's all there is to it. The site can be as malicious as you like, with an SSL cert or without it. If anything, think before you click (I know I repeat myself) and never visit links without checking them out first. The guys who set up this crap count on you clicking and then wondering, instead of doing it the other way.


I apologize if I over-nerd any of my posts, I try to keep the nerd level at minimum.
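Paul85's point above (the padlock means the connection is encrypted, not that the site is who it claims to be) and his advice to check a link before clicking it can be made mechanical, and CV's "scrutinize any message" item in #17 is the same check from the other side. The following is an added example, not code from any poster in this thread: it uses Python's standard URL parser to pull out the host a link really lands on, exactly as a browser would, and flags the usual tricks, a trusted name placed before an '@' (which makes it a username, not the site), punycode or non-ASCII look-alike hosts, a bare IP address, a trusted name buried inside someone else's domain, and plain HTTP. The sample URLs are constructed and EXPECTED_DOMAINS is an assumption standing in for whatever sites you actually use.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the sites you actually intend to visit. A host that merely *contains*
# one of these names, but is not that domain or a subdomain of it, is a look-alike.
EXPECTED_DOMAINS = ("paypal.com", "socnet.com")

# Constructed sample links of the kind that arrive in phishing mail.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",                    # genuine
    "https://paypal.com@evil.example/login",            # userinfo trick
    "http://www.paypal.com.login-verify.example/",      # brand name inside another domain, no TLS
    "https://xn--pypal-4ve.com/",                       # punycode look-alike
    "https://203.0.113.7/login",                        # bare IP
]


def inspect_link(url):
    """Return (real_host, warnings) for a URL, using the parsing rules a browser applies."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS: the connection can be read or altered in transit")
    if parts.username is not None:
        # Everything before '@' in the authority is credentials; the host comes after it.
        warnings.append(f"'{parts.username}@' is a username, not the site; the site is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (xn--) host: may be a look-alike spelled with foreign letters")
    elif not host.isascii():
        warnings.append("non-ASCII host: may be a look-alike spelled with foreign letters")
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    for domain in EXPECTED_DOMAINS:
        brand = domain.split(".")[0]
        is_real = host == domain or host.endswith("." + domain)
        if not is_real and brand in host:
            warnings.append(f"contains '{brand}' but is actually {host}, not {domain}")
    return host, warnings


def safe_links(urls):
    """Filter a list of URLs down to those that raise no warning."""
    return [u for u in urls if not inspect_link(u)[1]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        host, warnings = inspect_link(link)
        print(f"{link}\n  -> host {host}: {'; '.join(warnings) or 'no warnings'}")
```

Of the five constructed links only the first survives; the second is the one that catches most people, because the text before the '@' is what the eye reads while the browser connects to evil.example. None of these checks says a site is safe, only that the link is not lying about where it goes, which is the part a certificate does not tell you.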
All times are GMT -4. © SOCNET 1996-2018.