From: Mike Easter on 17 Apr 2010 09:23

AndyHancock wrote:

> see "Home Networks" page at
> http://speedtouch.lan/cgi/b/lan/?ce=1&be=0&l0=3&l1=-1

The speedtouch has internal webpages accessed at the speedtouch.lan address such as what you pasted above or http://192.168.1.254

Those pages aren't useful to post here for us because they are in your router which we can't access.

// To access the SpeedTouch via the Web interface - In the address bar, type your SpeedTouch's IP address or DNS host name (http://speedtouch.lan or 192.168.1.254 by default) //

> I thought I could set "Allow New
> Devices" to "New stations are not allowed" without preventing
> established devices from connecting

According to the manual (at Thomson's site), you should be able to register your LAN devices to the ACL either by using the router's register/association button on the front or by using the speedtouch webpage interface.

That excluding setting is called "Not allowed: Only allowed stations in the ACL have access." but it requires that the/your desired stations be properly registered in the ACL accesscontrollist and it only works properly until there is a factory default reset.

However, if you reset the router to factory defaults, all of the settings are lost and it reverts to a very insecure and promiscuous mode. That reset can take place from its webpage interface or with the reset button on the back.

There are also other security measures you can take, such as not broadcasting the router's SSID.

--
Mike Easter

From: AndyHancock on 17 Apr 2010 11:10

On Apr 17, 8:01 am, Mike Easter <Mi...(a)ster.invalid> wrote:
> AndyHancock wrote:
>>> Mike Easter
>>>> You should either use the encryption strategy or you should use
>>>> the described 'registering wireless clients' section 2.2.4 in the
>>>> manual.
>> After scanning for devices, it takes me to the HomeNetwork page,
>> which I posted in my original post.
>
> That page is on your system, not mine or 'ours', this newsgroup
> readership.

Understood. I was thinking of the internal "URL" might be informative for people who own my model of ST, and saw the article.

I forgot to mention that I use the most secure encryption option on this modem, which is WPA-PSK (from what I've read on the web). Upgrading the firmware might provide a more secure option, but it's not something I'm comfortable doing.

>> I note, however, that WiFi access does work when new stations are
>> allowed with registration (not my preferred option).
>
> That is the way 'everyone' else does it most often. That is, they
> setup for WPA encrypted access. What is it you don't like about
> that popular method?
>
> Do you have an 'adversary' in range who is cracking WPA?

I'm not sure, but a couple of weeks ago, my modem became inaccessible by WiFi. When I logged in by ethernet, it turns out that all the WiFi settings were changed, and all the control widgets to change settings weren't available to change them back. Encryption had also been turned off. After days of putzing around, I found and uploaded a previously saved configuration, which brought the proper settings and functionality back (and brought back the widgets that would have allowed me to make those settings on the web GUI). Of course, I changed the encryption key.

I'm not sure how long it takes to crack WPA-PSK if the interface is always enabled, but if it's just a matter of running a monitoring program, then I suppose it doesn't matter how long it takes.

From your other response posting:

> According to the manual (at Thomson's site), you should be able to
> register your LAN devices to the ACL either by using the router's
> register/association button on the front or by using the speedtouch
> webpage interface.
>
> That excluding setting is called "Not allowed: Only allowed stations
> in the ACL have access." but it requires that the/your desired
> stations be properly registered in the ACL accesscontrollist and it
> only works properly until there is a factory default reset.

That's exactly it...my devices are in the ACL. I assume the ACL is the page shown at "Home Network" or "Home Network -> Devices", since those are the pages described in the manual for registering clients. My devices are listed in both. In the latter, they are listed as allowed to connect.

> However, if you reset the router to factory defaults, all of the
> settings are lost and it reverts to a very insecure and promiscuous
> mode. That reset can take place from its webpage interface or with
> the reset button on the back.

Well, somehow it did get reset, but not to factory defaults (I think...certainly not to the state I got the modem in, and without the GUI settings widgets normally found on the modem web pages). Now that I have the modem working again, the proper devices are listed in both the pages above. Unless ACL means something different than the pages I described above, my laptop should be able to connect.

> There are also other security measures you can take, such as not
> broadcasting the router's SSID.

I researched the web about that, but the impression I get is that it doesn't help much. Perhaps the same could be said about not allowing automatic connection -- I'm not sure.

From: Mike Easter on 17 Apr 2010 12:27

AndyHancock wrote:
> Mike Easter

> I forgot to mention that I use the most secure encryption option on
> this modem, which is WPA-PSK (from what I've read on the web).
> Upgrading the firmware might provide a more secure option, but it's
> not something I'm comfortable doing.

>> Do you have an 'adversary' in range who is cracking WPA?
>
> I'm not sure, but a couple of weeks ago, my modem became inaccessible
> by WiFi. When I logged in by ethernet, it turns out that all the WiFi
> settings were changed, and all the control widgets to change settings
> weren't available to change them back. Encryption had also been
> turned off. After days of putzing around, I found and uploaded a
> previously saved configuration, which brought the proper settings and
> functionality back (and brought back the widgets that would have
> allowed me to make those settings on the web GUI). Of course, I
> changed the encryption key.

I don't know about this 'previously saved configuration' if someone else has been resetting your router. I will say that it is 'common practice' for wardrivers who find an insecure router - say the default user/pass - to 'mess with it'.

To me, the best thing to do under those circumstances would be to reset to the factory defaults. This is an insecure condition which needs to be logged into and then immediately secure it with changing its name, changing the pass, turning off the SSID and so forth.

Of course it needs to be reconfigured for the wireless security and you can do that with the ACL business if you like.

> I'm not sure how long it takes to crack WPA-PSK if the interface is
> always enabled, but if it's just a matter of running a monitoring
> program, then I suppose it doesn't matter how long it takes.

You create one more layer of security if you will change the router's SSID and not broadcast it.

I suspect that you had not changed the router's pass and that it was broadcasting its SSID and someone found it wardriving and checked the default pass and it worked and they got in and messed with it.

>> That excluding setting is called "Not allowed: Only allowed stations
>> in the ACL have access." but it requires that the/your desired
>> stations be properly registered in the ACL accesscontrollist and it
>> only works properly until there is a factory default reset.
>
> That's exactly it...my devices are in the ACL. I assume the ACL is the
> page shown at "Home Network" or "Home Network -> Devices", since those
> are the pages described in the manual for registering clients. My
> devices are listed in both. In the latter, they are listed as
> allowed to connect.
>
>> However, if you reset the router to factory defaults, all of the
>> settings are lost and it reverts to a very insecure and promiscuous
>> mode. That reset can take place from its webpage interface or with
>> the reset button on the back.
>
> Well, somehow it did get reset, but not to factory defaults (I
> think...certainly not to the state I got the modem in, and without the
> GUI settings widgets normally found on the modem web pages). Now that
> I have the modem working again, the proper devices are listed in both
> the pages above. Unless ACL means something different than the pages
> I described above, my laptop should be able to connect.
>
>> There are also other security measures you can take, such as not
>> broadcasting the router's SSID.
>
> I researched the web about that, but the impression I get is that it
> doesn't help much. Perhaps the same could be said about not allowing
> automatic connection -- I'm not sure.

If your router isn't working right about the ACL and if someone else has also been messing with it, I would reset to the factory defaults and start all over again with your securing the router as I described above and use the WPA process to get your clients registered and then set your 'not allowed' condition.

I don't think your usage of some 'previous configuration' is the best approach.

--
Mike Easter

From: AndyHancock on 17 Apr 2010 14:35

On Apr 17, 12:27 pm, Mike Easter <Mi...(a)ster.invalid> wrote:
> AndyHancock wrote:
> > Mike Easter
> > I forgot to mention that I use the most secure encryption option on
> > this modem, which is WPA-PSK (from what I've read on the web).
> > Upgrading the firmware might provide a more secure option, but it's
> > not something I'm comfortable doing.
> >> Do you have an 'adversary' in range who is cracking WPA?
> >
> > I'm not sure, but a couple of weeks ago, my modem became inaccessible
> > by WiFi. When I logged in by ethernet, it turns out that all the WiFi
> > settings were changed, and all the control widgets to change settings
> > weren't available to change them back. Encryption had also been
> > turned off. After days of putzing around, I found and uploaded a
> > previously saved configuration, which brought the proper settings and
> > functionality back (and brought back the widgets that would have
> > allowed me to make those settings on the web GUI). Of course, I
> > changed the encryption key.
>
> I don't know about this 'previously saved configuration' if someone else
> has been resetting your router. I will say that it is 'common practice'
> for wardrivers who find an insecure router - say the default user/pass -
> to 'mess with it'.
>
> To me, the best thing to do under those circumstances would be to reset
> to the factory defaults. This is an insecure condition which needs to be
> logged into and then immediately secure it with changing its name,
> changing the pass, turning off the SSID and so forth.
>
> Of course it needs to be reconfigured for the wireless security and you
> can do that with the ACL business if you like.
>
> > I'm not sure how long it takes to crack WPA-PSK if the interface is
> > always enabled, but if it's just a matter of running a monitoring
> > program, then I suppose it doesn't matter how long it takes.
>
> You create one more layer of security if you will change the router's
> SSID and not broadcast it.
>
> I suspect that you had not changed the router's pass and that it was
> broadcasting its SSID and someone found it wardriving and checked the
> default pass and it worked and they got in and messed with it.
>
> >> That excluding setting is called "Not allowed: Only allowed stations
> >> in the ACL have access." but it requires that the/your desired
> >> stations be properly registered in the ACL accesscontrollist and it
> >> only works properly until there is a factory default reset.
>
> > That's exactly it...my devices are in the ACL. I assume the ACL is the
> > page shown at "Home Network" or "Home Network -> Devices", since those
> > are the pages described in the manual for registering clients. My
> > devices are listed in both. In the latter, they are listed as
> > allowed to connect.
>
> >> However, if you reset the router to factory defaults, all of the
> >> settings are lost and it reverts to a very insecure and promiscuous
> >> mode. That reset can take place from its webpage interface or with
> >> the reset button on the back.
>
> > Well, somehow it did get reset, but not to factory defaults (I
> > think...certainly not to the state I got the modem in, and without the
> > GUI settings widgets normally found on the modem web pages). Now that
> > I have the modem working again, the proper devices are listed in both
> > the pages above. Unless ACL means something different than the pages
> > I described above, my laptop should be able to connect.
>
> >> There are also other security measures you can take, such as not
> >> broadcasting the router's SSID.
>
> > I researched the web about that, but the impression I get is that it
> > doesn't help much. Perhaps the same could be said about not allowing
> > automatic connection -- I'm not sure.
>
> If your router isn't working right about the ACL and if someone else has
> also been messing with it, I would reset to the factory defaults and
> start all over again with your securing the router as I described above
> and use the WPA process to get your clients registered and then set your
> 'not allowed' condition.
>
> I don't think your usage of some 'previous configuration' is the best
> approach.

Mike, I followed most of your suggestions...I didn't quite muster the courage to reset to factory settings because there is such a plethora of settings beyond Home Network and WiFi. Furthermore, the previous configuration that I used as a baseline was from long, long ago. I haven't seen any devices aside from my own connected to my WiFi, which is no guarantee that the encryption wasn't compromised until at least recently (if at all), but gives me a bit of confidence. Further confidence is obtained from the fact that I have always been pretty high up on a highrise, making my WiFi inaccessible from street level. As well, there is sometimes unsecured WiFi nearby, making my network unattractive.

I changed the password, the SSID, and stopped broadcasting the SSID.

Funny run of good luck: After using the front panel button to register my PDA, I found that I could set the modem to not accept other devices, but both the laptop and the PDA could still access dis/re-connect to access point. I had avoided using the button to register devices because nowhere in the documentation I found on the web could I find a picture confirming what was the front of the modem, and the registration button on the front. I didn't want to be pressing a factory reset button in error. Well, I took a guess, and it turned out to be the right button.

One thing I find about not broadcasting SSID is that (surprise) it no longer shows up "View Available Wireless Networks" on Windows XP. This means I cannot initiate a connection at a time of my choosing. I have to set that network's properties so that I automatically connect to that network when the access point is in range, and then wait for connection to start. If I disconnect from the network (or access point), the checkbox for automatic connection becomes unchecked until I check it again. I suppose this is just a clunkier way of manually controlling the connection.

Thanks for your insightful advice, and if you have any further comments on the above, I appreciate your sharing them.

From: alexd on 17 Apr 2010 16:05

On 17/04/10 19:35, AndyHancock wrote:

> One thing I find about not broadcasting SSID is that (surprise) it no
> longer shows up "View Available Wireless Networks" on Windows XP.
> This means I cannot initiate a connection at a time of my choosing. I
> have to set that network's properties so that I automatically connect
> to that network when the access point is in range, and then wait for
> connection to start.

IMHO, 'hiding' one's SSID is futile; all it does is inconvenience legitimate users, and it doesn't deter the bad guys one bit.

"Wireless LAN security myths that won't die":

http://blogs.zdnet.com/Ou/?p=454

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm(a)ale.cx)
20:57:20 up 8 days, 10:11, 2 users, load average: 0.16, 0.19, 0.18
It is better to have been wasted and then sober
than to never have been wasted at all