Gilles' WebLog : Non computer

Wireless Networking and Security

gzunino — Thu, 19 Aug 2004 17:16:00 GMT

Yesterday, I did put the last touch to my home wireless network. Thanks to my D-LINK DI-624 and a G650 card, I have been enjoying a 108Mbps link. They do this through a proprietary extension called "Super G".

During the configuration of the network, the Wireless Zero Configuration Service scanned all available networks and I was surprised to see that among the 4 networks found (not including mine) only 2 were secured so maybe this is a good time to remember owners of wireless networks that a minimum of security should be setup. I am not a network security expert so take the following list as a starting point for further discussion: I'd be happy if you can suggest more best practices.

Change the default password and IP address of the router. The bad guys know the defaults of every equipment so you will make it harder to access critical points (router, administration page...) by changing the defaults,
Disable remote administration of the router (on the WAN side), especially over wireless links, if possible. This way, only somebody wired to the router from within your home network can administer the router,
Enable MAC address filtering to allow only the computers you know and control to connect. It is trivial to find the MAC address of an active wireless card and many wireless cards allow you to change their MAC address but MAC address filtering puts a severe speed bump on the way of a potential attacker,
Disable DHCP and assign static IP addresses. If someone manages to get in, it will be harder to get an IP, DNS servers...,
Enable encryption. I suggest WAP-PSK (AES) if your hardware supports it. If not, perhaps WAP-PSK (TKIP). Ensure that you enter a string pass phrase (63 characters which do not contain words in English or any other language to slow down dictionary attacks). Use WEP with a 128bits key only if you cannot enable WPA. WEP should never be used with key < 128 bits. There are WEP keys generators on the web (https://www.wireless.org.au/~jhecker/wepgen/index.php for instance),
Configure your wireless clients to connect only to Access Points, not to other wireless clients. Two wireless clients can communicate directly, bypassing the access point station,
Configure your clients to not automatically connect to available networks,
Disable SSID broadcast. While it is possible to discover SSIDs of networks when the Access Point does not broadcast it, disabling it will make you invisible to casual inspection in your neighborhood,
Turn your router's firewall on if it provides one. Also, if your operating system provides a firewall,. you want to turn it on. Most OS vendors offer a firewall: Windows XP SP2, Mac OS X, Linux ...),
Turn off DMZ on your router, if this is possible. DMZ (De Militarized Zone) allows you to run servers visible from the Internet),
Turn off 802.1b compatibility if all your components run with "g",
Drop ping packets coming from the WAN. Attackers will ping your system to analyze it,
Disable SNMP if your wireless access point offers it. SNMP (Simple Network Management Protocol) has had several security issues in the past,
Run NetStumbler against your own network to assess its security.

There should be no surprise with this list: everything is pretty standard. Most of these are designed to slow down a potential attack rather than preventing intrusion. However, with all these speed bumps in place, it is likely that attackers will shift their attentions to less protected networks. Can anyone think about something I missed?

Blue Angels at SEAFAIR 2004

gzunino — Tue, 10 Aug 2004 19:00:00 GMT

This weekend, the SEAFAIR took place in Seattle, WA. I enjoyed the performance of the Blue Angels over Lake Washington. I was standing on I-90, on the Seattle side of the bridge, nearby the viewpoint (Quicktime Required). Jets passed right above us and I was able to take some pictures:

O-Zone, Dragostea Din Tei is PHAT 1 this week on Seattle C89.5

gzunino — Thu, 05 Aug 2004 16:27:00 GMT

Adrian, one of my co-worker, pointed out a few weeks ago that Seattle C89.5 (Official web page) broadcasts O-Zone, Dragostea Din Tei very often. C89.5 was recently voted best High School radio station by the New York Daily Magazine. In this paper, the Seattle Times describes their style as "snappy, edgy, hybrid of Top 40, rhythmic and contemporary dance music". I prefer to name their style as "hi-NRG". This is, it seems, the perfect place for O-Zone.

Like many other radio stations, C89.5 receives requests to play records and maintains the "top 5" of the most requested tunes:

Listen Saturdays at 7:00pm as we count down the 5 most requested songs of the week based on your requests. The PHAT 5 at 7 happens only on C89.5

It seems that this week most requested record is O-Zone, Dragostea Din Tei. I already talked about this band a long time ago and apparently, it is now "PHAT 1" on Seattle C89.5. Tune in now and listen to their live feed by pointing your Windows Media Player 9 here and perhaps pledge to help them.

PPPoE and Verizon DSL

gzunino — Fri, 30 Jul 2004 00:12:00 GMT

I have been very busy working on the future of BizTalk. Currently, this is mostly attending meetings and writing prototypes. This has been exciting and has not left me much time to post here.

Aside from this, I managed to find some time to setup my Verizon DSL. At the end of June (June 30th to be price), I ordered DSL from Verizon Online. They tested my line and sent me the equipment. Well, I had to call their customer service to "remind" them that they should have sent me the modem and the filters. I received the modem but no filters. As a result, I currently have to choose between my phone or the DSL.

Anyway, I currently run Mac OS X (10.2.8) at home and I had no problem getting this machine online. I used the well known trick of power cycling the DSL modem right after running setup and I started to enjoy a fast access to the internet in less than 5 minutes. Things started to get more interesting when I tried to hook up my D-Link wireless router DI-624.

This is by no mean a complex task, I thought. Well, it turned out that it was not immediately obvious to me. Verizon sent me a dual modem: Ethernet and USB. The model is a Westell "WireSpeed". After hooking up the Ehternet output of the modem to the WAN input of the D-Link router, I configured the WAN side to do PPPoE (Point to Point Protocol Over Ethernet) with my username and password. Of course, it did not work. The DI-624 could not establish a PPPoE connection.

I then inspected my unit a little more closely and noticed the part number of the modem: B90-210015-04. Basically, this is supposed to mean that this is a Westell 2100 modem, provided by Verizon (the "15" part. If it was Bell, it would have been "30"). Actually, the Verizon part number on the cardboard box says that the modem is actually a B90-211015-04. Oh well .... Westell (official web site) uses Verizon (among others) as distributors and allow them to customize the firmware so this might be why they are kind of sloppy on the part numbers.

There were essentially two solutions: either way the modem was acting as a DSL router or my configuration on the D-Link was wrong. A quick search on the internet revealed that a Westell 2100 is a bridge and cannot be configured to be a router therefore setting up PPPoE is required. Being 100% sure that my PPPoE configuration was right, I pulled the heavy artillery: I hooked up the modem output to a computer and ran netmon in promiscuous mode.

I very quickly understood what happened. I saw DHCP and TCP frames. My modem is in fact a Westell 2110 which allows two computers to be connected at the same time (via Ethernet and USB). To achieve this, it contains a little DHCP server and the line negotiation is handled by the modem. I configured the DI-624 to acquire an dynamic IP address (as I would have for a cable connection) and got connectivity.

I am a little unhappy with this situation. I'd rather disable the PPPoE and DHCP capabilities of the modem and have my D-Link do PPPoE. However, neither the Westell 2100 nor the Westell 2110 can be setup this way.

George Goble's famous charcoal grill experiment

gzunino — Mon, 24 May 2004 06:05:00 GMT

Here, in the Northwest, the weather is becoming adequate for barbecues. Since I dislike waiting for charcoals to become warm enough, I looked for possible ways to accelerate this. Well, George Goble seems to have found a slightly extreme way to light up a charcoal grill.

George became an instant Internet celebrity when he released videos and pictures of himself lighting a charcoal grill by pouring approximately 3 gallons of liquid oxygen (LOX) at cryogenic temperature. George was asked to remove all the materials but a few sites still have pictures of this memorable experiment (http://www.vwauditeamwetterau.de/Witziges/grillen.htm - in German).

George is seen below using a 3 meters long pole to pour LOX. According to his calculations, the temperature rose to 10,000 degrees Fahrenheit. Unfortunately, the intense fire consumed the steel grill and only a small pile of ashes remained as shown by the picture on the right.

Gobles cautioned against allowing even a single charcoal briquette to soak in liquid oxygen because he calculated that it would explode with the energy of a stick of dynamite when ignited. One more reason (if one was needed) to not attempt to duplicate this at home.