Ideas and approaches to providing wireless Home services

For discussions about security.
gcmartin

Ideas and approaches to providing wireless Home services

#1 Post by gcmartin »

The next 3 frames are entries that were presented on another thread. But there seemed to be a level of understanding that was missed, and this thread intends to collect the posts in a way that PUP members can see the several approaches mentioned.

This thread can also serve as a "base" thread for PUP members who are looking for connectivity options or have connectivity options they would like to present for user use or review.

The intent is to provide consideration that members need to plan a safe home network while delivering the greatest ease of service to match their philosophy in home LAN device management and use.

Please feel free to ask questions and to offer your ideas for smooth Home LAN services.

This thread is for assisting members.
Last edited by gcmartin on Fri 26 Dec 2014, 23:16, edited 1 time in total.

gcmartin

1st post - One way viewing safe LAN practices & wireless

#2 Post by gcmartin »

Firstly, I should comment that security is based upon environment and one's anticipated use of their own network for private and public use. That being said, one then goes about taking the steps to set up one's router to match his/her home needs.

2 important understandings for most who venture into the area of changing router internals are:
  • NO vendor's or ISP's router comes preconfigured to allow any ordinary users to gain control from the internet to exploit/damage router usefulness. The ability that you might use to do so REQUIRES you to access your router from your LAN and to turn ON the ability for remote management.
  • Most vendors' routers do not come preconfigured to allow wireless users to gain access. To do so REQUIRES you to access your router from your LAN and to turn ON the ability for wireless access.
These have been my findings over the years, whether corporate or personal routing devices are concerned. In the case of some/many ISPs, they can/some do ship wireless capable routers preconfigured for wireless access.

But I am aware that this may be changed or is changing.

OK, here is what I have done over the past 20 years of wireless:
  1. set up an unsecured pathway for wireless users to get to the Internet
  2. set up a secured pathway for needed (authorized) wireless users to access LAN services as well as the internet.
Actually in most modern advanced routers, the ability to do this is built-in, while in old technology routers, you must use 2 routers-modems to make this happen.

Most installations do NOT want to get personnel involved in internet only accesses with ordinary people and DO NOT want to track users at that level for those users have no ability to access sensitive data. But, password level security is required for wireless LAN data accesses.

So, for example, anyone visiting my home gets access to my pathway to Internet. This includes family, friends, associates, etc. I do not concern myself with what GUEST users are doing. In my case, because of how my devices are configured, it is easy to see whether use came from someone authorized or unauthorized. Unauthorized, I am NOT responsible according to my jurisdiction's laws. So I don't care about their use. If I give them a password, I am inherently authorizing them. The fact that it's open is not an authorization, here.

In my 16 years of this in my home, I have NOT found any need to change or raise concern. I do, periodically, review the access logs and so far, I have not seen any accesses from any wireless user outside of my home premise....ever. I live in an area with many homes and lots of walkers, young and old, and constant traffic in and out of the neighborhood.

Also, syslog is available in many routers, today. If you have one and you have a syslog location to stream to, it can be useful in allowing you to see how your router is acting to support your intentions.

If you can find anything of value in this kind of openness along with its security, then use what you would feel is comfortable while matching your requirements and needs.

P.S. There is one other item that I do as a matter of course. Routers that I set up give the ability to assign IPs to devices it knows of when they request DHCP service from the router, so for the past 30 years, each person gets a sheet which shows the grouped areas that the router will assign known devices by type. Group areas for preconfigured IP assignments I use, within a given subnet, are
  • PCs (real and virtual)
  • Printers
  • Cameras (drones are just now coming into play within the wall of dwellings)
  • NAS and iSCSI
  • smartPhones
  • smartDevices
  • others (drones with differing sensors are just now coming into play within the wall of dwellings)
These are ONLY done for those devices that are inside the secured LAN framing.

On the unsecured outside, for wireless guests, depending upon router arrangement, no such plan is used. In some cases, printer(s) may be available to Guest users.

Use any of this that makes sense. There are other things which can be done, but more advanced routers would be a part of that discussion.

No matter what, to this community I say "Wishing All, Very Worthwhile Holiday Season"!
Last edited by gcmartin on Fri 26 Dec 2014, 23:07, edited 2 times in total.
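
Added example (not part of the original post): one way to carry out the log review and grouped-IP plan described above, by checking DHCP leases seen in router syslog against the address sheet. The address ranges, MAC addresses and log lines are constructed, and the dnsmasq `DHCPACK` line format is an assumption about the router's firmware.

```python
import ipaddress
import re

# Assumed address plan for the secured LAN (constructed; use your own sheet).
PLAN = {
    "pc":      ("192.168.1.10", "192.168.1.49"),
    "printer": ("192.168.1.50", "192.168.1.59"),
    "camera":  ("192.168.1.60", "192.168.1.79"),
}
# Known devices, MAC -> group (constructed).
KNOWN = {"00:11:22:33:44:55": "pc", "00:11:22:33:44:66": "printer",
         "00:11:22:33:44:77": "camera"}
# Constructed sample in dnsmasq's DHCPACK format; other routers log differently.
SAMPLE_LOG = """\
Dec 26 21:04:11 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.12 00:11:22:33:44:55 den-pc
Dec 26 21:05:02 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.51 00:11:22:33:44:66 laser
Dec 26 21:07:40 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.201 00:11:22:33:44:77 cam-porch
Dec 26 21:09:15 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.202 DE:AD:BE:EF:00:01
Dec 26 21:09:16 router kernel: br0: port 2(eth1) entered forwarding state
"""

ACK = re.compile(r"DHCPACK\([^)]+\)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
                 r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")

def group_for(ip):
    # Return the plan group whose range contains ip, or None.
    addr = ipaddress.ip_address(ip)
    for name, (lo, hi) in PLAN.items():
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return name
    return None

def audit(log_text):
    """Flag leases to unknown MACs and known MACs outside their group range."""
    findings = []
    for line in log_text.splitlines():
        m = ACK.search(line)
        if not m:
            continue  # not a lease acknowledgement
        ip, mac = m["ip"], m["mac"].lower()
        expected, actual = KNOWN.get(mac), group_for(ip)
        if expected is None:
            findings.append((mac, ip, "unknown device"))
        elif actual != expected:
            findings.append((mac, ip, f"expected {expected}, got {actual or 'unplanned'}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```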

gcmartin

2nd post - An approach f/setup wireless safety and services

#3 Post by gcmartin »

Just want to add an idea for understanding. Seems my earlier post was misinterpreted slightly. ALL of my setups have been networks which offer a clear unsecure path to internet use while having a secured internal network.

This allows friends and family in my home (and elsewhere) to get on the internet without me having to have them struggling with access keys and passwords.

The idea is that this leads to a kind of security in its own right as members who can get to the internet and cannot see internal LAN devices are prone to do just that...go to the internet. Setup of this sort is an SOP method that every Network admin knows to do.

Yes, the internal networks pass the security tests and checks, while the external network is left outside, unattended, and unfenced (so to speak).

For an implementation offering I provide this for your own evaluation and consideration. (There are numerous implementations some of which are similar, starting with multiple routers, or use of hotspot implementations, or alternate firmwares, etc., which can also be deployed to facilitate a similar approach where an open network is available while at the same time a closed network is NOT available.)

One simple implementation involves one used recently where a cheap modem router with wifi from the DSL provider allows Wifi but DOES NOT have Guest Wifi as an option. This is called the MAIN. In the MAIN, Wifi is secured. In this case, because of the lack of functionality in the MAIN, a 2nd cheap Wifi router that the user has is set up and attached to one of the MAIN's LAN ports. In the MAIN, I DMZ the LAN port that the 2nd router attaches to. In the 2nd I set up WIFI with security disabled, open for unauthorized WiFi attachment. There is NO WAY that any user on the 2nd router could ever cross to the MAIN for any useful service. DMZ does NOT provide any internal services on the MAIN to the DMZ device other than a mere internet path.

Hope this is useful as one means of having security for sensitive information while offering pathways to friends and family as more and more Wifi handhelds are in possession of home visitors.

Edit: I had time, so I would draw a simple picture. Looking at a picture you might see why this is a useful approach. Further, syslogs can be viewed to get an even clearer understanding.

[Image]

Again, there are many ways to set this kind of arrangement up and reduce any paranormal fears.

Test it for yourself. Even go so far as to try to figure how to breach. Crash the router and try to penetrate that, as well. And offer ideas for the same to others if you find this as one means of having safety while providing service to your family.

Here to help
BTW: This discussion is about someone with a PC or a handheld trying to get wireless service in a healthy way with good security planning. Wireless use has absolutely NOTHING to do with whether someone/group can or will attack you from the internet. In the case of wireless, it has to happen within a reasonable line of sight distance and it will happen with someone using a MAC address. Routers are equipped to capture connections.
Last edited by gcmartin on Fri 26 Dec 2014, 23:11, edited 3 times in total.
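
Added example (not part of the original post): one way to run the "test it for yourself" check above from a device joined to the open WiFi on the 2nd router, by attempting TCP connections to addresses on your own secured MAIN LAN. The target addresses and ports are constructed placeholders, and the function names are this example's own.

```python
import socket

# Assumed addresses on the secured MAIN LAN (constructed; substitute your own).
MAIN_LAN_TARGETS = [
    ("192.168.1.1", 80),     # MAIN router admin page
    ("192.168.1.51", 9100),  # printer
    ("192.168.1.80", 445),   # NAS file share
]

def probe(host, port, timeout=2.0):
    """Classify one TCP connection attempt made from the guest side."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # a service on the secured LAN answered
    except ConnectionRefusedError:
        # A reset came back: the packet crossed over even though the port is
        # closed (a firewall REJECT rule can also produce this result).
        return "refused"
    except OSError:
        return "no-path"         # timeout or unreachable: nothing crossed

def leaks(targets, probe_fn=probe):
    """Return (host, port, state) for every target that shows a path."""
    found = []
    for host, port in targets:
        state = probe_fn(host, port)
        if state != "no-path":
            found.append((host, port, state))
    return found

if __name__ == "__main__":
    # Run from a device joined to the open WiFi on the 2nd router.
    results = leaks(MAIN_LAN_TARGETS)
    for host, port, state in results:
        print(f"{host}:{port} {state}")
    print("isolated" if not results else "path into the secured LAN exists")
```

An empty result is what the arrangement is meant to produce; any "open" or "refused" entry is worth comparing against the router's syslog.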

gcmartin

final post - Clarification of a misinterpretation

#4 Post by gcmartin »

So you are providing free WIFI to anyone around your location that can pick up your WIFI signal. ...
Yes! And BTW for those who see the router as some kind of deficient pathway, WHICH IT IS NOT, please stop momentarily to understand ... I offer safety and security simultaneously! A picture has been added, 1 post away, to assist in its understanding. This works on all cable, fiber, AND all DSL ISP offerings I have assisted in those cases where it was selected as a safe offering or there was NO Wireless Guest option in the modem-router from the ISP. If a Guest option exists in your modem-router, you may find it preferable to having to manage 2 physical devices.

A wireless threat in the cases I set up is NOT going to target my router(s) as there is no pathway to affecting ANY information I have in the secured LAN.

This is a rather safe and secure approach, along with the others I mention which ensure this kind of safety at the router level.

Our threats, no matter who you are, are not from a wireless user attacking my router configurations as they get NOTHING there. SO, OUR WIRELESS USER THREATS are going to be those wireless users who attack real LAN devices....for breaches to access secure information you might have. Any wireless user will NEVER bother themselves attacking a pathway to the internet. That's just not where the money is. (Of course breaching to my camera in my bedroom instead of my router might be worth something on the internet. "If the stars can show bedroom scenes for money, why shouldn't we too!" If you do breach my bedroom camera, don't tell the women in the scene. And, please split the royalties with me, please. :idea: )

Unless, of course, if you are a BANK or PAYPAL or etc. that's different. You and I don't count from someone walking around looking for open internet ports. Besides, what is the profile and means of accomplishing of the wireless people/threats you have actually seen, anyway?

Exercise what I share with an eye for understanding. If you find value for your own situation and environment, use it for any safety it presents.
