D-Link Forums
The Graveyard - Products No Longer Supported => D-Link Storage => DNS-323 => Topic started by: Sincere1 on October 18, 2009, 08:20:42 AM
-
I'm an intermediate level computer user, but completely new to NAS, don't know a thing about Linux, and am dangerously under educated about home networking security. I have read all the basic stuff, but network communications and security layers gets pretty deep very quickly.
I have a DNS-232 running FW 1.07, behind a D-Link 2640B wireless router/DSL modem. Setting options in the 2640B reminds me of reading MOBO instructions: 1000 options, zero guidance.
How secure is my NAS sitting behind the default 2640B firewall? I should add that also behind the firewall are my wireless laptop using WPA2, my desktop machine (wired), and my son's desktop (wired) that is a viper's nest of malware, adware, trojans, etc.
Thank you!
-
Well, your son's machine seems to be the issue here. ;)
If you want real security, I think I'd get a firewall between him and the rest of your network. ::)
-
Can you steer me to some education on dividing a home network up? I have to share the internet connection, but I don't have to share the network - only I'm not sure how to set up my "mini-network" to exclude him from it. All machines are using Win XP.
Also, I'm curious about how secure the NAS is from the outside world. I get the general idea that the firewall using NAT pretty much hides my NAS from the internet. Is there anything that weakens that security? Or is there anything I should do to strengthen the default security?
Thank you
-
Any port forwarding through the router will weaken your security.
If you want to be secure, here's my recipe.
Buy a second router and connect it's WAN port to one of the LAN ports on the primary router. Connect all the "insecure" machines (like your son's) to the first router. Connect all the network devices you wish to have protected from him and the Internet on the secondary router.
-
Instead of having 2 routers, you could also snap on an "AlphaShield" external firewall, it's cheap and...Has been proven to be unhackable up to know. There was a 2M$ contest to hack it, no one won. The only thing is, this firewall is so safe...It can be hell with some softwares such as msn.
You see, this alphashield doesn't let data in unless you have "asked" for it. Let's say you're on msn, people won't be able to write to you unless you have started the conversation. Your computer becomes a vault on the inbound side, but this doesn't affect the outbound. It just makes you unreachable from outside, but if you let a virus in your network (downloads), then the firewall isn't going to be much help. The alphashield is good if you want to totaly secure your PC because you have confidential data and don't use it for gaming or chating, but only for surfing websites.
If this is what you want, I suggest you get it by ebay, usualy around 60-80$.
On the other hand, for something less intrusive I recommend using a GOOD anti-virus with a firewall also on each computer. I swear by Eset's Nod-32. You can get their SmartSecurity kit wich includes an anti-virus and firewall, or just the anti-virus wich a separate free firewall such as PC tools, wich is free and well rated for windows XP (on Vista it wasn't rated as well). There are other good firewalls like Outpost and Online Armor also, and anti-viruses such as Kapersky and Bitdefender wich are all very respected.
Usualy mixing a router (better if you have one with SPI firewall) plus a GOOD RATED anti-virus and firewall on each computer, then you're pretty much as protected as can be. Of course, there could be some other small tweaks that could help, but for what it's worth, the solutions above should do the trick.
Like said above, every port open is a breach.
-
The two routers are cheaper, easy to install, and require no fooling around with the software or allowing each package access. As long as you don't forward any ports, you are quite safe behind almost any SOHO router, SPI is pretty standard nowadays. Remember, he already has one router. ;)
-
You see, this alphashield doesn't let data in unless you have "asked" for it. Let's say you're on msn, people won't be able to write to you unless you have started the conversation. Your computer becomes a vault on the inbound side, but this doesn't affect the outbound. It just makes you unreachable from outside, but if you let a virus in your network (downloads), then the firewall isn't going to be much help. The alphashield is good if you want to totaly secure your PC because you have confidential data and don't use it for gaming or chating, but only for surfing websites.
You could apply this description equally well to any NAT router even my old Linksys BEFSR11 which had NO firewall - you see, that is exactly how NAT works - NAT allows all outgoing connections and keeps track of where (which host) they came from and uses that information to direct the incoming response - however - if the incoming data does not match an existing outgoing request, the NAT router has no clue where to send it and simply discards it.
So what you have is nothing more than some slick advertising copy.
More to the point - gunrunnerjohn's solution is really the only inexpensive way to deal with his particular problem, which quite simply is that he already has a compromised host on the inside of his perimeter firewall, so, what a cracker would do is take control of the compromised host and use it to attack the other "unprotected" targets on the LAN.
-
Yes, I see what you mean. Here I had been thinking I could somehow create my own private XP home network and exclude my son. I hadn't thought about the fact that once they're past the NAT firewall, my best defense is gone.
Too bad I didn't think to ask these questions before I shelled out good money for my 2640B, because I intentionally bought it as an "all-in-one". I'll now have to start pricing another wireless G router since the expensive first router converts my DSL.
Can I split the DSL line and just stick him on his own router? I'd still have to spend for a DSL/router combo, but I could keep the modern features and wireless of my 2640B. Or does my ISP provide only one IP address at a time, so nixing the "two dsl modems" idea?
Thank you
-
You can't use two modems, one modem to a DSL line.
You just need a secondary router to do what I suggested. What's so special about the D-Link 2640B, looks like a pretty standard DSL gateway to me.
-
The 2640B has modern wireless features like WPA2. It also allows specific port forwarding which I understand not all routers do (but most?), and I believe UPnP. I'm not interested in the last two but my son is.
I suppose I'm undereducated on this subject also, but when I was shopping for the current router, it seemed like router/DSL modem combos were harder to find.
If I'm going to keep my secure wireless, I'll need to place the 2640B second in line. So is it hard to find a modem/router with port forwarding capability to place first in line?
Thank you
-
Actually, WPA2, uPnP, and port forwarding are standard features of almost any current generation router. Since you already have that router in place and your son's connecting through it, my previous suggestion seems made to order for you. I can't think of a new router that doesn't offer WPA2. I'd suggest the D-Link DNS-615, it's available regularly for $40 or even less, and it's a decent 802.11n router. I have one here, and it's worked well for some time.
-
Under NO circumstances should you give your son access to uPnP unless you figure out a way to get a firewall between his system and the rest of your network.
uPnP provides a mechanism where the software on his computer can automatically configure the router permitting all sorts of mayhem to be achieved. Personally I would disable uPnP.
-
With the secondary router, all uPnP is going to do is allow him to nuke himself faster on the Internet. :) Obviously, you don't enable uPnP on the secondary router! :o :)
-
With the secondary router, all uPnP is going to do is allow him to nuke himself faster on the Internet. :) Obviously, you don't enable uPnP on the secondary router! :o :)
That would qualify as the "firewall between his system and the rest of your network" that I am advocating.
-
That would qualify as the "firewall between his system and the rest of your network" that I am advocating.
100% correct, it's the cheapest way I know to totally isolate yourself from such a situation. I have a similar arrangement here for the wireless network. I actually have two wireless networks, the "public" one that I really don't care what happens on, and my private one that is restricted to my connections.
-
I actually have two wireless networks, the "public" one that I really don't care what happens on, and my private one that is restricted to my connections.
Just my $0.02 - you should care - you're responsible for any attacks that originate at your public ip address.
Many people feel that, because of the dynamic nature of things on the internet, that such attacks cannot be traced back to the source - this is incorrect and your ISP will have logs that show which subscriber had a given ip at a given time, even with dynamically assigned addresses.
I like to "illustrate" things, so if you'll just allow me ...
I live in a fairly small third world country where not every one has a computer in their home, and small "internet cafes", where you can buy a few hours of online time for a small fee are quite popular. DHCP addressing is the norm here, static address are available for a fee, and due to an unreliable power utility, the norm is to shut down everything and unplug, when you close business at the end of the day - I mention this so that you know the ip addresses change pretty much on a daily basis.
Someone used one of these cafes, located in a small town outside of the capital city, to send a threatning email to an airline, copying to the US state department - and even though neither state nor FBI has any jurisdiction here, within 24 hours of the email being received, the FBI, with support from the local police had raided the cafe, seized equipment and detained the owner & operator of the cafe to assist in the investigation.
The owner was released after a couple of days, and the equipment eventually returned, as there was no way to identify who actually sent the email - since no records of identity were kept at that time, legislation has since been past requiring cafe operators to keep such records.
Think about it - someone, parked outside your place, connects to your public WiFi and starts snooping around TSA or Homeland Security - or for that matter, someone, who knows where on the internet, takes control of a bot in your "DMZ" and does the same.
Where does the trace point to? Whose door are the Feds knocking on? Who are they going to detain "to assist in the investigation?
-
Just my $0.02 - you should care - you're responsible for any attacks that originate at your public ip address.
Well, just for clarity, my "public" network is WPA2 encrypted, it's not for anyone to use. My point is that for guests here and when I'm working on a potentially infected machine, I use that connection to isolate them from my network. So, "public" is pretty limited in my context.
I would have thought that from my posts you'd have a better opinion of my knowledge, apparently not. Gad, I didn't just fall off the turnip truck!
-
Last night I ordered a D-Link 2540B DSL Modem/Router (no wireless). Sometime after that I read your post about the DIR-615 and remembered that I had almost purchased it originally, until I found that it wasn't a DSL modem (and at that time I needed an all-in-one). Had I read your post prior to placing my order, I might have saved $20. Oh well, it was a choice between two wireless routers or two DSL modem/routers at this point, so the second wireless network is now moot for my case.
I will place the 2540B first in line, and let my son do limited port forwarding from it. I read some pretty authoritative articles saying that the security of port forwarding was mostly relative to the program you are using it for, that if the program was well patched and a secure program like Bit Torrent, and you pick an unusual port number for good measure, that you're reasonably secure. The idea being that a program on your computer must request the data on the given port or the NAT will drop it. If the program doesn't have a hitchhiker secretly requesting data, then you're ok. If either of you has a link to a good site that supplies contrary info, I'd appreciate it. I've gotten my son to run the basic security measures on his machine: a good antivirus and a bidirectional firewall. If port forwarding is really a major security breach, I'd like to know before some agent knocks on our door.
Thank you
-
What router are you putting behind it? That one can't also be a DSL modem/router.
-
Well, just for clarity, my "public" network is WPA2 encrypted, it's not for anyone to use. My point is that for guests here and when I'm working on a potentially infected machine, I use that connection to isolate them from my network. So, "public" is pretty limited in my context.
I would have thought that from my posts you'd have a better opinion of my knowledge, apparently not. Gad, I didn't just fall off the turnip truck!
You really shouldn't take things so personally - this is a discussion forum, where people from all walks of life and all levels of experience participate.
What if someone comes along and reads your post and thinks - this guy didn't just fall off the turnip truck - and replicates what he thinks is your safe configuration, only to have a rude awakening ? Sometimes a little more detail is necessary to ensure that more people have a better understanding.
-
Sometimes a little more detail is necessary to ensure that more people have a better understanding.
Yep, and there's your detail. ;)
-
Boys, boys. gunrunnerjohn, I agree with fordem that your reaction was a bit harsh. He has a good point, and I'm the newbie who provides the case in point. You'd be best to assume I know nothing. For example, I rushed out and bought a second DSL modem/router, not wanting to give up the fine features of my more expensive D-Link 2640B. Then I read your post gunrunnerjohn, and immediately realized the foolish mistake I made. I called Techforless.com today, and even though the modem is in transit, they were kind enough to offer to take it back for full refund incl. shipping. They deal mainly in open box goods, which might be fine for guys like you and fordem. Book mark their site! Sorry, that's my sales pitch for them being kind to me.
So I now have a DIR-615 on it's way from another vendor (techforless didn't have them). I'll have to waste some of what I paid for in the 2640B, but as you say, it's already configured for my ISP, the DSL is functional, so that's certainly worth something.
The guy at techforless happened to previously do router support, and mentioned that I'll have to change the IP address of one router to get them to talk to each other. If he said which one I wasn't listening closely enough. Does it matter?
-
Yep, it's a simple process. If both of them have a base address of 192.168.2.1, which is typical for D-Link routers, you'll have to configure one (I recommend the new one) to have a a base address in another subnet, say 192.168.1.1 or 192.168.2.1, etc. This is done on the Network Settings link from the SETUP screen of the DIR-615. It's the Router IP Address that you want to change.
-
I received the DIR-615 and have it networked in. I haven't moved the wireless laptop to the DIR-615 yet, but the my desktop machine is working there. Gunrunner John, I followed your instructions to connect the WAN port of the DIR-615 to a LAN port on the 2640B. I didn't need to change the IP address because the 2640B uses 192.168.1.1 and the DIR-615 uses .0.1
The DIR-615 instructions had a section on connecting to another router, but they were intended for adding to your network as opposed to creating a 2nd network behind the first. It instructed me to plug into a LAN port on the 615 instead of the WAN. I ignored that part & followed your instructions.
But they also said to disable UPnP (I agree), and DHCP, which seems to make sense: you can't have both routers trying to assign IP addresses can you? Leave DHCP off?
Thanks!
-
If you want to connect the DIR-615 and eliminate it's NAT layer (making it into a WAP), here's the recipe.
Connecting two (or more) SOHO broadband routers together.
Note: The "primary" router can be an actual router, a software gateway like Microsoft Internet Connection Sharing, or a server connection that has the capability to supply more than one IP address using DHCP server capability. No changes are made to the primary "router" configuration.
Configure the IP address of the secondary router(s) to be in the same subnet as the primary router, but out of the range of the DHCP server in the primary router. For instance DHCP server addresses 192.168.0.2 through 192.168.0.100, I'd assign the secondary router 192.168.0.254 as it's IP address, 192.168.0.253 for another router, etc.
Note: Do this first, as you will have to reboot the computer to connect to the router again for the remaining changes.
Disable the DHCP server in the secondary router.
Setup the wireless section just the way you would if it was the primary router, channels, encryption, etc.
Connect from the primary router's LAN port to one of the LAN ports on the secondary router. If there is no uplink port and neither of the routers have auto-sensing ports, use a cross-over cable. Leave the WAN port unconnected!
This procedure bypasses the routing function (NAT layer) and configures the router as a switch (or wireless access point for wireless routers).
For reference, here's a link to a Typical example config using a Netgear router (http://"http://kbserver.netgear.com/kb_web_files/N101236.asp")
-
I'm confused. The idea was to create a second network behind the first. My son's would be the sole computer connected to the first network, my wired desktop and my wireless laptop on the second. This was to keep my machines secure from any attacks using his computer.
You earlier said to connect the 2nd router via its WAN port, now you say use the LAN port. And why would I want to eliminate the NAT layer? Isn't that half the security?
The instructions sound similar to the D-Link instructions, but that doesn't create a second firewall does it? It just makes an extension of the first.
-
I received the DIR-615 and have it networked in. I haven't moved the wireless laptop to the DIR-615 yet, but the my desktop machine is working there. Gunrunner John, I followed your instructions to connect the WAN port of the DIR-615 to a LAN port on the 2640B. I didn't need to change the IP address because the 2640B uses 192.168.1.1 and the DIR-615 uses .0.1
The DIR-615 instructions had a section on connecting to another router, but they were intended for adding to your network as opposed to creating a 2nd network behind the first. It instructed me to plug into a LAN port on the 615 instead of the WAN. I ignored that part & followed your instructions.
But they also said to disable UPnP (I agree), and DHCP, which seems to make sense: you can't have both routers trying to assign IP addresses can you? Leave DHCP off?
Thanks!
You're right, the idea is to have two networks, so you are going to connect the second router's WAN port to the first router's LAN port - and since you have two separate networks, you need DHCP on on both routers - the first router will issue ip addresses on it's network (call it OuterLAN) and the second router, will issue addresses on it's network (call it InnerLAN)
-
You're right, I lost sight of the original problem. :o
My original instructions were correct.
-
Sorry for the long delay! Had way too much going on lately to go back to this issue. I currently have the DIR-615 daisy chained thru the 2640B, my desktop machine wired to the DIR-615 and have internet there. The laptop still has internet wirelessly thru the 2640B, and I've been trying to connect it to the wireless AP of the DIR-615. The laptop does see the DIR-615 as an available network, but I think won't finally connect due to IP address conflicts. The 2640B uses a default gateway of 192.168.1.1 where the DIR-615 uses 192.168.0.1, each with their expected IP address range.
I'd like to know: how does a Windows XP machine establish it's IP address (using DHCP)? When it boots?
Thanks and hope you guys are both still there!
-
I did a little playing around, and now believe that the Windows machine aquires an IP address not from its own internal workings but from the DHCP server, which is the router in this case. Correct?
So earlier tonight my laptop had an IP address of 192.168.1.2 while it was connected to the 2640B, because the 2640B has a range of 192.168.1.2 to 192.168.1.154 so it "gave out" the 192.168.1.2 address to my laptop. Correct again?
I can't get the DIR-615 to connect to the laptop. The settings in both the router and the laptop for WPA2-PSK with AES are pretty simple so that's not the problem I don't think. I suspect the trouble is related to the laptop not being able to aquire the IP address.
On the advice of a D-Link support tech (nothing else he had me try worked) I upgraded the FW to 3.11
Any thoughts?
-
Windows can be configured to use either static or "automatic" (Dynamic/DHCP) addressing - the default is DHCP, and in most home networks, the router is the DHCP server.
Also - the most common reason for a "wirelessly connected" computer not to get an address by DHCP is mismatched encryption keys - so disable the encryption and verify that you have a connection and then re-enable it and reconfigure.
-
I don't know if anyone has mentioned it, but sticking RUBotted on your 32 but machines will pick up pretty quickly if something is running on your machine that you don't want. If your son uses a 32 bit OS then using this might make him more aware (or even interested in security) as it will show him what's going out.
Are you so sure that your son has got security isses on his net? I noticed a lot of people are very quick to jump on the bandwagon of assuming young=irresponsible. You might find he knows more about it and is already a couple of steps ahead of you ;)
-
Unfortunately I'm painfully aware of just how little my son knows about security, we've had too many conversations about it leading up to this. That's precisely why I decided the best option was to exclude his machine from my network. He has gotten better, and now runs an antivirus and a firewall. But he only came to that after his computer slowed to the point of almost stopping. I'm washing my hands of it and moving on.
Fordem, thank you for the sterling advice. So simple I should have thought of it myself - but I didn't. After playing around with attempting completely unsecure, open connections, I took the matter to D-Link, who decided I have a bad DIR-615. It appeared to me that it couldn't seem to dish out an IP address, but I can't confirm that.
The unit is being shipped back to D-Link, I should have a replacement in a week or two. I'll post back then.
Thanks again...
-
Fordem, I hope you're still watching this thread. I got the replacement DIR-615 and tried again, to no avail! I get the same thing as with the last machine. Setting both the router and my laptop to SECURITY DISABLED, I still can't connect. The laptop can see the router signal (strong), tries to connect for a minute or so and quits. It will connect to the other router, the DSL 2640B just fine. I dread calling D-Link again. Any ideas?
-
Connect from the LAN port of the internet connected device to the WAN port of the second router.
Leave DHCP *enabled* on both routers.
-
Can we have a recap? Are you daisy-chaining the routers? If so, DHCP indeed MUST be enabled on both of them.
-
Yes, I am daisy chained, with the second router's WAN connected to first router's LAN. I had internet right away through my desktop machine, connected to the second router. The trouble was wireless connectivity. But a solution was posted here (http://forums.dlink.com/index.php?topic=8415.0) and it works! Bad firmware in the DIR-615, but a workaround!
Apologies for all this being essentially in the wrong forum. It probably should have been in the DIR-615 forum in the first place, but when I started, my concern was protecting my new DNS-323 from the bad things my son might let in, so I asked my first question here.
Thank you all very much, and Merry Christmas!!