Author Topic: Network infrastructure setup help  (Read 10785 times)


Offline MyndFyre

Network infrastructure setup help
« on: December 01, 2008, 04:58:00 am »
I just bought a house (closing in < 2 weeks!) and want to set up a better network than I have right now.  Having never wired a house or anything substantial for internet, I'd like some validation on what I'm planning. 

I've done some math and figured out that there would be 7 ports throughout the house that I'd want to set up:
* 1 in each of 3 bedrooms
* 1 in an outside "bonus" room
* 1 in a living area
* 2 in a common area - 1 for the Xbox and 1 for general use (like a desk)

I currently have a 4-port Linksys wireless N router, but I don't believe I want to use this as a primary router for a couple reasons:
* I want to install the networking hub in my utility room inside of cabinets.  This would put the wireless signal coming from a non-central part of the house, AND it would be close to electronics that could disrupt it, specifically, the washer/dryer.
* It only has 4 ports; to get this setup I'd need at least 7.

I still want people plugging into wired networking to get a dynamic IP address unless otherwise configured, so here's the final setup I've come up with:

Cable company -> Cable modem -> Wired router -> 8-port switch

The switch has cabling to each room connected to it and is the central point.  However, with an 8-port switch I'm not able to connect any additional devices (7 rooms plus connection to the router).  The connection to the Xbox will then go through my wireless-N router which will be configured as a gateway (so DHCP functions are disabled).  All DHCP assignment should be handled through the main wired router.

Ultimately, connections might look like this:

* Cable company -> Modem -> Wired router -> Switch -> PC
* Cable company -> Modem -> Wired router -> Switch -> Wireless Router -> Wireless Network -> PC
* Cable company -> Modem -> Wired router -> Switch -> Wireless Router -> Wired port -> Xbox

Is this correct?
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Newby

Re: Network infrastructure setup help
« Reply #1 on: December 01, 2008, 05:25:02 am »
Two questions:

1. Is the XBox plugged into a wired port on the wireless router? If so, is it going to be able to access the rest of your network? I've had problems where wireless routers pretty much have to do NAT -- they won't act like switches no matter how hard you try.
2. Is your wireless network going to talk with your wired network? My dad has it set up where the wireless networks are on a 192.168.1.x subnet, and wired connections are on their own network. I have them on the same subnet.

As an aside, it wouldn't hurt to buy a 16-port switch if you feel you'll be adding onto your network at any time. I bought a 5-port switch when I thought I would only need 2 or 3 of the ports, and I ended up with two 5-port switches attached to each other, both completely full..

But yes, basically: Cable Modem -> Wired Router -> [whatever you really want to do]. Wired router should have two different IPs (one is the IP your ISP will serve you, the other is your own internal LAN IP) and should do NAT.

What I personally do is: Cable Modem -> Wired Router -> Switch -> rest of house, which is wired and eventually runs back into the switch.

I also recommend setting up an older PC as your wired router, using an operating system like FreeBSD. It gives a lot more flexibility. You can also set up a wireless network on it too, if you so desire. You could even give ISA a try; my dad runs it and loves it. I prefer FreeBSD and pf as my gateway/NAT/firewall/router system, though. :)
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline sdfg

Re: Network infrastructure setup help
« Reply #2 on: December 01, 2008, 08:25:44 am »
Quote
my dad runs it and loves it.
Wow, my dad doesn't know how to turn on a computer :P!
L33T must run in the family...
dey see me trollin'
dey hatin'

Offline iago

Re: Network infrastructure setup help
« Reply #3 on: December 01, 2008, 10:39:57 am »
Quote
1. Is the XBox plugged into a wired port on the wireless router? If so, is it going to be able to access the rest of your network? I've had problems where wireless routers pretty much have to do NAT -- they won't act like switches no matter how hard you try.
My Linksys WRT54g (pretty standard) works fine as a switch. As long as devices on the network can talk to each other, there's no reason it shouldn't. Just don't use the uplink port.


As a general comment (on this thread), it really depends what you're going for. If you just want all your computers to talk, then yeah, a switch + wireless router in some combination is all you need. If you want to run servers or run a secure portion, then things get a little more tricky.

Offline MyndFyre

Re: Network infrastructure setup help
« Reply #4 on: December 01, 2008, 11:06:07 am »
@Newby: Yes, the plan is to have everything on the same subnet talking to each other.  What's tricky?

Offline Camel

Re: Network infrastructure setup help
« Reply #5 on: December 01, 2008, 12:49:08 pm »
Quote
I've had problems where wireless routers pretty much have to do NAT -- they won't act like switches no matter how hard you try.
Linksys routers are unilaterally exempt from this problem. They have an option to isolate the wireless network, but it is disabled by the default settings. The switch in all Linksys routers is physically independent from the CPU and the WAN port; even if you fry the CPU, the switch will still work (NAT/DHCP/etc will not; that's done by iptables/dhcpd in CPU land). Some of the Linksys N routers have a second CPU (and separate OS!) for the radio (my 350N does; the 54G does not), but I'm not clear on how that CPU is physically connected to the main CPU and switch.

[edit] @MF: your setup sounds fine to me; what ISP are you going for? I just got FiOS, and they gave me a retarded modem/router combo which has ridiculous security restraints on it, and the default WEP key is the BSSID.
« Last Edit: December 01, 2008, 12:56:04 pm by Camel »

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline Newby

Re: Network infrastructure setup help
« Reply #6 on: December 01, 2008, 01:18:26 pm »
Quote
@Newby: Yes, the plan is to have everything on the same subnet talking to each other.  What's tricky?

If you're plugging your XBox into a wireless router (emphasis on router) it may not work that way.

For instance: your network is 192.168.1.xxx. Your wireless router's IP is 192.168.1.200. Your XBox's IP is whatever the LAN side of that wireless router is, so the rest of your network interfaces with the XBox via 192.168.1.200. And any computers on your wireless network talk to the wireless computers via 192.168.1.200.

But I honestly haven't dealt with much in the way of wireless routers recently. I just remember, from my limited experience, that's how they worked. Sure, those on the LAN side of the wireless router will have no issues talking to your 192.168.1.xxx computers, but those computers won't be able to talk directly to wireless computers/the xbox without some port forwarding on the router side. That's part of the main reason I set up a wireless network on my router (the one right after Cable Modem) so that I could guarantee they were both on the 192.168.1.xxx subnet.

Offline Camel

Re: Network infrastructure setup help
« Reply #7 on: December 01, 2008, 01:38:30 pm »
Quote
If you're plugging your XBox into a wireless router (emphasis on router) it may not work that way.

For instance: your network is 192.168.1.xxx. Your wireless router's IP is 192.168.1.200. Your XBox's IP is whatever the LAN side of that wireless router is, so the rest of your network interfaces with the XBox via 192.168.1.200. And any computers on your wireless network talk to the wireless computers via 192.168.1.200.

No. The router's IP address exists to provide a gateway and a web-based configuration tool; it is a completely independent computer which is connected to the switch. If you wish to reach the internet via NAT, you go through the gateway. If you wish to speak to other computers on the network, you needn't communicate with the gateway -- and the switch won't even forward traffic to it.


[edit] Technically speaking, calling a wireless router a 'router' is imprecise; it's a router, AP, and switch. These are (or, at least, could be) three physically distinct entities. The router has an input and an output; the WAN and the LAN connections. The LAN connection is hardwired in to the switch, and the WAN connects to your modem. The AP is another independent thing (though it's usually piggybacked in to the router's CPU, and shares a LAN connection to the switch -- it needn't necessarily be that way) which bridges the LAN in to the radio network -- but do not be confused, the AP does not have an IP address; it's just the wireless equivalent of a switch.

Bringing down the router's LAN interface will not disable the radio, and it will not disable the switch. The web configuration utility on the router will be unreachable, but the radio will still bridge network traffic (unless it's sharing the router's ethernet port, which is often the case). If the router is running a DHCP server, that will be unreachable, but this does not mean that the LAN is down.
« Last Edit: December 01, 2008, 01:54:20 pm by Camel »


Offline Blaze

Re: Network infrastructure setup help
« Reply #8 on: December 01, 2008, 02:37:22 pm »
I've never had an issue using a Linksys router as a switch, either, iago.
And like a fool I believed myself, and thought I was somebody else...

Offline MyndFyre

Re: Network infrastructure setup help
« Reply #9 on: December 01, 2008, 05:02:32 pm »
@Camel: So I should not connect the wall switch to the wireless router via the special port?

Offline Camel

Re: Network infrastructure setup help
« Reply #10 on: December 02, 2008, 12:33:20 am »
Quote
@Camel: So I should not connect the wall switch to the wireless router via the special port?

Do you mean the WAN port? The question only seems to make sense if you've got two routers (one non-wifi router on the modem, and another wifi AP). That would create a secondary (wireless) LAN inside of your primary (wired) LAN using NAT. That would prevent your wireless clients from appearing in your primary LAN, and I don't think that's what you want.

Since that doesn't even sound like your scenario (you have one switch and one wifi router, right?), I'm going to assume I didn't understand the question. Just plug your switch in to the LAN ports of your router, which will simply increase the number of wired ports available to your LAN. Use a gigabit link between the two if possible (100mbit switches sometimes come with 2 1gbit ports, allowing you to daisy-chain them without creating a massive bottleneck).


Offline MyndFyre

Re: Network infrastructure setup help
« Reply #11 on: December 02, 2008, 11:20:53 am »
No, I'm going to have two routers:

* Router 1 will be my primary firewall and will live between the cable modem and the switch.  This will be a wired-only router.
* Router 2 will be a Wireless router that I already have, a Linksys WRT300N. 

I don't want the wireless to be on a separate network using NAT from my main wired network.  I want them all to be together on a single subnet.

To answer your question from earlier, I currently have Cox internet and plan on keeping them.  15mbps I think is what I get right now.

Offline Chavo

Re: Network infrastructure setup help
« Reply #12 on: December 02, 2008, 01:01:53 pm »
You will want to set up Router 2 as an Access Point (Wireless Gateway) to ensure the NAT and DHCP functions are disabled.  I'm honestly not sure if the wired ports will still work in that mode because I've never had any desire to use this configuration, but they probably will.  I'm not sure if your Linksys router will have an easy option to switch to this configuration, but my WRT54G does and you could always install DD-WRT or Tomato (assuming it is compatible). Your configuration may work with just the DHCP/NAT functions disabled on the wireless router, but I have no idea how the router would handle wireless connections with those turned off unless it is in Access Point mode.

Offline iago

Re: Network infrastructure setup help
« Reply #13 on: December 02, 2008, 01:36:54 pm »
On a WRT54g, you have to turn off the DHCP but NAT doesn't matter. If you plug everything into the switched ports and ignore the uplink ("wan") port, you should be good to go. As long as the switched ports/wireless ports can talk to each other, and your actual gateway is plugged into one of them, then there's no reason you wouldn't be able to use your actual gateway.

Offline Camel

Re: Network infrastructure setup help
« Reply #14 on: December 02, 2008, 02:33:13 pm »
Why do you want to use two routers, anyways? Personally, I'd just use the 300N - it's a badass router! I've got a 350N, because I wanted to run DD-WRT extreme. That said, there's no reason you can't do what you described - just turn off DHCP on the 300N and don't use its WAN port.

@Chavo, Linksys firmware doesn't even have a special "gateway" mode as some do -- probably because such a mode doesn't really do anything, anyways (it's just a preset).

[edit] Be wary of firmware modification of any kind -- the 3xxN series have a really cheap flash chip that has severe hysteresis. I had to flash my 350N 3 times before it would boot DD-WRT. The bootloader has a TFTP server that will write to flash, so you can't really brick them, but getting it in to that mode is a bit of an ordeal.
« Last Edit: December 02, 2008, 02:45:45 pm by Camel »


Offline Chavo

Re: Network infrastructure setup help
« Reply #15 on: December 02, 2008, 02:37:26 pm »
From OP:
Quote
* I want to install the networking hub in my utility room inside of cabinets.  This would put the wireless signal coming from a non-central part of the house, AND it would be close to electronics that could disrupt it, specifically, the washer/dryer.

I figured there wasn't a real difference between an Access Point and a router with NAT/DHCP turned off (again, I've never checked because I've never had a use for it), but it does leave the open question (that I'm sure a good answer exists for) of how the AP manages the DHCP router <-> AP <-> Wireless Client connections.

Offline MyndFyre

Re: Network infrastructure setup help
« Reply #16 on: December 02, 2008, 03:09:15 pm »
I would think that if the wireless AP is not assigning addresses, the wired router would.

Offline Chavo

Re: Network infrastructure setup help
« Reply #17 on: December 02, 2008, 03:11:58 pm »
Well obviously :)

The question is just my curiosity regarding the underlying procedure.

Offline MyndFyre

Re: Network infrastructure setup help
« Reply #18 on: December 02, 2008, 03:14:17 pm »
Well, so an interesting question here: should I connect my switch to my wired router with multiple connections?  Will there be a bottleneck between 8-12 DHCP clients being served through one wire?

Offline Camel

Re: Network infrastructure setup help
« Reply #19 on: December 02, 2008, 04:10:14 pm »
Quote
...but it does leave the open question (that I'm sure a good answer exists for) of how the AP manages the DHCP router <-> AP <-> Wireless Client connections.

Your question crosses OSI layers, so it's unanswerable. The AP doesn't know or care what DHCP is, or what IP addresses are. They have no relationship whatsoever.

Skip this if you already know what an AP is, and how that relates to the OSI model:
>>>


An AP (and I don't mean a router that has an AP in it; I mean the singular entity) doesn't operate at the network layer. It operates on the physical layer, in that it converts between "wired" and "wireless" traffic. There's also another entity that is usually (incorrectly) grouped in with the AP that converts between 802.1 and 802.11 (data-link layer) traffic. The reason that this is incorrect is that there's no reason you can't have 802.11 data on a wired network. This work is done on the CPU of the router in the case of the 300N, but it's important not to confuse the idea that they are separate entities.

An example of wired 802.11 traffic is those wireless things you could buy for the original XBox - when the box detected one connected, it would speak 802.11 instead of 802.1 over the wire, and then all the wireless dongle had to do was blast the signal over the radio. If those things could auto-negotiate channels (some of them could, but the cheaper ones required manually selecting the channel), they'd have been full-fledged APs.

Even if you use AP to mean both of these entities (and I will do so, going forward in this post), there's still no bearing on DHCP or IP - those are network layer protocols, and reside inside of the 802 (data-link) tunnel. The AP considers that stuff to be payload, and will never attempt to read in to what those packets mean.
<<<

An AP is the wireless equivalent of a switch. It knows about the data-link layer because it has to send the frames to the right physical location (in 802.11N, the 3 antennas are used to "direct" the wireless traffic), just as a switch uses MAC addresses and a routing table to send frames to the right physical port. This is why a MAC address is called a physical address.

By disabling DHCP on the router, and not using the WAN port, the router is effectively disabled, reducing it to a switch and AP. Placing a crossover between the 300N's switch and the other box's switch creates a larger switch, and makes the AP accessible to the entire LAN, including the router with the enabled DHCP server that's performing NAT. The wireless clients will be bridged in to the same LAN as the wired clients.

Quote
Well, so an interesting question here: should I connect my switch to my wired router with multiple connections?  Will there be a bottleneck between 8-12 DHCP clients being served through one wire?
Yes, there will be a 100MBit or 1GBit bottleneck, depending on the speed of the slowest port the crossover is connected to. Using multiple links won't help; the switch will pick whichever one it thinks is faster, but will not use both at the same time.
« Last Edit: December 02, 2008, 04:30:52 pm by Camel »

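The layer-2 point Camel makes in the reply above (a switch or AP only reads the Ethernet header, so a second router with DHCP off and its WAN port unused just extends the LAN, and the wired router's DHCP server answers wireless and Xbox clients through it), as an added Python example that is not code from the thread or from any vendor. The port names, MAC addresses and DHCP-shaped payloads are constructed sample data.

```python
"""Toy learning bridge modelling the OP's LAN: a bridge forwards frames by
destination MAC alone and treats everything after the 14-byte Ethernet
header as opaque payload, which is why it cannot 'manage' DHCP at all.
Constructed example; MACs, port names and payloads are made up."""
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_header(frame: bytes):
    """Read only dst, src and ethertype; the payload is never inspected."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[:6], frame[6:12], ethertype


class LearningBridge:
    """Learn source MAC per port; flood broadcast/unknown, unicast the rest."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # source MAC -> port it was last seen on

    def receive(self, in_port, frame):
        dst, src, _ = parse_header(frame)
        self.mac_table[src] = in_port
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]
        return [self.mac_table[dst]]


class Lan:
    """Bridges joined by a plain cable form one forwarding domain, the
    'larger switch' described in the post. Each link is a pair of ports."""

    def __init__(self):
        self.bridges = {}
        self.links = {}  # (bridge, port) -> (bridge, port) at the far end

    def add_bridge(self, name, ports):
        self.bridges[name] = LearningBridge(ports)

    def connect(self, a, port_a, b, port_b):
        self.links[(a, port_a)] = (b, port_b)
        self.links[(b, port_b)] = (a, port_a)

    def inject(self, bridge, port, frame):
        """Deliver a frame arriving at (bridge, port); return the sorted
        host-facing (bridge, port) pairs that receive it."""
        reached, todo = [], [(bridge, port)]
        while todo:  # the topology is a tree, so this terminates
            name, in_port = todo.pop()
            for out in self.bridges[name].receive(in_port, frame):
                far_end = self.links.get((name, out))
                if far_end is None:
                    reached.append((name, out))
                else:
                    todo.append(far_end)
        return sorted(reached)


def build_house_lan() -> Lan:
    """Wired router -> 8-port switch -> rooms, with the 300N's LAN side on
    one switch port. The 300N's WAN port is simply not wired up."""
    lan = Lan()
    lan.add_bridge("switch8", ["uplink", "bed1", "bed2", "bed3", "bonus",
                               "living", "desk", "to_300n"])
    lan.add_bridge("wrt300n", ["lan1", "lan2", "radio"])
    lan.connect("switch8", "to_300n", "wrt300n", "lan1")
    return lan


def dhcp_exchange_demo():
    """Xbox on the 300N's wired port broadcasts a DHCP-shaped frame; the
    wired router's unicast reply returns along the learned path."""
    lan = build_house_lan()
    router, xbox = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")
    discover = build_frame(BROADCAST, xbox, ETHERTYPE_IPV4,
                           b"<constructed IP/UDP/BOOTP DHCPDISCOVER>")
    discover_reached = lan.inject("wrt300n", "lan2", discover)
    offer = build_frame(xbox, router, ETHERTYPE_IPV4,
                        b"<constructed IP/UDP/BOOTP DHCPOFFER>")
    offer_reached = lan.inject("switch8", "uplink", offer)
    return discover_reached, offer_reached
```

The broadcast reaches the wired router's port and the 300N's radio alike, and the reply is forwarded only to the Xbox's port, with neither bridge ever decoding the DHCP payload.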

Offline MyndFyre

Re: Network infrastructure setup help
« Reply #20 on: December 02, 2008, 08:10:01 pm »
So I need to run a crossover between the wireless AP and the wired switch?

Offline Chavo

Re: Network infrastructure setup help
« Reply #21 on: December 02, 2008, 11:03:45 pm »
Quote
So I need to run a crossover between the wireless AP and the wired switch?
You don't need (or want) a crossover cable anywhere in this configuration.  A normal cat5/6 Ethernet cable in one of the non-uplink ports of your AP to any of the client ports of your router will be fine.

@Camel, that doesn't address my "question" at all but instead spouts off a bunch of network structure I'm already familiar with.  My efforts to dismiss my curiosity as just that and let the thread continue have obviously been fruitless so far.  You don't seem to understand what I was pondering and I don't have any desire to clarify it.

Offline Camel

Re: Network infrastructure setup help
« Reply #22 on: December 02, 2008, 11:04:27 pm »
Quote
So I need to run a crossover between the wireless AP and the wired switch?

Only if you live in 1995. These days, switches will automatically compensate.


Offline MyndFyre

Re: Network infrastructure setup help
« Reply #23 on: December 03, 2008, 12:12:13 pm »
Quote
So I need to run a crossover between the wireless AP and the wired switch?

Only if you live in 1995. These days, switches will automatically compensate.
Then why'd you say it?

Offline Camel

Re: Network infrastructure setup help
« Reply #24 on: December 03, 2008, 01:19:04 pm »
It's still called a crossover, even if you don't use a special cable.


Offline nslay

Re: Network infrastructure setup help
« Reply #25 on: December 04, 2008, 01:26:29 pm »
Myndfyre, you strike me as a power user who likes control of his equipment.  Don't buy a home-grade router! Either build your own (e.g. Intel Atom, Soekris, etc...) or if you have some Ethernet/Wireless cards in your spare parts drawer, go to your nearest dumpster and fish out an old P1/P2/P3. 
I use FreeBSD 7-STABLE on a Pentium 2 and it works better and is more solid than any cheap home-grade router from Best Buy.
My Pentium 2 machine has a 6GB harddrive, 96MB of RAM, 2 Ethernet cards and 1 Wireless card (Atheros-based).  The embedded boards generally have less!
1 Ethernet card goes out to the cable modem.  The other goes out to a 16-port switch.  I use ISC dhcpd as my DHCP server, FreeBSD's named as my DNS server, hostapd for managing 802.11 station mode (WPA2) and of course, sshd.  I have configured it to use a serial console lest the network breaks (it hasn't).  I use if_bridge to bridge my LAN ethernet interface and wireless interface.  I use pf with hardened rules for NAT and firewall, and securelevel=3 to harden the kernel from rootkits, prevent crucial userland tools from modification, and prevent firewall rule changes.  It is rock solid stuff!
I subscribe to the FreeBSD-security mailing list for vulnerability announcements (generally there are a couple every 6 months).  I use portaudit to assess vulnerabilities in any and all installed applications.  I haven't had a chance, but FreeBSD also provides trusted computing mechanisms such as Apple/McAfee's audit (for fine grained logging), and Sun's OpenBSM, and is capable of remote logging.  The kernel ensures that audit logs cannot be modified.
An adorable giant isopod!

Offline Camel

Re: Network infrastructure setup help
« Reply #26 on: December 04, 2008, 04:24:50 pm »
I did something along the lines of what nslay is suggesting for my fraternity house - but only because it was seriously necessary: home-grade routers can't handle 40 users. MF doesn't have that many users, and he's already got the home-grade hardware, so it would be rather pointless to beef up something that isn't the weakest link.


On a side-note, learning iptables is fun. Gives you a much better understanding about how NAT actually works, behind the scenes.


Offline nslay

Re: Network infrastructure setup help
« Reply #27 on: December 04, 2008, 04:38:53 pm »
Quote
I did something along the lines of what nslay is suggesting for my fraternity house - but only because it was seriously necessary: home-grade routers can't handle 40 users. MF doesn't have that many users, and he's already got the home-grade hardware, so it would be rather pointless to beef up something that isn't the weakest link.

On a side-note, learning iptables is fun. Gives you a much better understanding about how NAT actually works, behind the scenes.
Yeah but MF is a power user.  I'd think he would want a Ferrari instead of Pinto.  Not like he lacks the technical expertise to do it either.

Offline Camel

Re: Network infrastructure setup help
« Reply #28 on: December 04, 2008, 04:51:26 pm »
Do you think he would commute to work in a Ferrari?

If he wants to use any of the things you've listed, there's no reason he can't do that on his Linksys router; enabling SSH is trivial on every model they've ever released (they do this intentionally). The only advantage to having a powerful machine instead of a dinky home router is the capacity of traffic that it can handle, and it is already unlikely that he will meet the limits of the dinky home router.


Offline iago

Re: Network infrastructure setup help
« Reply #29 on: December 04, 2008, 05:27:11 pm »
Just because he _can_ do it doesn't make it a valuable use of his time/money.

Offline nslay

Re: Network infrastructure setup help
« Reply #30 on: December 04, 2008, 05:36:41 pm »
Quote
Do you think he would commute to work in a Ferrari?

If he wants to use any of the things you've listed, there's no reason he can't do that on his linksys router; enabling SSH is trivial on every model they've ever released (they do this intentionally). The only advantage to having a powerful machine instead of a dinky home router is the capacity of traffic that it can handle, and it is already unlikely that he will meet the limits of the dinky home router.
The difference between buying a cheap Linux WRT54G and an old PC or embedded board is that the latter two are expansible and you largely have control of what's under the hood.  What if you want to beef up your WRT54G with the newest Ethernet and/or WiFi technology a couple years from now?  You're out of luck.  These home-grade routers are disposable.  You're also largely limited in what you can run on a WRT54G ... Linux and NetBSD.  At least with a board like Intel Atom, you not only get an x86 processor, you get a beefy 1.6GHz processor for about the same price as a WRT54G!
I also think Linux is dangerous to use as a router unless you keep a sharp eye on the Linux security community.  Security on home routers is a serious issue, I kid you not!  We're talking about risking your identity, your bank/credit card account numbers, and also botnets (which can commit serious crimes in your name!).  ISPs like Comcast will also restrict your Internet usage if it finds your computer is compromised.  Comcast in particular will not help you diagnose and fix your problem.  Removing these limitations is also near impossible - for me, it took a complaint to the FCC to receive a call from a head network admin at Comcast to remove the SMTP port block!  You don't play games when it comes to security...using the disposable home-grade routers is dangerous because the hardware and software they use are often proprietary! You trust the manufacturer (which are NEVER Linksys, D-Link, Netgear!) to audit their products and to issue patches.  Linux is probably far worse and boy you are really asking for it when you opt to use a Linux distribution that is not designed to be hardened (e.g. You DO NOT use Ubuntu as a router!).
With regards to Linux, your only line of defense is to compile a kernel that disables loadable kernel modules.  That's it!  There are no mechanisms to combat rootkits, no mechanisms to make the system immutable (e.g. the kernel denies access to /dev/mem, /dev/kmem, /dev/io and other sensitive devices, as well as protects crucial userland tools and libraries from modification), and no mechanisms to enforce immutability of firewall rules.  You are literally asking for it by using Linux!  Don't take my word for it, check Linux's security track record.  My department's Linux servers have been hacked many times in the past.  I mean, the fact that most Linux distributions don't even have a notion of a wheel group is already quite frightening.
An adorable giant isopod!

Offline nslay

  • Hero Member
  • Posts: 786
  • Giraffe meat, mmm
Re: Network infrastructure setup help
« Reply #31 on: December 04, 2008, 05:42:52 pm »
My Linux rant was totally pointless
An adorable giant isopod!

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • Posts: 17914
  • Fnord.
Re: Network infrastructure setup help
« Reply #32 on: December 04, 2008, 06:07:57 pm »
Especially because you can mitigate every risk you mentioned by setting the "INPUT" table to "DROP". If nobody has a local account and no ports are open, then it doesn't matter what it is, you're probably safe (unless there's a kernel-level vulnerability in iptables).

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • Posts: 4540
  • The wait is over.
Re: Network infrastructure setup help
« Reply #33 on: December 05, 2008, 12:10:30 am »
Quote
I did something along the lines of what nslay is suggesting for my fraternity house - but only because it was seriously necessary: home-grade routers can't handle 40 users. MF doesn't have that many users, and he's already got the home-grade hardware, so it would be rather pointless to beef up something that isn't the weakest link.

On a side-note, learning iptables is fun. Gives you a much better understanding about how NAT actually works, behind the scenes.
Quote
Yeah but MF is a power user.  I'd think he would want a Ferrari instead of a Pinto.  Not like he lacks the technical expertise to do it either.
While I appreciate the sentiment, unfortunately these days I've found that I have to pick the battles for which I'm a power user.  I don't see my home network cutting it - especially because eventually I'll have to sell the house and it's easy to explain to someone how to work a Linksys router.  Not so easy to explain iptables. ;)
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.
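
The default-deny INPUT policy iago describes in reply #32, together with the NAT that the quoted post above says iptables teaches you, as one added example (not code from this thread or from any of its posters): a POSIX shell script that emits an iptables-restore ruleset for a Linux box sitting in the "wired router" position of the setup from the first post. The interface names eth0/eth1, the 192.168.1.0/24 LAN range and the LAN-side services (SSH, DHCP, DNS) are assumptions for the illustration, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not code from this thread: emit an iptables-restore ruleset for a
# Linux box in the "wired router" position (cable modem on WAN_IF, switch on
# LAN_IF). INPUT and FORWARD default to DROP, so nothing on the box is reachable
# from the Internet; the nat table masquerades the LAN behind the WAN address.
# All three values below are assumed placeholders; override them via environment.
WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the cable modem
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the 8-port switch
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: private range the router hands out

gen_router_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to flows the router itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets from the WAN that belong to no known flow (e.g. stray TCP without SYN).
-A INPUT -i ${WAN_IF} -m conntrack --ctstate INVALID -j DROP
# Services the router offers, LAN side only: SSH admin, DHCP, DNS.
# DHCP discovers come from 0.0.0.0, so that rule carries no source filter.
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${LAN_IF} -p udp --dport 67 -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p udp --dport 53 -j ACCEPT
# Forwarding: the LAN may open flows to the WAN; WAN traffic reaches the LAN only as a reply.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source NAT: LAN addresses leave with the WAN interface's address, and the
# conntrack table maps each reply back to the inside host.
-A POSTROUTING -o ${WAN_IF} -s ${LAN_NET} -j MASQUERADE
COMMIT
EOF
}

# Offline sanity check (no root needed): the default policies are still DROP, the
# masquerade rule is present, and no INPUT rule accepts anything arriving on the
# WAN interface other than conntrack replies. Returns 0 when all of that holds.
check_router_rules() {
    rules=$(gen_router_rules)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^-A POSTROUTING .*-j MASQUERADE' || return 1
    if printf '%s\n' "$rules" | grep '^-A INPUT' | grep -- "-i ${WAN_IF}" \
        | grep -v 'ESTABLISHED,RELATED' | grep -q -- '-j ACCEPT'; then
        return 1
    fi
    return 0
}

# Apply (as root) only if the check passes. iptables-restore swaps the whole
# table in atomically, so there is no permissive window while rules load:
#   check_router_rules && gen_router_rules | iptables-restore
```

The check function is the part worth keeping around: it encodes the condition iago's "no ports open" argument rests on (no INPUT rule that accepts a new flow from the WAN side) as something you can run against the generated file before it ever touches the kernel, and it fails loudly if someone later adds a port-forward or management rule on the wrong interface.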

Offline Camel

  • Hero Member
  • Posts: 1703
Re: Network infrastructure setup help
« Reply #34 on: December 05, 2008, 12:57:06 pm »
Quote from: iago
unless there's a kernel-level vulnerability in iptables
They have unit tests that send random crap at it, and see if anything is able to get through. Obviously, it's not a leak-proof test, but it's good enough for me!

[edit] @nslay, I thought they were using a semi-hardened kernel on these embedded devices, anyways?
« Last Edit: December 05, 2008, 12:59:11 pm by Camel »

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline nslay

  • Hero Member
  • Posts: 786
  • Giraffe meat, mmm
Re: Network infrastructure setup help
« Reply #35 on: December 05, 2008, 01:42:28 pm »
Quote from: Camel
unless there's a kernel-level vulnerability in iptables
They have unit tests that send random crap at it, and see if anything is able to get through. Obviously, it's not a leak-proof test, but it's good enough for me!

[edit] @nslay, I thought they were using a semi-hardened kernel on these embedded devices, anyways?
The disposable routers' OS is almost always proprietary and it is not necessarily hardened.  My cable modem (I know it's not a router, but it's a similar situation), for example, uses VxWorks, an RTOS...which is scary as hell because RTOSes have no VM! It has a debug prompt and because there is no VM, I can jump to any address to do anything I want (and I have, I used it to get the cable operator password for the modem and to bypass menus that would ordinarily be disabled to a user!).  Not only do you rely on the manufacturer and vendor to audit and patch their own software, but many of these network devices also use [other] proprietary software.  My cable modem, for example, runs a telnet daemon, an SNMP daemon, a webserver, and countless other pieces of software that might also be exploitable [none of which are made by the vendor].
In short, don't put proprietary network devices directly on the Internet.
An adorable giant isopod!

Offline Camel

  • Hero Member
  • Posts: 1703
Re: Network infrastructure setup help
« Reply #36 on: December 05, 2008, 02:07:55 pm »
Or do your research before buying a shitty box? The 300N's OS is open-source and is Linux.

Given enough time, solar flares are going to hack into your beefy hardened kernel. You're being paranoid.
« Last Edit: December 05, 2008, 02:14:05 pm by Camel »

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline nslay

  • Hero Member
  • Posts: 786
  • Giraffe meat, mmm
Re: Network infrastructure setup help
« Reply #37 on: December 05, 2008, 03:38:44 pm »
Quote from: Camel
Or do your research before buying a shitty box? The 300N's OS is open-source and is Linux.

Given enough time, solar flares are going to hack into your beefy hardened kernel. You're being paranoid.
Like I said, when you expose a system to the Internet, you are risking a lot more than you think.  That's why I exclaimed that even security on a home LAN is no pushover.
Solar flares don't steal information that can ruin your life, or commit serious crimes on your box that can potentially land you in prison. You may think I am paranoid, but look around at many of your battle.net peers, who, as teenagers, single-handedly reverse engineered the battle.net binary protocols, including the encryption for CD keys and recognizing Battle.net's broken SHA1 implementation - this is harmless.  There are some very smart people just like said battle.net peers who hack, crack and reverse engineer with malicious intent, and they are more common than you may realize.  Hell, you came across these guys on a gaming network!
An adorable giant isopod!

Offline topaz~

  • Full Member
  • Posts: 292
Re: Network infrastructure setup help
« Reply #38 on: December 05, 2008, 09:03:39 pm »
Quote from: nslay
You may think I am paranoid, but look around at many of your battle.net peers, who, as teenagers, single-handedly reverse engineered the battle.net binary protocols, including the encryption for CD keys and recognizing Battle.net's broken SHA1 implementation - this is harmless.  There are some very smart people just like said battle.net peers who hack, crack and reverse engineer with malicious intent, and they are more common than you may realize.  Hell, you came across these guys on a gaming network!
There are only two people I can think of that could manage that as teenagers, and Skywing and iago weren't teenagers when they did it. The vast majority of reverse engineering was done by a small group of intelligent and capable people, and mediocre (and less than average) programmers merely took advantage of their work.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • Posts: 17914
  • Fnord.
Re: Network infrastructure setup help
« Reply #39 on: December 06, 2008, 01:27:47 am »
Quote from: nslay
You may think I am paranoid, but look around at many of your battle.net peers, who, as teenagers, single-handedly reverse engineered the battle.net binary protocols, including the encryption for CD keys and recognizing Battle.net's broken SHA1 implementation - this is harmless.  There are some very smart people just like said battle.net peers who hack, crack and reverse engineer with malicious intent, and they are more common than you may realize.  Hell, you came across these guys on a gaming network!
Quote from: topaz~
There are only two people I can think of that could manage that as teenagers, and Skywing and iago weren't teenagers when they did it. The vast majority of reverse engineering was done by a small group of intelligent and capable people, and mediocre (and less than average) programmers merely took advantage of their work.
I didn't start till I was 19 or so, but Skywing was doing it when he was much younger than that.

Offline Rule

  • x86
  • Hero Member
  • Posts: 1588
Re: Network infrastructure setup help
« Reply #40 on: December 06, 2008, 03:27:36 am »
Adron, Yoni, Arta, TechWarrior, Azure, ...
I could list about 20 others.
« Last Edit: December 06, 2008, 04:06:46 am by Rule »

Offline nslay

  • Hero Member
  • Posts: 786
  • Giraffe meat, mmm
Re: Network infrastructure setup help
« Reply #41 on: December 06, 2008, 03:35:03 am »
Quote from: nslay
You may think I am paranoid, but look around at many of your battle.net peers, who, as teenagers, single-handedly reverse engineered the battle.net binary protocols, including the encryption for CD keys and recognizing Battle.net's broken SHA1 implementation - this is harmless.  There are some very smart people just like said battle.net peers who hack, crack and reverse engineer with malicious intent, and they are more common than you may realize.  Hell, you came across these guys on a gaming network!
Quote from: topaz~
There are only two people I can think of that could manage that as teenagers, and Skywing and iago weren't teenagers when they did it. The vast majority of reverse engineering was done by a small group of intelligent and capable people, and mediocre (and less than average) programmers merely took advantage of their work.
What about Adron and a handful of those really old WoLF` guys like Azure?  How about all those ]I[nfinite Deaths guys and friends like Flameboy?
Let me give you a time frame when all these guys were around: before vL existed and when WoLF` unveiled the very first binary bots, WoLF`C`Bot was just released (Winters bot either didn't exist, or was a very early version, let alone anything most of you have even heard of).  Topaz Chat and Battle Chat were the shit.  All the regional battle.net servers were still linked, and the "magic" servers sometimes unsplit (they were almost always split) and landed you ops in even channels like Dark and dk187.  You could still dupe people offline with Diablo Shareware.  You could still load 8 CHAT bots, each continually trying to connect until each luckily logged onto a split server (or you could use Illuminator, which logged 10 bots on very quickly!... but was utterly useless).  Massbot! was popular.  Way before /beep was temporarily a feature of telnet connections, a byproduct of a failed attempt at Interbot communication between Winters and Ultimatebot.  Way before /rejoin was disabled for everyone but channel operators.  Way way before telnet connections were restricted to Public Chat channels.  Way way way before telnet connections were disabled.

Battle.net in those days was essentially a cock-fighting arena, except people did it with bots in nerd gangs (called clans for some reason).  It became less so as Blizzard fixed problems and disabled features.  Ah well, it was fun while it lasted, and a motivation to learn to program.
An adorable giant isopod!