
Firewalls

Has anyone used the Netgear FWG114P ProSafe Wireless 802.11g Firewall/Print Server?
I am trying to stop people getting access to our network on the wireless side of it and only let the MVP8400 use it.

I'm using WEP 128 and MAC address access.
But the client's network we are installing it on thinks this is not good enough for them.
My question is: what ports do I open on the firewall to let the MVP only work on the WAN side? But I need to access the MVP from the LAN side to program it.

This is all new to me as I have no experience on Firewalls.

Any suggestions

Cameron

Comments

  • DHawthorne Posts: 4,584
    I think your client needs a little education on the subject. If you have enabled MAC address filtering and only entered the MAC address of the MVP, that is nearly as secure as it can get. With 128-bit encryption, the only other step I would take in this case is to turn off SSID broadcast.

    If, however, they insist on the firewall, you don't need to have the MVP opened on it at all, but rather your NetLinx master. All G4 connections go through the master (except G4 web control, more on that further down). Forward port 1319 and 23 to your master's IP for programming and troubleshooting. If you have a NetLinx application that requires FTP, open up 21 as well.

    If you are also providing remote access for the customer, you will need to forward port 80 to the master, or 443 if you turn on SSL (which is what I would recommend). Activate master security on the master through the web interface. If the panel needs G4 web control, you will also need to open up port 5900; I generally make the panel a static IP and forward this port to the panel directly, bypassing the master's web interface. Others may be able to tell you what steps to use it through the web interface if this is a concern. If you are using G3 web control, you need to open port 10500 to the master.
  • Spire_Jeff Posts: 1,917
    Ok, I think I understand what you are trying to accomplish, but let me make sure. The client has a network with sensitive data and they don't want your equipment to have access to it.

    If that is the case, you will need to separate your equipment from theirs. I am going to give an example of what would be needed based on a business with a single static IP on, say, a DSL line. First you will need a router (Router A) without the wireless access point for the existing network. Then you will use the current router (Router B) for your processor, touchpanels and any other IP devices you need access to. You connect the DSL connection to Router B and then connect Router A to Router B. You have to make sure that Router B and Router A are using two different IP networks. If you want to access the processor and the touchpanels without going through port forwarding configuration on Router B, you will have to assign a routable IP address scheme to the AMX network. This will let you access the AMX network from the client network without giving the AMX network direct access to the client network.

    On a separate note, unless you go with a higher-end router, I don't think you can separate the built-in wireless from the LAN.

    I hope something here helps. If you can give me more information on the situation I'll see if I can be a little more specific. Also, understand that the above suggestion is only one of a couple possible solutions I can think of to accomplish the same thing. There are other options that offer varying degrees of security.

    Jeff
  • Re Firewalls

    Thanks Guys,

    The client's network has access to the internet so I can program the system from anywhere.
    The trouble is he does not want anyone to get into his network using the wireless access point.

    He keeps saying that there are programs on the internet that would grab the MAC address from kit which is on their network and use that MAC address, as well as programs for getting WEP keys.

    So you see what I am in for.
  • A project that I worked on a few years back, the client had 1/4" thick lead walls to prevent any leakage from the room. Just a thought.
  • Spire_Jeff Posts: 1,917
    In my opinion, the wireless access point is the most secure portion of what you are mentioning. In order to use the wireless access point to gain access to the LAN, someone has to be within range of the access point.

    There are a couple of things you can do to make it even more difficult. First would be to disable the SSID broadcast (and use something other than the default). Next would be to either reduce the antenna power so that you only get a usable signal inside the house/building, or switch to the AMX WAP with the optional antennas and set up only specific areas that receive wireless signal. The theory behind that being: if someone is within range of the signal, the client has bigger problems. Yet another thing would be for the client to change the network keys every week. These are but a few suggestions and, coupled with my earlier two-router solution, should make for a decently secure setup... unless this client has ticked off a very bored and rich entity or the client is housing extremely valuable info on their network. If the latter were true, then they had better have at least one full-time on-staff IT administrator with all of the normal network security tools and techniques in place.

    I guess what this comes down to is the question of what is sufficient for the realistically predictable threat? How much money is the client willing to spend on security? How much convenience is the client willing to give up in the name of this security?

    Here is another question: Why would the client care so much about access from the wireless access point and not ask at all about the security of the devices being opened to the outside world? Unless you are planning on setting up a VPN to access the processor across the internet, most of the communication is going to be in clear text and easily sniffable (as I recall). To a hacker, the hardline would be a much more viable target. There are so many ways to attack the network from a safe distance, and with the added security of disguising one's true location, that it just wouldn't make sense to A. be within physical range of the wireless access point, B. find out the SSID, C. find and clone a MAC address, D. break the 128-bit encryption.

    These are just some random thoughts I had and hopefully you can grab one or two points and present them to your client in a way that helps you. I just had another thought..... If you want a very simple way to give yourself access to the AMX system without touching your client's network, have the client get a second high-speed connection and build your own network for the AMX. (This is essentially the same thing as the two routers.)

    Hope something here helps.

    Jeff
  • jeffaco Posts: 121
    Another opinion ...

    Actually, I totally understand where the customer is coming from ...

    In my view, wireless APs are really not terribly secure. They can be made to be secure (Cisco has done this), but rarely is that done, and Cisco solutions are expensive (and incompatible with the Modero).

    Wireless APs keep honest people honest. But: if you can get a wireless signal (not generally too difficult - depends on security around your building), and someone is interested in "getting in", it can be done with software freely available on the Internet. What you need is traffic. The more traffic, the better. If the keys aren't changing, then you can see what the traffic is over time and use some compute power (not all that much, all said and done) to break the keys, and you're in.

    In my case, I have a Cisco 2621XM with an NM-4E Ethernet card (I managed to score it cheap off eBay). It has a total of 6 Ethernet ports that can be set up with any security that you want. I also have a Cisco switch (2950) that supports multiple VLANs (multiple "virtual" LANs on a single piece of hardware).

    My wireless LAN pretty much gives you the same access that you get from the Internet, with a single exception: specific pieces of hardware are allowed access to specific ports on the "protected" LAN. So, for example, my MVP-8400 can get to the NetLinx controller on the specific ports it needs, but nothing else. Other than that, if you want access to the LAN for something other than encrypted e-mail, then you need to use SSH (with an encrypted certificate - passwords not allowed).

    End result: security can be had between the wireless network and a protected LAN. And it can be pretty secure. But it does take more than consumer grade off-the-shelf components to make it happen.

    BTW, the way Cisco solved this: They track the amount of traffic that occurs. If traffic gets within 50% of what it takes to be able to computationally break the keys, then they regenerate the keys to new keys and update all network devices. In this way, you can never gather enough traffic to be able to computationally break the keys ...
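The segmentation described in Spire_Jeff's two-router post and jeffaco's "specific hardware to specific ports" rule, together with the port list in DHawthorne's post, can be written down as a checkable policy. The block below is an added example for this thread, not code from any of the posters or from AMX or Netgear. All addresses, the three segment names and the rule order are assumptions; the port numbers (1319, 23, 21, 80, 443, 5900, 10500) are the ones named above. It evaluates candidate flows against a first-match, default-deny rule list, checks that the segments do not overlap (the two-router design depends on that), and renders the same policy as iptables FORWARD-chain commands for review.

```python
"""Added example: a default-deny policy for a segmented AMX install.

Three segments are assumed: the client's LAN, a separate AMX LAN holding
the NetLinx master, and the wireless segment the MVP-8400 lives on.  Only
the MVP, and only toward the master on its control port, is admitted from
wireless; programming access comes from the client LAN.  Everything else
is dropped.  All addresses below are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical addressing (assumption): three networks that must not overlap.
CLIENT_LAN = ipaddress.ip_network("192.168.1.0/24")
AMX_LAN = ipaddress.ip_network("192.168.50.0/24")
WIRELESS = ipaddress.ip_network("192.168.60.0/24")
MASTER = ipaddress.ip_network("192.168.50.10/32")   # NetLinx master, static IP
MVP = ipaddress.ip_network("192.168.60.20/32")      # MVP-8400, static IP
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ports named in the thread: ICSP 1319, telnet 23, FTP 21, HTTP 80,
# HTTPS 443, G4 web control (VNC) 5900, G3 web control 10500.
ICSP, TELNET, FTP, HTTP, HTTPS, G4_WEB, G3_WEB = 1319, 23, 21, 80, 443, 5900, 10500


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]   # "tcp", "udp" or None for any protocol
    dport: Optional[int]   # None for any destination port
    action: str            # "ACCEPT" or "DROP"

    def matches(self, src_ip, dst_ip, proto, dport) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def build_rules() -> List[Rule]:
    """First-match rule list ending in a catch-all DROP."""
    rules = []
    # Wireless: only the MVP, only to the master, only on ICSP (assumption
    # that 1319 is the one port the panel needs).
    rules.append(Rule(MVP, MASTER, "tcp", ICSP, "ACCEPT"))
    # Programming and troubleshooting from the client LAN to the master.
    for port in (ICSP, TELNET, FTP):
        rules.append(Rule(CLIENT_LAN, MASTER, "tcp", port, "ACCEPT"))
    # G4 web control goes straight to the panel on 5900, bypassing the master.
    rules.append(Rule(CLIENT_LAN, MVP, "tcp", G4_WEB, "ACCEPT"))
    # Nothing else crosses between segments.
    rules.append(Rule(ANY, ANY, None, None, "DROP"))
    return rules


def decide(rules: List[Rule], src: str, dst: str, proto: str = "tcp",
           dport: Optional[int] = None) -> str:
    """Return the action of the first matching rule; deny if none matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "DROP"


def segments_disjoint(nets: Iterable) -> bool:
    """True if no two segments overlap (required for the two-router layout)."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    return all(not a.overlaps(b)
               for i, a in enumerate(parsed) for b in parsed[i + 1:])


def to_iptables(rules: List[Rule]) -> List[str]:
    """Render the policy as iptables FORWARD-chain commands (text only)."""
    lines = []
    for rule in rules:
        parts = ["iptables", "-A", "FORWARD", "-s", str(rule.src), "-d", str(rule.dst)]
        if rule.proto:
            parts += ["-p", rule.proto]
            if rule.dport is not None:          # --dport needs -p tcp/udp
                parts += ["--dport", str(rule.dport)]
        parts += ["-j", rule.action]
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    assert segments_disjoint([CLIENT_LAN, AMX_LAN, WIRELESS])
    policy = build_rules()
    for line in to_iptables(policy):
        print(line)
    print(decide(policy, "192.168.60.20", "192.168.50.10", "tcp", ICSP))  # ACCEPT
    print(decide(policy, "192.168.60.20", "192.168.1.5", "tcp", 445))     # DROP
```

Two things worth noting when reading the output: a second wireless host, even one that has cloned the MVP's MAC address, still only reaches the master on 1319 and nothing on the client LAN, which is the whole point of putting the rule at the router rather than relying on the access point's MAC filter; and the rendered iptables lines are for review against whatever firewall is actually in use, since the Netgear box in the original question is configured through its own interface, not a shell.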
  • Spire_Jeff Posts: 1,917
    I am glad to hear that there are definitely products out there that do allow better control over the wireless end of the network. (I figured there would be, just wasn't personally familiar with them.)

    I think an important question here is.... is this a residential client or a commercial client? This can be a good place to start risk assessment, and then you can work out realistic budgets and expectations. The only other thing I can suggest is... if you aren't familiar with network security, try to find a contractor that can handle the network configuration for you. It may mean a little less money on the job, but it could also mean a LOT less liability in the event that sensitive data gets compromised.

    Ok, I think I am done having opinions for the day. ;)

    Jeff
  • I was thinking this over last night and just a thought; here on campus we have WAPs in each room that are switched on/off by the prof. To prevent or lower spillage we place the WAPs in specific locations, with highly directional antennas and lower outputs. You may have to add an extra WAP, but we have had good results with this technique.