
Tough Router Question


raybeere:
First, I need to explain the situation. I need to help my daughter & son-in-law set up their new laptop on the Internet. Simple enough, in itself. The problem is their roommate. I don't know if anyone heard of the study where someone put up a link that said something like "Click here to infect your computer with a virus" - but if she came across that site, she would have clicked on the link. (As I recall, almost 400 people did, in a depressingly short time...). Her computer is actually more screwed up than any public access computer I've ever encountered, and for a few years public access computers were my only link to the Net... No point cleaning out the crapware and any malware lurking among it - she'd just mess it right back up again.

 In fact, they got a laptop so they can use it wirelessly, as they don't dare leave a computer out where she might get her hands on it. (She is also hell on hardware: her keyboard is gummed up with peanut butter, she thinks slapping the CPU around is a great move to resolve any technical issues :o you get the idea.) My s-i-l is trying to manage his dairy farm remotely (it is several thousand miles away, outside the US), so they need to keep their computer secure. I've already been over-ruled on the obvious non-technical solutions. ;) My daughter would have no idea what to do, and my s-i-l has never even used a computer before. So I really have no choice but to figure something out.

I know just enough to do some research: I figured out my best hope is a wireless router with OS firmware so I can set up the LAN ports as one VPN (the roomie's - might as well give her all, as she's the type who is just as likely to unplug her computer and stick it back in anywhere) and the wireless connection as another VPN (my daughter and s-i-l's). The best available choice seems to be the Linksys WRT54GL (as it happens, I just bought one myself, as my router is ailing). I was hoping to use Tomato, but looking over the documentation that exists online, I don't see how it would be possible to do this with Tomato. Or that could just be my ignorance... :-[

Which leaves me with DD-WRT. I have two problems with that: first, the documentation I looked over didn't even leave me quite clear which file to download for that router (I think I know, but I do know enough to be aware when updating firmware that is an awfully risky assumption). Second, I have the definite feeling DD-WRT is going to prove a bit more than I'm prepared to take on, or, to be exact, more than I can quickly master. I could probably figure it out, given time. But my daughter already bought the computer, and wants it hooked up ASAP. (They do really need it, so I can understand her urgency.) I really don't think I have the knowledge to get up to speed with DD-WRT that quickly.

Any suggestions on anything else I might be able to do? Also, one further problem. As the roommate has a boyfriend of dubious honesty and at least some technical knowledge, the "factory reset" option seems a very obvious danger (Internet connection, and, thus, the router are in an area everyone has access to). I presume there is no way to disable or password protect this (that would more or less defeat the point) and I can't even figure out a way to monitor the router and pop up an alert if settings reverted to factory default. (Even if I puzzle out how to write a script to do it, once the settings are reverted, the script wouldn't be run, so it would be pointless to run it to check for the one condition under which it won't be run...)

I suspect there are other issues I haven't even thought of; I don't do a lot with networking, so it isn't an area I know much about. I do know wireless security is shaky (again, that factory default issue makes me nervous - that, and the fact they live in an area where everyone tries to get everyone else to install wireless so they can steal a connection). So any thoughts, information, resources, whatever you can offer would really help. I'm sorry for asking questions I ought to be able to find answers to myself - I just don't think I can find and absorb it all quickly enough (especially since some bits of information I've found contradict others, leaving me with the need to learn enough to figure out which ones were written by idiots).

Carol Haynes:
For security and the reset button issue why not set it up and lock it in a cupboard. If it fails they can always unplug the mains adapter, wait a while and plug it in again. If it is a wooden cupboard the wireless connection shouldn't lose too much power over a short distance.

For security make sure you enable WPA2+AES if possible in the router and give it a very long unguessable key. Then switch off broadcasting the SSID (network ID) so that no one can see the router and the only way to log into it is to use the invisible SSID and the unguessable key. Make sure you also change the default router password so she can't log in to change settings. You can also set the router to only accept specific MAC addresses so that even if she guesses the WPA key you can restrict the router to the computer containing her wireless card only.

Now on her computer set her up as a user (not an admin) and encrypt the admin account, giving it a long unguessable password. That way she will only have basic user rights to the system and won't be able to access system settings and devices etc. If you set up her wireless connection there is no need for her to know the WPA key at all unless the connection is lost or damaged.

40hz:
Is your sister's Roommate-from-Hell using her own computer, or will she have access to that new laptop?

If she can't use the laptop, it doesn't matter what she gets up to on her own machine. It can't infect or cause problems on your sister's laptop because you're not sharing any files like she might be if she was connected to the same server as your sister. Merely sharing the same router shouldn't cause problems.

Just make sure you keep her grubby mitts off your sister's laptop and all should be well. Use a BIOS bootup password along with a decent Windows password and you should be all set. Change the workgroup name on the laptop from the default WORKGROUP to something nonsensical so that it's hidden from casual net browsing. For extra security you could also disable File and Print Sharing on the laptop since you won't be needing it anyway.

raybeere:
For security and the reset button issue why not set it up and lock it in a cupboard. If it fails they can always unplug the mains adapter, wait a while and plug it in again. If it is a wooden cupboard the wireless connection shouldn't lose too much power over a short distance.
-Carol Haynes (February 06, 2009, 02:56 PM)
--- End quote ---

Thanks, that's one I hadn't thought of, although I'm not sure the spot where the connection comes in allows many options along that line. And even wooden cupboards use metal fittings, so I suppose it would depend on the exact construction / location of fittings just how much trouble I'd have with any given enclosure. Running wires in / out would also be a huge pain. Still, it is at least another avenue to consider.

Right now, I'm trying to figure out if there's some way to monitor the router's settings from Windows. It won't matter much what the roomie does if my daughter and son-in-law are not connected, and as long as their computer can warn them when they connect... Assuming I can figure out a way to do this. I do find it odd no one ever seems to have considered the built in factory reset as a potential vulnerability. What use is it to set passwords for access when anyone with a finger can override the setting? So I wonder if, somewhere out there, this problem has been conquered already, and I just haven't found the answer yet.

For security make sure you enable WPA2+AES if possible in the router and give it a very long unguessable key. Then switch off broadcasting the SSID (network ID) so that no one can see the router and the only way to log into it is to use the invisible SSID and the unguessable key. Make sure you also change the default router password so she can't log in to change settings. You can also set the router to only accept specific MAC addresses so that even if she guesses the WPA key you can restrict the router to the computer containing her wireless card only.
-Carol Haynes (February 06, 2009, 02:56 PM)
--- End quote ---

Yes, I will do all that, at least. AFAIK, though, the MAC address is easy to spoof if you have any idea what you're doing, and it is just a matter of time before WPA2 crumbles. Still, I think that's the best I can do for wireless security at the moment. I'll have to hope if WPA2 is replaced by a better standard, I can find a firmware update that will address that. That, at least, is safely in the future. :) If I can get this up, working, and secure for now, I've at least won the initial battle.

Now on her computer set her up as a user (not an admin) and encrypt the admin account, giving it a long unguessable password. That way she will only have basic user rights to the system and won't be able to access system settings and devices etc. If you set up her wireless connection there is no need for her to know the WPA key at all unless the connection is lost or damaged.
-Carol Haynes (February 06, 2009, 02:56 PM)
--- End quote ---

I may be thick, but I'm not sure I'm clear what you're suggesting here. On my daughter's computer, there's no reason not to let her access an admin account, although her husband isn't ready for that. He hasn't learned what not to touch yet. ;D On the roommate's computer, if I could lock her out of most settings I certainly wouldn't object, ;D but if I could do that this whole thing wouldn't be such an issue.

Yes, I have suggested just telling the roommate she can't use the Internet from there. I would really prefer that, myself, but it isn't my apartment so I can't make that choice. :( Somehow, I have to face the machine from hell long enough to get it working on the new router. Just touching that keyboard is going to have me soaking my hands in alcohol for hours afterward. :'( Of course, if I can't get it to work, roomie is out of luck - and even playing fair, that thing isn't what you'd call highly functional. It spends most of its time displaying little messages like "Uploading your credit card info to Russian Mob now: Confirm / Surrender All Cash Now" (Yes, I exaggerate, but not as much as I wish I were - the woman spends her life on the kind of porn site where they keep telling you to download their "special" viewers... The thing has so much crap loading on it now it has started throwing up "out of memory" errors when you start it up.)
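
An added example, not part of any post in this thread: one way to run the check described above (warning the laptop's users when the network they are joining no longer matches the configured router) from the laptop itself. It parses the output of `netsh wlan show interfaces` and compares the live link with a recorded baseline; the baseline values, sample outputs and function names are constructed, and English-language netsh output is assumed.

```python
import subprocess

# Constructed baseline: values noted down right after the router was configured.
BASELINE = {"SSID": "farm-office", "BSSID": "00:11:22:33:44:55",
            "Authentication": "WPA2-Personal", "Cipher": "CCMP"}

def parse_netsh(text):
    """Turn the 'Key : value' lines of `netsh wlan show interfaces` into a dict."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, because the BSSID value contains colons.
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def check_link(fields, baseline=BASELINE):
    """Return a list of warnings; an empty list means the link matches the baseline."""
    if fields.get("State", "").lower() != "connected":
        return ["not connected to any wireless network"]
    warnings = []
    for key, expected in baseline.items():
        seen = fields.get(key, "<missing>")
        if seen.lower() != expected.lower():
            warnings.append(f"{key}: expected {expected!r}, saw {seen!r}")
    if fields.get("Authentication", "").lower() == "open":
        warnings.append("link is unencrypted; router may be at factory defaults")
    return warnings

def current_link():
    """Windows only: read the live state of the wireless adapter."""
    out = subprocess.run(["netsh", "wlan", "show", "interfaces"],
                         capture_output=True, text=True, check=True).stdout
    return parse_netsh(out)

# Constructed sample outputs (trimmed to the fields that matter here).
SAMPLE_OK = """There is 1 interface on the system:
    State                  : connected
    SSID                   : farm-office
    BSSID                  : 00:11:22:33:44:55
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
"""
# A reset router as the laptop might see it: default-looking SSID, no encryption.
SAMPLE_RESET = (SAMPLE_OK.replace("farm-office", "linksys")
                .replace("WPA2-Personal", "Open").replace("CCMP", "None"))

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("reset", SAMPLE_RESET)):
        print(name, check_link(parse_netsh(sample)) or "matches baseline")
```

Because the check runs on the laptop and reads only what the laptop sees, it does not depend on anything stored in the router, so a reset cannot silence it.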

raybeere:
Is your sister's Roommate-from-Hell using her own computer, or will she have access to that new laptop?

If she can't use the laptop, it doesn't matter what she gets up to on her own machine. It can't infect or cause problems on your sister's laptop because you're not sharing any files like she might be if she was connected to the same server as your sister. Merely sharing the same router shouldn't cause problems.

Just make sure you keep her grubby mitts off your sister's laptop and all should be well. Use a BIOS bootup password along with a decent Windows password and you should be all set. Change the workgroup name on the laptop from the default WORKGROUP to something nonsensical so that it's hidden from casual net browsing. For extra security you could also disable File and Print Sharing on the laptop since you won't be needing it anyway.
-40hz (February 06, 2009, 03:16 PM)
--- End quote ---

The roommate is going nowhere near the laptop. If she was going to be allowed to touch it, there'd be no point in having any security at all... And, yes, I'd disable File and Print Sharing on the laptop. But on the sharing a router issue: I keep hearing that alone "shouldn't" be a problem, but here's the thing. Both computers can access this one device, which is handling all the traffic in or out to either machine. So how can anyone be sure one machine can't 'observe' that data flow and collect data from it? What protects the data sent to and from one machine from observation by some app on the other machine? Has anyone actually tested the possibility?

I don't mean any offense. It's just that "I don't know how to do it, and I don't know anyone who knows" is not at all the same thing as "No one can do it". And when the possibility seems as obvious as it does with two machines sharing one connection, I have to wonder. It isn't as though the creeps who write malware and spyware advertise their capabilities; as far as I know, they go to great lengths to hide what they can do / are doing. And if that second machine isn't part of a zombie network already, it sure will be one of these days - I don't think the security researchers who try to collect malware on their machines could do a better job than this woman. ;D
