Friday, February 11, 2011

A simple explanation of home networking.

I've been asked by a friend to do a primer on what I could term "Home Networking". That is, as much as possible simple plug and play by people who are not, and have no interest in, running things like web servers or mail servers.

Let me introduce to you, The Router:

Some people connect their computer directly to their ISPs hardware, be it by cable, DSL or sometimes even dial-up, whwhere their system acquires a unique IPv4 address and becomes directly reachable to the world. Without robust security on that system, it will get cracked.

This is where a router belongs, between the big bad outside world, and your nice, comfortable, warm and friendly local area network, even if that is just one PC. Here's what mine looks like:


As I've mentioned before, IPv4 addresses are a scarce resource. Your ISP is granted with only a limited number of public IP addresses to give to customers. A business may choose to pay for a block of public addresses for use with web, email and other servers that they run directly, but that can get expensive in every way. The Home Networking user gets one. Yes, just one, and this is how IPv4 has lasted so many more years than anyone thought it would In The Beginning.

Your router acquires a world-reachable public address from your ISP and assigns it to its Wide Area Network (WAN) interface, and then serves private addresses to systems connected to its Local Area Network (LAN) interface. It keeps track of who is talking to whom through a process called Network Address Translation (NAT). That's why it seems like every home network is 192.168.1.0, because that is the default on so many different manufacturer's routers.

What this means to you and me is that NAT acts as a sort of "accidental" firewall between the various computers on the LAN and the rest of the world. This is NOT a quality firewall, it should NOT be depended upon solely for security. Many routers and even dedicated firewalls have had vulnerabilities over the years that would allow access directly to every system behind it. Security must be enabled on every single system, or there is no security.

Basic Router Settings:


The default settings on your Home Networking router are almost always perfectly suitable to "plug it in, turn it on, and it works."

BEFORE YOU PLUG IN THE WAN CABLE! There are a few details that should be looked into, just to make sure.

If you use Windows, then most routers come with a software disk that you can run and add yet more software to your PC. Go ahead and do that if you want, and drop in a step or two lower down for basic settings to look for.

When running something other than Windows, don't worry. Every router I've used in the last 10 years is also configurable through a web browser. They serve dynamic addresses on the LAN ports by default, so just plug it in, turn it on, plug an ethernet cable from your PC to a LAN port, and let the interface be autoconfigured. It will almost certainly get either 192.168.0.2 or 192.168.1.2 , just point your web browser to whatever the first four numbers are, then .1 as so: http://192.168.1.1/

If the PCs interface does NOT autoconfigure, check the router's manual to see if you need to set your PC interface address by hand and then turn on DHCP in the router configuration. Some Cable Modems will allow you to plug directly into them with your PC's port set for 192.168.0.2 and you can then use a web browser to do its configuration if your ISP requires it. Very convenient, these web browsers.

Ok, you're doing configuration. Good. Here are the basic settings I suggest:

1) Give your router a GOOD password.

SAVE YOUR CONFIGURATION every time you make a change. Sometimes the router will ask, "Do you want to save your changes?" but don't count on that. Every time you make a change, save it. You don't want to have to do that all over again, do you?
1.5) Turn off "Remote Configuration" or "Remote Login". This is a Home Networking router, and unless your expensive IT consultant needs to access your router remotely, there is no reason to have this turned on. How many of you Home Networking people have expensive remote IT consultants on the payroll? Right. Just turn it off.

2) Turn off "Wan Ping Response". It may be referred to as "Respond to ICMP Requests" or a few other variations on those names. Basically, set your WAN interface to NOT respond to someone outside trying to see if it exists. Only turn this on if you need to, like your ISP requires it for testing, or you have an IPv6 tunnel.

3) Make sure the DMZ setting is OFF. If you don't know what it is, you don't need it, and if you do need it then you also know that whatever machine you configure the DMZ to point to is going to get treated like there is no firewall between it and the Cold Dark Evil Outside World. Please don't use Windows, any Windows, as a DMZ system, unless you're just trying to see how quickly they get cracked.

4) Ensure that there are enough DHCP addresses for all the computers you expect to run at the same time on your LAN. Yes, I have had this come up as an issue. Admittedly it was a business, but check it anyway.

5) Use encryption on your Wireless LAN, and use WPA if you can, WEP 128 if you must. While WEP encryption is easier than WPA to crack, for either one it's not really worth the time to do so. Leaving your wifi wide open, however, is an invitation to get a visit from the kind and generous folks at the MPAA who will demand to know why you've downloaded 70 copies of major Hollywood blockbusters in the last 10 days.

5.5) In case I need to mention it, use a good random passphrase for your wifi.

6) Verify with your ISP what settings you need on your WAN interface. Very likely, the defaults will do just fine, but go through and look at them to be sure.

Power off the router AND the Cable Modem, DSL modem, or whatever your ISP's hardware is, if there is any. Yes, power off the Cable/DSL Modem. This Is Important, and if you get on a call to your ISP's tech support people, it's the first thing they will ask you to do.

Now you can plug in your router's WAN port to the modem.

Power on the ISP's hardware, then your router, wait for them to finish their self tests. Try to load a remote site and, I expect, it will work just fine.

If not, go back into the router configuration, with the piece of paper from your ISP that tells you the settings, and re-verify that it's set right. That will usually do it, but seriously your ISP has seen it all before. Don't hesitate to call them if you have questions about what the settings should be.

1 comment:

  1. Anonymous12/2/11 07:27

    Since you have a linux versus Windows security post maybe you should do a Steve Jobs is a big fat liar entry. i.e. Yes, Virgina, you should take security precautions on a Mac too - including running Anti-Virus.

    I know I sound like a broken record, but AV for Mac is important too.

    Sophos has a free version:
    http://www.sophos.com/products/free-tools/free-mac-anti-virus/

    This article has a video with a mal-ware attack "caught" on film
    http://nakedsecurity.sophos.com/2010/11/02/anti-virus-mac-free/ (of course, it is a lab setting, they won't want dangerous mal-ware out there loose).

    ReplyDelete