Electrical Issues In Ethernet Networking

If you wire your house with Ethernet, you'll have a houseful of computers, all connected to the power system, and all connected to each other both through the Ethernet network and through the electrical system ("mains"). This is an obvious, but not trivial, issue.

With all computers connected within the same building, it's not a major issue. All computers are connected to the same main power supply, fed through the same power feed from the electric company, and grounded at the power distribution panel (electric meter et al). All computers, on properly maintained electrical and Ethernet networks, should have the same ground potential.

If you're lucky enough to have a large property, maybe you have a garage or shed out back of your house, with a separate electrical feed. If you decide to install a computer out there, networking that computer won't be a trivial issue. Even once you've solved the problem of running cable between the two buildings (bury it, and risk underground damage; or string it through the air, and risk damage from birds and other wildlife), you still have a major code and safety issue.

Two separate buildings will have different ground potentials, which amplifies the damage from lightning strikes. To meet electrical code requirements, the electrical feed to each separate building must be grounded separately. If you run Ethernet cable between your buildings and lightning strikes one of them, the surge could travel from one computer to the other through the Ethernet cable, and eventually to ground at the other building.

If you were unlucky enough to be working at either computer when this happened, you'd probably not live to worry about it. If you were lucky enough to not be in front of a computer, you could at least kiss the computers goodbye.

Even ignoring the possible damage from a lightning strike, a network whose computers sit at different ground potentials won't do much for network stability. A properly functioning network depends upon ground at every network point being at the same (identical) voltage level. Any variance, as can happen between any two separately grounded objects, will cause chronic and intermittent packet loss.

The bottom line? If you can't ground both ends of the Ethernet cable very securely, fiber or WiFi is a much better choice for connecting two separate buildings. Fiber-optic cable doesn't conduct electricity, just light. And WiFi isn't a physical medium at all.

If you have two buildings, limit the dangers of lightning to each building alone. Don't tie the two together inadvertently.


SMB Protection Requires Careful Setup

Server Message Blocks, or SMBs, are the lifeblood of Windows Networking. On high security networks, you can create secure channels between server and client to ensure the security of SMBs. You can provide authentication (digital signing) and / or encryption of SMBs, similar in nature to WPA as used in WiFi security.

However, just as WiFi connectivity can be prevented by improper setup of WPA, necessary use of Windows Networking can be prevented by improper setup of SMB protection. Both SMB Encryption and Signing must be set up consistently on your network. If any of your clients don't support either protection, it's best that you don't require it on your servers.

When you try to connect a Windows client computer to a server, you may see

The account is not authorized to log in from this station.

If a server requires SMB encryption or signing, all workstations must provide it if they are going to connect to that server. SMB Signing has been supported since Windows 98 and NT V4.0. Non-Windows operating systems, such as Apple's and Linux / Unix, may or may not support SMB Signing. Be consistent across your LAN, however you choose to set it up.

For computers in a workgroup, you configure SMB Encryption and Signing using the Local Security Policy editor. For computers in a domain, the Local Security Policy editor is available, but settings may be overridden by Group Policy.

You will have settings for both the server (incoming SMBs) and the workstation (outgoing SMBs), and settings for encryption (to prevent snooping) and signing (to prevent spoofing). You'll find the settings under Local Policies - Security Options; the policies whose names begin with "Domain member", "Microsoft network client", and "Microsoft network server" all contain relevant settings.

Note that both the server and workstation services, and thus both sets of settings, exist on most Windows computers. And note the difference between enabling SMB Signing (where computers that enable SMB Signing and those that don't will both be able to connect to each other) and requiring SMB Signing (where only computers that enable SMB Signing will be able to connect).
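The Enable / Require distinction above, as an added audit script (not part of the original article): it reads the registry values that the "Digitally sign communications" policies write on the local machine and applies the article's compatibility rule to a client / server pair. It assumes an elevated PowerShell on Windows; the LEGACY-PC object is a constructed sample, not a real machine.

```powershell
# Added example: audit local SMB signing policy and flag the mismatch the article
# describes (a server that REQUIRES signing talking to a client that does not ENABLE it).
# Registry paths are the ones the Local Security Policy editor writes to.

function Get-SmbSigningPolicy {
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $nl  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    # A missing value means the policy is "Not Defined"; treat it as 0 (off).
    $get = { param($path, $name) (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name -as [int] }
    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        ServerEnableSigning  = (& $get $srv 'EnableSecuritySignature')  -eq 1   # server: "(if client agrees)"
        ServerRequireSigning = (& $get $srv 'RequireSecuritySignature') -eq 1   # server: "(always)"
        ClientEnableSigning  = (& $get $wks 'EnableSecuritySignature')  -eq 1   # client: "(if server agrees)"
        ClientRequireSigning = (& $get $wks 'RequireSecuritySignature') -eq 1   # client: "(always)"
        SecureChannelRequire = (& $get $nl  'RequireSignOrSeal')        -eq 1   # Domain member: "(always)"
    }
}

# The article's rule: the connection fails only when one side REQUIRES signing and the
# other side has not ENABLED it. "Require" implies "Enable" on the same side.
function Test-SmbSigningCompatibility {
    param([pscustomobject]$Client, [pscustomobject]$Server)
    $clientSigns = $Client.ClientEnableSigning -or $Client.ClientRequireSigning
    $serverSigns = $Server.ServerEnableSigning -or $Server.ServerRequireSigning
    if ($Server.ServerRequireSigning -and -not $clientSigns) {
        return "FAIL: $($Server.Host) requires signing but $($Client.Host) does not enable it (expect 'not authorized to log in from this station')"
    }
    if ($Client.ClientRequireSigning -and -not $serverSigns) {
        return "FAIL: $($Client.Host) requires signing but $($Server.Host) does not enable it"
    }
    if ($clientSigns -and $serverSigns) { return 'OK: session will be signed' }
    return 'OK: session will NOT be signed (neither side requires it)'
}

$local = Get-SmbSigningPolicy
$local | Format-List

# Constructed sample: an old workstation with signing left at the defaults (off).
$LegacyClient = [pscustomobject]@{ Host = 'LEGACY-PC'; ClientEnableSigning = $false; ClientRequireSigning = $false }
Test-SmbSigningCompatibility -Client $LegacyClient -Server $local
Test-SmbSigningCompatibility -Client $local -Server $local
```

On a domain member, compare the output with the Group Policy result (gpresult /h), since the domain policy overrides whatever the local editor shows.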


Beware The Honeypot

Many, many years ago, when the USA was first settled, nobody worried about the neighbours. Anybody living in the wilderness was happy to see another human being - and if you went out to work in the fields during the day, you'd leave the front door latched (don't want the pigs or chickens wandering through the house), but nobody locked anything. If you had a front porch, you'd have an easy chair or two, and a bucket of water there for your guests. Anybody wandering by was free to "set a spell and have a drink".

When WiFi was first developed, nobody cared about freeloading. If you had a WiFi AP, you connected it to your Internet service, and left it open. Anybody wandering by was welcome to "set a spell, and borrow the connection". Then freeloading got serious - people like Walter Nowakowski, in Toronto, became common.

People would protect themselves, and WEP was developed. And people learned to crack WEP.

Some of the more ingenious WiFi owners became devious. The reasoning went like this:

"If I have a WiFi AP that's protected, and my neighbour has an AP that's not protected, any wardrivers will be using my neighbour's, right? Nobody is going to go after a protected AP when there's an unprotected one nearby."

and continued with

"OK, if a wardriver sees two APs, he can't tell that they aren't two different people. I'll set up an unprotected AP, and wardrivers can use that."

Kind of like the front porch with the chairs and water bucket. Yet there was more.

"Why should I let folks use my connection to download kiddie porn? The FBI will notify my ISP, and I'll lose my service. OK, disconnect the Internet from the open AP."

And the open AP became a honeypot. You can connect, but you aren't going anywhere.

Some WiFi security experts even laugh about the wannabe wardrivers, and maybe keep logs by MAC address. The ones who really have idle time to kill might even use NetStumbler or similar software to seek out the hapless wardriver by triangulation, and maybe take his picture or taunt him otherwise.

The really nasty ones might attach a computer running a spoofing DNS server, and let you think (initially) that you're connecting to "www.google.com". Then they will try to serve you the hack of the week from their computer. An old 486 lying around would be perfect for this task. Who cares if it takes 5 minutes to respond? That wardriver isn't going anywhere. Who cares if he gives up?

So, if you are using WiFi, and you're attached to an easy and seemingly available AP that you don't know, use common sense.
  • Use PingPlotter or a similar tool to make sure that it actually connects somewhere.
  • And, for heaven's sake, protect your computer!
  • And learn the difference between seeing
    Connected to XXXXXXX - Signal quality xxxxx.
    and actually having a connection to the legitimate Internet.
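The "does it actually connect somewhere" check from the list above, as an added script (not from the original article): a honeypot's spoofing DNS server has to point public names at its own box, which in practice means a private, link-local or loopback address, so that is what it looks for before testing a real TCP connection. It assumes Windows 8 or later (Resolve-DnsName and Test-NetConnection); the host names are arbitrary examples.

```powershell
# Added example: distinguish "associated with an AP" from "on the legitimate Internet".

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918, link-local (APIPA) and loopback ranges: none of these is a public Internet host.
    return ($Ip -match '^10\.' -or $Ip -match '^192\.168\.' -or
            $Ip -match '^172\.(1[6-9]|2\d|3[01])\.' -or
            $Ip -match '^169\.254\.' -or $Ip -match '^127\.')
}

function Test-RealInternet {
    param([string[]]$Names = @('www.google.com', 'www.microsoft.com'))
    $results = foreach ($n in $Names) {
        # Resolve with whatever DNS server the AP's DHCP handed out, exactly as a browser would.
        $a = Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue | Where-Object { $_.IPAddress }
        if (-not $a) {
            [pscustomobject]@{ Name = $n; Address = $null; Verdict = 'no DNS answer (captive or dead AP)' }
            continue
        }
        $ip = $a[0].IPAddress
        if (Test-PrivateAddress $ip) {
            [pscustomobject]@{ Name = $n; Address = $ip; Verdict = 'SPOOFED: public name resolves to a private address' }
            continue
        }
        # Name looks sane; now see whether packets actually leave the AP.
        $tcp = Test-NetConnection -ComputerName $ip -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Name = $n; Address = $ip; Verdict = $(if ($tcp) { 'reachable on 443' } else { 'resolves but no route out' }) }
    }
    $results
}

Test-RealInternet | Format-Table -AutoSize
```

A passing result only shows that DNS and TCP look sane; checking the site's TLS certificate in the browser is the stronger test against a DNS spoofer that uses a public address.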

Think.
