Newer Networking Features - Virtual LANs

One of the shiniest features in WiFi networking this year is routers with dual LANs. One LAN provides access to the Internet, and lets all computers reach each other, like a normal router. The second LAN provides access only to the Internet.

You connect all of your personal computers to the first LAN. When you have guests, they can bring their personal computers, connect to the second LAN, and surf the Internet without having any access to your personal computers.

You can even lower the security level on the "Guest LAN" to accommodate your guests, without exposing your personal computers to abuse by possibly malicious neighbours, or by your guests' computers themselves, which may not be secured to your personal standards and may have malware infestations.

Virtual LANs, or "VLANs", used to be features available only on advanced, enterprise grade networks. With computers being a common item in the home, simple VLANs (multiple LANs provided by a single router) are now available to Small Office / Home Office ("SOHO") networks.

Last year, if you wanted equivalent protection for your home computers, you'd be advised to buy 3 routers. You would connect one router directly to the modem, and connect the other 2 routers to the first router as peers. One of the secondary routers would provide your "Personal", secure LAN; the other, the "Guest", less secure LAN. This arrangement, while providing more security for your computers, will have disadvantages.

  • Complexity. Three routers will require more cabling, and more physical space than one router.
  • Cost. Three routers are going to cost more than one router.
  • Networking side effects. Look up discussions about "double NATting", for more about this problem.


A modern, dual LAN router has none of these disadvantages, just improved security for you, and increased convenience for your guests.


Windows Vista and Explicit Congestion Notification

With one of the most popular uses for computers being Internet access, the changes in Windows Vista to support improved TCP networking are significant. I've written about Scalable Networking, which contains 3 identified options - Receive-Side Scaling, TCP AutoTuning, and TCP Offload. Scalable Networking contains changes that are implemented on the client, and only require support from the client equipment.

There are more changes to the Vista TCP stack, though, and some of them require support from equipment outside the client network. Explicit Congestion Notification (ECN) is an option that reduces network problems caused by dropped packets, by letting the routers in the network (which drop packets, when overloaded) warn the client and server that they are approaching overload ("congestion").

Rather than experience packet drop (and require packet retransmission), the client and server can be warned before packet drop is necessary, and voluntarily reduce network use. If the endpoints (client and server) reduce network use, the routers in the network path between the endpoints become less overloaded, and are less likely to drop packets. This reduces network problems, and benefits all members of the network, including other endpoints and routers in other connections. By reducing packet retransmission, ECN can reduce Internet congestion in general.

Used inappropriately, however, ECN can actually increase Internet congestion. Not all Internet equipment is ECN friendly, and Wikipedia mentions how enabling ECN might actually cause a problem, rather than preventing one.

Some outdated or buggy network equipment drops packets with the ECN bit set, rather than ignoring the bit[1].


ECN isn't granular - either you enable it, or you don't - and it potentially affects access to all web sites that you wish to visit. It may be more useful on specialised computers that are intentionally used for high speed communication with specific web sites. It doesn't appear too useful for web surfing in general, right now.

For this reason, Vista is installed with ECN Disabled. If you try ECN Enabled, and you lose access to one web site, you'll have no choice but to Disable ECN, or face loss of access to the web site in question. As network hardware is upgraded, and becomes ECN friendly, enabling ECN will become a more practical option.

If you wish to use ECN, enter in a Vista command window (Run as Admin)

netsh interface tcp set global ecncapability=enabled

If you detect problems, such as lack of access to various web sites, enter similarly

netsh interface tcp set global ecncapability=disabled
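As an added illustration (not part of the original post), the following Python decodes the two places where ECN actually lives on the wire, which is what the explanation above is describing: the low two bits of the IPv4 TOS byte, which a congested router rewrites from ECT to CE instead of dropping the packet, and the ECE/CWR flags in the TCP header through which the endpoints react. Looking at these bits in a capture is the quickest way to tell whether ECN was negotiated at all and whether anything on the path is marking or stripping it, which is what you want to know before deciding to leave it enabled. The packets are constructed in the script; `build_packet`, `decode_ecn` and `classify` are names chosen here.

```python
"""Decode the ECN signalling fields of IPv4/TCP packets.

Added example, not from the original post.  The packets below are
constructed by hand; the same decoder works on raw frames from a
capture once the Ethernet header has been removed.
"""
import struct

# RFC 3168 codepoints held in the low two bits of the IPv4 TOS byte.
ECN_CODEPOINTS = {
    0b00: "Not-ECT",  # endpoint did not negotiate ECN
    0b01: "ECT(1)",   # ECN-capable transport
    0b10: "ECT(0)",   # ECN-capable transport (the usual marking)
    0b11: "CE",       # router set Congestion Experienced instead of dropping
}

# TCP flag bits (RFC 3168 section 6.1).
TCP_CWR = 0x80  # Congestion Window Reduced: sender has reacted to ECE
TCP_ECE = 0x40  # ECN-Echo: receiver saw a CE mark, tells the sender
TCP_ACK = 0x10
TCP_SYN = 0x02


def build_packet(tos, tcp_flags, sport=50000, dport=80):
    """Construct a minimal IPv4+TCP packet (no payload, zero checksums) for demonstration."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, tos, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    # data offset of 5 words sits in the high nibble of TCP byte 12; flags are byte 13
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, tcp_flags, 65535, 0, 0)
    return ip + tcp


def decode_ecn(packet):
    """Return the ECN-relevant fields of one IPv4/TCP packet as a dict."""
    if len(packet) < 40 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet with room for a TCP header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not TCP")
    tos = packet[1]
    flags = packet[ihl + 13]
    return {
        "ip_ecn": ECN_CODEPOINTS[tos & 0x03],
        "dscp": tos >> 2,
        "syn": bool(flags & TCP_SYN),
        "ece": bool(flags & TCP_ECE),
        "cwr": bool(flags & TCP_CWR),
    }


def classify(packet):
    """One-line reading of what the ECN bits on this packet mean."""
    f = decode_ecn(packet)
    if f["syn"] and f["ece"] and f["cwr"]:
        return "ECN-setup SYN: client offers ECN"
    if f["syn"] and f["ece"]:
        return "ECN-setup SYN-ACK: server accepts ECN"
    if f["ip_ecn"] == "CE":
        return "CE marked: a router on the path is congested"
    if f["ece"]:
        return "ECE set: receiver is echoing congestion to the sender"
    if f["cwr"]:
        return "CWR set: sender has reduced its window"
    if f["ip_ecn"].startswith("ECT"):
        return "ECT: ECN-capable, no congestion reported"
    return "Not-ECT: ECN not in use"


# Constructed sample exchange: an ECN handshake followed by one congestion event.
SAMPLE_CAPTURE = [
    build_packet(0x00, TCP_SYN | TCP_ECE | TCP_CWR),   # client SYN offering ECN
    build_packet(0x00, TCP_SYN | TCP_ACK | TCP_ECE),   # server SYN-ACK accepting
    build_packet(0x02, TCP_ACK),                       # data segment, ECT(0) marked
    build_packet(0x03, TCP_ACK),                       # router rewrote ECT(0) to CE
    build_packet(0x02, TCP_ACK | TCP_ECE),             # receiver echoes ECE
    build_packet(0x02, TCP_ACK | TCP_CWR),             # sender answers with CWR
]

if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURE:
        print(classify(pkt))
```

If a connection to a given site never gets past the first packet with ECN enabled, but works as soon as it is disabled, the SYN carrying ECE and CWR is the one being dropped by equipment that does not understand it, which is the failure the Wikipedia note describes. On Vista the current setting can be read back with `netsh interface tcp show global`.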



How To Break A CAPTCHA

A CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, is what many online services like email, forums, and free web site hosts use to prevent their services from being misused. Were it not for CAPTCHAs and similar controls, various known and unknown criminals could easily set up thousands of email accounts, forum memberships, and personal web sites for themselves, and send millions of bits of email spam, post millions of forum spam messages, and publish millions of spam web sites, all in the amount of time that it will take me to write this article. And in March 2009, we see a new frontier in spamming - comment spam.

So thank heavens for the CAPTCHA (from pioneers like Luis Von Ahn), which protects us from the hacking, porn, and spam that would otherwise overwhelm the Internet.

Oh crap. The Internet is already overwhelmed. Maybe CAPTCHAS, actually, aren't accomplishing a thing - except stopping us, the honest Internet user, from setting up an email account, a forum membership, or a free web site, without raising our blood pressure another 20 points in 10 minutes.

No, CAPTCHAS do not work, Luis. Allegedly.

So, Chuck, how do you break a CAPTCHA? Well, I can think of 3 ways.

  1. Expensive high tech automated, CPU intensive, CAPTCHA breaking software. Right. I don't know about you, but my CAPTCHA solving skills are maybe .500 on my best day. How is a computer program going to break CAPTCHAs, reliably?
  2. Semi expensive hiring of personnel intensive CAPTCHA breaking staff (workers, supervisors, managers, communications lines, technology??) in third world countries (5:00). Staff that does nothing but look at CAPTCHAs, over and over, all day? Is that going to be reliable?
  3. Relatively cheap acquiring of volunteer labour, gathered through the Internet, completely ignorant of their role, who just want to look at the dancing pigs. Each volunteer collaborates with 2 or more other volunteers for one CAPTCHA, then is done, and never knows what he just did. Any porn merchant can get all of the volunteers that he needs.


Which is it? Door 1, 2, or 3?

For my money, it's got to be Door 3 - volunteer labour (5:45). Watch the video, and despair.


Human Computation (Luis Von Ahn: July 26, 2006): http://www.youtube.com/v/tx082gDwGcM


No, Luis, this isn't allegedly happening (6:10).

Hacking, porn, and spam distribution is big business (6:20). Hackers, porn merchants, and spammers are making big bucks. Door 3 is the only possibility that makes any business sense. Volunteer labour - that's the trick (6:30).

So, yes, Luis, you could use these games to break the CAPTCHAs (51:10).


Windows Vista and Scalable Networking

Over a year ago, I explored a problem with Windows Vista's default networking settings relating to Window Scaling. The first known problem with Window Scaling was an exciting networking option called Receive Window AutoTuning, which became a problem when an older router was in use.

Besides AutoTuning, which is a problem with older routers, there are two additional networking options - TCP Offload ("Chimney") and Receive-side Scaling ("RSS"), which are a similar problem with older networking adapters. If your computer suffers from symptoms similar to the well known MTU setting problem, and you get no relief from disabling RWin AutoTuning, consider disabling TCP Offload and Receive-side Scaling.

In a Vista command window (Run as Admin), enter

netsh interface tcp set global chimney=disabled
netsh interface tcp set global rss=disabled


TCP Chimney Offload takes a portion of the TCP/IP network stack, currently run on your computer as part of the Windows operating system, and runs it in a dedicated processor on a TOE capable network adapter. Less work for the operating system + processing as part of the physical networking adapter = better performance.

Receive-side Scaling allows processing of incoming network traffic to be properly run on a multi-processor computer, by ensuring that all packets from a single TCP network connection are consistently processed by the same processor. All incoming packets for each TCP connection processed by the same processor = packets never getting out of sequence, which can be a problem otherwise with multiple processors. Obviously, you'll need a multiple processor system, to get any benefit here.

Try Internet access with TCP Offload and Receive-side Scaling disabled, and see if network performance improves. If it does, see if you can upgrade or replace your network card with one that is TOE capable, which was stated to cost $25 - $50 earlier this year. Once you have the right network hardware, or if the above change doesn't provide any relief from your symptoms, you can re-enable TCP Offload and Receive-side Scaling:

netsh interface tcp set global chimney=enabled
netsh interface tcp set global rss=enabled


If you do see a bandwidth improvement and / or network utilisation drop after enabling chimney and / or rss, restart the system. You may see still more improvement after restarting. Use of proper tools for objective measurement of bandwidth and network utilisation, access to high speed Internet service, and use of high bandwidth network applications like streaming video, will make the success of this change a bit easier to assess.

Besides Scalable Networking, look at other possible problems with Windows Vista Networking Innovations, in Windows Vista and Explicit Congestion Notification.

For more details about this issue, see

Windows Vista, and Network Location Awareness, With Multiple Network Adapters

Some owners of laptop computers, running Windows Vista, are reporting an inaccurate network status indicator when the computer is first started, and connected to the network.

When a Vista computer is started, the network status indicator - the little globe icon in the tooltray - will indicate "Local Only" status. If you go ahead and start a browser, or other Internet client component, you'll get a connection, but it may be very slow for a while. Eventually, the network status indicator will change to show "Local and Internet", and connectivity will return to normal.

This is a problem with the Network Connectivity Status Indicator (NCSI) component of the Network Location Awareness (NLA) service, and how it determines Internet connectivity when there is no active network traffic. Even if the NLA is able to verify Internet connectivity, when there is more than one network adapter on the computer, NLA can't determine which adapter has connectivity, so NCSI shows all adapters as being connected locally only. This is a problem when connectivity is through a router, and a DNS probe is used to determine connectivity.

Many late model (which is what you would want running Vista, after all) computers have an IEEE 1394 (Firewire) port. Similar in function to USB (but receiving less consumer support), a 1394 Firewire port is supported as a network adapter in many desktop and laptop computers. If your desktop or laptop computer has the problem with "Local Only", and it has only one network adapter, run "IPConfig /all", and examine the log.

If you see an entry for "IEEE 1394", this could be a problem. You can disable this device from the Network wizard (called in Windows XP, "Network Connections"), or using the Device Manager under System Properties, if you don't intend to use a 1394 network. Not a lot of us use (or intend to use) 1394 networking.

Firewire is the best known alternative networking adapter, which is part of what is being called Personal Area Networking (PAN). Two other possibilities include InfraRed and USB.

Another possible contributor to the problem is the IPv6 tunnel adapters. You may get relief from the problem by disabling IPv6 (KB929852).

Microsoft Help and Support: (KB947041): The network connectivity status incorrectly appears as "Local only" on a Windows Server 2008-based or Windows Vista-based computer that has more than one network adapter describes the problem in more detail, and should eventually identify a solution.


Online Analysis Of Suspicious Websites

One of the neatest ways to distribute malware nowadays is by serving it from a web site. Why push malware as files to the victim's computer - just put the bad stuff on your web site, and entice the victim to surf there. If he does so intentionally, he's more likely to trust you, and badda bing, he downloads your malware to his computer.

The classic way of protecting us from malicious web sites was stopping us from surfing there, generally using Hosts file based web site blocking.

Besides web site blocking, and malware protection (both active and passive) on your computer, you need malware scanning of any web site that you access. And what better way to do this than by using the power of the web?

  • AVG / Exploit Prevention Labs provides LinkScanner, which can be accessed as a browser add-on or queried online. LinkScanner does a live scan on Google, Yahoo and MSN search results, rather than querying a database of previous scan results.
  • FireTrust provides SiteHound, which can be accessed as a Firefox or Internet Explorer toolbar.
  • McAfee provides Site Advisor, which can be accessed as a Firefox add-on, or queried online. SiteAdvisor has an accumulated database, a web site popularity meter ("nitecruzr.net" shows a 2 of 4 - "some users"), plus does real-time evaluation when requested. They also accept comments from site readers, and from site owners.
  • A partnership between top academic institutions, technology industry leaders, and volunteers provides StopBadware.org, which feeds the Google search engine results pages. Google uses the StopBadware database, and accepts input by site owners through Google Webmaster Tools.
  • Symantec provides Norton SafeWeb, which appears to be intended as a plugin to a Norton security suite, though it does provide for web based queries. SafeWeb accepts comments from site readers.
So there are choices. Try them, and see which one suits your needs best.


(Update 2009/09/18): Today, we note a significant increase in vigilance.



Event ID 2021 Caused By IRPStackSize Problem

Microsoft, in their article (KB317249): How to troubleshoot Event ID 2021 and Event ID 2022, provides a fairly robust assortment of diagnostics, for us to run when we see an "Event ID 2021" or "Event ID 2022" in our System Event Log.

The KnowledgeBase article advises us

Event 2021 is logged when there is accumulation of work items in the server service. But you must understand that the most common cause of the accumulation of work items in the server service is because the disk subsystem does not keep up with the number of requests.


Nowhere, however, does the article mention a very commonly known problem in Windows Networking, the IRPStackSize error. Yet, in one case presented in Windows XP Networking and the Web: Mapped file share unavailable within seconds, the problem mentioned was resolved in that well known way
I solved this problem by further increasing IRPStackSize, to 45 decimal ...


We should note that the KnowledgeBase article mentioned above was intended for server operating systems, and is not stated to include Windows XP Home. But in this case, the client found the content of the article sufficiently interesting that he was motivated to increase IRPStackSize, and thus reached his solution.


Windows Vista And The Network Map

Most of us who have computers in our homes also have Internet service (what else is the computer for anyway?). Many of us who have computers have more than one computer, and some of us who have more than one computer need a network management product, like The Dude (what a name for something priced so nicely) to keep track of our computers.

Auto discovery, which automatically generates a graphical display and inventory of the computers on the network, is an expected feature in many network management products like The Dude. Now Auto Discovery is a built-in feature of our favourite new operating system, Windows Vista. One of the shiniest features of Windows Vista is The Network Map - its ability to show you a semi graphical display of all of the computers, routers, and switches on the network.

The Network Map uses a new protocol - Link-Layer Topology Discovery (LLTD). Regardless of what firewalls, or other hardware or software protective devices we have on our network, LLTD discovers all devices connected. LLTD has basically the same strengths and weaknesses as other well known alternate protocols IPX/SPX and NetBEUI (neither of which are available for Vista).

  • Regardless of what Windows Networking protocol you're using - IP, IPX/SPX, or NetBEUI, LLTD will show you a map of all computers running Windows Vista and Windows XP (when equipped).
  • Regardless of what firewalls or routers you may have setup to segment your network, and protect some computers from others, LLTD will pass through to each segment, and will inventory all computers on the segment.
  • Regardless of whether LLTD shows you a computer, you won't necessarily have the ability to access that computer, or even determine its network address, for Windows Networking.


The Network Map presents additional challenges.
  • It is only available on Windows Vista (and Windows XP, with (KB922120): the optional LLTD Responder).
  • Its availability, and the fact that "it simply works", can cause confusion among computer owners, who can't get Windows Networking to work, when a Windows Vista computer is installed.
  • People confuse the Network Map with the "Network" wizard (previously known as Windows Explorer in Windows XP and previous Windows editions), which provides a similar functionality, but will display different information.


It's a great tool, but you need to be aware of its limitations.


Analyse Your WiFi Environment Objectively #2

When you have a WiFi LAN, and want to find out why it doesn't perform as well as you'd expect, the first thing most folks will instruct you is

Do a WiFi site survey. Find out what your neighbours are doing.
When a site survey must be done, the best known procedure is to run NetStumbler.

But NetStumbler, for all its merits of being easy to use and well known, has shortcomings.
  • It doesn't support 802.11n client equipment.
  • It doesn't reliably detect 802.11n networks.
  • It doesn't run under Windows Vista.


Fortunately, there are new WiFi spectrum analysers, available now, that may provide help where NetStumbler fails. Two such products are InSSIDer (from MetaGeek), and the Xirrus Wi-Fi Monitor Gadget for Windows Vista.


WiFi Networking And Static IP addresses

When your computer connects to a WiFi access point, one of the first things that it normally does is to request an IP address, so it can connect to the router and / or to the other computers in the LAN. One of the earliest ways to stop intruders from connecting to your LAN, through your WiFi access point, was to restrict access by MAC address. A second way was to disable DHCP, and stop issuing IP addresses automatically.

Such a simple procedure - and so useful (or so thought those who tried it). Not so useful, thought the hackers when they encountered a WiFi LAN without DHCP to issue IP addresses. Part of hacking a WiFi LAN involves monitoring the packets for useful MAC addresses, and a small additional effort is then expended in extracting IP addresses. It's just radio.

If your neighbour, who just bought his first wireless computer, can't get an IP address when he connects to your otherwise open LAN, he can't access the Internet through your service. You're safe from him leeching your Internet service.

But what of his son, who hacks as a hobby? Once he gets past your MAC address filter, finding out what IP addresses are being used is trivial. He probably won't even notice that you disabled DHCP. And since he hacks, he's probably got nefarious intent, maybe leeching WiFi so he can hack a distant Internet server, using your service of course.

Maybe the FBI is targeting his activities, so he's borrowing your service. When they see his new IP address (your service), who gets blamed? Probably you.

Oh yeah - if you have DHCP disabled on your LAN, and you carry your laptop to your friend's house, how are you going to get an IP address? Are you going to manually set up an address there? Then change it back when you come home again? Have fun. What about your local hotspot, where DHCP is the only way that you can get an address?

I know who I would worry about, when I assess the dangers associated with Internet connectivity, and with WiFi networking. Static IP Addresses, when used as a security device on a WiFi LAN, are just another form of security by obscurity, plus inconvenience to you. Use WPA / WPA2, not WEP, and properly layered security, and forget about other WiFi security devices. Any hacker who can get through WPA (and that will happen one day) won't be fazed in the slightest by fixed IP addressing.


Diagnosing A WiFi Problem Requires Proper Tools

A WiFi connectivity problem can cause many symptoms - from inability to access other computers on the LAN, to lack of bandwidth when downloading files from Internet servers. But there are many factors that can cause those symptoms, and more. Diagnosing WiFi problems by observing bandwidth or connectivity symptoms is just not proper procedure.

You need the right diagnostic tools, and I start with NetStumbler and PingPlotter.


Powerline Networking - A Cabled Network Without Ethernet Cables

When it comes to networking your home or small office, I like to say "Ethernet for security and stability, WiFi for convenience". Unfortunately, you'll occasionally have a problem where you can't run Ethernet cables, and WiFi won't do the job either. Fortunately, any building with computers, and most without, has a third possibility - one that uses cables already installed - the power cables in the walls.

Ethernet Over Power, or Powerline Networking, is pretty simple. At each location where you need a network connection, you plug an EOP bridge into the wall, and an Ethernet cable connects to that. The other end of the Ethernet cable you connect to a single computer, or to a hub, switch, or router.

There are several vendor choices for EOP bridges, and here are 3 examples.


Ethernet Over Power has its disadvantages, of which you must remain aware.
  1. They have a limited market, so you'll have fewer choices and you'll find them relatively pricey, as compared to WiFi.
  2. They are proprietary - each of the 3 choices above will only work with others in the same product line.
  3. They use the 120V power circuits, and on a typical 240V service you will have to ensure that all units are plugged in to the same 120V half of the 240V.
  4. Like WiFi, they are half duplex. All EOP devices, even if they will not network together, will still have to share the powerline signal spectrum.



Issue 1 is simple economics. More WiFi components are sold than Powerline Networking / Ethernet Over Powerline. More sales volume = more competition = lower prices = more sales volume. Look at the choices for WiFi, and compare that to EOP.

Issue 2 is unfortunate. The HDX101 and the XE102, even with both made by Netgear, will not participate in a network.
An HDX101 may coexist with HomePlug 1.0 products, but is not compatible nor interoperable with NETGEAR’s XE104, XEPS103, XE103, XE102 or WGXB102 Powerline products.


Issue 3 is a fascinating concern. In a typical domestic wiring system in the USA, you'll have a 240V service, which includes 2 hot leads providing the 240V. There will be a third lead, neutral, such that the neutral and either one of the hot leads, in combination, provides 120V. This is a 240V split service, providing 2 "legs" of 120V each.

Small appliances and light bulbs, in the USA, use 120V. With a 240V split service, half of the appliance / lighting circuits will be on one hot lead (1 "leg" of the service), and the other half on the other leg, providing a balanced load. When you setup your EOP bridges, they will all have to be on the same 120V leg, or there will be no signal between the bridges.

Essentially, you could (unreliably) have two EOP broadcast domains. All EOP devices on one leg will irregularly receive signals from the EOP devices on the other leg. When you turn on your kitchen stove, or other 240V appliance, you may get signals from one leg to the other; at other times, both legs will be isolated. If you don't plan for this to happen, you will learn it the hard way.

To identify which legs your prospective EOP bridge locations are on, examine your circuit breaker box. First, identify the breaker servicing each location. Verify the proper breaker, by plugging a lamp into the outlet, flipping the breaker, and watching the lamp go off then on. Having verified the breakers, examine their relative locations. Most breaker boxes will have the breakers arranged in two vertical columns, with alternating rows of breaker slots on different legs.

If you have two breakers vertically adjacent (in either column), it's likely that the two circuits will be on different legs. With breakers separated by 1 breaker slot, they will be on the same leg. With breakers separated by 2 breaker slots, they will be on different legs. And so on.

Note that two breakers, separated by a double width breaker (240V circuit, occupying 2 slots), will still be on opposite legs. Two slots (one double width breaker) is the same as two slots (two single width breakers); and the two breakers on opposite sides of the two slots will be on different legs.

Issue 4 is similar to WiFi. All EOP devices on the same service will have to asynchronously share the powerline signal spectrum, regardless of product line, and only one device can transmit at any time. The more EOP devices you have, the less efficient your powerline network will be. Despite different product lines being incompatible with each other, they all still have to share the powerline spectrum, as peers.

Despite the above problems, though, Powerline networking is a good solution when you can't run Ethernet cables, and when you can't get a WiFi signal to reach.

Note that EOP, for computer networking, is a relatively new technology. X-10 Remote Control Appliances / Lighting, which also sends signals over the AC power grid, is not. The problem of signal propagation on a 240V split service has been a long time problem for X-10 owners. There may be X-10 solutions that are usable in EOP scenarios. It's also likely that EOP and X-10 may be incompatible, on the same service or in the same neighbourhood. X-10 also makes remote (wireless) stereo speaker systems, which may present the same challenge.


Bots And You #2

Computers controlled by somebody who is not their legal or physical owner, aka "bots" or "zombies", have been a known fact of life in the Internet, for several years. Successful hackers, though, don't bother with individual computers, they control armies of botted computers, each numbering in the thousands.

One of the defenses against bots is the use of CAPTCHAs, or puzzles that "humans can solve, but computers can't". If you use the Internet much at all, you've seen, and solved, more than one. Unfortunately, CAPTCHAs are easily solved by scripts and online users. The people who produce web products like email, online forums, and blogging platforms may not yet realise that detail, however.

This is not an academic issue; it's commercial, and it's very real. Here are the specifications for a commercial product used to manage attacks against online forums, and place spam posts there. I've viewed an online movie which showed XRumer in action (movie since removed), and my computers haven't been attacked, but I would still visit that web site only from a computer carefully protected with a good layered security strategy.


Let's "make a new project".



Having setup the content and style of the attack, let's see what it will look like when placed in a typical forum.



Posting to multiple forums, simultaneously, is the key here. We need the ability to determine how many forums to attack, simultaneously. Here, we see hundreds of forums under attack.



Here we have a very matter-of-fact demonstration of how useless CAPTCHAs are. Note the log entries "captcha recognized", showing that the forums in use asked for CAPTCHA entries, which were simply resolved by the XRumer script. Not even worthy of a feature balloon in the demo.



This product, XRumer (note "Version 3.0"), appears to be a Windows XP application. It's well designed, with plenty of features that make it persistent, robust, and versatile. It's apparently designed for placing spam posts into online forums. Note that the demo doesn't show us any detail about posting into any one forum, it simply shows the spam posts being placed to the forums. This is simply an advertising demo, for a mature and probably popular product.

And the individual forum postings are being processed, simultaneously, by bots. Presumably "one thread" = "one bot". Note the URL: www.botmaster.net.

I have no doubt that similar products are marketed, to generate and deliver spam through email, to register and generate splog farms in the Blogger world, and even to send comment spam to blogs and web sites. Note that this demo is several years old - surely shinier, more robust, and more versatile products are available today. And just as surely as "Coca-Cola" has a competitor "Pepsi-Cola" (with neither outshining the other for very long), "XRumer" has competitors too.

This is why you see spam in online forums, spam in your email box, and spam blogs on the Internet. It's a commercial process, with automated tools.


New Equipment In Your LAN

Every week, someone writes for advice

I just got a new router, and now I can't access my computers from each other.

or
I just got a new router, and none of my computers can access the Internet.

Frequently, the cause of these problems will fall into one of two categories - new features, and settings.

New Features
Many new, and high end, routers come with protection that emphasises Internet access, and makes file sharing an optional activity, to protect the individual computers from each other. Look carefully in the Owner's Manual, for a "DMZ", "Isolation Mode", "Virtual Server", or "VLAN" setting - either on a single port, or affecting the entire LAN.

And if you are setting up a WiFi router, make sure that the radio is turned on. Some WiFi equipment is delivered with the radio turned off, to ensure that you will intentionally activate it, and be prepared for when this is done.

Settings
Any time that I was changing my network equipment, I would take a snapshot of all network settings from all computers. You can never tell when this might be a life saver. Logs from "browstat status", "ipconfig /all", "net config server", and "net config workstation" could all be useful when troubleshooting. Make a set before, and after, any change. Compare each, line by line, and if you spot any differences, explain or fix them before continuing.

If you're having trouble accessing the Internet, check to see if your computers are using manual assignments. New equipment will probably include an IP address change for the router - some vendors provide a default LAN on 192.168.0.0/24, others 192.168.1.0/24, and others have additional variations. Maybe the router handles DNS differently too.

If you're having trouble with Windows Networking, either an Error 5 aka "Access Denied" or an Error 53 aka "Name not Found" may be seen, or you may simply not see any computers in Network Neighbourhood. If this is the problem, check the security components on the computers - since a new router will probably result in a new subnet address, check personal firewalls and anti-worm programs, for settings that are IP address sensitive.
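The before-and-after snapshot comparison described above lends itself to a small script, so here is one as an added example (not the post's own tooling). It parses the text that `ipconfig /all` prints into a per-adapter table, lists every setting that changed between the two snapshots, and then applies the two checks the post calls for: adapters still carrying a manual address, and adapters whose subnet moved (192.168.0.0/24 to 192.168.1.0/24 in the constructed sample). The sample dumps are constructed; `parse_ipconfig`, `diff_snapshots`, `manual_adapters` and `subnet_changes` are names chosen here.

```python
"""Compare two snapshots of Windows network settings.

Added example, not from the original post.  Save the real output of
"ipconfig /all" to a file before and after the change, then pass both
file contents to the functions below.  The two dumps embedded here
are constructed samples.
"""
import ipaddress
import re

# "Ethernet adapter Local Area Connection:" (trailing colon optional)
SECTION_RE = re.compile(r"^(\S.*?):?\s*$")
# "   IPv4 Address. . . . . . . . . . . : 192.168.0.12(Preferred)"
# A key starts with a letter and is followed by dot leaders, so indented
# continuation lines carrying extra addresses are not mistaken for keys.
SETTING_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)\s*\.(?:\s*\.)*\s*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {section: {setting: value}} from ipconfig /all output."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            # "(Preferred)" is a lease-state annotation, not part of the address
            sections[current][m.group(1).strip()] = m.group(2).strip().replace("(Preferred)", "")
    return sections


def diff_snapshots(before, after):
    """Every (section, setting, old, new) whose value differs or exists on one side only."""
    changes = []
    for section in sorted(set(before) | set(after)):
        b, a = before.get(section, {}), after.get(section, {})
        for key in sorted(set(b) | set(a)):
            if b.get(key) != a.get(key):
                changes.append((section, key, b.get(key), a.get(key)))
    return changes


def manual_adapters(snapshot):
    """Adapters with a hand-assigned IPv4 address: the ones a router's subnet change strands."""
    return [name for name, s in snapshot.items()
            if s.get("DHCP Enabled", "").lower() == "no" and "IPv4 Address" in s]


def subnet_changes(before, after):
    """Adapters whose IPv4 network changed, e.g. 192.168.0.0/24 -> 192.168.1.0/24."""
    out = []
    for name in before:
        try:
            old = ipaddress.ip_interface(f"{before[name]['IPv4 Address']}/{before[name]['Subnet Mask']}").network
            new = ipaddress.ip_interface(f"{after[name]['IPv4 Address']}/{after[name]['Subnet Mask']}").network
        except (KeyError, ValueError):
            continue  # adapter missing on one side, or carries no IPv4 address
        if old != new:
            out.append((name, str(old), str(new)))
    return out


# Constructed "before" snapshot: old router on 192.168.0.0/24.
BEFORE = """\
Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.0.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# Constructed "after" snapshot: new router hands out 192.168.1.0/24; the
# wireless adapter kept its manual address and is now on the wrong subnet.
AFTER = """\
Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.0.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

if __name__ == "__main__":
    b, a = parse_ipconfig(BEFORE), parse_ipconfig(AFTER)
    for change in diff_snapshots(b, a):
        print("changed:", change)
    print("manual addresses:", manual_adapters(a))
    print("subnet moved:", subnet_changes(b, a))
```

The same approach works for the other logs the post names (`browstat status`, `net config server`, `net config workstation`): keep the raw text of each, and diff it line by line; the parser here only knows the `ipconfig` layout.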

If All Else Fails
Get into Troubleshooting Internet Connectivity, or into Troubleshooting Network Neighbourhood, depending upon the problem being observed.

And of course, make sure that the new router has the current firmware, obtained from the vendor.


MAC Address Filtering

The Media Access Control, or MAC, Address is one of the most universally present identity features in computer networking. Whether your computer uses Internet Protocol (the default and preferred protocol) or IPX/SPX or NetBEUI (possible alternates), as its Layer 3/4 transport, each networking device on your computer will have a MAC Address. Some devices will even have 2 MAC addresses, and here's where a problem starts. Besides the Universally Administered Address (UAA), which is assigned to a network device when it is assembled at the factory, some devices will be assigned a Locally Administered Address (LAA) by the network administrators, when a network is being setup.

Setting up an LAA is trivial. The hard part is deciding what address to use. Once you decide that, just run the Network Adapter Settings Wizard. Depending upon the vendor, the ability to assign an LAA will be somewhere in the wizard. For 3Com, for instance, the Advanced tab will have a value "Network Address". Type in the LAA that you wish to use on the adapter in question, hit the OK buttons a couple of times, and you're good to go.

If you change the MAC address of the WAN connection on your NAT router, you're setting an LAA there.

One of the most common security selections, when you setup a router, is the ability to filter by client MAC address, and permit network access to a select few addresses. Like hiding the SSID beacon, filtering by MAC address is just another form of security by obscurity. It's similar in effect to disabling DHCP, and manually issuing IP addresses to all computers.

An attacker who is interested in connecting to your WiFi network has only to learn the MAC address of a device on your network, and assign the observed address. As described above, assigning an address is a trivial exercise; and learning an address is the same. Learning an address is simply a prerequisite in interesting exercises such as a Man In The Middle attack, or WEP cracking.

The bottom line? MAC address filtering is probably the lamest form of WiFi security that you can try. It's easy to do, but easy to bypass too.
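Since a MAC filter is defeated by copying an address that is already on the list, the one thing a defender can still look for is the copy itself: the same MAC turning up with more than one IP address or host name in the router's lease table. The script below is an added example (not the post's own, and the log format is an assumption) that parses constructed DHCP lease lines and reports such duplicates. It also classifies each address with the IEEE 802 U/L bit (bit 1 of the first octet), which is set on a locally administered address; that tells you an address was assigned by software rather than at the factory, not that it is hostile. A legitimate client that rebooted and received a fresh lease will also appear as a duplicate, so treat the output as a lead to check, not as proof.

```python
"""Audit a router's DHCP lease log for duplicated and locally administered MACs.

Added example, not from the original post.  Lease lines and their
format are constructed; adapt LEASE_RE to the log your router writes.
"""
from collections import defaultdict
import re

# Constructed log format: "<date> <time> dhcp lease <ip> mac <mac> host <name>"
LEASE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dhcp lease (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"mac (?P<mac>[0-9A-Fa-f:-]{17}) host (?P<host>\S+)$")


def normalise_mac(mac):
    """Accept 00-1A-2B-3C-4D-5E or 00:1a:2b:3c:4d:5e; return lower-case colon form."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(o.lower() for o in octets)


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set: address set by software, not the factory."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac):
    """True when the I/G bit (0x01 of the first octet) is set; never a valid client source address."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x01)


def parse_leases(text):
    """Return a list of {ts, ip, mac, host} dicts, skipping lines that do not match."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            lease = m.groupdict()
            lease["mac"] = normalise_mac(lease["mac"])
            leases.append(lease)
    return leases


def find_duplicate_macs(leases):
    """MACs seen with more than one IP address or host name -> {mac: set of IPs}."""
    ips, hosts = defaultdict(set), defaultdict(set)
    for lease in leases:
        ips[lease["mac"]].add(lease["ip"])
        hosts[lease["mac"]].add(lease["host"])
    return {mac: ips[mac] for mac in ips if len(ips[mac]) > 1 or len(hosts[mac]) > 1}


def audit(text):
    """Run all checks over a lease log and return the findings."""
    leases = parse_leases(text)
    macs = {lease["mac"] for lease in leases}
    return {
        "duplicates": find_duplicate_macs(leases),
        "locally_administered": sorted(m for m in macs if is_locally_administered(m)),
        "multicast_sources": sorted(m for m in macs if is_multicast(m)),
    }


# Constructed sample: the laptop's MAC reappears on a second address with a
# different host name, and one client uses a locally administered address.
SAMPLE_LOG = """\
2009-03-01 20:01:12 dhcp lease 192.168.1.10 mac 00:1A:2B:3C:4D:5E host laptop1
2009-03-01 20:01:40 dhcp lease 192.168.1.11 mac 00-1a-2b-3c-4d-60 host desktop
2009-03-01 20:05:02 dhcp lease 192.168.1.23 mac 00:1a:2b:3c:4d:5e host unknown
2009-03-01 20:05:30 dhcp lease 192.168.1.12 mac 02:00:00:aa:bb:cc host media
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Where the router keeps no log, the same duplicate check can be run over its DHCP client list or ARP table taken at intervals; what matters is seeing one MAC with two simultaneous identities, which a filter alone will never show you.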
