WiFi Networking And Static IP addresses

When your computer connects to a WiFi access point, one of the first things that it normally does is to request an IP address, so it can connect to the router and / or to the other computers in the LAN. One of the earliest ways to stop intruders from connecting to your LAN, through your WiFi access point, was to restrict access by MAC address. A second way was to disable DHCP, and stop issuing IP addresses automatically.

Such a simple procedure - and so useful (or so thought those who tried it). Not so useful, thought the hackers when they would encounter a WiFi LAN, without DHCP to issue IP addressing. Part of hacking a WiFi LAN involves monitoring the packets for useful MAC addresses, and a small additional effort is then expended in extracting IP addresses. It's just radio.

If your neighbour, who just bought his first wireless computer, can't get an IP address when he connects to your otherwise open LAN, he can't access the Internet through your service. You're safe from him leeching your Internet service.

But what of his son, who hacks as a hobby? Once he gets past your MAC address filter, finding out what IP addresses are being used is trivial. He probably won't even notice that you disabled DHCP. And since he hacks, he's probably got nefarious intent, maybe leeching WiFi so he can hack a distant Internet server, using your service of course.

Maybe the FBI is targeting his activities, so he's borrowing your service. When they see his new IP address (your service), who gets blamed? Probably you.

Oh yeah - if you have DHCP disabled on your LAN, and you carry your laptop to your friend's house, how are you going to get an IP address? Are you going to manually set up an address there? Then change it back when you come home again? Have fun. What about taking it to your local hotspot, where DHCP is the only way that you can get an address?

I know who I would worry about, when I assess the dangers associated with Internet connectivity, and with WiFi networking. Static IP Addresses, when used as a security device on a WiFi LAN, are just another form of security by obscurity, plus inconvenience to you. Use WPA / WPA2, not WEP, and properly layered security, and forget about other WiFi security devices. Any hacker who can get through WPA (and that will happen one day) won't be fazed in the slightest by fixed IP addressing.

Diagnosing A WiFi Problem Requires Proper Tools

A WiFi connectivity problem can cause many symptoms - from inability to access other computers on the LAN, to lack of bandwidth when downloading files from Internet servers. But there are many factors that can cause those symptoms, and more. Diagnosing WiFi problems by observing bandwidth or connectivity symptoms is just not proper procedure.

You need the right diagnostic tools, and I start with Netstumbler, and PingPlotter.

Powerline Networking - A Cabled Network Without Ethernet Cables

When it comes to networking your home or small office, I like to say "Ethernet for security and stability, WiFi for convenience". Unfortunately, you'll occasionally have a problem where you can't run Ethernet cables, and WiFi won't do the job either. Fortunately, any building with computers, and most without, has a third possibility - one that uses cables already installed - the power cables in the walls.

Ethernet Over Power, or Powerline Networking, is pretty simple. At each location where you need a network connection, you plug an EOP bridge into the wall, and an Ethernet cable connects to that. The other end of the Ethernet cable you connect to a single computer, or to a hub, switch, or router.

There are several vendor choices for EOP bridges, and here are 3 examples.


Ethernet Over Power has its disadvantages, of which you must remain aware.
  1. They have a limited market, so you'll have fewer choices and you'll find them relatively pricey, as compared to WiFi.
  2. They are proprietary - each of the 3 choices above will only work with others in the same product line.
  3. They use the 120V power circuits, and on a typical 240V service you will have to ensure that all units are plugged in to the same 120V half of the 240V.
  4. Like WiFi, they are half duplex. All EOP devices, even if they will not network together, will still have to share the powerline signal spectrum.



Issue 1 is simple economics. More WiFi components are sold than Powerline Networking / Ethernet Over Powerline. More sales volume = more competition = lower prices = more sales volume. Look at the choices for WiFi, and compare that to EOP.

Issue 2 is unfortunate. The HDX101 and the XE102, even with both made by Netgear, will not participate in a network.
An HDX101 may coexist with HomePlug 1.0 products, but is not compatible nor interoperable with NETGEAR’s XE104, XEPS103, XE103, XE102 or WGXB102 Powerline products.


Issue 3 is a fascinating concern. In a typical domestic wiring system in the USA, you'll have a 240V service, which includes 2 hot leads providing the 240V. There will be a third lead, neutral, such that the neutral and either one of the hot leads, in combination, provides 120V. This is a 240V split service, providing 2 "legs" of 120V each.

Small appliances and light bulbs, in the USA, use 120V. With a 240V split service, half of the appliance / lighting circuits will be on one hot lead (1 "leg" of the service), and the other half on the other leg, providing a balanced load. When you set up your EOP bridges, they will all have to be on the same 120V leg, or there will be no signal between the bridges.

Essentially, you could (unreliably) have two EOP broadcast domains. All EOP devices on one leg will irregularly receive signals from the EOP devices on the other leg. When you turn on your kitchen stove, or other 240V appliance, you may get signals from one leg to the other; at other times, both legs will be isolated. If you don't plan for this to happen, you will learn it the hard way.

To identify which legs your prospective EOP bridge locations are on, examine your circuit breaker box. First, identify the breaker servicing each location. Verify the proper breaker, by plugging a lamp into the outlet, flipping the breaker, and watching the lamp go off then on. Having verified the breakers, examine their relative locations. Most breaker boxes will have the breakers arranged in two vertical columns, with alternating rows of breaker slots on different legs.

If you have two breakers vertically adjacent (in either column), it's likely that the two circuits will be on different legs. With breakers separated by 1 breaker slot, they will be on the same leg. With breakers separated by 2 breaker slots, they will be on different legs. And so on.

Note that two breakers, separated by a double width breaker (240V circuit, occupying 2 slots), will still be on opposite legs. Two slots (one double width breaker) is the same as two slots (two single width breakers); and the two breakers on opposite sides of the two slots will be on different legs.

Issue 4 is similar to WiFi. All EOP devices on the same service will have to asynchronously share the powerline signal spectrum, regardless of product line, and only one device can transmit at any time. The more EOP devices you have, the less efficient your powerline network will be. Despite different product lines being incompatible with each other, they all still have to share the powerline spectrum, as peers.

Despite the above problems, though, Powerline networking is a good solution when you can't run Ethernet cables, and when you can't get a WiFi signal to reach.

Note that EOP, for computer networking, is a relatively new technology. X-10 Remote Control Appliances / Lighting, which also sends signals over the AC power grid, is not. The problem of signal propagation on a 240V split service has been a long time problem for X-10 owners. There may be X-10 solutions that are usable in EOP scenarios. It's also likely that EOP and X-10 may be incompatible, on the same service or in the same neighbourhood. X-10 also makes remote (wireless) stereo speaker systems, which may present the same challenge.

Bots And You #2

Computers controlled by somebody who is not their legal or physical owner, aka "bots" or "zombies", have been a known fact of life on the Internet for several years. Successful hackers, though, don't bother with individual computers; they control armies of botted computers, each numbering in the thousands.

One of the defenses against bots is the use of CAPTCHAs, or puzzles that "humans can solve, but computers can't". If you use the Internet much at all, you've seen, and solved, more than one. Unfortunately, CAPTCHAs are easily solved by scripts and online users. The people who produce web products like email, online forums, and blogging platforms may not yet realise that detail, however.

This is not an academic issue, it's commercial, and it's very real. Here are the specifications for a commercial product used to manage attacks against online forums, and place spam posts there. I've viewed an online movie which showed XRumer in action (movie since removed), and my computers haven't been attacked, but I would still visit that web site only from a computer carefully protected with a good layered security strategy.


Let's "make a new project".



Having set up the content and style of the attack, let's see what it will look like when placed in a typical forum.



Posting to multiple forums, simultaneously, is the key here. We need the ability to determine how many forums to attack, simultaneously. Here, we see hundreds of forums under attack.



Here we have a very matter of fact demonstration of how useless captchas are. Note the log entries "captcha recognized", showing that the forums in use asked for captcha entries, which were simply resolved by the XRumer script. Not even worthy of a feature balloon in the demo.



This product, XRumer (note "Version 3.0"), appears to be a Windows XP application. It's well designed, with plenty of features that make it persistent, robust, and versatile. It's apparently designed for placing spam posts into online forums. Note that the demo doesn't show us any detail about posting into any one forum, it simply shows the spam posts being placed to the forums. This is simply an advertising demo, for a mature and probably popular product.

And the individual forum postings are being processed, simultaneously, by bots. Presumably "one thread" = "one bot". Note the URL: www.botmaster.net.

I have no doubt that similar products are marketed, to generate and deliver spam through email, to register and generate splog farms in the Blogger world, and even to send comment spam to blogs and web sites. Note that this demo is several years old - surely shinier, more robust, and more versatile products are available today. And just as surely as "Coca-Cola" has a competitor "Pepsi-Cola" (with neither outshining the other for very long), "XRumer" has competitors too.

This is why you see spam in online forums, spam in your email box, and spam blogs on the Internet. It's a commercial process, with automated tools.

New Equipment In Your LAN

Every week, someone writes for advice:

"I just got a new router, and now I can't access my computers from each other."

or

"I just got a new router, and none of my computers can access the Internet."

Frequently, the cause of these problems will fall in two categories - new features, and settings.

New Features
Many new, and high end, routers come with protection that emphasises Internet access, and makes file sharing an optional activity, to protect the individual computers from each other. Look carefully in the Owner's Manual, for a "DMZ", "Isolation Mode", "Virtual Server", or "VLAN" setting - either on a single port, or affecting the entire LAN.

And if you are setting up a WiFi router, make sure that the radio is turned on. Some WiFi equipment is delivered with the radio turned off, to ensure that you will intentionally activate it, and be prepared for when this is done.

Settings
Any time that I was changing my network equipment, I would take a snapshot of all network settings from all computers. You can never tell when this might be a life saver. Logs from "browstat status", "ipconfig /all", "net config server", and "net config workstation" could all be useful when troubleshooting. Make a set before, and after, any change. Compare each, line by line, and if you spot any differences, explain or fix them before continuing.

If you're having trouble accessing the Internet, check to see if your computers are using manual assignments. New equipment will probably include an IP address change for the router - some vendors provide a default LAN on 192.168.0.0/24, others 192.168.1.0/24, and others have additional variations. Maybe the router handles DNS differently too.

If you're having trouble with Windows Networking, either an Error 5 aka "Access Denied" or an Error 53 aka "Name not Found" may be seen, or you may simply not see any computers in Network Neighbourhood. If this is the problem, check the security components on the computers - since a new router will probably result in a new subnet address, check personal firewalls and anti-worm programs, for settings that are IP address sensitive.
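The before / after comparison described above can be scripted. The following is an added example, not part of the original post: it parses two "ipconfig /all" snapshots, lists every setting that changed, and flags adapters with a manual address whose gateway is no longer on their own subnet. The snapshot text is constructed, and the field labels are assumptions that vary between Windows versions.

```python
import ipaddress
import re

# Constructed "ipconfig /all" excerpt (not captured from a real machine).
BEFORE = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
"""
# Constructed "after": gateway and DNS now point at a new router on 192.168.1.0/24.
AFTER = BEFORE.replace(": 192.168.0.1", ": 192.168.1.1")

def parse(text):
    """Return {adapter: {setting: value}}; continuation lines are skipped."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip(" :"), {})
        elif current is not None:
            m = re.match(r"\s+(.+?)[ .]+:\s*(.*)$", line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return adapters

def diff(before, after):
    """List (adapter, setting, old, new) for every value that differs."""
    changes = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, {}), after.get(name, {})
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                changes.append((name, key, old.get(key), new.get(key)))
    return changes

def stranded_static(adapters):
    """Adapters with a manual address whose gateway is outside their own subnet."""
    bad = []
    for name, s in adapters.items():
        if s.get("DHCP Enabled") == "No" and s.get("Default Gateway"):
            net = ipaddress.ip_network(f'{s["IP Address"]}/{s["Subnet Mask"]}', strict=False)
            if ipaddress.ip_address(s["Default Gateway"]) not in net:
                bad.append(name)
    return bad

if __name__ == "__main__":
    print(diff(parse(BEFORE), parse(AFTER)), stranded_static(parse(AFTER)))
```

In practice the two inputs would be saved output files, one taken before the equipment change and one after.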

If All Else Fails
Get into Troubleshooting Internet Connectivity, or into Troubleshooting Network Neighbourhood, depending upon the problem being observed.

And of course, make sure that the new router has the current firmware, obtained from the vendor.

MAC Address Filtering

The Media Access Control, or MAC, Address is one of the most universally present identity features in computer networking. Whether your computer uses Internet Protocol (the default and preferred protocol) or IPX/SPX or NetBEUI (possible alternates), as its Layer 3/4 transport, each networking device on your computer will have a MAC Address. Some devices will even have 2 MAC addresses, and here's where a problem starts. Besides the Universally Administered Address (UAA), which is assigned to a network device when it is assembled at the factory, some devices will be assigned a Locally Administered Address (LAA) by the network administrators, when a network is being set up.

Setting up an LAA is trivial in nature. The hard part is deciding what address to use. Once you decide that, just run the Network Adapter Settings Wizard. Depending upon the vendor, the ability to assign an LAA will be somewhere in the wizard. For 3Com, for instance, the Advanced tab will have a value "Network Address". Type in the LAA that you wish to use on the adapter in question, hit the OK buttons a couple times, and you're good to go.

If you change the MAC address of the WAN connection on your NAT router, you're setting an LAA there.

One of the most common security selections, when you set up a router, is the ability to filter by client MAC address, and permit network access to a select few addresses. Like hiding the SSID beacon, filtering by MAC address is just another form of security by obscurity. It's similar in effect to disabling DHCP, and manually issuing IP addresses to all computers.

An attacker who is interested in connecting to your WiFi network has only to learn the MAC address of a device on your network, and assign the observed address. As described above, assigning an address is a trivial exercise; and learning an address is the same. Learning an address is simply a prerequisite in interesting exercises such as a Man In The Middle attack, or WEP cracking.

The bottom line? MAC address filtering is probably the lamest form of WiFi security that you can try. It's easy to do, but easy to bypass too.
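The UAA / LAA distinction above is carried in the address itself: bit 0x02 of the first octet is set on a locally administered address. The following is an added example, not part of the original post, that audits a router's client table against a MAC filter allowlist. The allowlist, the observed (MAC, IP) pairs and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

def normalise(mac):
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, i.e. an LAA."""
    return bool(int(normalise(mac)[:2], 16) & 0x02)

def audit(allowlist, observed):
    """observed: (mac, ip) pairs from a router client table. Returns findings."""
    allowed = {normalise(m) for m in allowlist}
    ips = defaultdict(set)
    for mac, ip in observed:
        ips[normalise(mac)].add(ip)
    findings = []
    for mac in sorted(ips):
        if mac not in allowed:
            findings.append((mac, "not on allowlist"))
        if is_locally_administered(mac):
            findings.append((mac, "locally administered (LAA)"))
        if len(ips[mac]) > 1:
            # Heuristic only: one MAC at several IPs can be a clone or a re-addressed host.
            findings.append((mac, "seen at multiple IPs"))
    return findings

# Constructed sample data.
ALLOWLIST = ["00-11-22-33-44-55", "00:11:22:33:44:66"]
OBSERVED = [("00:11:22:33:44:55", "192.168.1.10"),
            ("0011.2233.4455", "192.168.1.23"),
            ("02:00:00:aa:bb:cc", "192.168.1.40"),
            ("00:11:22:33:44:66", "192.168.1.11")]

if __name__ == "__main__":
    for mac, reason in audit(ALLOWLIST, OBSERVED):
        print(mac, reason)
```

A clear U/L bit proves nothing about origin, since a copied UAA keeps the same value and passes the filter unchanged; a set bit is not proof of tampering either, because current phones and laptops often randomise their WiFi MAC, which also sets it.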
