- How to? WiFi access passing only HTTP & DHCP
- Posted by Joker7 on October 4th, 2006
"Peter" <z123@nospam.com> wrote in message
news:0ek6i29jsshq14o8iidk6f9tiauc76otb8@4ax.com...
: Hi All
:
: I have a standard home network, comprising of a Draytek 2900Gi wifi
: router, a few PCs, etc.
:
: All the PCs need to be able to see each other via windows networking,
: and this works fine.
:
: I would like to add a wifi access point to the network which passes
: only HTTP/HTTPS, plus DHCP.
:
: The reason for this is that my teenage son has a laptop which is
: infected with various viruses. But he won't let anybody touch it.
: Obviously I could just block his wifi access but I probably won't see
: him again if I do that...
:
: It "should" be OK because he doesn't have an admin-level login into
: any of the other computers, so any virus should not be able to login,
: but this is assuming windoze networking is totally secure.
:
: He does have a non-admin login into one of the machines, on which I
: also have an admin account, so if that machine got infected and then I
: logged in, the virus could spread from there. However, that machine is
: running current Kaspersky AV, which is something I suppose.
:
: So I think the best thing is for him to have HTTP-only access on the
: wifi and then his laptop can have whatever viruses. Eventually it will
: get totally trashed and he will have learnt a lesson about downloading
: every piece of software he finds on the internet.
:
: I have some spare routers, but the problem with all the consumer
: routers on the market is that their ethernet ports are on the same net
: as their wifi ports. I need something which will implement the packet
: filtering *between* a wifi port and an ethernet port.
:
: I'd be grateful for any suggestions.
1/ Fixed IP, then control access from the router.
2/ Stand up to the kid; you are the parent. Sort the laptop or no
internet, this is what a good parent would do.
Chris
--
Cheap As Chips Broadband http://yeah.kick-butt.co.uk
Superb hosting & domain name deals http://host.kick-butt.co.uk
- Posted by Joker7 on October 4th, 2006
"Peter" <z123@nospam.com> wrote in message
news:at37i215eg9a0vbfpv45tfhl5urhp4pqdd@4ax.com...
:
: "Joker7" <sat_ring@hotmail.com> wrote:
:
: >Fixed IP then control access from the route..
:
: How does a fixed IP help? It avoids the need for DHCP but I can't
: limit the packets to HTTP/HTTPS only on the wireless part of any
: consumer router I know of.
:
: As usual with these products, one cannot control access from this
: router for *only* the wifi portion.
:
: I take on board the stuff about parenting but I can deal with that.
: The problem is that you can't physically prevent a tech savvy kid
: doing naughty things, just like you cannot prevent your cat going next
: door. One can withhold internet access but that's not really the
: solution. Kids push boundaries, go to website URLs that spread around
: the school as being "naughty" and they are always just one click away
: from a website that tries to infect your PC.
:
You have a very good router; take the time to read the manual.
NAT Security
SPI Firewall
UPnP Support
URL Filtering (Parental control)
Built-in Print Server
Block sites by keywords
ISDN Failover
Can block Java, Active X code & cookies
Chris
--
Cheap As Chips Broadband http://yeah.kick-butt.co.uk
Superb hosting & domain name deals http://host.kick-butt.co.uk
- Posted by Alastair on October 4th, 2006
"Peter" <z123@nospam.com> wrote in message
news:at37i215eg9a0vbfpv45tfhl5urhp4pqdd@4ax.com...
If you use static IPs then you can allow full access for only your PCs
and limited access for other IPs. As all WiFi IPs will fall into the
"other" category this effectively restricts WiFi access.
- Posted by Joker7 on October 4th, 2006
"Peter" <z123@nospam.com> wrote in message
news:4r87i214o5bnelsq4behmn8jmfej3t7ktf@4ax.com...
:
: "Alastair" <email@address.invalid> wrote:
:
: >If you use static IPs then you can allow full access for only your PCs
: >and limited access for other IPs. As all WiFi IPs will fall into the
: >"other" category this effectively restricts WiFi access.
: >
:
: You must mean something like this:
:
: Set the DHCP server to start at 192.168.1.100 with a blocksize of 10
Blocksize 1.
Then allow ports 80 and 443 only for this range.
:
: Set the desktop PCs (connected via ethernet) to use fixed IPs which
: are outside that range, e.g.
:
: 192.168.1.50
: 192.168.1.51
: etc
:
Apply rules to each fixed IP
: Then put in an IP filter on 192.168.1.100 to 192.168.1.109 which
: allows Port 80 and 443 only
:
: ?
:
: It will be OK until he works out that a fixed IP will give him full
: access. Also any trojan will scan the whole subnet anyway.
No, as you will only allow access from named PCs (IPs).
:
: The problem with this is that any wifi computer that wants full access
: will have to use a fixed IP, so it will have to be reconfigured (in
: Network Connections) when used elsewhere.
Only if it needs to connect to the network elsewhere
:
: I am happy to install a separate wifi router or access point for this
: "suspect" laptop.
:
- Posted by Paul Eagles on October 4th, 2006
You may want to consider allowing port 53 too or he'll have no DNS
resolution. Also I assume he'll not be sending or receiving any emails
from a client on his laptop.
I don't think setting up ACLs on an AP is the right way to do it - that
isn't what APs are for anyway. If you've got a spare router (which I
think you mentioned you had), then why not plug a cable between one of
the LAN ports on your main router and the WAN port on this other router.
Set up this second router to use the IP of the main router as its
default gateway, then set up the firewall rules on the second router to
only allow the outbound ports you've specified.
~P.
- Posted by NoNeedToKnow on October 5th, 2006
On 04 Oct 2006, z123@nospam.com (Peter) wrote:
I'd have thought a cheap 'broadband' router (i.e. not one with an ADSL modem)
linked to your LAN in NAT mode would do the trick. Your 'safe' LAN would
be connected to the LAN side, and the WAN port connected (on some other IP
range) to the wireless access point (cheap one is a tenner, giving 11 Mbps
max) then make the router pass port 80 and port 443 (and port 53 for DNS
lookups) to the router connected to Zen.
Everything else will be dropped rather than coming into your 'safe' LAN,
so it also blocks any other traffic his PC might send out from going to
Zen (if a DMZ was to be used). I'd do a diagram for you if it helps,
and if you have some spare routers (with LAN/WAN RJ45 connections)
you may be able to get your kit set up to do it quite quickly.
DHCP would only be used at the wireless access point to allocate him an IP
and it wouldn't matter what IP he had, the NAT function of the intermediate
router would only pass valid traffic (ports 53, 80, and 443) to Zen and not to any
other PC within your 'safe' LAN, unless some PC from your LAN initiated
a connection to his laptop... (bit difficult if you don't know IP, so
configure the wireless access point to DHCP and set a pool of "1" !)
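The two-router layout that Paul Eagles and NoNeedToKnow describe (AP on the WAN port of a spare router, safe LAN on its LAN port, only web and DNS forwarded upstream) can be written down as a forwarding policy and checked before touching any kit. The model below is an added example and not code from any poster or from any router vendor; the address ranges (192.168.2.0/24 for the AP side, 192.168.1.0/24 for the safe LAN, 192.168.1.1 for the main router) are assumed for illustration. It models only the forward/drop decision of the intermediate router, not the NAT address rewriting, and it includes the edge case NoNeedToKnow raises: a connection that a safe-LAN PC opens towards the laptop, whose replies have to be let back through.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical addressing for the two-router layout described in the thread.
WIFI_NET = ipaddress.ip_network("192.168.2.0/24")   # AP side, on the intermediate router's WAN port
SAFE_LAN = ipaddress.ip_network("192.168.1.0/24")   # existing home LAN, on its LAN port
MAIN_ROUTER = ipaddress.ip_address("192.168.1.1")   # main router: gateway to the ISP and DNS forwarder

# Outbound services the laptop may reach: web, plus DNS on 53 (Paul Eagles' point).
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


class IntermediateRouter:
    """Forwarding policy of the router sitting between the AP and the safe LAN."""

    def __init__(self):
        # 5-tuples of connections the safe LAN opened towards the laptop;
        # only their replies are allowed back into the safe LAN.
        self.lan_initiated = set()

    def decide(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # Safe-LAN host deliberately contacting the laptop: allow and remember it.
        if src in SAFE_LAN and dst in WIFI_NET:
            self.lan_initiated.add(fwd)
            return "ACCEPT"

        if src in WIFI_NET:
            # Reply to a connection the safe LAN opened first.
            if rev in self.lan_initiated:
                return "ACCEPT"
            # Never into the safe LAN on its own initiative, whatever the port.
            if dst in SAFE_LAN and dst != MAIN_ROUTER:
                return "DROP"
            # Upstream (Internet, or the main router for DNS): only the allowed ports.
            if (pkt.proto, pkt.dport) in ALLOWED_OUTBOUND:
                return "ACCEPT"
            return "DROP"

        return "DROP"   # anything else is not this router's business


def demo():
    """Constructed traffic illustrating each branch of the policy; returns (label, verdict) pairs."""
    r = IntermediateRouter()
    laptop, lan_pc = "192.168.2.100", "192.168.1.50"
    cases = [
        ("laptop -> web, tcp/80", Packet(laptop, "203.0.113.10", "tcp", 50000, 80)),
        ("laptop -> smtp, tcp/25", Packet(laptop, "203.0.113.10", "tcp", 50001, 25)),
        ("laptop -> DNS on main router, udp/53", Packet(laptop, str(MAIN_ROUTER), "udp", 50002, 53)),
        ("laptop -> safe-LAN PC on tcp/80", Packet(laptop, lan_pc, "tcp", 50003, 80)),
        ("laptop -> safe-LAN PC on tcp/445", Packet(laptop, lan_pc, "tcp", 50004, 445)),
        ("laptop reply before any LAN request", Packet(laptop, lan_pc, "tcp", 8080, 50005)),
        ("safe-LAN PC -> laptop tcp/8080", Packet(lan_pc, laptop, "tcp", 50005, 8080)),
        ("laptop reply to that request", Packet(laptop, lan_pc, "tcp", 8080, 50005)),
    ]
    return [(label, r.decide(p)) for label, p in cases]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{verdict:6} {label}")
```

The state set is the part that distinguishes this from the static-IP idea earlier in the thread: the laptop gets the same verdict whatever address DHCP hands it, because the decision keys on the subnet and on who opened the connection, not on a fixed IP.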
- Posted by NoNeedToKnow on October 5th, 2006
On 05 Oct 2006, Peter <z123@nospam.com> wrote:
Is wireless the only option available to link his laptop in? I have a
cheap router (Ebay : under a fiver including an RJ45 and delivery) to be
able to plug the WAN port into a hub connecting an access point to my old
ISDN router (not connected to anything else) to see if someone would try
to break into that segment (but still unable to reach my 'safe' LAN :-)
- Posted by Gareth Halfacree on October 9th, 2006
Peter wrote:
Unless you have a nice packet analysis system you won't be blocking any
particular type of traffic - just the common ports. Let's take HTTP for
example - that's port 80. If I want to run a mailserver on port 80
there is *nothing* stopping me doing so.
If port 25 is blocked, the trojan will use an open port instead. This
is how many students get around filtering systems designed to prevent
instant messenger programs from working - connect via port 80 to a proxy
machine which then forwards the request on port #whatever to the chat
server. Unless your filtering system is doing packet inspection it
won't see anything odd.
So, allowing only HTTP/HTTPS/DNS will not prevent anything from doing
anything. At best, it'll stop the most basic of e-mail worms from
distributing themselves. Even assuming that the particular nasties on
your son's PC are of the "duuuuuh, I can't find port 25. I'll give up."
variety it *certainly* won't stop him logging into Hotmail and sending a
quick "lollz! lookit nude screensaver attached! omg lolz!" with a nice
.SCR attached (infected with the virus-du-jour, naturellement).
There are large numbers of white papers and research articles detailing
how self-replicating worms do their dirty work these days - perhaps you
should read a few? That'll give you an up-to-date background on this
topic, rather than relying on people in newsgroups to spoonfeed you.
--
Gareth Halfacree
http://gareth.halfacree.co.uk
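Gareth's point that a port number says nothing about the protocol being carried can be shown with a few bytes of constructed traffic. The snippet below is an added example, not code from any poster: it compares a port-only allow-list with a check that looks at the first bytes of each flow, using small hand-written signatures for HTTP, TLS, SMTP and IRC. The sample flows and the signatures are constructed for illustration and are far from complete.

```python
import re

# Signatures (constructed for this example) matched against the first bytes of a flow.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n", re.DOTALL)),
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),   # TLS record, handshake, ClientHello
    ("smtp", re.compile(rb"^(EHLO|HELO|MAIL FROM:|220 )", re.IGNORECASE | re.DOTALL)),
    ("irc",  re.compile(rb"^(NICK|USER|JOIN|PRIVMSG) ", re.IGNORECASE | re.DOTALL)),
]

# What a filter that understands protocols would expect to see on each allowed port.
# Port 53 has no entry here: this toy does not parse DNS, so it is passed on port alone.
PORT_EXPECTATION = {80: "http", 443: "tls", 25: "smtp"}


def identify_payload(payload):
    """Guess the application protocol from the first bytes of a flow."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"


def port_only_decision(dport, allowed=(53, 80, 443)):
    """The kind of rule a consumer router applies: destination port, nothing else."""
    return "ACCEPT" if dport in allowed else "DROP"


def inspecting_decision(dport, payload, allowed=(53, 80, 443)):
    """Port allow-list plus a check that the payload matches the port's protocol."""
    if dport not in allowed:
        return ("DROP", "port not in allow-list")
    seen = identify_payload(payload)
    expected = PORT_EXPECTATION.get(dport)
    if expected is not None and seen != expected:
        return ("DROP", f"port {dport} expects {expected}, payload looks like {seen}")
    return ("ACCEPT", f"payload looks like {seen}")


# Constructed flows: (label, destination port, first bytes sent by the laptop).
SAMPLE_FLOWS = [
    ("http on port 80",  80,  b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("smtp on port 80",  80,  b"EHLO laptop.local\r\n"),
    ("irc on port 80",   80,  b"NICK bot1234\r\nUSER bot 0 * :bot\r\n"),
    ("smtp on port 25",  25,  b"EHLO laptop.local\r\n"),
    ("tls on port 443",  443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]


def compare_decisions(flows=SAMPLE_FLOWS):
    """Return (label, port-only verdict, inspecting verdict) for each flow."""
    return [(label, port_only_decision(port), inspecting_decision(port, payload)[0])
            for label, port, payload in flows]


if __name__ == "__main__":
    for label, by_port, by_payload in compare_decisions():
        print(f"{label:18} port-only={by_port:6} inspecting={by_payload}")
```

The second and third rows are the ones that matter: mail and IRC traffic sent to port 80 sails through the port-only rule and is caught only by looking at the payload. Even that check has the limit Gareth describes next: traffic wrapped inside genuine HTTP requests to a proxy looks like HTTP to these signatures, so payload inspection narrows the gap rather than closing it.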
- Posted by Gareth Halfacree on October 9th, 2006
Peter wrote:
Google 'zombie networks'. There is no shortage of compromised machines
which can accept commands via IRC to install and configure a proxy doing
anything on any port. The chances are your son's laptop is one of them.
I'm afraid that didn't make any sense. A damn sight more home users use
a webmail system than business users.
For an example of how a worm can spread via port 80 (and please bear in
mind this is simply one example of one worm spreading in one way), see
<http://www.theregister.co.uk/2006/06/12/javscript_worm_targets_yahoo/>.
The Register ran a story a number of years ago (which, I am sorry to
say, I am unable to immediately find for your edification) detailing how
spammers were automating webmail signups by setting up shell websites
offering free pornography - all the user had to do was complete a short
form and type the numbers that appear in the box... The numbers were,
of course, loaded from Yahoo!'s website - when the victim entered the
code, the numbers were relayed back to Yahoo! and the spammer had a nice
new Yahoo! Mail box. Completely automated.
Neither are e-mail worms the only form of malware out there. Every
posting your son makes to an internet message board could come with
'nakedchiqs.scr' attached. Every e-mail sent via Hotmail or Yahoo!
could be similarly afflicted. Every time he types in his passwords or
(heaven forfend!) your credit card details a keylogger could be
recording his every keystroke and sending it back to an undesirable
entity (via port 80, no less). Every floppy disk (or, to update this a
trifle, pen drive or memory card) he inserts could leave his system with
'real_paris_hilton_xxx.exe'. Every website he visits could be the
target of an unrequested security audit (and before you harp on about
port blocking, such things as cross-site scripting attacks operate
*entirely* via a standard HTTP request on port 80). This is to say
nothing of Distributed Denial of Service attacks perpetrated by a virus
connecting to a particular website via port 80 thousands of times per
second (times thousands of computers).
Fix it.
--
Gareth Halfacree
http://gareth.halfacree.co.uk