Christopher Theunissen




Introduction

Welcome to my Networking Guide.

Wireless

    Background

    The following are a good introduction to the wireless standards:

    Concerns

    • A Southwestern Bell FF888 cordless telephone is in use in my home, which may cause interference. I phoned the supplier in Leamington to find out which channels it operates on and only managed to get a rather useless reply of "31-39 MHz in 1 MHz increments". The wireless access point is set to use channel 11, which doesn't seem to be affected by the telephone anyway.

    The Router

    • The router supports a dynamic DNS service, but unfortunately only http://www.dyndns.com, which charges $25 a year. I use http://www.zoneedit.com, which is free for up to five domains, but isn't supported by this router, so I will just have to watch out for a change in my IP address and manually change its entry using zoneedit. TODO See if there is a way I can monitor my WAN IP address from the Web Server and automatically update zoneedit.
    • requirements
      • DSL, cable and ADSL compatible - ethernet WAN port
      • four or six 10/100 full-duplex switch ports
      • flash BIOS upgradable
        • especially considering the introduction of Wi-Fi Protected Access (WPA) in the ratified standard
      • MAC address filter
      • IP address filter
      • ability to disable SSID broadcast
      • web server support (port forwarding)
        • port ranges
        • custom ports
      • No need for multi-NAT, as we only have one IP address anyway
      • downloadable log
      • DHCP support with static IP address allocated to specific MAC addresses, so PCs always have the same IP address, which is especially important when doing port forwarding.
      • dynamic DNS support
    • Decision
      • I decided the Netgear WGR614 (Broadband Gateway, Router, Four Port Switch and 802.11g 54Mbps Wireless Access Point), along with two Netgear WG511 (802.11g 54Mbps PCMCIA PC Card)s, would fulfill all of the above requirements. This combination had outperformed any of the other 802.11g products on the CNet web site.
    • security
      • Change the default SSID to something that does not give away any personally identifiable information.
      • Disable SSID broadcasts so the network is not advertised. Note that this only hides it from casual users: the SSID is still sent in the clear in probe and association frames, so anyone with a wireless sniffer can recover it.
      • Change the default password for the Administrator account.
      • Enable MAC address filtering. As with hidden SSIDs, this is a hurdle for casual users rather than a security control, since the MAC addresses of associated clients appear in every frame and can be cloned.
      • Change the SSID periodically. This achieves little on its own, as the SSID is not a secret.
      • Enable WEP 128-bit encryption. Please note that this will reduce your network performance. WEP of any key length has since been shown to be breakable by passive eavesdropping, so if the router and cards support WPA (see the firmware requirement above), use that instead.
      • Change the WEP encryption keys periodically. This limits how long a recovered key is useful, but does not stop it being recovered.
    • Configuration:
      • Port Forwarding
        Description  Port  IP Address
        HTTP         80    192.168.0.2
        NetMeeting   1503  192.168.0.2
        NetMeeting   1720  192.168.0.2
      • disable LMHOSTS
      • WAN
        • allow the router to respond to ping (ICMP echo requests)
          • Some ISPs periodically ping your IP address to see whether you are still connected, so if your router doesn't respond you may end up being disconnected. This is the real reason to enable it.
          • Responding to echo requests is not needed for sites to work out the MTU: path MTU discovery relies on ICMP "fragmentation needed" messages, not on echo replies. Bear in mind that answering pings also tells anyone scanning the address range that a host is there.
        • change web management port to 8080
        • Turned off UPnP (Universal Plug and Play), as my operating system (Windows 2000) doesn't support it. If supported, this option allows applications to set the router's port forwarding automatically; for example, NetMeeting will set the router to forward ports 1503 and 1720. Apparently, only Windows XP onwards supports it. Note that UPnP accepts such requests from any program on the LAN without authentication, so leaving it off and forwarding ports by hand (as above) is the safer default even where the operating system supports it.
      • wireless settings
        • SSID: withheld
        • Region: Europe
        • Channel: 11
          • If another wireless access point appears in the area using the same channel, then change it to 6 or 1.
          • Stick to 1, 6 or 11, as the channels in between overlap and cause interference.
        • Mode: g only
          • This may speed up the handshaking, as it only searches for 802.11g devices, and it stops 802.11b clients slowing the whole network down.
          • It is not a security measure, though: any 802.11g card can still associate, and 802.11g devices are no longer rare.
        • Wireless Access Point: enabled
        • Wireless Access MAC List: enabled and withheld
        • Authentication Type: Open System
          • Ironically, Shared Key is the weaker choice. The access point sends the client a 128-byte challenge in plain text and the client returns it WEP-encrypted under the same key as the data traffic. Anyone listening therefore has both the before and after text for one IV; XORing the two yields the RC4 keystream for that IV, which is enough to answer any later challenge and to decrypt or inject frames under that IV, all without learning the key itself (it also hands a known-plaintext sample to attacks on the key). Open System simply skips the challenge; clients without the WEP key still cannot exchange data. So use Open System, rely on WEP for the data frames, and treat the disabled SSID broadcast and the MAC access list as minor extra hurdles rather than as access control.
        • WEP Encryption
          • I initially set this to 64-bit, as I thought it would be faster than 128-bit, but it turns out to be slower. I performed the test using a 24 MB file on my web server (Matrix 2 - Reloaded Superbowl Trailer.mov) and downloaded it onto my laptop, positioned near the wireless access point so the signal strength was 100% and the speed 54 Mbps. When the file finished downloading, the dialog displayed the average speed in KBps (kilobytes per second), which can be converted to Mbps (megabits per second) by multiplying by 8 and dividing by 1024.
          • The results were as follows:
            WEP Result 1 Result 2 Result 3 Average
            None 739 KBps 739 KBps 739 KBps 739 KBps (5.773 Mbps)
            64 bit 659 KBps 642 KBps 697 KBps 666 KBps (5.203 Mbps)
            128 bit 677 KBps 677 KBps 697 KBps 683 KBps (5.336 Mbps)
          • Conclusion: WEP does cost throughput. The measured difference between 64-bit and 128-bit (666 vs 683 KBps on average) is smaller than the spread between individual runs (642 to 697 KBps), so don't expect 128-bit to cost anything over 64-bit; it is the stronger of the two, so use it. Bear in mind that WEP itself has since been broken regardless of key length, so WPA is the real fix wherever the router and cards support it.
      • Email
        • turn email notification on
        • outgoing email server: withheld
        • send to this email address: withheld
        • send logs according to this schedule: when log fills up
      • check the security
      • test speed
      • Client configuration setup
        • reconfigured the network so it uses
          • TCP/IP
            • Obtain IP address automatically (DHCP)
            • Obtain DNS addresses automatically
            • Enable NetBIOS over TCP/IP
            • Disable LMHOSTS
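The Shared Key weakness described under Authentication Type above (and again under Lessons Learnt below) is easy to see in code. The following is an added example written for this page, not code from the original or from Netgear: it models a toy access point running 802.11 Shared Key authentication over WEP (RC4 keyed with IV || key, CRC-32 ICV), lets an eavesdropper XOR the plaintext challenge with the encrypted response to recover the keystream for that IV, and then uses that keystream to pass a fresh authentication without ever holding the key. The key, IV and challenges are constructed values.

```python
import os
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key, payload || ICV)."""
    return iv + rc4(iv + key, payload + icv(payload))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the payload if the ICV checks out, else None."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    payload, tag = plain[:-4], plain[-4:]
    return payload if icv(payload) == tag else None


class SharedKeyAccessPoint:
    """Minimal model of the AP side of 802.11 Shared Key authentication."""

    def __init__(self, key: bytes):
        self.key = key
        self.challenge = b""

    def send_challenge(self) -> bytes:
        self.challenge = os.urandom(128)  # 128-byte challenge, sent in the clear
        return self.challenge

    def verify(self, response_frame: bytes) -> bool:
        return wep_decrypt(self.key, response_frame) == self.challenge


def client_response(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """What a legitimate client sends back: the challenge WEP-encrypted under the data key."""
    return wep_encrypt(key, iv, challenge)


def recover_keystream(challenge: bytes, response_frame: bytes):
    """Eavesdropper: (challenge || ICV) XOR ciphertext = the RC4 keystream for that IV."""
    iv, body = response_frame[:3], response_frame[3:]
    known_plain = challenge + icv(challenge)
    return iv, bytes(p ^ c for p, c in zip(known_plain, body))


def forge_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    """Attacker answers a fresh challenge by reusing the recovered keystream under the same IV."""
    plain = challenge + icv(challenge)
    return iv + bytes(p ^ k for p, k in zip(plain, keystream))


def demo(key: bytes = bytes(range(13)), iv: bytes = b"\x42\x42\x42") -> dict:
    """One legitimate authentication, then one forged authentication without the key.
    The 104-bit key and the IV are constructed values for the example."""
    ap = SharedKeyAccessPoint(key)

    # 1. A legitimate client authenticates; the attacker records both frames.
    challenge_1 = ap.send_challenge()
    response_1 = client_response(key, iv, challenge_1)
    legit_ok = ap.verify(response_1)

    # 2. The attacker derives the keystream for this IV from the observed pair.
    seen_iv, keystream = recover_keystream(challenge_1, response_1)

    # 3. The attacker asks for a new challenge and answers it without the key.
    challenge_2 = ap.send_challenge()
    forged_ok = ap.verify(forge_response(seen_iv, keystream, challenge_2))

    # 4. The same forgery under a different IV fails: the keystream is bound to the IV.
    other_iv_ok = ap.verify(forge_response(b"\x00\x00\x01", keystream, challenge_2))

    return {
        "legit_ok": legit_ok,
        "forged_ok": forged_ok,
        "other_iv_ok": other_iv_ok,
        "keystream_matches": keystream == rc4(seen_iv + key, bytes(132)),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the four results. The forgery only works under the IV the keystream was captured for, which is why WEP's 24-bit IV space is so small a comfort, and why Open System (which simply omits the challenge) is the lesser evil even though WEP itself remains weak.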

    Lessons Learnt

    • Reserve a fixed IP address in the router's DHCP server for the MAC address of each PC's network card, especially for laptops that hibernate, otherwise you risk the same IP address being allocated to more than one network card. This problem resulted in laptops disappearing from the network neighbourhood. Reservations also keep the port-forwarding rules pointing at the right machine.
    • Especially important is the paradoxical use of Open System instead of Shared Key for the Authentication Type. Shared Key challenges a client with plain text and verifies that it has been encrypted correctly, so anyone listening obtains the RC4 keystream for that IV (plain text XOR cipher text) and can pass the same authentication without the key; as the same key is used for data, this also hands an attacker known plaintext to work on. This was highlighted at http://www.arstechnica.com/paedia/w/wireless/security-5.html
    • Set WEP encryption to 128-bit, as speed tests show it is no slower than 64-bit. I did the tests by hosting the 24 MB "Matrix Reloaded" trailer on my web site and downloading it internally. The dialog that appears displays the actual download speed when it finishes.
    • Upgrade the router and wireless cards to the latest firmware to bring it up to the latest 802.11g standard.
    • ZoneAlarm
      • Add your ISP's DNS servers as trusted zones. You can determine what they are by typing ipconfig /all in a command prompt.
      • Add the IP address for localhost (127.0.0.1) as a trusted zone, which allows VNC to work.
    • If your router doesn't support automatic redial on the WAN port, but it does support automatic connect on detection of outbound internet traffic, then set up a background service to ping a web site at a set interval. A useful one would be to have a network time protocol (NTP) client poll one of the NIST Internet Time servers to set the local system time. This can easily be done on Windows 2000 or XP using the Windows Time service as follows:
      • Open up a command prompt (Start | Programs | Accessories | Command Prompt)
      • Set your system to use one of the time servers from http://boulder.nist.gov/timefreq/service/time-servers.html. I have chosen time-a.timefreq.bldrdoc.gov (NIST, Boulder, Colorado) in this example:
        • First verify it actually exists by pinging it ping time-a.timefreq.bldrdoc.gov
        • Set the system to use it: net time /setsntp:time-a.timefreq.bldrdoc.gov
        • Verify it is set correctly by querying it: net time /querysntp
      • Set your clock manually to about ten minutes ago using: time 12:55.
      • Run the w32tm service manually in verbose mode to make sure it works: w32tm -v
      • Look at the output generated to make sure the time has been set and how long it is until the next synch by looking for the text Time until next synch - . The default is 2699.96 s, which is 45 minutes. This might not be enough if you are also using this service as a means to make sure you are always connected to the internet. The interval can be specified as a start parameter of the service later (see below).
      • Set your clock manually to about ten minutes ago using: time 12:55.
      • Set the Network Time service to start automatically at startup.
        • Run Start | Settings | Control Panel | Administrative Tools | Services.
        • Double click on the Windows Time service.
        • Set the Startup type to Automatic.
        • Supply the synchronisation period as a Start parameter, which can be one of the following:
          • 0 == once a day
          • 65535 == once every 2 days
          • 65534 == once every 3 days
          • 65533 == once every week (7 days)
          • 65532 == once every 45 min until we get 3 good syncs, then once every 8 hrs (3/day)
          • 65531 == once every 45 min until we get 1 good sync, then once every day
          • Otherwise, the number of times a day you want it to synchronise. For an interval of a specified number of seconds, divide the number of seconds into the number of seconds in a day (86400). For example, if you want the service to synchronise every fifteen seconds, the parameter would be set to 86400 / 15 = 5760 as a start parameter of -period 5760.
        • Make a note of the time and click on Start.
      • Set your clock manually to about ten minutes ago.
      • Restart the computer and verify that the time is now correct.
      • Every now and then, have a look at the system logs to verify the time is being set correctly.
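The Windows Time procedure above talks to the NIST server using SNTP, and the commands hide what a client actually checks in the reply. The following is an added example written for this page (it is not the w32tm tool or any NIST code): it builds the 48-byte SNTP request, constructs the reply a server would send (standing in for time-a.timefreq.bldrdoc.gov so the example runs offline), then validates that reply and computes the clock offset and round-trip delay the way RFC 4330 describes. All timestamps are constructed values; the local clock is made 600 seconds slow.

```python
import struct

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)


def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_DELTA) << 32) | frac


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix time as a float."""
    return (ts >> 32) - NTP_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1: float) -> bytes:
    """48-byte SNTP client request: LI=0, VN=3, mode=3, transmit timestamp = t1."""
    return bytes([0x1B]) + bytes(39) + struct.pack("!Q", to_ntp(t1))


def build_server_reply(request: bytes, t2: float, t3: float, stratum: int = 1, li: int = 0) -> bytes:
    """Constructed reply (stands in for the NIST server here): copies the client's transmit
    timestamp into the originate field, then fills in receive (t2) and transmit (t3)."""
    first_byte = (li << 6) | (3 << 3) | 4                        # LI, VN=3, mode=4 (server)
    header = struct.pack("!BBbb", first_byte, stratum, 4, -20)   # stratum, poll, precision
    header += struct.pack("!II", 0, 0) + b"NIST"                 # root delay, root dispersion, ref id
    originate = struct.unpack("!Q", request[40:48])[0]
    return header + struct.pack("!QQQQ", to_ntp(t2 - 16), originate, to_ntp(t2), to_ntp(t3))


def parse_reply(reply: bytes, request: bytes, t4: float) -> dict:
    """Validate a reply against our request and compute offset and delay (RFC 4330)."""
    if len(reply) < 48:
        raise ValueError("packet too short for SNTP")
    first_byte, stratum = reply[0], reply[1]
    li, mode = first_byte >> 6, first_byte & 7
    if mode != 4:
        raise ValueError("not a server reply")
    if li == 3:
        raise ValueError("server clock is unsynchronised")
    if stratum == 0:
        raise ValueError("kiss-o'-death from server: %r" % reply[12:16])
    originate, t2_raw, t3_raw = struct.unpack("!QQQ", reply[24:48])
    if originate != struct.unpack("!Q", request[40:48])[0]:
        raise ValueError("originate timestamp does not echo our request (stale, unsolicited or spoofed)")
    t1, t2, t3 = from_ntp(originate), from_ntp(t2_raw), from_ntp(t3_raw)
    offset = ((t2 - t1) + (t3 - t4)) / 2     # how far our clock is behind the server
    delay = (t4 - t1) - (t3 - t2)            # round trip minus the server's processing time
    return {"offset": offset, "delay": delay, "stratum": stratum}


def reply_is_valid(reply: bytes, request: bytes, t4: float) -> bool:
    """True if parse_reply accepts the packet, False if it rejects it."""
    try:
        parse_reply(reply, request, t4)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Simulate one exchange: local clock 600 s slow, one-way latency 50 ms, server takes 1 ms."""
    local_t1 = 1_090_000_000.0                 # local clock when the request is sent (constructed)
    true_send = local_t1 + 600.0               # the server's view of the same instant
    request = build_request(local_t1)
    reply = build_server_reply(request, t2=true_send + 0.050, t3=true_send + 0.051)
    local_t4 = local_t1 + 0.101                # local clock when the reply arrives
    return parse_reply(reply, request, local_t4)


if __name__ == "__main__":
    print(demo())
```

The validation checks matter as much as the arithmetic: a reply whose originate timestamp does not echo our own transmit timestamp is either stale or forged and must be ignored, stratum 0 is a kiss-o'-death telling the client to back off, and LI=3 means the server's own clock is not synchronised. The Period start parameter described above only sets how often the Windows Time service polls; it does not change what is accepted.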

    Previous Configurations

      Windows 2000 WAN Bridge and Internet Connection Sharing

      TODO
Last modified: Sat, 3 Jul 2004 19:00:00 GMT
Copyright © 1997-2025 Christopher Theunissen. All rights reserved.