Poscribes - Hardware Update


Over the past several weeks/months I have been collecting together the components necessary to update and enhance the hardware supporting this and several other websites that I maintain from my home.

The original configuration in a self-hosted model was that of a single PC. This thankfully was replaced by better hardware a couple of years ago that could be best described as powerful desktops or low-grade, non-redundant, server equipment.

Well today I am pleased to announce that through a little begging, a little borrowing and a little scavenging I have established not only a redundant configuration in terms of multiple web servers but also a load-balanced and highly available configuration.

Here's a quick overview of the setup as it stands now.

[Diagram] Home Network Diagram
As you can see there are now two web servers and two database servers. A little overkill for the current setup maybe, but enough room to grow for the foreseeable future too. Like I said earlier, this is not the only website that I am hosting on this system, but it is the one that currently draws the most attention and the most traffic.

Here are a few pictures of the equipment in operation. Some of it is not the newest server technology, but the systems run strong, offer RAID capability and, in the case of the two newer servers, redundant power as well.

[Photo] The used rack is a little more aesthetically pleasing than the previous open wire rack.

[Photo] Wiring mostly in place, just a little tidying up to do.

[Photo] Intake fan at the bottom aids cooling, as does the spacing somewhat.

[Photo] Separate switches for separate internet connections.

[Photo] Extractor fan to remove excess heat. The first fan had a worn bearing, hence the clipped wires.

[Photo] Foam aids sound suppression but also heat build-up.

My next step will be to establish some kind of round-robin DNS setup that permits failover, albeit slightly delayed, between the two types of internet connectivity that I have.

Over the next week or so I hope to provide examples of how I have established the load-balancing and replication using the Microsoft Windows Operating System.

Yes, that's right I am using Windoze!

Why not Linux, I hear you cry? It's the perfect LAMP configuration! This is true, but I wanted to try something a little, well, unconventional by today's standards.

That said, in all likelihood upgrades or additional equipment will involve Linux, although I'm hearing good things about Windows 2008, so I'm gonna have to try it somewhere, maybe here!


Responsible Personal Wireless Networking


(A.K.A. CHANGING THE DEFAULTS TO PROTECT THE INNOCENT!)

My intention with the information that follows is to better equip the casual home user in addition to the road warrior in establishing and utilizing, in a responsible manner, the now VERY ubiquitous networking technologies known as ‘wireless’.

Without delving into the technical abyss I have chosen to separate this advisory or set of basic guidelines into two distinct components of wireless connectivity:

1. Client (Desktop or Laptop) Configuration
2. WAP (Wireless Access Point) Configuration

Before I begin let me point out a few sometimes overlooked items that must be restated.

Securing wireless networking is an ongoing battle between manufacturer and hacker requiring new methods of authentication, validation and encryption to safeguard network traffic. This in turn spurs on the creation of new capturing, interpretation and cracking tools in a perpetual game of cat and mouse with YOU, the end user, caught in the middle.

So with security in mind why not simply use a wired network instead of wireless?

For better security you would be advised to do exactly that, but wireless networking these days has become so easy to install (imagine running a network cable to every room in your house), not to mention more convenient! It is through this convenience, and the vulnerability by design that comes with it (the lack of physical boundaries), that our home networks, in addition to public hotspots, have become more susceptible to interception and attack, all because that wonderful data travels over the airwaves instead of through a closed copper wire.

Think about it for a moment.

The very fact that wireless networks have no physical boundary means unless you do something to protect that information (encryption), whoever is in range of your access point or the one you are sharing (hotel, internet café, etc.) potentially has access to the same data that you are exchanging to and from the network. By utilizing wireless networks you are unwittingly enabling the watching and capturing of traffic, more commonly known as ‘sniffing’.

So if the risk is so great, why do we use it? Again, it goes back to pure and simple convenience but that doesn’t mean we can’t do anything to better protect ourselves; by changing a few default parameters we can reduce the risk.

The steps that I will now explain will hopefully mitigate this risk to an acceptable level for the home and travelling user (for the time being) but as I have already identified above it is a constant game of cat and mouse between vendor and hacker and we, as end users, are all positioned firmly in the middle!

Wireless Threat Mitigation

To provide the safest user experience the items identified below should be established on both the client computer (desktop or laptop) and the WAP (wireless access point) utilized to gain Internet access.

If you do not operate a wireless home network but travel with a laptop for business or pleasure you should firmly consider the client computer configuration recommendations.

Client Computer Recommendations

1. Apply all system updates and patches appropriate for the operating system and configuration being used.
2. Ensure Anti-Virus is installed and that it is successfully updated often, ideally daily.
3. Ensure Anti-Spyware, if separate from your anti-virus, is installed and also updated often.
4. Ensure a Third-Party Firewall is installed (block outgoing as well as incoming) or at a minimum that the XP Firewall is enabled (incoming only).
5. Change your preferred wireless configuration to ‘Infrastructure Mode’. No ad-hoc networks please!
6. If travelling on behalf of your company, establish VPN connectivity to safely communicate beyond the hotel wireless network in a controlled encrypted manner.
7. Disable the wireless network adapter when not required. Some systems have a physical switch to turn off wireless communication while others use Function Keys (for example, FN+F2 on Dell laptops).

Wireless Access Point

You should consult the manufacturer's documentation on how to complete the following steps, and quite honestly, if it doesn’t allow for the configuration to be controlled in the manner I am about to describe, throw it out and get a new one!

1. Change the default username and password used to access the administration function of the access point. The fact that manufacturers use a default name and password is so that you can change it after taking it out of the box. If you don’t, then somebody else just might, even if only for fun! Remember though, default usernames and passwords are readily available on the internet and are accessible (for legitimate and not so legitimate reasons) to you and the not so honest ‘hacker’ alike. Choose a new password of at least 8 characters in length that uses both alphabetical and numerical values, and throw in at least one special character for good measure!
(Don’t use words found in the dictionary as this really doesn’t provide any protection!)

2. Change the Service Set Identifier (SSID) to something other than the default (e.g. Linksys). The SSID is the name of your wireless network and ideally should only be known to you. By default Access Points broadcast this name in order to make it easier for users to find. You know it’s there so why tell anyone else! Simply turn off Beacon Broadcasts and make the name something ambiguous so as not to draw attention. For example DON’T use your address (123 First Street) or family name (Smith), use something like ‘91234jn1’. No mistaking only you would know that one!

3. Enable the strongest encryption supported, preferably WPA v.2 (Wi-Fi Protected Access Version 2) but at a minimum the more commonly available WEP (Wired Equivalent Privacy). Encryption between client computer and access point has to be the top security measure, but for ease of configuration and setup many vendors don’t have encryption enabled by default.
In order to use the stronger WPA, your Access Point must support it. If it doesn’t appear in the list of options, see if applying a firmware update will add it. In addition, your wireless network adapter must also support it (again, a firmware update may be required), and your wireless client must support it. Microsoft Windows XP Service Pack 2 provides the necessary WPA client.

Although most Access Points support the Wired Equivalent Privacy (WEP) protocol, it has a number of security flaws, and a knowledgeable web-surfer, let alone a hacker, can crack it. It provides for privacy, per the name, rather than true encryption, but it’s better than using nothing at all. Make sure you set the WEP authentication method to ‘Shared’ rather than ‘Open’ as ‘Open’ does not encrypt the data, only the client authentication. Also, use 128-bit WEP and change the key often.

4. Always apply the latest firmware and security updates for your Access Point.

5. Most Access Points, although not all, provide for the filtering of media access control (MAC) addresses. The idea here is to ‘white list’ your computers and devices while denying others access. Basically speaking, traffic from addresses that are not on your list will be rejected. While it makes things a little more difficult, it is by no means the holy grail, as sniffing traffic will reveal approved MAC addresses that can then be impersonated or ‘spoofed’ to gain access. The more layers or hurdles a potential intruder has to cross to gain access, the less likely they are to choose your network over one with no protection.

6. Review log files. Most Access Points have the capability to log traffic either incoming, outgoing or both. At a minimum you should log incoming traffic and review it at regular intervals. You may be surprised to see just who is trying to access your network enabling you to take additional steps to block or filter this unauthorized traffic.
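As an added example (not part of the original post), the following Python script carries out the review described in steps 5 and 6: it checks access-point log lines against a MAC allowlist, flags any device that was admitted without being on the list (a stale list, a filter that is not enforced, or a spoofed address), and counts repeated rejections so that a persistent unknown device stands out. The log lines and their format are constructed for the example; real access points each use their own format, so the regular expression will need adjusting.

```python
import re
from collections import Counter

# Constructed sample log lines in a generic "router syslog" style (assumption:
# a real access point's format will differ and LINE_RE must be adapted).
SAMPLE_LOG = """\
Mar  3 21:14:02 wap wlan0: STA 00:1a:2b:3c:4d:5e associated
Mar  3 21:14:05 wap wlan0: STA 00:1a:2b:3c:4d:5e authenticated
Mar  3 22:01:17 wap wlan0: STA 00:22:33:44:55:66 associated
Mar  3 22:01:17 wap wlan0: STA 00:22:33:44:55:66 deauthenticated (reason: MAC filter)
Mar  3 22:01:19 wap wlan0: STA 00:22:33:44:55:66 associated
Mar  3 22:01:19 wap wlan0: STA 00:22:33:44:55:66 deauthenticated (reason: MAC filter)
Mar  3 22:01:21 wap wlan0: STA 00:22:33:44:55:66 associated
Mar  3 22:01:21 wap wlan0: STA 00:22:33:44:55:66 deauthenticated (reason: MAC filter)
Mar  3 23:40:08 wap wlan0: STA 00:1a:2b:aa:bb:cc associated
Mar  3 23:40:08 wap wlan0: STA 00:1a:2b:aa:bb:cc authenticated
"""

# Your own devices, as you would type them into the access point's filter.
# Mixed case and separators are accepted and normalised below.
ALLOWLIST = {"00:1A:2B:3C:4D:5E", "00-1a-2b-99-88-77"}

# "STA <mac> <event>" where the event word is e.g. associated / authenticated /
# deauthenticated; anything after the event word (reason text) is ignored.
LINE_RE = re.compile(r"STA ([0-9a-fA-F:\-]{17}) (\w+)")


def norm_mac(mac):
    """Normalise a MAC so '00-1A-2B-...' and '00:1a:2b:...' compare equal."""
    return mac.replace("-", ":").lower()


def review_log(text, allowlist, repeat_threshold=3):
    """Return unknown MACs that were admitted and a count of filter rejections."""
    allowed = {norm_mac(m) for m in allowlist}
    admitted_unknown = set()
    rejected = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a client event line
        mac, event = norm_mac(m.group(1)), m.group(2)
        if event == "deauthenticated" and "MAC filter" in line:
            rejected[mac] += 1  # the filter did its job; count the attempts
        elif event == "authenticated" and mac not in allowed:
            admitted_unknown.add(mac)  # got in despite not being on the list
    return {
        "admitted_unknown": sorted(admitted_unknown),
        "rejected": dict(rejected),
        "repeat_offenders": sorted(m for m, n in rejected.items() if n >= repeat_threshold),
    }


if __name__ == "__main__":
    for key, value in review_log(SAMPLE_LOG, ALLOWLIST).items():
        print(f"{key}: {value}")
```

An admitted unknown MAC is the finding to act on first: either add the device to the list if it is yours, or treat it as a sign that the filter is not enforced or that an approved address is being spoofed.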

One other consideration worth mentioning at this point is the use of a Firewall. Some Access Points incorporate Firewall technology while others do not. If you have a combination of systems and devices at home that includes a wired internal network, you will wish to isolate any possible wireless threat from entering your wired segment. In essence, what you will be establishing is what is called a DMZ or ‘DeMilitarized Zone’ for your wireless devices, essentially placing a firewall between the wireless network and the wired network. The manufacturer documentation will be able to explain this concept in greater detail, if applicable.

One last item in securing your Access Point (that is constantly overlooked): if you are not using it, TURN IT OFF! Why leave it running if you are not there or are not using it?

In the grand scheme of things, as a home user you are unlikely to become the target of a professional hacker (unless you have one living next door – sorry about that!). The risk at home is inherently less than that of a high profile public environment such as a book store, internet café or hotel network.

With the simple steps I have outlined here, hopefully you will have a better understanding of basic wireless networking security and the need to change the defaults to better protect your network or the traffic to/from your laptop when travelling.

Safe Computing!
