
I have a router provided by my ISP physically connected to the internet access point. It has basic security (WPA2-PSK) and broadcasts its SSID.

I have a second router bridged wirelessly to the first to access the internet. It has hidden SSIDs, MAC filtering (as well as WPA2-PSK) and the latest firmware. One of the allowed MACs is that of the ISP host router. It has the ability to configure firewall rules but I don't know what rules (if any) I would need to configure.

Is the ISP host router considered the weak link? If I connect to the bridged router in order to access the internet, will I benefit from this extra security?

I am trying to mitigate wireless attacks and internet attacks. I was considering attaching a NAS (with no sensitive data) to this router. The basic router cannot use MAC filtering.

myol
  • what do you want to defend against? – schroeder Nov 25 '15 at 21:16
  • I think there are a few incorrect assumptions in your setup. The first being hidden SSIDs are more secure than broadcasted SSIDs (See http://blogs.technet.com/b/networking/archive/2008/02/08/non-broadcast-wireless-ssids-why-hidden-wireless-networks-are-a-bad-idea.aspx). The second being that MAC filtering trumps WPA2-PSK (or maybe I'm assuming you're not using WPA2-PSK). MAC filtering is pretty trivial to bypass if you know what you're doing. Also, as @schroeder said, what are you trying to defend against? Wireless attacks? Internet attacks? ISP snooping? etc. – Nadeem Douba Nov 26 '15 at 03:12
  • @Nadeem Douba - I am curious as to how you stop ISP snooping. Assuming you were using Tor or a VPN client of sorts, the weak link is the exit node. – Motivated Nov 26 '15 at 07:52
  • I should have clarified. Done now. – myol Nov 26 '15 at 11:35
  • @Motivated if you're using the ISP's modem/router as the gateway for your internal network then the ISP can remotely access your internal network. One way of circumventing that is by placing a router/firewall between the ISP's modem/gateway and the internal lan which restricts traffic. My comment was more in terms of self-defence. Not anonymization. – Nadeem Douba Dec 03 '15 at 16:52
  • @Nadeem Douba - I wasn't aware that a direct connection to the modem/router from the ISP was capable of providing them access to the internal network. If you placed a firewall in between the device and internal LAN, what would you be blocking specifically e.g. which ports, etc? – Motivated Dec 03 '15 at 17:19
  • @Motivated the best thing you can do is block all inbound traffic originating from the internet/ISP modem and only allow outbound traffic from your LAN. If you need to host a server then you will have to set up a DMZ and properly isolate the server from the rest of the network. Furthermore, I'd restrict outbound traffic to ports 80, 443, and 53. – Nadeem Douba Dec 16 '15 at 21:57
  • @Nadeem Douba - Thanks. Does placing the server in the DMZ provide the capability for the ISP to access the devices in the external network? If yes, how would you prevent this? When you say block all inbound traffic originating from the ISP, how would you ascertain the entire network range? – Motivated Dec 18 '15 at 17:36
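As an added example (not from the question or any commenter), here is what the firewall policy described in the comments can look like as an nftables ruleset on the second, wirelessly bridged router: drop everything new arriving from the ISP side, allow the inner LAN out only on DNS, HTTP and HTTPS, and match on interfaces rather than on the ISP's address range so the policy does not depend on knowing that range. Assumed interface names: "wlan0" is the radio that associates with the ISP router, "br0" is the inner LAN holding the NAS.

```shell
# Added example, not the page's own configuration. Assumed interface names below.
WAN_IF="${WAN_IF:-wlan0}"   # assumption: interface towards the ISP router (untrusted)
LAN_IF="${LAN_IF:-br0}"     # assumption: interface towards the inner LAN / NAS

# Print the ruleset; apply on the router with: build_ruleset | nft -f -
# Rules match on interface, so no ISP address range has to be enumerated.
build_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # the DHCP lease from the ISP router is not conntrack-tracked, allow it explicitly
    iif "$WAN_IF" udp sport 67 udp dport 68 accept
    # the router itself is managed only from the inner LAN
    iif "$LAN_IF" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # inner LAN may reach the internet only on DNS, HTTP and HTTPS
    iif "$LAN_IF" oif "$WAN_IF" udp dport 53 accept
    iif "$LAN_IF" oif "$WAN_IF" tcp dport { 53, 80, 443 } accept
    # nothing new from the ISP side is ever forwarded to the inner LAN (NAS included)
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Number of chains whose default is drop; input and forward give 2.
drop_policy_count() {
  build_ruleset | grep -c 'policy drop'
}

# Syntax-check the generated ruleset without loading it, when nft is available.
check_ruleset() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed, check skipped" >&2; return 0; }
  build_ruleset | nft -c -f -
}
```

Hosting a server for the internet, as the comments note, needs a separate DMZ segment with its own forward rules rather than a hole punched into the inner LAN.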
