Sunday, October 30, 2011

Managing Internet Content Access at Home

Like many of us, our children are accessing the Internet at home every day for many reasons including school homework, socializing, personal research, music shopping, etc. I like to encourage this too, since the Internet medium will only provide more functionality and information as time progresses. The only concern I have is how to prevent access to adult-oriented material while still providing access to all other "age appropriate" data.

There are parental controls built into some of the commercial anti-virus software such as Norton and others. However, this normally requires one to lock down the computer(s) so your children do not have administrative access. For young children, locking them out of administrative access is probably completely appropriate, but as they reach pre-teen years, I personally like my children to administer their own computer(s). I think this is a good learning exercise for them and only enhances their computer skills. Besides, this gives me one less computer to manage!

How to filter
So what is one to do to filter out content that we deem inappropriate for our children? Well, this takes some technical networking knowledge to implement. What I am about to describe is for parents that are comfortable in Unix, networking, and basic firewall configuration. Let's start with a physical overview of my setup here. As you can see, the FreeBSD box is running as my router, obtaining a public IP via my U-verse Gateway, acting as a firewall, and performing NAT for clients on the private "Home" LAN. What the diagram does not show is how it performs Internet content filtering; the diagram for that is here.

DNS - OpenDNS
One of the easiest ways to filter Internet sites is to use OpenDNS, an utterly fantastic DNS service that is free for home use. You can configure site access based on categories, and this in itself will take care of much of the Internet content filtering for you, but not all. You could say I use OpenDNS as my pre-filter and then DansGuardian for the rest. This allows me a very granular level of control. In order to use OpenDNS you have to point your clients at the OpenDNS DNS servers instead of your Internet Service Provider's DNS servers. There are other steps involved, so please read up on the service on their website. In my configuration at home, I use a caching name server and point it at the OpenDNS servers as forwarders. I can't say enough about OpenDNS - use it!

The Firewall - IPFilter
The firewall I use is called IPFilter, sometimes called ipf, and comes with FreeBSD. I have used it for years, find the syntax very easy to understand, and the documentation is located in the FreeBSD Handbook here. The Network Address Translation box on the former diagram is actually part of IPFilter; I separated it out in the diagram because it is configured separately from the firewall.

DansGuardian
The former diagram illustrates DansGuardian deciding whether an outgoing Internet request should be permitted or not. It does that in two ways:

  1. Content filtering - looking for words and phrases that you have configured to be permitted or not.
  2. Blacklist filtering - a list of sites organized in categories that you can block or permit. For example, I have all gambling sites blocked. However, it's very easy to configure a site to be permitted despite being in one of the blocked categories. For example, if I blocked all news sites, I could configure it to permit www.cnn.com through if so desired. Note that with blacklist filtering you have to update your list of categories/sites regularly to stay current; the DansGuardian site provides links to providers of blacklists.
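The decision order of the three stages above (OpenDNS category pre-filter, then DansGuardian's blacklist with its exception list, then phrase-based content filtering), written out as an added Python model. This is not DansGuardian's or OpenDNS's code; the policy, domains and phrase weights are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class FilterPolicy:
    site_categories: dict   # domain -> category, as a blacklist provider supplies it
    dns_blocked: set        # categories blocked at the OpenDNS (pre-filter) stage
    dg_blocked: set         # categories blocked at the DansGuardian blacklist stage
    exception_sites: set    # sites permitted despite belonging to a blocked category
    weighted_phrases: dict  # phrase -> weight; the content filter sums the matches
    naughtiness_limit: int = 50  # a page scoring above this is blocked (assumed value)


def _in_domain(host, domain):
    """True when host is domain itself or a subdomain of it (www.cnn.com vs cnn.com)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def category_of(policy, host):
    for domain, category in policy.site_categories.items():
        if _in_domain(host, domain):
            return category
    return None


def decide(policy, host, page_text=""):
    """Return (permitted, reason), running the stages in the order the traffic meets them."""
    category = category_of(policy, host)
    # Stage 1: DNS pre-filter. A name OpenDNS refuses to resolve never reaches the
    # proxy, so nothing configured in DansGuardian can re-enable it.
    if category in policy.dns_blocked:
        return False, f"dns: category '{category}' blocked"
    # Stage 2: blacklist filtering. The exception list wins over the category.
    if any(_in_domain(host, site) for site in policy.exception_sites):
        return True, "blacklist: on exception list"
    if category in policy.dg_blocked:
        return False, f"blacklist: category '{category}' blocked"
    # Stage 3: content filtering on the fetched page body.
    text = page_text.lower()
    score = sum(weight for phrase, weight in policy.weighted_phrases.items() if phrase in text)
    if score > policy.naughtiness_limit:
        return False, f"content: phrase score {score} exceeds {policy.naughtiness_limit}"
    return True, "permitted"


# Constructed policy mirroring the post: news blocked as a category, but cnn.com excepted.
POLICY = FilterPolicy(
    site_categories={"cnn.com": "news", "casino.example": "gambling", "adult.example": "adult"},
    dns_blocked={"adult"},
    dg_blocked={"gambling", "news"},
    exception_sites={"cnn.com"},
    weighted_phrases={"free bets": 30, "win big": 30},
)

if __name__ == "__main__":
    for host, text in [("www.cnn.com", ""), ("casino.example", ""), ("adult.example", ""),
                       ("blog.example", "Free bets today! Win big!")]:
        print(host, decide(POLICY, host, text))
```

The comment in stage 1 is the practical point: an exception entered in DansGuardian cannot un-block a site that OpenDNS already refuses to resolve, so category exceptions must be made at the earlier stage too.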

Apache Traffic Server
Apache Traffic Server is an optional component. In my configuration it acts as a forward proxy, caching sites to speed up access. Many sites in our household are regularly accessed, and by caching them I speed up Internet access. I used to use Squid, but I found Apache Traffic Server to be much faster.

Summary
I have shown you one configuration you can use for content filtering at home. As I mentioned earlier, I would only pursue this type of setup if you are comfortable in Unix, networking, and firewalls. I have been involved in networking, firewalls, and other Information Technology areas for some 20 years now, so the work involved is straightforward for me. If you have questions or feedback, feel free to post a comment or contact me at john at mysnmp dot org. I would appreciate any and all feedback.



Sunday, February 6, 2011

Improving Wireless Reception - Part 3

Introduction
I will assume at this point that you are still suffering wireless connectivity issues in your home even after applying the suggestions from Part 1 and Part 2 of this blog series. Don't worry! There are still solutions that will resolve your issue. They just take a little more money, some technical expertise, and time.

Fastest Fix
The fastest and easiest fix to improve your wireless signal strength is to use high-gain antennas. For example, let's say your router/access point is located on the outside wall of your home (versus the middle of the home). As a result, half your wireless signal is going through your wall to the outside. Recall that the stock antennas routers/access points come with have very low dBi gain and a signal pattern shaped like a large doughnut. If your router/access point resides near the outside wall of your home, we need to redirect that wasted signal going outside and make use of it in the house. You can't increase the power output of your router/access point (well you can, but this is a different discussion); in fact it can make things worse. However, we can substantially increase the signal strength by using directional antennas to send the majority of the transmitted signal in a particular direction. So, in effect we are increasing signal strength in that direction, but we are not changing the actual power output of the transmitter.

Removable Antennas?
Now we have a caveat. Not every router/access point has removable antennas. This is why I always recommend that when buying any wireless device, you make sure it has removable antennas to permit the use of third-party antennas. If your router/access point has fixed antennas, or worse yet, no antennas on the outside, it is time to buy a new router/access point with removable antennas.

Third Party Antennas
There are a handful of manufacturers that make third-party antennas for wifi devices. I have personally only used the directional antennas from Hawking Technologies and have been pleased with their performance. I have used omni-directional antennas from a number of brands and have been pleased with their performance as well.

Antenna Types
There are two planes to consider when focusing wireless signals. One option is to flatten the doughnut and increase signal strength in all horizontal directions. These are called high-gain omni-directional antennas. This type of antenna would be appropriate if you are trying to increase the signal strength on one floor of your home. In this scenario, there will be almost no wifi signal going vertically and all the wireless signal is radiated horizontally. I would recommend this type of antenna if your router/access point is located near the center of your home. You can find several examples of this antenna on Amazon from different manufacturers. Go with the highest gain you can find, which is usually 9 dBi.

Alternatively, Hawking Technologies, for example, sells a "corner" antenna. This antenna would be a great solution if your router/access point is located in a corner of your house. The antenna I am referring to is located at Amazon: Hawking HiGain Directional Corner Antenna. It focuses the signal out in an approximately 90 degree horizontal arc. I have also used this antenna on client computers that are some distance from the router/access point to increase throughput, with great success.

Your Last Resort
If you continue to have wireless connectivity issues in your home even after exploring/testing third-party antennas, your last resort is to just run multiple access points. I do this in my home because my house (an old rancher) is 60+ years old and the walls were made with a concrete-based board and plaster. Based on my testing, these types of walls attenuate the signal by at least 12 dBi. As a result, I run 4 access points in my home. I have two on the main floor and two in the basement.

Running multiple access points requires some technical expertise so you do not bring down your whole home network. You may want to seek out a friend or colleague that is knowledgeable in wireless networking to set this up for you. The way I do this is the following:

  • Run each access point on a different IP (of course) but put them on the same network, aka a flat network.
  • Only run one DHCP server and make sure it points to the correct default gateway and DNS server(s).
  • Put each access point on a unique channel.
  • Assign separate SSIDs to each access point. Ideally, you would run all the access points on the same SSID. However, I find wireless clients are sticky to the access point they originally connected to. For example:
    • I am upstairs with my laptop and it connects to upstairs access point A. Then I go downstairs with my laptop, and in a perfect scenario it would connect to the downstairs access point, which now has the stronger signal. However, I find this does not happen. Therefore, I just disconnect from the upstairs SSID and connect to the downstairs SSID that now has the strongest signal.
  • All the access points need to be connected to your inside network via a wired connection. Consider them just clients on your wired network; each access point will bridge wireless clients.
  • I actually buy router/access points and don't use the "router" part when they are acting as access points. Note: there are manufacturers that sell just an access point. However, I find these are more expensive than the router/access points.
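The rules in the list above (flat network, one DHCP server, unique channels and SSIDs, router function disabled on the access points) as an added Python plan checker. This is example code written for this post, not a tool the author used; the addresses, names and the draft plan are constructed, and the draft deliberately leaves one access point's DHCP server on.

```python
import ipaddress

# The single router that hands out DHCP and is the default gateway (constructed).
ROUTER_IP = "192.168.1.1/24"

# Constructed draft plan for the four-access-point layout described in the post.
# AP-base-west still has its built-in DHCP server on: the mistake the checker must catch.
ACCESS_POINTS = [
    {"name": "AP-main-east", "ip": "192.168.1.2/24", "channel": 1,  "ssid": "MAIN-E", "dhcp": False},
    {"name": "AP-main-west", "ip": "192.168.1.3/24", "channel": 6,  "ssid": "MAIN-W", "dhcp": False},
    {"name": "AP-base-east", "ip": "192.168.1.4/24", "channel": 11, "ssid": "BASE-E", "dhcp": False},
    {"name": "AP-base-west", "ip": "192.168.1.5/24", "channel": 6,  "ssid": "BASE-W", "dhcp": True},
]


def channels_overlap(a, b):
    """2.4 GHz channels sit 5 MHz apart and are about 20 MHz wide, so fewer than 5 apart overlap."""
    return abs(a - b) < 5


def check_plan(aps, router_ip):
    """Return a list of rule violations; an empty list means the plan follows every rule."""
    problems = []
    router = ipaddress.ip_interface(router_ip)
    seen = {router.ip: "router"}
    for ap in aps:
        iface = ipaddress.ip_interface(ap["ip"])
        if iface.network != router.network:
            problems.append(f'{ap["name"]}: {iface.ip} is not on the flat network {router.network}')
        if iface.ip in seen:
            problems.append(f'{ap["name"]}: IP {iface.ip} already used by {seen[iface.ip]}')
        seen[iface.ip] = ap["name"]
    dhcp_servers = 1 + sum(1 for ap in aps if ap["dhcp"])   # the router plus any AP left on
    if dhcp_servers != 1:
        problems.append(f"{dhcp_servers} DHCP servers on the network; only the router may run one")
    ssids = [ap["ssid"] for ap in aps]
    if len(set(ssids)) != len(ssids):
        problems.append("SSIDs are not unique")
    for i, a in enumerate(aps):
        for b in aps[i + 1:]:
            if channels_overlap(a["channel"], b["channel"]):
                problems.append(f'{a["name"]} and {b["name"]}: channels {a["channel"]} and {b["channel"]} overlap')
    return problems


if __name__ == "__main__":
    for problem in check_plan(ACCESS_POINTS, ROUTER_IP) or ["plan OK"]:
        print(problem)
```

With four access points in 2.4 GHz there are only three non-overlapping channels (1, 6 and 11), so one pair must share; the overlap line tells you which pair, and those two should be the ones placed furthest apart.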

This configuration has worked very well for me. Note: only pursue this if you are fairly familiar with networking. If you start putting multiple access points on your network without properly configuring them, you will break your network without question.

Conclusion
I hope these three blog entries help you improve your wireless network in your home.  These steps have certainly helped me and others that I have helped in the past.  If you have questions or comments please post them.  If you wish to contact me privately, please do:  john@mysnmp.org.

Sunday, January 16, 2011

Improving Wireless Reception - Part 2

Introduction
At this point I am assuming you have gone through the steps of Part 1 of this exercise here and still have not improved your wireless access to your satisfaction.

Next Steps - Pick a Clear Channel
Now we need to bring up inSSIDer again. Recall we installed this application in Improving Wireless Reception - Part 1, Step 1. Please see the output of inSSIDer below:


Take a look at channel 6 above. There are overlapping SSIDs on this channel. Let's assume for discussion's sake that your SSID is HELIOS. Note that there are other SSIDs on this channel as well. We want to avoid this condition. Normally a wireless router/access point will pick a clear channel, but that is not always the case. The point here is that if your SSID is overlapping with other SSIDs, move your channel to a clearer channel. If you go into the wireless settings of your wireless router/access point you can manually select which channel to use. I, for example, put my PHOEBE access point on channel 11, which is completely clear, and you can see the strong signal at about -30 RSSI.
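Choosing the clearest channel from a scan like the one above, as an added Python example (not inSSIDer's code; the scan records are constructed). Neighbor power is summed in milliwatts rather than dBm so that several weak neighbors on one channel add up the way they do on the air.

```python
import math

# Constructed scan in the shape inSSIDer reports it: (SSID, channel, RSSI in dBm).
# HELIOS is "our" network, sharing channel 6 with neighbors; channel 11 is empty.
SCAN = [
    ("HELIOS",     6, -45),
    ("NEIGHBOR-A", 6, -60),
    ("NEIGHBOR-B", 6, -70),
    ("NEIGHBOR-C", 1, -75),
]


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    return 10 * math.log10(mw) if mw > 0 else -math.inf


def overlapping_power(scan, channel, own_ssid):
    """Sum (in mW) of every other network whose ~20 MHz channel overlaps `channel`.
    2.4 GHz channels are 5 MHz apart, so fewer than 5 channel numbers apart overlap."""
    return sum(dbm_to_mw(rssi) for ssid, ch, rssi in scan
               if ssid != own_ssid and abs(ch - channel) < 5)


def rank_channels(scan, own_ssid, candidates=(1, 6, 11)):
    """Candidates from clearest to busiest, as (channel, overlapping neighbor power in dBm)."""
    ranked = [(ch, mw_to_dbm(overlapping_power(scan, ch, own_ssid))) for ch in candidates]
    return sorted(ranked, key=lambda pair: pair[1])


def clearest_channel(scan, own_ssid, candidates=(1, 6, 11)):
    return rank_channels(scan, own_ssid, candidates)[0][0]


if __name__ == "__main__":
    for ch, dbm in rank_channels(SCAN, "HELIOS"):
        print(f"channel {ch:2d}: overlapping neighbor power {dbm:.1f} dBm")
    print("move HELIOS to channel", clearest_channel(SCAN, "HELIOS"))
```

Pass `candidates=range(1, 12)` to rank every channel; the default sticks to 1, 6 and 11, the three that do not overlap each other.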

Once you have completed the channel change, re-survey your wireless signal in your home and see if your RSSI improves. If it does, record the change. Secondly, you should disconnect and reconnect all your wireless clients. Simply disconnect from and reconnect to your SSID using the Windows wireless connection tools. See below:


Simply click Disconnect, and then the Connect button will display below your SSID. See above.

Connection Issues Still Persist - Link Layer Protocol
At this point, the improvements will be more technical so you may need to read your manuals in more depth and/or read other articles on the web to help you with these steps.

Recall that in Part 1 of this article we talked about the different wireless protocols. For the consumer, they are:

  • 802.11a
  • 802.11b
  • 802.11g
  • 802.11n (sometimes called Draft N)

In Part 1 I did not go into detail about 802.11n. It is the next generation of wifi access after 802.11g and provides speeds up to 6x faster than 802.11g, theoretically. It propagates through your walls better than 802.11g and has a double-channel mode that permits connections up to 300 Mbit/s theoretical. The specification also defines additional frequencies at 5 GHz. You will see these wireless routers sold as "Dual Band". I have not seen much in the way of wireless clients that support 802.11n at 5 GHz. You will have a much clearer signal on 5 GHz, but 5 GHz frequencies do not go through walls as well as the standard 2.4 GHz frequencies. Trade-offs, of course...

Here are the rules you need to follow now:

  1. Most importantly, get off 802.11b. 802.11b has the poorest signal propagation through walls. If you have a wireless router/access point that only supports 802.11b, it's time to upgrade. If you have a router that supports both 802.11b and 802.11g/n, you need to disable 802.11b. Mixing 802.11b signals with 802.11g/n reduces throughput.
  2. Accordingly, if you have wireless clients, perhaps an older laptop, that only support 802.11b, you need to get a PCMCIA, USB, or ExpressCard wireless adapter that supports 802.11g/n. Head over to your local MicroCenter or Frys and get your necessary upgrades. The staff at MicroCenter and Frys are very helpful. Alternatively, you can purchase online at TigerDirect or Newegg. There are other online merchants of course, but I tend to stick with TigerDirect or Newegg for my computer needs. Just a matter of preference. See below for some hardware recommendations.
  3. My general rule of thumb for wireless gear is do not buy the latest gear nor the gear that has all the bells and whistles. I find there are more bugs in the latest gear that take time to work out. I go for gear that has been out for approximately 2-3 years. By then more of the bugs have been worked out, and this leads to higher stability. This is especially important for your wireless router/access point. I personally avoid the cheapest gear and avoid the most expensive gear. Again, personal preference.
  4. Brand selection: 802.11g. This is a tough one to recommend, as each hardware line of the major wireless vendors can have good and poor models. The classic line of wireless router that has been out for years is the Linksys WRT54Gxxxx line. Both the older models (eBay) and the later models of this line are generally very stable. Make sure you are running the latest firmware, be it open-source DD-WRT or Linksys's own. Both have advantages and disadvantages. For the technically minded, you will definitely want to use one of the open-source firmwares. Tomato and DD-WRT both have some nice "techie" features.
  5. Brand selection: 802.11n. I have gone through several 802.11n wireless routers and they have been very unstable, so I put them in my "wait for new software/firmware" box. The only model I am going to recommend is the model I use now, which has been stable: the D-Link DIR-855. I chose this model since it came out a few years ago, it has three external antennas, and they are removable to permit the use of third-party antennas.
  6. Antenna selection. If possible, buy a wireless router with external antennas; the more the better. Better still, models whose antennas you can disconnect to install third-party antennas are the best solution. Do your homework, pull the specification details and find hardware that looks good to you. Check reviews. Note: I did extensive reading of reviews and have still been burned. What I learned from this is to first see what the user rating is for the wireless router/access point. If it is above average, then go to the vendor support forums and see what kind of complaints are posted about the gear. Base your decision off the support forum primarily.
  7. For client wireless adapters, I do not have any recommendations. The few that I have purchased from major brands have all worked fine. Get the latest drivers from the manufacturer's website. Note: if you are buying a wireless card for a desktop, you definitely need to get one that has a cable permitting the antenna to sit on your desk or, better yet, on a shelf. The common model, with two or three antennas sticking out of the card, is less effective because they are buried behind your computer, table, wall, cables, etc. All these things attenuate the wireless signal and will give you poorer signal quality and throughput.

802.11g or 802.11n
Which version should I get? 802.11g gear is cheaper and has a maximum throughput of 54 Mbits/second theoretical. Normally 802.11g is just fine for your typical Internet user that reads mail, surfs the web, pulls down music from online music vendors, watches videos on YouTube, etc. Note: 802.11n will propagate through your house better than 802.11g by some margin. If you have signal difficulties, go ahead and get 802.11n gear and run a pure 802.11n network on a clear channel.

Repeat Part 1
If you have replaced any of your wireless gear, you now need to go back through the steps of Part 1 of this article located here.

Still Hope
If you still have wireless signal difficulties after following Part 1 and 2 of this article, there is still hope in Part 3 of this article.  I will try to get it out as soon as I can.

Whether this article is helping you or not, I would really appreciate some feedback. If you are hesitant to post publicly, feel free to email me at john at mysnmp dot org. I'd be happy to work with you individually.

Sunday, January 9, 2011

Improving Wireless Reception - Part 1

Introduction
This article is targeted at the non-technical or semi-technical user trying to improve their wireless reception at home. Many people in my family and neighborhood ask me how to resolve poor (wifi) wireless reception in their homes, so I thought I would share some tips and techniques I have suggested. For clarity's sake, what I am referring to is network wireless access as defined in the 802.11a/b/g/n specifications; I am not talking about cell phone reception.

What is the difference between 802.11a/b/g/n
802.11b
802.11b was defined and implemented first for the consumer back in the late 90's. This provided a transmission speed of 11 Mbits per second in the best conditions. 11 Mbits per second equates to about 1 MByte/second in ideal conditions. Note: for those more familiar with networking, I am NOT getting into packet overhead intentionally. This specification used 2.4 GHz frequencies. This implementation of wireless access was widely accepted and was a huge step into wireless networking that had useful speeds.

802.11a
Next, 802.11a came out for the consumer and used 5 GHz frequencies. It never really took off but is still available today. 5 GHz frequencies are less crowded. However, 2.4 GHz frequencies go through walls/floors much better than 5 GHz frequencies. Having not used 802.11a, I am going to keep my discussion of this specification short. However, I will mention: don't pursue setting up an 802.11a network. There are better options.

802.11g
Following 802.11a, 802.11g hit the consumer market and is still the most common wireless access method today based on my scans in public spaces and neighborhoods.  No, I am not a hacker, I just "listen" to see what is broadcast.  The FCC permits anyone to listen to any frequency barring cell phone frequencies.

802.11g goes through walls/floors even better than 802.11b and allows speeds up to 54 Mbits, which equates to about 6 MBytes/second in perfect conditions. Like 802.11b, 802.11g uses 2.4 GHz frequencies in 11 channels, described well on Wikipedia here.

Some issues with 802.11g include crowded spectrum, since other devices like cordless phones, microwave ovens, baby monitors, IP video monitors, and other devices also use 2.4 GHz frequencies. Needless to say, your neighbors are also using 802.11g and you may get interference from them depending on where you live.

802.11n
I am going to discuss 802.11n in Part 2. But in essence it is the next generation of wireless access after 802.11g.

Improving your wireless signal
Here are the steps I would follow to improve wireless access in your home.

1.  Create a baseline!  We need a metric to work against to see if we are improving the signal.  Download and install inSSIDer on your wireless laptop.  This simple, free, open source tool will allow you to actually measure your signal and, more importantly, tell you what channels are in use.  Screenshot below:

Figure 1:  inSSIDer screenshot
2.  Some notes on inSSIDer.  You have to select your interface and click Start in the top right-hand corner.  This tool reports what wireless networks are in the area, what channels they are using, and the access status (open/encrypted).  Click on the RSSI column and sort the data so the highest number is at the top.  Note the numbers are negative, so -52 is higher than -100.

3.  Now, the screen may be overwhelming, but we need just a little bit of information from it for our efforts.  Identify your network SSID, in other words, the network you connect to at home.  I will use CALLISTO in our discussion.  CALLISTO has an RSSI (I will explain what this is later) of -72 and is on channel 1.  That's all you need to note now.

4.  Now take your laptop and go to places in your home where you like to work and have wireless access, e.g. kitchen, living room, etc.  For each room note the RSSI number for your network (write it down please!).  Note:  spend at least 1 minute at each location for the RSSI number to "settle down", then record the number.

5.  Now the work begins.  If your router/access point does not have external antennas, go to step 6 below.  Make sure all connections to the router/access point are plugged in snugly.  Sometimes cables slide out.  Tighten the antenna connections, and put the antenna(s) straight up.  If they were already straight up, just tighten the antenna connection(s).  Next, repeat step 4, take measurements and record them!

6.  Make sure all connections to the router/access point are plugged in snugly.  If any connections were loose, repeat step 4 and record the measurements!

7.  The biggest boost in reception is the next step.  Many people put their router/access point under a desk or table.  You cannot do that!  You lose about 25% of your signal strength if you bury your router/access point under a desk/table.  Put your router/access point in a high place in the clear, something like the top of a shelf.  If you have no shelf nearby, consider mounting the router/access point high on the wall.  Buy longer cables if it cannot reach your top shelf or ideal location.  Normally this would just be a longer ethernet cable, available at Microcenter, Frys, Best Buy, Office Depot, Staples, etc.  Once you have moved the router/access point to the higher location, repeat step 4 and record the measurements!

Goal
We want the RSSI number to be as high as possible.  Again think negative numbers so -30 is higher than -80.  Ideally you want your RSSI number to be higher than -60.  You can still get connections between -60 and -70 but the connection will be very poor and intermittent.  I aim for RSSI of -50 and higher for my home network.

Your Homework
The location of your router and antenna position will directly influence your wireless reception.  Continue to re-position your router/access point and repeat step 4.  Again, you are aiming for a high location that is clear of obstacles.  Ideally, the router should be in the middle of the house.  If you have a router/access point without external antennas, turn the router in 90 degree steps and repeat step 4.  Find the position that provides the best reception for your house.

You have more influence on the radiated wireless signal if you have external antenna(s).  To find the best position for the antennas, start with them straight up and record your RSSI at different locations.  Then change the angle of the antenna(s) in small increments of 45 degrees, one antenna at a time, and repeat step 4.  If you can visualize it, each antenna normally radiates a doughnut-shaped signal perpendicular to the antenna.  The important aspect to note here is that there is almost no signal coming off the top or bottom of the antenna.
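An added Python helper for the step 4 notebook: it settles each location's reading with a median (the one-minute wait above), compares the baseline survey with the survey taken after a change, and grades the new reading against the thresholds in the Goal section. This is example code written for this post, not a tool the author used; the room names and readings are constructed, and the "keep the change" rule is an assumption spelled out in its docstring.

```python
from statistics import median

# RSSI thresholds from the Goal section (dBm; less negative is stronger).
TARGET = -50     # what the author aims for at home
GOOD = -60       # above this the connection is fine
POOR = -70       # between -60 and -70 connections are poor and intermittent


def grade(rssi):
    if rssi >= TARGET:
        return "target"
    if rssi > GOOD:
        return "good"
    if rssi >= POOR:
        return "poor"
    return "no reliable connection"


def settled(samples):
    """A settled reading: the median of the samples taken during the one-minute wait."""
    return median(samples)


def compare_surveys(baseline, after):
    """baseline and after map location -> list of RSSI samples (the step 4 notebook).
    Returns location -> (before, now, change in dB, grade of the new reading)."""
    report = {}
    for location, samples in baseline.items():
        before = settled(samples)
        now = settled(after[location]) if location in after else before
        report[location] = (before, now, now - before, grade(now))
    return report


def keep_change(report):
    """Assumed rule for 'if it improves, record the change': the total change is
    positive and no single location got worse."""
    changes = [row[2] for row in report.values()]
    return sum(changes) > 0 and min(changes) >= 0


def weakest_location(report):
    return min(report, key=lambda loc: report[loc][1])


# Constructed notebook: step 4 readings before and after moving the router onto a shelf.
BASELINE = {"kitchen": [-72, -70, -74], "living room": [-58, -60, -57], "office": [-80, -78, -79]}
AFTER_SHELF = {"kitchen": [-62, -64, -63], "living room": [-55, -54, -56], "office": [-75, -77, -74]}

if __name__ == "__main__":
    report = compare_surveys(BASELINE, AFTER_SHELF)
    for location, (before, now, change, quality) in report.items():
        print(f"{location:12s} {before:4} -> {now:4} ({change:+d} dB) {quality}")
    print("keep the change:", keep_change(report), "| weakest:", weakest_location(report))
```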

End of part 1
This is the end of part 1.  However, we still have more options for improving wireless reception.  I will try to get part 2 out in the next few days.

I'd really appreciate some comments, good or bad on this posting so I can improve it.  Questions are welcome too!

Friday, January 7, 2011

LastPass Multi-factor Authentication Methods

LastPass Multi-Factor Authentication
There are a few ways to use multi-factor authentication with LastPass, an online password manager that supports multiple operating systems.  I am interested in two of these methods:  Sesame and YubiKey.  Does anyone have opinions on either?  I am leaning towards YubiKey; however, each key is $25.00, whereas Sesame is free.

https://lastpass.com/support_faqs.php#yubikey

Comments welcome!

Sunday, January 2, 2011

Gmail Account Security Breach - zorpia spam

Received zorpia.com spam
My son and I had an interesting security breach this morning with regard to zorpia.com.  We detected this when all of his Gmail contacts were spammed with email from "invitation at zorpia.com" on his behalf.  All of his contacts were spammed multiple times with the same email, which was essentially trying to get the recipient to click on links that pointed towards zorpia.com.  Let me explain how the events transpired:

OpenDNS
Since my son is blocked from zorpia.com via OpenDNS, I knew he did not have an account there.  We discussed the issue and quickly realized some account of his had been breached.  At this point, all we knew was that the zorpia spam had been sent to me and my wife.  Shortly thereafter, my son received a forwarded zorpia email from his grandfather asking about it.

zorpia.com email getting sent to his Gmail contacts
At this point, we knew for sure it had something to do with his Gmail account.  Since his password was "tight" at 9+ characters including punctuation, it was hard to believe someone had cracked it, especially since it was used nowhere else.  I asked him if he had recently used a friend's computer to access his Gmail account, and he had not.  He did mention he had brought his Mac over to his friend's house, where they ran an "open" wifi network (shame on them).  Since my son has a Mac, the open wifi did not raise immediate concerns.  I have his Mac buttoned up with ssh key authorization only.  We then ran a Norton scan on his Mac and it was clean.  His USB sticks were also scanned and were clean.  Network scans of all home computers were also clean.

Firewall Check
My home network firewall (FreeBSD/IPFilter) is fully logged and very tight.  I ran some reports on the logs and nothing jumped out at me.  I actually put all log entries into MySQL, making searching through firewall data very easy.

Gmail Account Access Details
Lastly, I asked him to look at the bottom of his Gmail page to see what IP addresses had been used to access his account.  I have a static IP address at home, so there should really just be my public IP address listed, since his Mac rarely leaves our house.  To our shock, the accesses were coming from several addresses.  I ran a few "whois" lookups and most IP addresses pointed to the Amazon cloud.  However, some were starting to show up from Japan in near real time.

Gmail Account Breached for Sure
Obviously, at this point we knew his Gmail account had been breached.  We changed his password to a nice 13 character password with the standard upper/lower case letters, numbers, and punctuation.  Fortunately, Gmail provides a way to sign out all other sessions (thank you Google!).  At this point, the breach was closed.

Notification
Lastly, we monitored the IP addresses his Gmail account was accessed from, and they continued to be just my public IP.  We emailed his Gmail contacts about the issue, warning them not to click on any zorpia emails from him.
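The two checks described in the "Gmail Account Access Details" and "Notification" sections above, as an added Python example: flag every access not from the home static address (grouped by source, ready for whois), and confirm that after the password change and sign-out only the home address appears. This is not Google's code or the author's; the home address and the activity records are constructed from reserved documentation ranges.

```python
from datetime import datetime
import ipaddress

HOME_IPS = {"203.0.113.7"}   # constructed stand-in for the home static address

# Constructed records in the shape of Gmail's "recent activity" table:
# (timestamp, access type, source IP). Only the first and last are from home.
ACTIVITY = [
    ("2011-01-02 08:10", "Browser", "203.0.113.7"),
    ("2011-01-02 07:55", "Browser", "198.51.100.23"),
    ("2011-01-02 07:40", "Mobile",  "198.51.100.23"),
    ("2011-01-02 06:02", "Browser", "192.0.2.44"),
    ("2011-01-01 22:15", "Browser", "203.0.113.7"),
]


def _ts(when):
    return datetime.strptime(when, "%Y-%m-%d %H:%M")


def foreign_accesses(activity, home_ips, since=None):
    """Records whose source is not one of our addresses, optionally only after `since`."""
    home = {ipaddress.ip_address(h) for h in home_ips}
    cutoff = _ts(since) if since else None
    return [rec for rec in activity
            if ipaddress.ip_address(rec[2]) not in home
            and (cutoff is None or _ts(rec[0]) > cutoff)]


def by_source(activity, home_ips):
    """Unexpected accesses grouped by IP: the list to run through whois, one address at a time."""
    grouped = {}
    for when, kind, ip in foreign_accesses(activity, home_ips):
        grouped.setdefault(ip, []).append((when, kind))
    return grouped


def clean_since(activity, home_ips, reset_time):
    """After changing the password and signing out other sessions at `reset_time`,
    True means only our own addresses have appeared since."""
    return not foreign_accesses(activity, home_ips, since=reset_time)


if __name__ == "__main__":
    for ip, hits in by_source(ACTIVITY, HOME_IPS).items():
        print(ip, "->", hits)
    print("clean since reset:", clean_since(ACTIVITY, HOME_IPS, "2011-01-02 08:00"))
```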

Password Policies
This should remind all of us to:

  • Use passwords that contain upper/lower case letters, numbers, and punctuation.
  • I require my family to use fully random characters that do not spell anything.
  • Password length, at least in my opinion, should be 14 characters for all financial institutions.
  • Passwords can be shorter for sites with fewer security concerns, an online forum perhaps.
  • Never use the same password anywhere else.
  • Use some secure method to record your passwords.  There are several online services to help you manage them.  Some services use 3-way authentication, which is what I require for my family.
  • Change passwords regularly, which is easier to do using one of the online services.
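The policy in the list above as an added Python checker: character classes, a length floor that depends on the kind of site, a "does not spell anything" test, and a reuse test done on hashes so the audit never stores passwords in the clear. This is example code written for this post, not something the author published; the 14-character floor for financial sites comes from the post, the other tiers and the small word list are assumed.

```python
import hashlib
import string

# Minimum length per kind of site: 14 for financial institutions is from the post;
# the other tiers are assumed values for illustration.
MIN_LENGTH = {"financial": 14, "general": 12, "forum": 8}

# Small constructed word list; a real check would use a full dictionary.
WORDS = {"password", "summer", "winter", "dragon", "monkey", "welcome", "letmein"}


def character_classes(password):
    return {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }


def spells_something(password, words=WORDS):
    """Random characters should not contain a dictionary word of four or more letters."""
    lowered = password.lower()
    return any(word in lowered for word in words if len(word) >= 4)


def fingerprint(password):
    """Store only a hash, so the reuse check never keeps other sites' passwords in the clear."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password, tier, other_fingerprints=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH[tier]:
        problems.append(f"shorter than {MIN_LENGTH[tier]} characters required for {tier} sites")
    missing = [name for name, present in character_classes(password).items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if spells_something(password):
        problems.append("contains a dictionary word")
    if fingerprint(password) in set(other_fingerprints):
        problems.append("already used on another site")
    return problems


if __name__ == "__main__":
    bank_fp = fingerprint("q7#Vx2!pL9@mWz")
    for pw, tier, others in [("Summer2011!", "financial", []),
                             ("q7#Vx2!pL9@mWz", "financial", []),
                             ("q7#Vx2!pL9@mWz", "forum", [bank_fp])]:
        print(tier, pw, "->", check_password(pw, tier, others) or ["ok"])
```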

In closing, it would be nice to think that the Internet is a friendly and useful place, and it certainly is.  However, security should always be a concern.  Hacking techniques constantly evolve, and one needs to stay up to date on one's computer/network security infrastructure.