The Challenges were:
- KyLinTV STB only supports WEP and WEP is not secure
- KyLinTV needs to have priority over other Internet traffic excluding my VOIP service.
- It needs to be wireless since the cable modem is on the opposite end of the house and there is too much attenuation on the power lines to successfully use power line networking.
- I only have one public IP address available.
The Equipment:
The Solution:
Ok, so we all know that WEP is completely insecure. If you don't know that do some research online and you will soon realize it is not acceptable for use if you will have other computers or accessories on the same network. However, KyLinTV only supports WEP security in the wireless card built-in to the STB (Set Top Box)
I have several other computers, network printers, NAS, media players and VOIP adapters on my primary wireless network. That network uses the DIR-655 since the speed is much better and it has QOS (Quality Of Service) controls which allow me to adjust the priority of various traffic on the network both wireless and outgoing/incoming Internet traffic.
The DIR-655 also has DMZ functionality which allows for a virtually segmented network which I can place the KyLinTV STB and second router using WEP on. The DMZ disallows hackers to access my primary network but does allow outgoing and incoming Internet traffic for the KyLinTV STB. This is key for many reasons but the most important is I don't want to share my network and data with others outside of my house and I don't want people snooping on my Internet usage.
I placed the WBR-2310 behind my DIR-655 like this:
- WAN port of WBR-2310 connects to LAN port of DIR-655
- WBR-2310 is set with a reserved DHCP IP address
- WBR-2310's IP address is set as the DMZ in the DIR-655 setup
- QOS setting is set to VI (Video) for the IP address of the WBR-2310. This gives it second priority only lower than VOIP traffic.
- WISH (This is the wireless prioritization system) is set to provide second level priority to all wireless traffic from the IP address of the WBR-2310 only second behind VOIP traffic.
The WBR-2310 is setup as follows:
- MAC filtering is enabled to only allow the KyLinTV STB WLAN MAC (Found in "Network Setup") address access (Note: easy to spoof a MAC so don't assume security here)
- 128 bit WEP encryption
- DHCP for LAN is disabled (Two reasons: just one thing more for a hacker to deal with to discover the subnet and more importantly KyLinTV STB will need to connect to the wireless router and then go through the process of requesting an IP address each time the unit is powered on. This saves you about 5-20 seconds of start up time each power-on of the STB.)
- Privacy separation ON
- Password protection on the administrative account
- No wireless configuration allowed
- SSID Broadcast OFF
This is by no means 100% secure, but it is the best you can do with WEP. Anyway, even if it is broken into the only thing they will gain access to is the Internet and the KyLinTV STB. If they want it that bad I am almost inclined to let them have access ;)
KyLinTV STB setup:
- Static IP on a different sub net than the primary network (Start-up Time Saver 5-20 secs)
- 128 bit WEP to match that of the WBR-2310
So I hope this makes sense. If you need further explanation let me know. Thus far it is working great.
No comments:
Post a Comment