Posted on 06/01/2004 7:36:03 AM PDT by KansasConservative1
I have heard rumors regarding a Class Action lawsuit against Linksys / Cisco regarding the WRV54G. I too have had inumerable problems with this "VPN" router. Here is a partial list of my most recent. Also, I build networks for a for a living so I am not a rookie with routers or VPN connectivity.
- Router "goes away" every day or two and takes multiple resets to get it working
- Procedures for getting the microsoft software VPN client to work with it have only worked once and fail to work reliably or at all since.
- I have found no other software client (surprisingly Greenbow does not work either) that actually works with it.
- Many small errors... like changing the timezone to Central only to have it return to Pacific every time I commit.
- Numerous router to router lab tests have failed. The WRV54G appears not to be able to talk to a similar model.
- Rumors of transverse nat not working are abound on the internet. I cannot test because I cannot get it to work even once (even with support calls)
- Support calls are scripted and end in "we know that it works" yet they can provide no configuration examples of client examples becides the "windows client". Which as I said earlier, I saw work once for about 10 seconds.
On a positive note: For a VPN router that does not VPN nor route reliably, the wireless range is impressive.
Please post Class Action information or send privately to my account. KC1
By Robert X. Cringely
One of the cheapest Linux computers you can buy brand new (not at a garage sale) is the Linksys WRT54G, an 802.11g wireless access point and router that includes a four-port 10/100 Ethernet switch and can be bought for as little as $69.99 according to Froogle. That's a heck of a deal for a little box that performs all those functions, but a look inside is even more amazing. There you'll find a 200 MHz MIPS processor and either 16 or 32 megs of DRAM and four or eight megs of flash RAM -- more computing power than I needed 10 years ago to run a local Internet Service Provider with several hundred customers. But since the operating system is Linux and since Linksys has respected the Linux GPL by publishing all the source code for anyone to download for free, the WRT54G is a lot more than just a wireless router. It is a disruptive technology.
A disruptive technology is any new gizmo that puts an end to the good life for technologies that preceded it. Personal computers were disruptive, toppling mainframes from their throne. Yes, mainframe computers are still being sold, but IBM today sells about $4 billion worth of them per year compared to more than three times that amount a decade ago. Take inflation into account, and mainframe sales look even worse. Cellular telephones are a disruptive technology, putting a serious hurt on the 125 year-old hard-wired phone system. For the first time in telephone history, the U.S. is each year using fewer telephone numbers than it did the year before as people scrap their fixed phones for mobile ones and give up their fax lines in favor of Internet file attachments. Ah yes, the Internet is itself a disruptive technology, and where we'll see the WRT54G and its brethren shortly begin to have startling impact.
You see, it isn't what the WRT54G does that matters, but what it CAN do when reprogrammed with a different version of Linux with different capabilities.
Yes, smartypants, I know that other wireless access points and routers run Linux or can be made to run Linux. It didn't take long for hackers to figure out that Apple's original AirPort access point used a version of the 486 processor and could be convinced to speak Linux. But the WRT54G is different. This is a $70, not a $299 box and its use of Linux is no secret. Linksys, now owned by Cisco, not only doesn't mind your hacking the box, they are including some of those hacks in their revised firmware.
We're not in Kansas anymore.
Probably the most popular third-party firmware you can get for the WRT54G comes from Sveasoft, a Swedish mobile phone software company. Actually, Sveasoft is only kinda-sorta Swedish since the head techie (and for all I know the company's only employee) is James Ewing, a former contract programmer from California. Ewing took time off to visit Honduras where he met a woman from Sweden, and a decade ago moved with her back to Scandinavia, where they live three kilometers from the mainland on an island without broadband Internet service. Looking for a cheap wireless connection much like the one I had a few years ago in Santa Rosa, Ewing discovered through the Seattle Wireless Group web site the amazingly adaptable WRT54G, and has devoted much of his time since to improving the little box's firmware.
If you have a WRT54G, here's what you can use it for after less than an hour's work. You get all the original Linksys functions plus SSH, Wonder Shaper, L7 regexp iptables filtering, frottle, parprouted, the latest Busybox utilities, several custom modifications to DHCP and dnsmasq, a PPTP server, static DHCP address mapping, OSPF routing, external logging, as well as support for client, ad hoc, AP, and WDS wireless modes.
If that last paragraph meant nothing at all to you, look at it this way: the WRT54G with Sveasoft firmware is all you need to become your cul de sac's wireless ISP. Going further, if a bunch of your friends in town had similarly configured WRT54Gs, they could seamlessly work together and put out of business your local telephone company.
That's what I mean by a disruptive technology.
The parts of this package I like best are Wonder Shaper and Frottle. Wonder Shaper is a traffic-shaping utility that does a very intelligent job of prioritizing packets to dramatically improve the usability of almost any broadband connection. If you supposedly have all this bandwidth, but uploading slows your downloading to a crawl or web surfing makes your VoIP phone calls break up, you need Wonder Shaper. At the expense of the top 10 percent of upstream and downstream bandwidth, Wonder Shaper makes brilliant use of what's left over. The result is that not only are phone calls and web serving unaffected by each other but your wireless ISP customers won't have a measurable effect on your surfing, either.
Frottle is another Open Source product, this one coming from a network of wireless networks in Western Australia. Frottle's job is to cure the hidden node problem that was left unsolved in the original Wireless Distribution System (WDS) 802.11 specification from 1999. Hidden nodes are wireless clients or access points that are out of range from one party in a client-AP data transfer. 802.11's CSMA/CD technology assumes that all parties can listen on the line and avoid collisions. But on a wireless network this isn't always possible, so Frottle uses a token-passing scheme (yes, just like Arcnet or Token Ring) to make sure only one node at a time can talk whether the clients can hear each other or not. Maximum bandwidth is limited but maximum throughput is increased, which is why IBM used to argue that Token ring's four megabits-per-second was more bandwidth than Ethernet's 10 megabits.
Neither Wonder Shaper nor Frottle are the most elegant solutions, but they work well and they work together on the Sveasoft firmware.
The result is a box you connect to power, to a DSL or cable modem and MAYBE to your PC (if all you want to be is a service provider the PC isn't needed) and it automatically attaches itself to an OSPF mesh network that is self-configuring. In practical terms, this mesh network, which allows distant clients to reach edge nodes by hopping through other clients en route, is limited to a maximum of three hops as the WiFi radios switch madly back and forth between sending and repeating modes. If you need to go further, switch to higher-gain antennas or gang two WRT54Gs together. Either way, according to Ewing, his tests in Sweden indicate that if 16 percent of the nodes are edge nodes (wireless routers with DSL or cable modem Internet connections), they can provide comparable broadband service to the other 84 percent who aren't otherwise connected to the Net.
There is an obvious business opportunity here, especially for VoIP providers like Vonage, Packet8 and their growing number of competitors. If I was running a VoIP company ,I'd find a way to sell my service through all these new Wireless ISPs. The typical neighborhood WISP doesn't really want to DO anything beyond keeping the router plugged-in and the bills paid, so I as a VoIP vendor would offer a bundled phone-Internet service for, say, $30 per month. I handle the phone part, do all the billing and split the gross sales with the WISP based the traffic on his router or routers. If one of my users walks around with a WiFi cordless phone, roaming from router to router, it doesn't matter since my IP-based accounting system will simply adjust the payments as needed.
The result is a system with economics with which a traditional local phone company simply can't compete.
That's just one idea how these little routers might be used. The actual killer app will probably be something altogether different, but I am convinced this is the platform that will enable it. And that's because what we are talking about here isn't just what you can do with a WRT54G, but what you will soon be able to do with almost any wireless access point.
The cat is out of the bag. This same firmware runs on Belkin, ASUS, and Buffalotech routers today. The source code comes from Broadcom, not Linksys. Linksys paid a Taiwanese company called Cybertan to customize the Broadcom standard Linux distribution that is given to all manufacturers. Two years from now, the current crop of name-brand routers will give way to dirt cheap generics from China and Taiwan with exactly the same hardware and chips. If you look inside the current 802.11g crop from the big names you have basically two routers -- Broadcom and Atheros. They are all based on reference designs and are essentially identical internally.
A well-funded VoIP company like Vonage could today start WISP-based deployment one city at a time. With newspaper ads and direct mail, they could recruit what would be essentially micro-franchisees, each of which would get at cost a pre-configured router (or my preference -- a pair of routers) and a DSL or cable broadband account. Since each node costs the VoIP provider exactly nothing, the problem of flaky franchisees is eliminated by over-building the network and conscientious franchisees make more money as a result. For $50 down and $30 per month the franchisee makes $93.75 per month (provided they keep the connection up and running). Want more revenue? Put routers in all your stores or delivery trucks or in the homes of your friends in exchange for giving them free Internet and/or phone service. Your take per router drops to $78.75 but your gross profit margins are still more than 70 percent.
Or imagine a school or a church distributing routers among parents or parishioners as a fund-raiser. Let's see how long SBC or Verizon lasts against the Baptists. Now THAT's disruptive.
"the WRT54G is a lot more than just a wireless router. It is a disruptive technology."
I would call it a disruptive technology... For other reasons.
I don't have a wireless router but I got sick of having to reset my Linksys Broadband Router a couple of times a day and have replaced it with a different brand.
I use a BEFSX4 and it's been doing fine.
>>the wireless range is impressive. <<
Why allow your neighbors to read what's on your hard drive? That's as crazy as discussing your financial information on a cordless phone........all it takes is for someone with a scanner to tape record the call and they have everything necessary to clean you out!
I follow proper security protocol.
No ESSID Broadcast,
128 Bit Wep.
MAC Filtering.
And if someone has a ton of computing power and want in, my locked down internet security firewall will slow them down enough.
It would be easier to break in to my house and take my computer.
"all it takes is for someone with a scanner to tape record the call and they have everything necessary to clean you out!"
You may need to learn a tad more about wireless communication prior to commenting on this thread. "Tape recorder..."
And what realworld good will turning off ESSID BC do?
None, zip, zero against a person who know what they are doing.
True. But it is good foundational practice. Do you not agree?
I can tape verbal conversations from my scanner with a tape recorder.
We had a BEFSR41 for a couple of years, and it worked
just fine. The cable modem needed power-cycling more
often than the router, but both where infrequent.
We now have a WRT54G, and it works with any of
the computers (powerbook, dell, shuttle) that
we have tried at home.
Install an OS, and all sorts of packages and such to add
dubious functionality? No thanks. Sounds cool, but it
sounds too much like work.
I'm almost to the point of insisting that the children
fill out a software change form when they want me to
install something on their computer :)
"We now have a WRT54G, and it works with any of
the computers (powerbook, dell, shuttle) that
we have tried at home."
Do you use the VPN functionality? What about the reboots etc?
From: http://www.icsalabs.com/html/communities/WLAN/wp_ssid_hiding.pdf
This presence in management messages, or frames, is an oft-overlooked detail of the IEEE 802.11 specification that is critical to debunking the myth of SSID hiding. Management messages are always sent in the clear, even when link encryption (WEP or WPA) is used, so the SSID is visible to anyone who can intercept these frames.
http://www.wirelessweek.com/article/NEa0503296.1iw?verticalID=360&vertical=Applications
Wireless risk prompts big firms to act
May 5, 2004 12:00am
South China Morning Post Publishers Ltd.
SOUTH CHINA MORNING POST via NewsEdge Corporation : Faced with complex security threats, enterprises in Asia have started to extend network protection to all portable communications and computing devices linked to wireless internet systems.
Industry experts said a growing number of large firms were becoming aware that traditional perimeter security alone was insufficient to keep unwanted threats - spread from so-called wireless client devices - from infecting corporate networks and spreading to other client machines.
According to Gartner Dataquest, more than 20 million handheld computers have been sold in the past five years but only a minuscule 1 per cent of these devices carried simple virus protection.
"Networks have never been so vulnerable," said Eka Hartono, senior regional product marketing manager at information security systems specialist Symantec.
"The presence of a wireless connection elevates overall security concerns, as more connected client devices present an inherently higher security risk to an organisation. But any single security technology alone, such as anti-virus software, can no longer protect businesses against sophisticated internet threats."
That is why many large businesses, mainly multinational operations across the region, are moving rapidly to implement multiple security functions to connected mobile devices.
Ms Hartono said Lonely Planet - with offices in Melbourne, Oakland, London and Paris - was an early adopter of Symantec's Client Security 2.0 software, which offers a quick single update mechanism for virus definitions, firewall rules and intrusion detection signatures when any network attack occurs.
She claimed the new Symantec system was more efficient and effective than multiple security technology updates.
Colorado-based Configuresoft, for example, provides configuration management software that simply focuses on correcting and assessing configuration settings on remote machines every time they connect to an enterprise's internal network.
For basic anti-virus deployments, Symantec has also made available its AntiVirus for Handhelds Corporate Edition 3.2 for Palm and Windows-based handheld computing and communications devices. The setup can be accomplished without synchronising with a desktop system. .end (paragraph)<>
<< Copyright ©2004 South China Morning Post Publishers Ltd. >>
http://www.mirrors.wiretapped.net/security/info/textfiles/risks-digest/risks-23.16
Date: Mon, 26 Jan 2004 16:13:37 -0600
From: Chris Meadows aka Robotech_Master Subject: Another wireless risk
The other day I was in the position of needing to print out my credit card site's invoice display. Since I don't have a fully functional printer at home, and I needed to make a photocopy anyway, I decided to take my Mac Powerbook down to Kinko's and print it off there.
The problem was, when I plugged the Powerbook into their Ethernet link (called a "Macintosh link" for some reason by their onsite documentation...never mind that any computer with an Ethernet port could use it), I couldn't reach the Internet. (Nor could I see any printers in my application...and the printer driver disk the Kinko's clerk helpfully offered didn't help, because it only had drivers for OS 9, not OS X.) However, the fellow who'd just vacated the laptop station had been using wireless, and he said that should work. And I did a quick scan, found an open wireless router labelled "linksys," (the way they didn't even bother to change the default name should have warned me, I suppose...but given the general lack of computer adroitness I had observed in the staff, that carelessness seemed to fit right in) with a Lexmark printer on it, and Internet access...so I called up the invoice and hit print, then asked the Kinko's clerk where that particular printer was.
Longtime RISKS readers should be able to guess what came next. "But we don't have a wireless network...and we don't have any Lexmark printers either." Further research indicated that the wireless router was hooked into a Bellsouth DSL connection, presumably someone's nearby home or business. So I had just printed my credit card invoice to some total stranger's printer...and had no way even to find out where it was so I could get it back. Fortunately, the invoice didn't contain any *truly* sensitive information, such as my SSN or account number (beyond "ends with ...."). And I was closing that account anyway.
The risk here is kind of the inverse of the "usual" risk associated with a wireless system...instead of "you never know who might be using your network," it's "you never know whose network you might be using." The combination of an open wireless network and a location where you would expect there to be one can easily enough confuse you into conflating the two.
I challenge you to break into my Linksys setup. Like Kansas, no SSID broadcast and MAC filtering, plus TKIP encryption, changed SSID (guessing Kansas did that too) and no DHCP. I also change the configuration every once in a while: wireless channel, SSID, assigned IPs, admin and wireless passwords.
Yes, it's still theoretically possible to break into my wireless network, but not very practical unless you are an ueber wireless hacker with lots of time on your hands. It'd be better if you lived near me or I might notice that van parked out front for the next few months while you sniff packets (make sure to keep up with the password, SSID and channel changes in that time).
As with Kansas, easier to break into the house and steal my computers.
But it is sad the way some people set them up. When I look for networks on my computer, there's one called "Linksys" with no encryption within range.
All of the things you can do to secure a wireless network generally add up. Sure, no SSID won't stop l33t h4x0r , but 1) it's one more thing he has to deal with and 2) it stops the wannabes.
It's about as much protection as adding a layer of tissue to you M1A1 armor.
Thanks for the article post. I actually understand companies are hesitant about wireless. I am sure that wireless decreases security to an extent. The primary security I have is my "lack of importance." The only people that "should" want to hack me are people looking for free internet. I can easily stop them. Now, if a minor country wants my information, then maybe they can get it. In the case of a company with a ton of classified or other information, I would recommend against wireless. I believe that if it was configured properly it would be as secure as anything. However, if someone makes a mistake on configuration, then you have problems.
As I said, for a good hacker it's just one more thing he has to do. But less knowledgeable people out there fiddling around will be stopped by it. The question is, why NOT do it?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.