D-Link Forums

The Graveyard - Products No Longer Supported => Routers / COVR => DIR-645 => Topic started by: jclarkw on December 29, 2016, 09:22:54 PM

Title: DMZ Safe on DIR-645?
Post by: jclarkw on December 29, 2016, 09:22:54 PM
I'm still using this little beauty; in fact I have 3 of them now (NA HW A1 FW 1.06B01) chugging along reliably, thanks to all the help from this forum.

I'm wondering whether using the DMZ feature (with a static IP address of course) would be a security risk to the fire-walled part of my LAN.  I'm planning to hang a video streaming box (Roku) on the LAN, but I don't  want my other LAN computers to be exposed to it.   Maybe there's a better way, like cascading two routers with the protected LAN on the inside and the Roku on the outside?

Any guidance/cautions on this would be greatly appreciated. -- jclarkw
Title: Re: DMZ Safe on DIR-645?
Post by: jclarkw on December 31, 2016, 11:32:25 AM
The above question just got more complex because it turns out to be impossible to set a static IP address on a Roku.  The only alternative I see is to assign its MAC address a DHCP reservation in the router.  I don't know how much less secure this makes the DMZ (assuming it was secure in the first place).  Any ideas/suggestions?

Happy New Year to All! -- jclarkw
Title: Re: DMZ Safe on DIR-645?
Post by: jclarkw on December 31, 2016, 12:07:25 PM
Maybe I'm not being completely clear:  I thought routers used to be made with hardware (physical Ethernet port) DMZ connections.  (Do they even make consumer routers with hardware DMZ ports anymore?)  These were pretty unambiguous and easy to trust.  One could hook a wireless access point to one and create an insecure WiFi LAN that was presumably independent from the fire-walled private LAN, although sharing the same Internet connection.  With the software variety (as on the DIR-645 and apparently most others these days), it's not obvious that they cannot be easily subverted, especially if the "static" IP address is only assigned by a DHCP reservation.  So my question is, does experience indicate that the latter arrangement is sufficiently secure, in particular in the DIR-645 (or in other consumer D-Link routers)? -- jclarkw
Title: Re: DMZ Safe on DIR-645?
Post by: FurryNutz on December 31, 2016, 12:14:03 PM
Seems like you're having a great conversation with yourself. I'll leave you be and not interrupt.  :o

BTW, DMZ is safe to use.  ::)
Title: Re: DMZ Safe on DIR-645?
Post by: jclarkw on December 31, 2016, 12:22:06 PM
BTW, DMZ is safe to use.  ::)

OK, thanks!  I hope all is well with you in the New Year! -- jclarkw
Title: Re: DMZ Safe on DIR-645?
Post by: FurryNutz on December 31, 2016, 12:36:41 PM
Ya you can use DMZ for your Roku, just know that it will be exposed to the full-on Internet if that's what you want. I use the DMZ for my ATT Microcell. Works well.

2016 is the crappiest year ever.  >:(

Hoping 2017 will be great for you and me Sir.  ::)
Title: Re: DMZ Safe on DIR-645?
Post by: jclarkw on December 31, 2016, 12:45:23 PM
BTW, DMZ is safe to use.  ::)

I realize that Steve Gibson is viewed as a loose cannon by many in the Internet security business, but further research just turned up the following quote from "https://www.grc.com/nat/nat.htm":

"As the NAT router block diagram above shows, a NAT router has a standard Ethernet switch interconnecting ALL of its LAN-side ports. There's nothing 'separate' about the port hosting the special 'DMZ' machine. It's on the internal LAN! This means that anything that might crawl into it through a forwarded router port, or due to its being the DMZ host, has access to every other machine on the internal private LAN. (That's really bad.)  What can be done to create a super-secure internal LAN, while still allowing the flexibility of having one or more security-challenged DMZ or port-forwarded machines? Just use a secondary NAT router..."

This takes me back to my earlier cascaded-router idea.  Unnecessary over-kill? -- jclarkw
Title: Re: DMZ Safe on DIR-645?
Post by: FurryNutz on December 31, 2016, 12:54:19 PM
You might review this:
How to extend network without AP Mode using a Router (http://forums.dlink.com/index.php?topic=53250.msg202549#msg202549)

BTW, I've been a Steve Gibson since my early PC days. SpinRite baby! Was a great HDD program.
Title: Re: DMZ Safe on DIR-645?
Post by: jclarkw on December 31, 2016, 01:09:39 PM
You might review this:
How to extend network without AP Mode using a Router (http://forums.dlink.com/index.php?topic=53250.msg202549#msg202549)

BTW, I've been a Steve Gibson since my early PC days. SpinRite baby! Was a great HDD program.

Thanks again.  Always a pleasure working with you.  Enjoy your Champagne (or whatever is your preferred beverage). -- jclarkw
Title: Re: DMZ Safe on DIR-645?
Post by: FurryNutz on December 31, 2016, 03:13:22 PM
Ya will be drinking something.  :o

Happy New Year to you and yours.  ;)
Title: Re: DMZ Safe on DIR-645?
Post by: jclarkw on January 06, 2017, 03:05:51 AM
You might review this:
How to extend network without AP Mode using a Router (http://forums.dlink.com/index.php?topic=53250.msg202549#msg202549)

BTW, I've been a Steve Gibson since my early PC days. SpinRite baby! Was a great HDD program.

Guest Network Option:  I have been advised to put the Roku on the "Guest" network of the router.  I THINK this allows direct access to the WAN without any filtering (i.e., bypassing the firewall, MAC filter, and DHCP reservation), similar to the DMZ, but isolates the rest of the LAN from access by guests.  Correct?

Other Questions:

1) Can the LAN computers access devices on the Guest network?

2) Is this a secure alternative in your opinion, or is it better to follow Steve Gibson's advice and cascade two routers?

Best Regards -- jclarkw
Title: Re: DMZ Safe on DIR-645?
Post by: FurryNutz on January 06, 2017, 07:09:44 AM

Guest Network Option:  I have been advised to put the Roku on the "Guest" network of the router.  I THINK this allows direct access to the WAN without any filtering (i.e., bypassing the firewall, MAC filter, and DHCP reservation), similar to the DMZ, but isolates the rest of the LAN from access by guests.  Correct? Yes

Other Questions:

1) Can the LAN computers access devices on the Guest network? Not sure, never tried this before. I presume if the FW allows GZ access to the LAN side, it may be possible. Let us know if you find out anything.

2) Is this a secure alternative in your opinion, or is it better to follow Steve Gibson's advice and cascade two routers? I presume the cascade method would be more secure. However if you're just using the Roku for streaming and nothing else and nothing else has access from the LAN side, I presume it would be ok to use as well. Just know that any device on the DMZ may be susceptible to forms of attacks and scans for accessibility.  ::)


Title: Re: DMZ Safe on DIR-645?
Post by: jclarkw on January 06, 2017, 11:04:42 AM
Furry -- I always assume you know everything, but have you seen this?  Steve Gibson recently proposed a three-router solution that better isolates un-trusted devices from trusted ones:

https://www.pcper.com/reviews/General-Tech/Steve-Gibsons-Three-Router-Solution-IOT-Insecurity

I use the above link because it gives nice illustrations for what Steve proposed in Episode #545 of "Security Now!" on 02 Feb 2016 and takes it even further.  Maybe overkill, but most of us have old routers lying around... -- jclarkw
Title: Re: DMZ Safe on DIR-645?
Post by: FurryNutz on January 06, 2017, 11:13:23 AM
Kewl info and will keep that handy however for the average home user which may be the majority here, a single router is what they want and need. More advanced users maybe yes. Ya I can do this as well with my multitudes of routers, however for my needs and simplicity, single works well for me and is safe.

Do you feel that the Roku is a susceptible device?

Title: Re: DMZ Safe on DIR-645?
Post by: jclarkw on January 06, 2017, 11:33:53 AM
Do you feel that the Roku is a susceptible device?

Not really.  I don't know much about it yet; and while I'm at it, I might want to add other people/things to an isolated network.  It sounds as though guest mode would do the job, at least on routers that offer the needed isolation; but you never know if it really works as advertised until you do extensive testing, for which few of us have time...
Title: Re: DMZ Safe on DIR-645?
Post by: FurryNutz on January 06, 2017, 11:36:31 AM
Well if you get some time, let us know. Ya I think GZ will be ok. That's also tied to the WAN side so you may see some issues like with the DMZ.
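
Added example, not part of the forum thread or any D-Link tooling: one way to test whether a DMZ, Guest Zone or cascaded-router setup actually isolates the trusted LAN, as the thread asks. Run it from a laptop temporarily attached to the untrusted segment; the host addresses and port list are constructed sample values to replace with your own.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed sample values (assumptions): addresses of your own trusted-LAN
# machines and a few service ports commonly open on home PCs and NAS boxes.
TRUSTED_HOSTS = ["192.168.0.10", "192.168.0.20"]
PORTS = [22, 80, 139, 445, 3389]


def probe(host, port, timeout=1.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'no-reply'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Something answered actively: either the target host sent a reset
        # (the packet crossed the boundary) or the router rejects rather
        # than drops. Either way it needs a closer look.
        return "refused"
    except OSError:
        # Timeout or unreachable: nothing came back from the trusted side.
        return "no-reply"


def check_isolation(hosts, ports, timeout=1.0):
    """Return (host, port, state) for every probe that got any answer."""
    pairs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = list(pool.map(lambda hp: probe(hp[0], hp[1], timeout), pairs))
    return [(h, p, s) for (h, p), s in zip(pairs, states) if s != "no-reply"]


if __name__ == "__main__":
    findings = check_isolation(TRUSTED_HOSTS, PORTS)
    for host, port, state in findings:
        print(f"ANSWER from trusted side: {host}:{port} ({state})")
    print("isolation needs review" if findings else "no probed port answered")
```

An empty result only covers the TCP ports probed; repeat the run in the other direction (from a trusted PC toward the untrusted device) to answer the LAN-to-Guest question as well.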