[Nottingham] Setting up a router at uni
jmthelostpacket at googlemail.com
Wed Aug 27 00:27:19 UTC 2008
Danny King wrote:
> Thanks Martin,
> I just got an email from the IT team and they said it was fine to take
> more than one computer as long as I register each one through their
> "registration process", whatever that is.
Basically, they're making sure that they're billing students for their
net usage. They also, understandably, like to be sure of what equipment
is connected to their network...
> I think I'll look into finding/buying a little hardware router rather
> than using a spare computer. Other students are what I'm worried
> about, especially since I have full intentions of getting some friends
> together to try and test out security on our boxes! As for capability,
> is NAT the only requirement I should be looking for?
> Thanks again.
NAT routers do two things - they route data packets to the correct
machine in their slice of LAN, and silently drop (or bounce) rogue
packets (pings, other incoming packets) which aren't accompanied by the
correct header information for the router to know where that packet is
going. DMZ and port forwarding rules bypass this by routing all "other"
incoming packets (those not routed to systems on the LAN) to the DMZ,
those directed through specific ports to specified addresses on the
local network. Ergo, NAT routers by their nature are hardwalls.
More sophisticated NAT routers can include AV, SPI (Stateful Packet
Inspection, which is the firmware's ability to determine the protocol
used, the source and destination IPs of each packet (thus be able to
hold open a port for that connection), and the default behaviour of
dropping each and every packet that does not adhere to strict
preprogrammed filter rules - this makes an SPI-equipped router
practically invulnerable to ICMP spoof attacks and other such packet
flooding behaviour: at least, that's the theory. Linksys WRT54GS
routers, for instance, were so broken in early models that [from
experience] literally every one sold was returned faulty within days or
even hours with the same firmware problem). More recent models of
SPI-equipped routers are a lot more stable, and while a little more
expensive than bog-standard routers (the £20 jobs...) they are a lot
more secure, in every sense of the word.
More information about the Nottingham