Is the D-Link DIR-655 secure enough for a small bizz ?

[Chimworth]

Hi, after finding your site and reading the charts I picked up a D-Link DIR-655 and love it! I don't use the wireless often, but when I do I can't believe how far away I can be and still get a connection! But anyways this is for home use so I don't get overly concerned about security(not the type to keep personal info on my machines)...

But now I am wanting to recommend this router to my sister to use in her small business. Before I do, I'd like to know if this router's security or firewall like features are the same/better/worse then another wireless router. And if for example, it's as good as others would some type of additional firewall unit between it and the link to the web be a good idea?

Thanks in advance for reading and any advice you guys can give me

 

[scotty]

Generally speaking, yes. But as with anything it depends on the needs of the business. A few things to consider:

- Service / Support - A 655 is a home user product and as such if something happens to it you'll likely be waiting at least a week or two for a replacement. This may or may not be acceptable for the business.

- Controlling Outbound Traffic - Home user routers control inbound traffic, but don't control outbound traffic to virtually any extent. This can become important for controlling internet access and general security of the environment. This can be important as a lot of spyware and malware apps like to phone home on wierd ports and depend on this.

- VPN - The device will let VPN tunnels through, but can't act as an end-point. You can always set up windows server or something else to do this, but this is just something to consider if there might be secondary home offices or teleworkers.

- General Stability - The 655 is a pretty solid product, but generally home user routers don't have the same kind of beef behind them that business class routers do. For $300 - $500, the Linksys RV0 or a sonicwall/watchguard product might be better.

Personally, I never use home-user grade routers in a business environment, unless it's like a 2 or 3 person shop. In my experience of doing small-medium business IT consulting for the past decade, I've seen far too many home-user grade devices crap out. I would much rather spend a couple extra hundred dollars for a more beefy unit that typically with have a better warranty, better service, etc. That's just my opinion based on my own experience. I know lots of business that still use home-user class devices without much issue.

The 655 is a good unit, but I'd go for a Linksys RV0, Sonicwall TZ, or Watchguard X Edge personally.

 

[Brandon]

Cisco and Juniper both make low end systems as well, wich are on the same price range as SonicWall/WatchGuard. I personally use an ASA5505 for my home. I would go with something a bit more if it's not an in-home shop, and even then it's really iffy.

Most routers do provide quite a bit of protection however, just depends on what you feel you need. I made a small write up on this a few months back that may help you.

 

[scotty]

Ha! That was just the article I was going to point you towards. That explains a lot of what's relevant here. Good on Brandon for writing it.

Another consideration to keep in mind is that many small business class routers have extra subscription-based features that might be of value to you or the business. Most have IDS, Web-Filtering, and Spam blocking services which you can add or activate for a fee (i.e. all 3 of these generally cost about $150/yr on a Watchguard for example). I've thrown in a few watchguards and sonicwalls with these services in small offices and they ended up being of huge value for the business. In one case, there was a client of mine that was a small retail shop getting absolutely rediculous amounts of spam. They were also very hesitant to spend anything more than about $100 on a router. I sold them what ended up being a $750 Watchguard with the SPAM filtering service enabled on it, and ever since they've said it was worth every penny. That, and they don't have to reboot the router every couple weeks.

 

[Brandon]

I read something this morning about a new "exploit" of sorts, which really makes me glad I went that rout. This guy wrote a virus that installs a new NIC firmware, which allows it to then use the PCI bus to do anything it wants, including installing it on the other. From there, it just bridges the NIC's via the PCI (Normally for a firewall box, it goes to the OS and back).

I don't think every NIC is explitable like this, however a lot seem to be. This is a really really scary thought for all of those that use Linux PC's as firewalls.

 

[jdabbs]

I read something this morning about a new "exploit" of sorts, which really makes me glad I went that rout. This guy wrote a virus that installs a new NIC firmware, which allows it to then use the PCI bus to do anything it wants, including installing it on the other. From there, it just bridges the NIC's via the PCI (Normally for a firewall box, it goes to the OS and back).

I don't think every NIC is explitable like this, however a lot seem to be. This is a really really scary thought for all of those that use Linux PC's as firewalls.

Malicious code can do a number of wonderful, terrible things. Although hardware-based rootkits are better positioned to evade detection and/or removal, the primary concern in evaluating this virus should be susceptibility (dependent upon the method of transmission and effectiveness of current defenses).

That's where the "exploit" itself comes in: there's an important distinction between targeting hardware, and targeting a particular device's drivers. The latter has a reduced scope, as drivers are OS dependent. I haven't read the same article, so I can't tell you which is the case. Although exploiting driver flaws has always been a valid option, exploiting network drivers hit the mainstream in 2006, with the Macbook Wi-Fi "hack" (it was a third party card, and the resulting controversy more about the researcher's coyness and whose fault the flaw really was).

To tie this in with and somewhat answer the OP's interests, to the best of my knowledge there are no currently disclosed vulnerabilities for the DIR-655. However, let's look at D-Link's track record. There's a lot of room for improvement WRT responding with fixes for security issues. They are about on par with Linksys, and better than Netgear, though the number of issues is probably due more to the number of eyes looking at a particular device than any inherent characteristics.

My recommendation to the OP is to go with the DIR-655 if it's suitable in every other aspect. If you're seriously considering a consumer router, "real" security (provided by a manufacturer that feels obligated to fix your issue) isn't in your price range, and in that respect the products that are can be considered to be on par. The best you can do to protect yourself is to stay reasonably informed of issues that pertain to your device. If I were a betting man, I'd wager that any eventual compromise would come from opening the wrong email attachment, where all your best-laid security plans are woefully inadequate.

 

[Chimworth]

Let me 1st say "wow" you guys are realy helpfull! I don't think I have ever posted in a forum before and received such detailed replies.

Thanks a lot!!

So from your replies I have quickly checked the few suggested products and I am now leaning towards the Sonicwall TZ 180 Wireless. Though this is quite a small office, maybe 3-4 users, it is a Dental Practice. So Personal Information Protection Act applies and having snoops peeking around would be very bad indeed. PC magazine did a pretty throrough review it seems and while not perfect it may be the best choice in this situation. reveiw is here: http://www.pcmag.com/article2/0,1895,2159533,00.asp

I know Cisco is the guru but I have only considered going for their certs and at this point have no experience trying to configure their systems. Plus on their site I couldn't figure out if it would even rout to a few workstations or what would be required to do so and for wireless as well.

So ease of use and set-up etc.. is my basis so far. In the 2nd to last paragraph of the review he mentions the keyloggers and trojan horses can get in without much trouble. Would you guys be able to suggest a solution for proctection against that? He also mentions that a wireless client would only be protected within the network and it confuses me if that is just against virus or hackers trying to get at your data..

Thanks again guys and any additional input will be appreciated

 

[Brandon]

AVG on the PC's.

In the world of working PC's, virus protection is Key! We currently use mostly TrendMicro products (ServerProtect, OfficeScan, Outbreak Management, ASA Trend Addin, and several more.. ) that have a very low footprint for a large company, however that's way overkill for your needs. Windows Server Antivirus can be a bit more complicated, as most won't install.

Trend Internet Security can be installed onto three computers with one licence (Non-server). Kaspersky makes a good product as well. ClamAV can be installed on server OS's, and is a free software.

Any Anti-virus will keep you going strong for a long time. The best all depends on what you like/need. I've used Trend Products for many years, so I will stand by them in a heartbeat. Other's love Nortan, and/or McAffee. All depends on price/likes/dislikes.

 

[scotty]

Good Choice! The TZ's are a great line of firewalls. I've installed dozens of them.

To clarify your questions.

What the reviewer is referring to with 'trojan horses and keyloggers getting though' - he was mentioning that in integrated security scanning software (in this case, McAfee), didn't stop everything. This isn't uncommon. Many AV scanners that are integrated into firewalls typically only catch the biggest vulnerabilities, but don't catch everything. Some firewalls are better at certain things than others (Watchguards and Astaros tend to be a bit stronger with this). This typically isn't a big deal, but remember security is a layered approach so good client-side AV/AS software is a must, which the reviewer mentions. I wouldn't worry about this point.

As far as 'wireless clients only being protected from the inside'... The reviewer notes that the security suite doesn't include a personal firewall, so if a wireless client is outside the network (i.e. wifi hotspot) they have only the windows firewall to rely on. This typically isn't a big deal, but it depends on the clients needs. If they're going to have laptops travelling alot with sensitive data on them, then perhaps the lack of a stronger firewall is a concern. That's up to you. And if you have medical information floating around on a laptop, data encryption is a zero-exception must. Again, that's another layer.

And regarding Cisco's, they definately have a rock solid products, but at the SMB level there's a lot of good competition. Cisco's are great in that they're very flexible, customizable, and you can be very granular with settings, but you're right they're not always the easiest to set up. They have a good Pix line for smaller applications (which can largely be configured via. a GUI), but personally I prefer other products in the SMB space. I love Ciscos as much as the next man (going for my CCNA as we speak), but I lean towards others in smaller applications.

Hope this helps.

 

[YeOldeStonecat]

Let me 1st say "wow" you guys are realy helpfull! I don't think I have ever posted in a forum before and received such detailed replies.

Thanks a lot!!

So from your replies I have quickly checked the few suggested products and I am now leaning towards the Sonicwall TZ 180 Wireless. Though this is quite a small office, maybe 3-4 users, it is a Dental Practice. So Personal Information Protection Act applies and having snoops peeking around would be very bad indeed. PC magazine did a pretty throrough review it seems and while not perfect it may be the best choice in this situation. reveiw is here: http://www.pcmag.com/article2/0,1895,2159533,00.asp

I know Cisco is the guru but I have only considered going for their certs and at this point have no experience trying to configure their systems. Plus on their site I couldn't figure out if it would even rout to a few workstations or what would be required to do so and for wireless as well.

So ease of use and set-up etc.. is my basis so far. In the 2nd to last paragraph of the review he mentions the keyloggers and trojan horses can get in without much trouble. Would you guys be able to suggest a solution for proctection against that? He also mentions that a wireless client would only be protected within the network and it confuses me if that is just against virus or hackers trying to get at your data..

Thanks again guys and any additional input will be appreciated

The Sonicwalls are good wireless products...stable. I've done some setups, where I use their "WiFiSec" VPN product...basically the wireless is put in different subnet than the network...and you have to use their IPSec Global VPN client to connect to the main network. So...basically they treat the wireless clients as IPSec VPN clients...ultra secure.

A good antivirus on all workstations/servers is still a must...regardless of if you have a UTM appliance. Esets NOD32, and Kaspersky, are tops!

 

[Brandon]

As far as 'wireless clients only being protected from the inside'... The reviewer notes that the security suite doesn't include a personal firewall, so if a wireless client is outside the network (i.e. wifi hotspot) they have only the windows firewall to rely on. This typically isn't a big deal, but it depends on the clients needs. If they're going to have laptops travelling alot with sensitive data on them, then perhaps the lack of a stronger firewall is a concern. That's up to you. And if you have medical information floating around on a laptop, data encryption is a zero-exception must. Again, that's another layer.

We avoid hot-spot browsing buy supplying AT&T AirCards to our people with laptops.. This is a very good method of keeping to a secure network, but it can be costly for small busines.

PointSec and Windows Vista BitLocker also make for good options with added healthcare solutions. Currently all of our Laptops have Pointsec loaded, which had it's ups.. and a few.. really big downs.. (It takes give or take 5-6 hours to wipe a laptop running pointsec).

I have LoJack for laptops on my personal laptop (3 year services, with dell 3year) which has a services that will remote wipe stolen PC's. A lot of newer Laptops have built-in hardware that uses this services, so you can't just remove the OS to avoid it.

Health Care gets fairly complicated when it comes to computer security, I currently work for a Health Insurance company that deals in PHI (Personal Health Information) on a minute by minute basis. HIPAA regulations are something not to be taken lightly, as letting the smallest thing leak can break about major lawsuits.

With that said, it kills me how often I see Doctor's offices running open WAP's inside their office.. The majority are sporting a "linksys" SSID *shakes head*.

 

[Chimworth]

Boooo I just typed out a reply which was lost with a session expire>.<

I hate when then happens, my own retarded fault for not copying the whole thing before posting though...

whew ok count to 10 finished, time to retype!

Brandon, I also like AVG! Nortan I hate, the TZ comes bundled w/ McAfee so I hope that will cover my needs well enough as I'm not sure if I can use the AV at the gateway feature using an alternative AV. And the "Doctor's offices running open WAP's inside their office" scenario is exactly what I am trying to avoid !! Totally Scary!

Scotty, thanks for the reminder about data encryption I may have to find another forum to get some advice on that XD!

YeOldeStoneCat, the "WiFiSec" VPN connection for the laptop sounds very very good indeed...

Which makes me wonder, if you were in a hotspot or on a less secure home/hotel network, would creating a VPN connection to your office network somehow make you secure all of a sudden?

 

[scotty]

Data travelling over VPN's is pretty secure. Therefore, connecting to a VPN over a hotspot would make the traffic you're sending over the VPN secure, but that's only a small part of it. The laptop itself is still sitting in the open where others can try to get in. Essentially, if there's any data sitting on the laptop itself, that data could potentially be vulnerable. If all of the data and information is sitting on the server side, and the laptop is merely connecting to the server (i.e. via RDP) then there's less of a concern. But again, the laptop itself is potentially vulnerable so you have to make sure the OS itself is locked down (strong passwords on all accounts, strong firewall, etc). Again, a multi-layered approach.

As far as encryption goes, lots of options. Windows itself has basic encryption capabilties, and Vista Ultimate (and Biz I think too) offers better 'bitlocker' drive encryption capabilities (encrypts entire drives). Truecrypt has always been my favorite, and with it you can encrypt either a container or the full hard drive itself (requiring password to boot). Performance can take a small hit, but generally negligible for regular office/productivity tasks. Various business class laptops now offer hard-drive level and hardware level encryption too. Lenovo I think has the most offerings in this category, but I know most other manufacturers have a few offerings.

The simplest/strongest mix IMO is full drive encryption with truecrypt. Combined with other best practices (strong passwords on all windows accounts, BIOS passwords, etc), this is usually quite sufficient. And of course, physical security of the laptop itself is important. Word has it the next major line of intel processors (nahalem) will have AES extensions built right into the processor so encryption calculations run much much faster.

 

[Chimworth]

Great that clears things up!

OK I think I'm ready to plan this out and get it ready, I'll be in America mid July trying to set this up so I may be back on this thread looking for help!!

So thanks again for all your help, really great you guys put up the forums here, I have had this site bookmarked for a long time, love the resources!

 

[YeOldeStonecat]

Which makes me wonder, if you were in a hotspot or on a less secure home/hotel network, would creating a VPN connection to your office network somehow make you secure all of a sudden?

Yup....your traffic becomes encrypted.

Remote Desktop Connection from a public wifi is also good..since that's encrypted itself.