Posts tagged security

Just got unifi-ed

When Telekom Malaysia (TM) announced their Fiber to the Home broadband initiative, I was rather excited, as broadband speeds in Malaysia have stagnated over the past couple of years. When I first jumped onto the DSL bandwagon in 2001 with a paltry (by today’s standard) 384kbps down and 128kbps up, it was a big improvement over the 33.6 or even 56kbps modems of the day. Fast forward 10 years and internet speeds have doubled or tripled many times over in neighboring countries, while all we’re stuck with is 2mbps DSL. 4mbps is available, but few areas could even qualify given the poor quality of the cabling or exchange equipment. My home couldn’t even get past 1.8mbps due to the distance from the exchange.

It took TM about a year plus to reach my backwater housing area. The good thing is that many others have sacrificed their effort and time to enable TM to iron out the kinks in the system and to improve the roll-out, delivery and installation service. After all, there are hundreds of thousands of homes to install.

The good is that they no longer need eight guys to install, as they did for my parents’ home a year back. The bad is that they are still not coordinated with their contact center and appointment scheduling system. It still takes an entire day, but most of it will be spent waiting and waiting, or cleaning up. If you’re lucky, everything goes well after the install; otherwise, you’ll end up waiting for new modems, BTUs, and more technicians.

For me, the install was a breeze, minus the five hours waiting for the installers to show up. When the appointment time said 9:30am to 2:30pm, I assumed the install would complete within that window rather than start at 2:45pm! Anyway, my install was through the ceiling, so all that was needed was a hole drilled through the outside wall to get into the ceiling, pull the fiber and drop it into my central cable drop. My home, fortunately for the TM installers, has a central cable drop where all the ethernet, phone, cable TV, etc. runs are laid down, so drilling through the wall took the longest time. The Brits built houses to last in the 60s.

Fortunately for the installers, I also provided the ceiling light and ladder; otherwise they would have come to grief with that miserable ladder of theirs. Also to their benefit, my entire house is wired with CAT5e (long story why it’s not CAT6), so again, the rest of the setup was a breeze. Plug the Fiber BTU in here, LAN to WAN port, IPTV out to Port 2 (next to my TV), Phone out to the phone distribution panel and voilà: IPTV works, we’ve got internet and the rooms have phone lines! Hallelujah!

Since I had a Cisco VPN router & SPI firewall going, I wanted to junk the crappy D-Link DIR615 that came with the package. The router has caused grief to many users because it runs custom firmware, lacks security (all settings wide open), and has poor wireless and network performance, among other things. The problem with using your own router is that the incoming network carries three VLANs; if you don’t care about IPTV, you can go ahead and swap it out. I paid for all the services, so I damn well want access to them.

The solution was simply to replace the DIR615 with a VLAN bridge. I used a MikroTik RB250 for this purpose. If anyone wants a pre-configured RB250, drop me an email. I have the RouterBoard RB750GS as well, but for the moment I wanted to continue using my Cisco router.

Here’s the TM Fiber Broadband Termination Unit (BTU).

The crappy D-Link DIR615 which was quickly replaced…

My Cisco VPN and IPS/IDS Firewall

The Huawei IPTV set-top box (STB). Still a bit laggy when watching internet streaming content.

The awesome MikroTik RB250 VLAN Bridge.

I really need to fix my cabling mess! For now, yellow is the WAN link, white is the internal network, blue is PoE, green is for voice and now red is for IPTV.

So how does it perform? The good is that it works pretty much as advertised. No complaints until the service starts going down or becomes unreliable, but overall my satisfaction is high, minus the setup and installation part of course. Your mileage may vary: depending on your home and where you want certain components (IPTV, wireless, phone, etc.), the process might cost you a fair bit and be more trouble than in my case.

Wireless Security

From experience (and from analyzing the airwaves), quite a number of people ignore security when they get their wireless networks set up. Well, all that security is inconvenient I suppose, but do you know how far your wireless access point or router transmits? This is more apparent in a condominium or apartment setup, where you not only have neighbors beside you, you also have to worry about neighbors above and below you. At one point, before I moved to a house, I could pick up networks three floors up. While the signal strength was not good, breaking into one was simple, as it used WEP and a five-character password.

More than half my surrounding networks at that point had no security at all! Worse still, many still had their default Linksys, D-Link or Belkin setup IP addresses, usernames and passwords! I taught someone a lesson by changing his wireless router password, and within a few days the router got set up with WPA.

WPA itself is not invulnerable, and I’ve successfully got into a few WPA networks around my condo unit with BackTrack because their WPA passwords were nothing more than simple strings like “linksys” or “mynetwork”.
Anyway, after I got my soon-to-be-replaced Belkin wireless router up, I went around my house with inSSIDer and Kismet. What you see below is inSSIDer’s scan of my neighborhood.

The first thing I normally do is lower the transmit power to ensure my router doesn’t broadcast further than my main gate. My Belkin router can’t do that, but it’s going to be replaced in a few days, so no worries.

Secondly, to ensure good connectivity, you make sure there are no channel overlaps. You can see my hopefaithandlove network all by itself on channel 1. You can also see that most other networks have no security (gasp!) or only WEP.

Finally, I normally make the WPA2 key long enough. My method is to pick a favorite verse from the Bible. If you want tighter security, don’t leave spaces, substitute occasional numbers for letters, and perhaps throw in a Greek or Yiddish word in the process! Better still, if you have more resources, go with WPA-Enterprise with a RADIUS authentication server… client certificates, the works! Ah, a totally different ballgame. For me, I stick to WPA2 and put my wireless on a separate VLAN, so that if someone gets into my wireless network, all they can do is get to the internet. Not good, but better than having the ability to hit my main PC or file server.
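The survey above is a screenshot, so here is an added example (my own code, not the author’s, and not an inSSIDer or Kismet export) that automates the two checks described: it classifies each network by its security type and reports which neighbours overlap your channel in the 2.4 GHz band. The SSIDs, channels and signal levels in SAMPLE_SURVEY are constructed for the example, and the CSV-like layout is an assumption rather than either tool’s real file format. A small passphrase check at the end applies the author’s own rules of thumb (length, not a default or the SSID, not just letters).

```python
"""Audit a 2.4 GHz site survey for weak security and channel overlap."""
from dataclasses import dataclass

# Constructed sample survey: ssid,channel,security,rssi (not a real scan export).
SAMPLE_SURVEY = """\
hopefaithandlove,1,WPA2-PSK,-40
linksys,6,None,-75
dlink,6,WEP,-80
belkin54g,11,WPA-PSK,-78
NETGEAR,3,None,-82
"""

# Assumed list of default/common passphrases for the passphrase check.
COMMON_DEFAULTS = {"linksys", "mynetwork", "password", "admin", "12345678"}


@dataclass
class Network:
    ssid: str
    channel: int
    security: str
    rssi: int


def parse_survey(text):
    """Parse the constructed ssid,channel,security,rssi layout into Network records."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, ch, sec, rssi = (f.strip() for f in line.split(","))
        nets.append(Network(ssid, int(ch), sec, int(rssi)))
    return nets


def risk_level(net):
    """Map the advertised security type to a coarse risk bucket."""
    s = net.security.upper()
    if s in ("", "NONE", "OPEN"):
        return "open"
    if "WEP" in s:
        return "wep"
    if "WPA2" in s or "WPA3" in s:
        return "ok"
    if "WPA" in s:
        return "wpa1"
    return "unknown"


def overlaps(ch_a, ch_b):
    """2.4 GHz channels sit 5 MHz apart and a 20 MHz signal bleeds ~2 channels
    each side, so channels closer than 5 apart interfere (hence 1/6/11)."""
    return abs(ch_a - ch_b) < 5


def overlapping_neighbours(nets, my_ssid):
    """SSIDs whose channel overlaps the channel used by my_ssid."""
    mine = next(n for n in nets if n.ssid == my_ssid)
    return sorted(n.ssid for n in nets
                  if n.ssid != my_ssid and overlaps(mine.channel, n.channel))


def summarize(nets):
    """Count networks per risk bucket, e.g. {'ok': 1, 'open': 2, ...}."""
    counts = {}
    for n in nets:
        level = risk_level(n)
        counts[level] = counts.get(level, 0) + 1
    return counts


def passphrase_concerns(passphrase, ssid, min_len=20):
    """Apply the post's rules of thumb for a WPA2-PSK passphrase (min_len is an assumption)."""
    concerns = []
    if len(passphrase) < min_len:
        concerns.append("too short; a full verse-length phrase is easier to remember and longer")
    if passphrase.lower() in COMMON_DEFAULTS or passphrase.lower() == ssid.lower():
        concerns.append("matches a default/common word or the SSID")
    if passphrase.isalpha():
        concerns.append("letters only; mix in numbers or words from another language")
    return concerns


if __name__ == "__main__":
    nets = parse_survey(SAMPLE_SURVEY)
    print("risk summary:", summarize(nets))
    print("overlapping hopefaithandlove:", overlapping_neighbours(nets, "hopefaithandlove"))
    print("passphrase concerns:", passphrase_concerns("mynetwork", "mynetwork"))
```

Run it as a script to see the summary; with the sample data only NETGEAR on channel 3 collides with channel 1, while the two networks on channel 6 are exactly far enough away.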