FIOS Router Non-Default IP Address
ASTOWE
Enthusiast - Level 2

I have had FIOS for 3 years now and have always been happy with the service.  However, because of the nosey neighbors - who are computer geeks by profession - it has become necessary for me to add several layers of security to my home network as follows:

Level 1 - SSID Not Broadcast

Level 2 - WPA2 TKIP Hex encryption key - 64 random hex characters and digits

Level 3 - Lock down MAC ID's that can access the system

Level 4 - Assign specific IP addresses to every piece of equipment on the network

Level 5 - Change the default Router IP address to something besides 192.168.1.1 - since, pretty much any **bleep** with the slightest bit of network knowledge knows that this is the default IP address of most wireless routers and can start hacking away at the user name/password, at will.

I was very disappointed to learn from FIOS Tech Support last night that Verizon does not support Level 5 in my security setup.  Ostensibly this is because the set top boxes cannot be assigned static IP addresses within the router and have to connect via DHCP to the 100-150 block of the IP address.  In all honesty, assigning a static IP address to a device is not technologically challenging - my Samsung TV can do it and it's 5 years old.  I have the brand new Verizon DVR and it can't do it?

I understand that Verizon does not want to fix every hyper-technical problem that comes along when people are setting up complex, partitioned networks.  I even understand that they don't want to support a second router on a different subnet.  However, my opinion is that - if they continue to provide the Actiontec Routers to consumers - they should be ready and willing to support all of the technical features that it provides.

If anyone else here has experience with putting the STB's on a non-default IP address (e.g., 192.168.25.117), please direct me to instructions on how to do it.  My preference is to lock down static addresses for each box, rather than allowing them to randomly pick from a DHCP pool.

Thanks for any help anyone can provide.

Best regards,

Andrew

0 Likes
Re: FIOS Router Non-Default IP Address
smith6612
Community Leader

The set top boxes just take whatever they are assigned from DHCP, and then also communicate using some self assigned addresses between each other. Many over at DSLReports, and I'm sure here as well, have changed the subnet. The most you should have to do is reboot each set top box after you make the changes, and the boxes should act as well-behaved DHCP clients from that point.

Also, for your Wireless, do not use WPA2-TKIP encryption. Use AES with WPA2. It's much stronger, and you get the benefits of Wireless N should your router have a capable radio. You can continue using your key, but I would expand it beyond Hex to something more broad.

Just as a note, HEX covers anything from 0 to 9 and the letters A to F. If your key is within this range, I suggest generating a new one using a generator. Try this: http://wolanski.eu/generator/. Or if it makes things easier, think of a few words (the first that come to mind) and type them out. Obscure the actual words using symbols and numbers, and perhaps reverse some of the words or do other funny things. That should help give you a simple to remember, but harder to brute force key. Keeping it away from hitting "L33tspeek" or Dictionary as a key will make it harder.

For example: Dog! Sabre Orange Xbox Friday December 'Murica

As a key: !g0DS4br3Or@ng3%b0xyadFr1Dec3mb3r'Mur1C@

0 Likes
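Added example, not part of any post in this thread: how WPA2-Personal handles the two key forms discussed above. A 64-hex-digit key is used directly as the 256-bit pre-shared key, while an 8 to 63 character passphrase is stretched with PBKDF2-HMAC-SHA1 salted with the SSID. The function names and the SSID `ExampleNet` are constructed for illustration.

```python
import hashlib
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
PSK_BITS = 256  # size of the WPA2 pre-shared key


def classify_key(key: str) -> str:
    """Return how a WPA2-Personal device interprets the entered key."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return "raw-psk"      # used as-is as the 256-bit PSK
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"   # stretched with PBKDF2 before use
    raise ValueError("not a valid WPA2-Personal key")


def derive_psk(key: str, ssid: str) -> bytes:
    """Return the 32-byte PSK for either key form."""
    if classify_key(key) == "raw-psk":
        return bytes.fromhex(key)
    # IEEE 802.11i passphrase mapping: PBKDF2-HMAC-SHA1, SSID as salt,
    # 4096 iterations, 256-bit output.
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def effective_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random key, capped at the PSK size."""
    return min(length * math.log2(alphabet_size), PSK_BITS)


def generate_passphrase(length: int = 63) -> str:
    """Random printable-ASCII passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


if __name__ == "__main__":
    ssid = "ExampleNet"  # constructed SSID
    hex_key = secrets.token_hex(32)  # 64 random hex digits
    phrase = generate_passphrase()
    for label, key in (("hex", hex_key), ("passphrase", phrase)):
        print(label, classify_key(key), derive_psk(key, ssid).hex())
    print("64 random hex digits:", effective_bits(64, 16), "bits")
    print("63 random printable :", effective_bits(63, 94), "bits")
    print("12 random printable :", round(effective_bits(12, 94), 1), "bits")
```

The entropy figures apply only to keys chosen uniformly at random; a key built from obscured words has less entropy than its length and alphabet suggest.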
Re: FIOS Router Non-Default IP Address
viafax999
Community Leader

@ASTOWE wrote:

 

If anyone else here has experience with putting the STB's on a non-default IP address (e.g., 192.168.25.117), please direct me to instructions on how to do it.  My preference is to lock down static addresses for each box, rather than allowing them to randomly pick from a DHCP pool.

Thanks for any help anyone can provide.

Best regards,

Andrew


Did you try it?

You can just reconfigure the router to be a different subnet to 192.168.1, change the default admin userid to something else, change the base address of the router to be something other than 1.

Verizon won't support you if you have issues with the setup but there is no real reason why it shouldn't work.  If you have issues with the guide or stb's after making the changes just revert it back to 192.168.1

0 Likes
Re: FIOS Router Non-Default IP Address
Anti-Phish1
Master - Level 1

The STBs are well behaved DHCP clients.  They will operate on any subnet you wish to assign.  They will even operate on a 172.16.x.x (class B private).

VZ told you it was not supported because their CSR scripts are not designed to deal with a non-standard subnet.  If you call for support, one of the first things the CSR will have you do is a hard reset on the router which will put you back on the 192.168.1.x subnet.

Your best security is #2.

Level 3 is useless.  Wireless MAC addresses are transmitted in the clear and are easily viewed with a wireless sniffer and then spoofed.

Level 5 is pointless.  If someone has gained access to your network, the router can easily be found with a port/IP scanner.

And no, you can't assign the STBs static addresses. 

Re: FIOS Router Non-Default IP Address
dslr595148
Community Leader

@Anti-Phish wrote:

Your best security is #2.

Level 3 is useless.  Wireless MAC addresses are transmitted in the clear and are easily viewed with a wireless sniffer and then spoofed.

Level 5 is pointless.  If someone has gained access to your network, the router can easily be found with a port/IP scanner.


Level 1 is useless/pointless too. For more info about that, I point to

http://www.howtogeek.com/howto/28653/

and level 3 too

See

http://www.zdnet.com/blog/ou/the-six-dumbest-ways-to-secure-a-wireless-lan/43

where it says Disable DHCP

0 Likes
Re: FIOS Router Non-Default IP Address
devnuller
Enthusiast - Level 2

Your first four steps lock things down pretty well and knowing the subnet 192.1.1.0 does not add much for the Russian hacker living next door trying to get at your compartmented top secret material on your home wifi.

One additional suggestion would be to add host level security on your computers with firewall and other M$ techniques.

Or you can look into:

http://en.wikipedia.org/wiki/Faraday_cage

http://en.wikipedia.org/wiki/Tin_foil_hat - They probably don't really care that much to break through WPA2