I have a few potential security holes with my awkward wireless setup that I could use some tips on fixing.
Right now the setup goes as follows:
-Actiontec MI424-WR Router with wireless disabled, default firmware a la Verizon
-WRT54G with Tomato 1.10 firmware working as a wireless bridge
-Multiple computers with wired connections, file-sharing enabled
-One computer with a Linksys wireless PCI card that supports up to WPA2
-XBOX 360 with XBOX (original) MN-740 wireless gaming adapter, only supports WEP
-Multiple DS handhelds that only support WEP
-Wii console that supports up to WPA2
The 360 is isolated to an extent that wireless is a lot handier than trying to run cable to its destination. The 360 wireless gaming adapter is far too expensive and doesn't even support WPA2. So right now the WRT54G is only using WEP so it can interface with the MN-740. Connections to the WRT54G are assigned IPs by the Actiontec, so even wireless clients are seen as wired.
This yields a problem, because the "AP Isolation" option on the WRT54G does nothing to deter file-sharing and the Actiontec seems very limited in its ability to distinguish the difference between wireless connections and isolate them appropriately. So basically anyone who obtains access to the WRT54G has full permission in the network.
There is a MAC filter list and SSID broadcast is disabled. I imagine that's enough to keep most people out but I don't feel all that great having shared files on a vulnerable network.
I attempted to flash the firmware on the MN-740 to support WPA as outlined here:
http://www.dslreports.com/forum/remark,13360873
The problem is that WPA still didn't work, yet WEP continued to function. Accessing the device's settings pages through a browser shows that the firmware upgrade seemed to take place in some capacity. Not sure what happened there, but WEP definitely still works.
Another router JUST to use as a bridge for the 360 seems like overkill but may honestly be the best solution, although I'd like to just work with what I already have if that's possible.
An additional point of interest is that I also own a WL-167G USB stick that could technically broadcast to the 360 and be removed when not in use. This is what we did with the DS systems before the 360 entered the picture, but I'd like to think of it as a last resort because my main questions are:
-Are there additional methods of isolating clients from file-sharing on the WRT54G with this particular firmware, especially when it's only acting like a bridge?
-Are there other security holes I should know about with this setup?
-Aside from disabling the SSID broadcast and adding a MAC filter list, are there any other good practices for maintaining some semblance of security with WEP?
This setup is really wonky and I'm sure some of my questions are kinda vague. All kinds of random suggestions you want to throw out are welcome, just wanted to discuss this so I can figure out how I should move into making it more secure.
That article also makes me wonder if it's worth the stress of using a MAC filter and disabling SSID broadcast. It's not like those are any worse to maintain than a crazy WPA2 password (which is only a problem on the Wii and less of one with a USB keyboard), but it really doesn't sound like they do much besides prevent accidental access by neighbors. But it's not that much extra work to juggle them so I'll probably keep them around.