I am reminded of the old acronym K.I.S.S. ... Odds are if you know very little about wireless, then I am sure your mother knows even less. The ideas and suggestions everyone has been tossing around in response to your message are good and noteworthy. However, the more complicated you make your setup for your mom, the more of a headache it will be for you and her.

I have worked in networking and network security for over 10 years. I have seen some nasty hacks and compromised systems and have set up my own networks and attempted many of the "black arts" in order to learn how to recognize and defend against the enemy. When I was working for Cypher42 we developed airsnort. It put the proof in the pudding that Wi-Fi and WEP were worthless. I use airsnort to this day to check my own network and to show clients and unknowing admins that they need to do more than WEP. When we released airsnort we did so with the knowledge that it would be used by sys admins but that it also allowed every 12 yr old with a laptop and the ability to follow directions the ability to sniff your WEP password and log on to your network.

I live in a multi unit housing development (apartment) and run a wired and wireless network. I have a firewall between me and the id10ts out there (BTW, has anyone else noticed that the little Billys and Sallys got a 'puter for X-mas and have been doing some X-mas break hacking?). My firewall is beefy and ready to do battle with the enemy. It drops a lot of packets and keeps adware and spyware at bay while blocking many other IP addresses, i.e. I know no one in China and therefore do not need their subnets attempting Micro$oft hacks on my web connected systems.

My home network security is simple and effective. I use XXX different layers to protect my data.

1] I use a firewall to protect my wired and wireless networks.

2] I only allow connections to my network from MAC addresses I have explicitly allowed (yes I know you can fake a MAC, but this makes it a little harder for little Billy or Sally).

3] I enforce password based transactions on all systems. This took a little getting used to for my wife (she hated it at first). I also follow good user habits like changing passwords more often than my smoke detector batteries.

4] I check my logs at least every other day. I used to import some of the log data into spreadsheets to look for patterns, but I have not recently because I need to remake the analyst spreadsheets (low level format of a supposedly backed up drive...).

And probably the most important

5] I keep my software up to date by applying patches.

My wireless access point is an Apple Airport Extreme. I have the ability with that AP to have it not broadcast the fact it is a wireless gateway (called a closed network if I remember correctly). Yes, this only cuts out some of the _potential_ war drivers. I also can turn the signal strength down. There is no reason for me to be able to connect to my network from across the courtyard, therefore 35% signal is fine for reaching all of my apt. I can share IP addresses (DHCP) from the AP, but I cannot log usage so I do not use it. Also it does allow for RADIUS authentication if you so choose. It allows for separate access and admin passwords and up to a 128 bit WEP key.

I run a unix based firewall and unix based DHCP that also only allows MAC address registered users to connect. If I have important data to transmit or even store, I encrypt it or use an encrypted transmission medium (VPN or SSH). I run airsnort from time to time to see if there is anyone else running a wireless net and have found nothing.

I have spent all but two to three months of the last 5 years with a broadband flavor of network connection and many more years of constant dialup connections to my home network. I have had a few attempts to break into one or more of my systems but that is as far as it has ever got.

So in closing, take all that has been said on this issue and digest it. IMHO if you went to Best Buy and bought a Linksys wireless access point and some form of firewall software for Windows (i.e. McAfee makes a Windows firewall), ensured that your mother's systems were patched and kept up to date, only allowed access by MAC of your mom's computers, and checked on the setup from time to time, she would most likely have no problems.

Hope this helps.

Eric
Network Security For Hire

On 12/29/03 12:37 PM, "The Wandering Dru" <dru at druswanderings.net> wrote:

> My mom is looking to go the wireless route in the near future for her
> laptop. I know a lot of you that use wireless put the AP on the DMZ of
> your firewall.
>
> My question is this, do you pinhole the firewall to allow certain
> services (ie, filesharing, printing, etc.) back into the LAN or do you
> just limit the AP to internet access? Or is there some other fancy way
> to allow these services that I'm not aware of? I'm mostly just looking
> for a security/convenience trade-off comparison.
>
> I have nearly no experience with wireless and would like to come up with
> a plan/cost before I go buying stuff willy-nilly on my mom's bill.

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
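
As an added example, not part of the original message: the log review from item 4] applied to the MAC allowlist from item 2], flagging DHCP requests from unregistered MACs. The log lines are constructed in the style of ISC dhcpd syslog output, and the MAC addresses, the hostname `gw` and the interface name are assumptions; the message does not name the DHCP server used.

```python
import re
from collections import Counter

# Assumption: MACs registered for the household's own machines (constructed values).
ALLOWED_MACS = {"00:0a:95:11:22:33", "00:0a:95:44:55:66"}

# Constructed sample lines in the style of ISC dhcpd syslog messages.
SAMPLE_LOG = """\
Dec 29 12:01:10 gw dhcpd: DHCPDISCOVER from 00:0a:95:11:22:33 via eth1
Dec 29 12:01:11 gw dhcpd: DHCPACK on 192.168.1.10 to 00:0A:95:11:22:33 via eth1
Dec 29 12:40:02 gw dhcpd: DHCPDISCOVER from 00:02:2d:aa:bb:cc via eth1
Dec 29 12:40:07 gw dhcpd: DHCPDISCOVER from 00:02:2d:aa:bb:cc via eth1
Dec 29 13:15:44 gw dhcpd: DHCPREQUEST for 192.168.1.11 from 00:0a:95:44:55:66 via eth1
Dec 29 23:58:30 gw dhcpd: DHCPDISCOVER from 00:02:2d:aa:bb:cc via eth1
"""

# Timestamp, DHCP message type, and the client MAC after "from" or "to".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+dhcpd(?:\[\d+\])?:\s+"
    r"(?P<msg>DHCP[A-Z]+)\b.*?\b(?:from|to)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

def unknown_clients(log_text, allowed=ALLOWED_MACS):
    """Return {mac: {first, last, msgs}} for every MAC not on the allowlist."""
    allowed = {m.lower() for m in allowed}
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a dhcpd client line
        mac = m["mac"].lower()            # compare case-insensitively
        if mac in allowed:
            continue
        entry = seen.setdefault(
            mac, {"first": m["ts"], "last": m["ts"], "msgs": Counter()}
        )
        entry["last"] = m["ts"]           # log is chronological
        entry["msgs"][m["msg"]] += 1
    return seen

if __name__ == "__main__":
    for mac, info in unknown_clients(SAMPLE_LOG).items():
        total = sum(info["msgs"].values())
        print(f"{mac}: {total} request(s), {info['first']} .. {info['last']}")
```

An allowlisted MAC in the log is not proof of a legitimate client, since a MAC can be faked as the message notes; what this review surfaces is repeated requests from unregistered hardware within radio range.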