
Re: Router



>  
> "Reasonable" is a pretty subjective term with network security.  There is
> the standard 802.11 encryption and a static key which is good for keeping
> nosy neighbors off your network but probably not effective against a really
> determined party (e.g. corporate espionage). 
>   
> A good way to go is to secure the wireless computer to the LAN using a VPN
> server in addition to the built in encryption on the 802.11.  Very easy to
> do using a [COUGH] Windows server, but I'm basically ignorant in the Linux

i wouldn't trust a windows box as a vpn server, if security is
important.  better to go with a dedicated appliance or a *nix setup.

> arena. I believe there's also way using a RADIUS server with dynamic keys
> that is truly the most secure but I've never done it.  I've also had better
> luck with the more expensive wireless devices rather than the el Cheapo
> consumer grade Linksys; some customers see the stuff in the Sunday paper and

nowadays the cheap stuff has something called WPA which should in
theory make them much more secure if implemented properly.  WPA allows
for 2 modes of operation, normal WPA mode where 802.1x authentication
is done via a radius server or WPA-PSK where every client has the same
key from the get go (psk = preshared key).

even just using wep is more secure nowadays than it used to be as the
implementation was fixed in most products, but i would lean towards
wpa instead.  any halfway decent wireless card that isn't too old
should have wpa as an option under windows xp.  linux support isn't
quite up as high unless you have a well supported card and have the
wpa supplicant installed (unfortunately my card is broadcom based,
can't use it unless i use the windows drivers via ndiswrapper and then
it won't connect to anything other than an unencrypted network)

to answer the thread starter, i would get an access point, not a
router, and be sure it supports WPA.  either put it on a timer or have
someone do it manually, but turn it off at night.  set it up for
WPA-PSK mode unless you have a lot of wireless users (in which case
that should justify the purchase of a more expensive product tailored
to fit your needs)

another option would be to use any access point you wanted, run
unencrypted, and look at something like airfortress.  i have done
packet captures of airfortress traffic and the data is encrypted just
above the ethernet frame layer, so kismet got confused about what ip
addresses the traffic was from and destined for.

> refuse to pay for the better quality equipment.  I've had great luck with
> Strix Systems wireless, although it's quite expensive -
> http://www.strixsystems.com/ - I would think that Cisco or Proxim would also
> be a good bet.  The Strix is made for commercial applications, banks,
> hospitals, that occupy multiple floors in buildings; users can roam freely
> over the entire wireless network, along with breaking it down into segments
> with multiple SSIDs.  They also have access points in which you install a
> second 802.11a radio and you can put in nodes which don't have to be attached
> to the wired network via ethernet, you can do Power-Over-Ethernet to forego
> the wall wart, lots of different things.  Pretty fun stuff to work with. 
>   
> Anyone ever use the 802.11 hacker tools like NetStumbler? 
>   

heh "hacker tools" such as netstumbler is something that any network
admin should use to test out his own network security.  actually
netstumbler really isn't that good of a tool except for cataloging AP
names and locations.  kismet is much better (and kismet can see
netstumbler users, while netstumbler cannot see kismet as kismet is
passive listening only)
