Advice wanted regarding setting up WiFi
Edwards, Greg
greg.edwards at lmco.com
Thu Apr 1 14:25:24 PST 2004
That talk, Thursday, 18 October, 2001: Peter Shipley, CCNP/CCDA -
WarDriving and LanJacking Risks, showed them trying to connect to the
Exploratorium from the Berkeley hills, about 25miles away. They missed
it. They connected to an AP at someone's home beyond the
Exploratorium...
The slides are at
http://www.baylisa.org/library/slides/2001/10/openlans.pdf
Interesting talk. Some update needed, but most still applies.
Greg Edwards
-----Original Message-----
From: owner-baylisa at baylisa.org [mailto:owner-baylisa at baylisa.org]On
Behalf Of Chuck Yerkes
Sent: Thursday, April 01, 2004 11:54 AM
To: baylisa at baylisa.org
Subject: Re: Advice wanted regarding setting up WiFi
Quoting Jim Hickstein (jxh at jxh.com):
> > As far as I know -- and I do review various logs, including the
logging
> > of DHCP requests, daily -- I have yet to have seen a problem. Then
> > again, the street in front of my house is not conducive to someone
being
> > relatively inconspicuous while parked there, trying to hack my net.
:-}
>
> Who says they have to be near your house? Remember the BayLISA
meeting
> where we heard about "wardriving" with a directional antenna from the
tops
> of the hills?
Missed it, but I will offer, living atop a hill with a box and a
spare very directional antenna that just because I can reach IT
doesn't mean it can reach ME. Imagine you have a very large PA
and are talking to someone 1000feet away who doesn't...
But I can hear networks far enough away to sniff and crack.
WEP vs. "no WEP"
By all means use WEP. I consider it like my door's slam lock.
When I leave for real, I throw the bolt, but if I'm walking
the dog down the street, I'm ok to just use the slam lock.
WEP won't stop all. TKIP and LEAP likely would be Good Enough.
(they just spin the keys periodically).
I use WEP, I also presume that a stranger is on the network.
ODDS:
Are the odds high that someone will use your bandwidth?
Well, we're mostly geeks here. The odds are more than "never".
I like the "extra leg on the Linux box" notion. It isolates it.
In general, I'm a fan of a secure network, but you have windows.
Sit on my LAN and your not getting into my machine.
I use a soekris box for my firewall/NAT box, so it's
got an Internet leg, a wireless leg, and an inside leg.
I don't allow port 25 from wireless to Internet.
You can do that with your NAT box.
If you want to send mail, you send it via the inside box
and authenticate.
Ideally, I'd have laptop -> IPSec -> Soekris. I did, I don't
since an upgrade. IPSec means wep is moot. It also means
visitor pain.
Ideally, I want "sure, you can use port 80, at 2400 baud, without
auth. Authenticate (IPSec? NoCatAUth trusts MAC addresses. Reality
for home is that that's enough) and you have full bandwidth."
I have WEP for now, we change keys fairly often, I block port 25.
I should have IPSec back in play again soon.
Set it up like you know someone outside is on your net and firewall
appropriately. There's no reason a wireless client should be
able to reach all ports on your LAN (esp the windows box).
Hell, setup your NETWORK like you know someone is on your LAN.
Perhaps put that extra Linux network there just for the Windows
box and harden the other boxes.
More information about the Baylisa
mailing list