Comments are inline, as usual; who wrote what is a bit muddled, so I'm
just going to respond to the whole thing, regardless... :-)
On Thu, Jul 01, 2004 at 03:32:05PM -0800, jsw@wadell.org wrote:
> I consider MAC a pretty good security fix, but I am happy to be blasted by
> the group (Arthur?). I REALLY would like to do a Friday on this, but I am
> drowning in Houston.
I'll do the blasting here. MAC is a pretty weak fix; it's easy, almost
trivial, to spoof MAC addresses. While _finding_ a MAC address that
works isn't terribly easy, I imagine some packet sniffing could do it,
and a really dedicated attacker could find out your MAC in all sorts of
other interesting ways.
> learn about setting up security for wireless devices ASAP :) In
> particular WEP and SSID. I imagine it's easy enough to change the
> options on the basestation, but it's setting it up on the card in Linux
> that I'm not so sure about.
WEP is about as effective as plaintext; arguably worse, as it might make
you think you're more secure. The exception here is the fancy Cisco WEP
gadget that rotates your WEP key every few seconds; this is a
proprietary gizmo, and I don't know if the client-side is done in
software or hardware, or (if the former) if there are Linux drivers
available.
> Anyway, all seems to be working good now, except the fact I don't really
> have any security set up. I'm afraid to touch any of the options on the
> access point for fear of it all the sudden not working. Right now my
> only security consists of my limiting access by MAC address and leaving
> it turned off when I'm not using it.
Leaving it turned off _is_ a pretty effective solution.
The only way to really do this right is to set up a machine between the
network where the access point is and the AP itself, like so:
  --------        -------------------        -------------        --------
  | net- | ------ | middleman machine | ---- | wireless AP | **** | client |
  | work |        -------------------        -------------        --------
  --------
(where a --- is a wire, and *** is a wireless connection)
and have the middleman allow VPN connections through to the network, and
drop everything else. Then, teach every laptop you want to allow how to
hook into the VPN (best to do this with a user / group setup on the
middleman, so that you can log in as 'me' instead of 'this computer')
Then everything that gets transmitted wirelessly is already encrypted by
an encryption protocol that Doesn't Suck (tm) and your wired network is
pretty well-defended.
The other solution (and the one I use at school, where there's a
pervasive wireless network, such that we have no access control at all)
is to do exactly two things wirelessly: web surfing (because if people
snoop a web site, that's fine; they could get there on their own) and
ssh-based things (because that's already encrypted).
Note that working https is safe, too.
So, there's your dissertation on network security for the day.
--Mac
-- Julian "Mac" Mason mac@cs.hmc.edu Computer Science '06 (909)-607-3129 Harvey Mudd College
Received on Thu Jul 1 16:56:50 2004
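An added example of the "middleman" policy described in the message (allow VPN through, drop everything else); it is not from Mac's mail or the aklug list. It assumes the middleman runs Linux with iptables, eth0 faces the wired network, eth1 faces the AP, and the VPN daemon (OpenVPN is assumed) listens on UDP 1194 and gives authenticated users a tun0 interface.

```shell
#!/bin/sh
# Added example, not part of the original message. Assumed layout:
# eth0 = wired network, eth1 = wireless AP, tun0 = VPN tunnel,
# UDP 1194 = the VPN listener (OpenVPN assumed; adjust for yours).
LAN_IF=${LAN_IF:-eth0}
AP_IF=${AP_IF:-eth1}
VPN_IF=${VPN_IF:-tun0}
VPN_PORT=${VPN_PORT:-1194}

# ipt prints each rule when DRY_RUN=1 so the policy can be reviewed
# without root; otherwise it applies the rule with iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

middleman_rules() {
    # Default deny: nothing arriving from the wireless side is trusted.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -F INPUT
    ipt -F FORWARD

    # Loopback, plus replies to connections the LAN/middleman started.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The one thing a raw wireless client may reach: the VPN endpoint.
    ipt -A INPUT -i "$AP_IF" -p udp --dport "$VPN_PORT" -j ACCEPT

    # Inside the tunnel the client is an authenticated user; let it
    # reach the wired network.
    ipt -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT

    # Everything else from the AP side: log (rate-limited, so a chatty
    # neighbour cannot fill the disk) and drop.
    ipt -A INPUT -i "$AP_IF" -m limit --limit 5/min -j LOG --log-prefix "AP-DROP: "
    ipt -A INPUT -i "$AP_IF" -j DROP
    ipt -A FORWARD -i "$AP_IF" -j DROP
}

# Sanity check: how many rules accept untunnelled traffic from the AP
# side? The answer must be exactly one (the VPN port).
count_ap_accepts() {
    ( DRY_RUN=1; middleman_rules ) | grep -c -- "-i $AP_IF .*-j ACCEPT"
}
```

Only the VPN port is opened, so DHCP for wireless clients has to come from the AP itself (or be added as an explicit rule); review the output with `DRY_RUN=1 middleman_rules` before applying it as root.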
This archive was generated by hypermail 2.1.8 : Thu Jul 01 2004 - 16:56:50 AKDT