[TriLUG] wireless security

Mike Johnson mike at enoch.org
Fri Aug 20 12:30:12 EDT 2004


Jeremy West [jkwest at lagrandeapartments.com] wrote:
 
> Situation:  I'm installing wireless internet access for a building in the NC 
> State campus area.  The owners are concerned about security (obviously).  Now 
> I can do the whole WEP thing, some mac authentication, and NAT'ing magic.  
> But... is there a better way?  I'm working on a limited budget.

Remember what WEP means: Wired Equivalent Privacy.  That means that it
only provides the same amount of 'security' as someone plugging into
your LAN.  WEP is -not- security.  Treat a wireless link like you would
any clear text traffic travelling over the internet.  Once you think of
it that way, you can kind of wrap your mind around how to protect it.  

There are two things you have to secure, here.  One is the traffic that's
flowing across the link.  The other is access to the wireless network.
One route you might take is a little WEP, MAC auth, and some other NAT
magic and not really concern yourself much beyond that point with
securing access to the wireless network.  This requires that all
communications across the link be 'secured' at an application level.
For instance, make sure that all mail crossing the link is using SSL
(SMTP and IMAP/POP) and all important web traffic is also using SSL.  

The other, more preferred way to secure all this, is to run a VPN over
the link.  Have network VPN nodes at either end of the link, and have
those nodes -only- accept encrypted traffic.  This means that an
attacker might associate with your wireless access points, but they
cannot actually use it for anything (perhaps other than being a
nuisance).  With this in place, you can be certain that your
communications across the wireless network are as protected as you 
can make them.
 
> Would it be easier to set up the server as a wireless access point, or use a 
> blackbox (Linksys scenario)?

Eh, the access point doesn't matter as much.  Though, a pair of Linux
boxes with wireless NICs and OpenVPN would be pretty easy to implement.

Mike
-- 
"Spare me your space-age technobabble Atilla The Hun!" --  Zapp Brannigan

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
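
The VPN-only arrangement described in the reply above, as an added example that is not part of the original post: a shell function that emits an iptables-restore ruleset for the listening VPN node, so the wireless interface carries nothing but OpenVPN packets. The interface names (wlan0, tun0, eth0), the function name and UDP port 1194 (OpenVPN's IANA-assigned port) are assumptions.

```shell
#!/bin/sh
# Added example: ruleset for one VPN node sitting on the wireless link.
# Assumed names (not from the post): wlan0 = wireless NIC, tun0 = OpenVPN
# tunnel device, eth0 = wired LAN behind the node, UDP 1194 = OpenVPN port.
vpn_only_ruleset() {
    wifi=${1:-wlan0}; tun=${2:-tun0}; lan=${3:-eth0}; port=${4:-1194}
    # Reject anything that is not a plain interface name or a valid port,
    # so a typo cannot produce a ruleset that silently opens the link.
    case "$wifi$tun$lan" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "bad port: $port" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $wifi -p udp --dport $port -j ACCEPT
-A INPUT -i $wifi -j DROP
-A INPUT -i $tun -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A OUTPUT -o $wifi -p udp --sport $port -j ACCEPT
-A OUTPUT -o $wifi -j DROP
-A FORWARD -i $tun -o $lan -j ACCEPT
-A FORWARD -i $lan -o $tun -j ACCEPT
COMMIT
EOF
}
# Nothing is ever forwarded to or from the wireless interface: a station that
# associates with the access point can reach only the OpenVPN port, where
# packets that fail the tunnel's authentication are discarded by OpenVPN.
```

Load it as root with `vpn_only_ruleset | iptables-restore`. The node at the other end initiates the tunnel, so its wireless rules use the port as the remote side (`--sport` on INPUT, `--dport` on OUTPUT).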



