The six dumbest ways to secure a wireless LAN

by Tracy R Reed — last modified Jan 02, 2009 12:49 AM

This is an *excellent* article:

http://blogs.zdnet.com/Ou/index.php?m=20050318

This guy hits all of the big wifi security myths that are out there.

As far as I am concerned there is only one proper way to secure wireless
and if you can't be bothered then your data just isn't important enough.
I don't use this setup at home because I don't have any important data
there. But any big company concerned about security should probably use
something like this:

          10.0.0.0/24
laptop -> --IP ----> firewall/VPN box -->corporate network
             --IPSEC ->
          1.2.3.0/24

The laptop starts up, gets an RFC1918 IP address via DHCP, then starts an
IPSEC session with the firewall using strong authentication (prearranged
keys), then the IPSEC session gives it a routable IP which it can use
to access the company network. Note that the VPN box does not NAT or in
any way route the RFC1918 addresses. The only way out of this network is
through IPSEC. Also, be sure that the VPN box hands out IPs only in a
certain subnet and that the rest of your network does not use these IPs,
so you can easily tell a wireless client talking on your network from a
wired one.
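
The address plan above can be audited from flow records taken at the VPN box. This is an added example, not code from the original post; the flow-record format, the interface labels `wlan` and `corp`, and the sample flows are constructed for illustration.

```python
import ipaddress

# Address plan from the diagram above. Interface labels and record format are assumptions.
WIRELESS_NET = ipaddress.ip_network("10.0.0.0/24")  # pre-VPN DHCP range (RFC1918)
VPN_POOL = ipaddress.ip_network("1.2.3.0/24")       # addresses handed out inside IPsec

# All a wireless client needs to bring up the tunnel: IKE, NAT-T, ESP.
IPSEC_SETUP = {("udp", 500), ("udp", 4500), ("esp", None)}


def classify(flow):
    """Verdict for one flow record seen at the VPN box ('wlan' or 'corp' side)."""
    src = ipaddress.ip_address(flow["src"])
    key = (flow["proto"], flow.get("dport"))
    if flow["iface"] == "wlan":
        if key == ("udp", 67):
            return "ok: DHCP"  # DISCOVER comes from 0.0.0.0, so no source check
        if src not in WIRELESS_NET:
            return "ALERT: unexpected source on wireless segment"
        if key in IPSEC_SETUP:
            return "ok: IPsec"
        return "drop: non-IPsec traffic from wireless"
    # Corporate side: the source address alone separates wireless from wired.
    if src in WIRELESS_NET:
        return "ALERT: wireless address routed past the VPN box"
    if src in VPN_POOL:
        return "ok: wireless client via IPsec"
    return "ok: wired host"


def findings(flows):
    """Return (src, verdict) for every flow that is not 'ok'."""
    results = [(f["src"], classify(f)) for f in flows]
    return [(src, verdict) for src, verdict in results if not verdict.startswith("ok")]


# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = [
    {"iface": "wlan", "src": "0.0.0.0", "proto": "udp", "dport": 67},
    {"iface": "wlan", "src": "10.0.0.23", "proto": "udp", "dport": 500},
    {"iface": "wlan", "src": "10.0.0.23", "proto": "esp"},
    {"iface": "wlan", "src": "10.0.0.40", "proto": "tcp", "dport": 80},
    {"iface": "corp", "src": "1.2.3.17", "proto": "tcp", "dport": 443},
    {"iface": "corp", "src": "10.0.0.40", "proto": "tcp", "dport": 80},
    {"iface": "corp", "src": "192.0.2.8", "proto": "tcp", "dport": 22},
]

if __name__ == "__main__":
    for src, verdict in findings(SAMPLE_FLOWS):
        print(src, verdict)
```

A 10.0.0.0/24 source on the corporate side means the VPN box is routing or NATing traffic that never went through IPSEC, which is exactly what the design forbids.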

Every modern OS supports IPSEC now. A few years ago I tried to implement
wireless security using PPTP on Windows and IPSEC on Linux and MacOS X
and it was a nightmare managing both and I never got IPSEC to compile
properly on MacOS X. Nowadays just do IPSEC. Everything should do it now
and they've even gotten it figured out on MacOS X.