Who is Tracy Reed?
I am an information infrastructure architect, Linux enthusiast, a pilot, and a traveller. I work for Copilot Computing where we do really cool things with technology. I am interested in all aspects of computing and technology in general, especially Linux. As an avid pilot I can be found somewhere over the skies of the southwestern US most weekends. As a traveller I have been all over the world. Check out my photo gallery. Want to get me something cool? Check out my Amazon.com wishlist!
 

The six dumbest ways to secure a wireless LAN

This is an *excellent* article:

http://blogs.zdnet.com/Ou/index.php?m=20050318

This guy hits all of the big wifi security myths that are out there.

As far as I am concerned there is only one proper way to secure wireless
and if you can't be bothered then your data just isn't important enough.
I don't use this setup at home because I don't have any important data
there. But any big company concerned about security should probably use
something like this:

          10.0.0.0/24
laptop -> --IP ----> firewall/VPN box -->corporate network
             --IPSEC ->
          1.2.3.0/24

The laptop starts up, gets an RFC1918 IP address via DHCP, then starts an IPSEC
session with the firewall using strong authentication (prearranged
keys); the IPSEC session then gives it a routable IP which it can use
to access the company network. Note that the VPN box does not NAT or in
any way route the RFC1918 addresses. The only way out of this network is
through IPSEC. Also, be sure that the VPN box hands out IPs only in a
certain subnet and that the rest of your network does not use these IPs,
so you can easily tell a wireless client talking on your network from a
wired one.
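
An added example (not part of the original post) of what the dedicated VPN subnet buys you: flows seen on the corporate side of the VPN box can be labelled by source address, and any raw 10.0.0.0/24 source there means the box is routing or NATing unencrypted wireless traffic. The two subnets come from the diagram above; the log format and the 192.0.2.0/24 corporate addresses are assumptions made for this example.

```python
import ipaddress
import re

# Subnets taken from the diagram in the post.
WIRELESS_RAW = ipaddress.ip_network("10.0.0.0/24")  # pre-tunnel DHCP range
VPN_POOL = ipaddress.ip_network("1.2.3.0/24")       # addresses handed out inside IPSEC

# Constructed sample: flows as logged on the corporate side of the VPN box.
# The line format and the 192.0.2.x hosts are assumptions, not from the post.
SAMPLE_LOG = """\
2005-04-02T03:10:01 src=1.2.3.17 dst=192.0.2.10 dport=22
2005-04-02T03:10:05 src=192.0.2.44 dst=192.0.2.10 dport=80
2005-04-02T03:10:09 src=10.0.0.23 dst=192.0.2.10 dport=445
2005-04-02T03:10:12 src=not-an-ip dst=192.0.2.10 dport=80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def classify_source(addr):
    """Label a source address seen on the corporate network."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    if ip in VPN_POOL:
        return "wireless-vpn"   # wireless client that came through IPSEC
    if ip in WIRELESS_RAW:
        return "violation"      # raw wireless address escaped the VPN box
    return "wired"


def audit(log_text):
    """Return (line number, source, label) for every log line."""
    results = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            results.append((lineno, None, "unparsed"))
            continue
        try:
            label = classify_source(m["src"])
        except ValueError:
            label = "unparsed"  # keep going; one bad line must not hide the rest
        results.append((lineno, m["src"], label))
    return results


if __name__ == "__main__":
    for lineno, src, label in audit(SAMPLE_LOG):
        print(lineno, src, label)
```
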

Every modern OS supports IPSEC now. A few years ago I tried to implement
wireless security using PPTP on Windows and IPSEC on Linux and MacOS X
and it was a nightmare managing both and I never got IPSEC to compile
properly on MacOS X. Nowadays just do IPSEC. Everything should do it now
and they've even gotten it figured out on MacOS X.
Posted by treed on 2005-04-02 03:18