Federal Linux

The six dumbest ways to secure a wireless LAN

Tracy R Reed

This guy hits all of the big wifi security myths that are out there.

As far as I am concerned there is only one proper way to secure wireless and if you can’t be bothered then your data just isn’t important enough. I don’t use this setup at home because I don’t have any important data there. But any big company concerned about security should probably use something like this:

          10.0.0.0/24                                               1.2.3.0/24
          laptop ----IP----> firewall/VPN box ----> corporate network
                 <=======IPSEC=======>

The laptop starts up, gets an RFC 1918 IP address via DHCP, then starts an IPSEC session with the firewall using strong authentication (prearranged keys); the IPSEC session then gives it a routable IP which it can use to access the company network. Note that the VPN box does not NAT or in any way route the RFC 1918 addresses. The only way out of this network is through IPSEC. Also, be sure that the VPN box hands out IPs only in a certain subnet and that the rest of your network does not use these IPs, so you can easily tell a wireless client talking on your network from a wired one.
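To make the policy above concrete, here is an added example (not from the original post) that models the three rules it states: cleartext traffic from the wireless segment may only be DHCP or IPsec to the VPN box, the VPN address pool must not overlap any wired subnet, and a client's kind can be read off its address. The subnets, the VPN box address 10.0.0.1 and the wired networks are constructed values standing in for site-specific ones.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed values that follow the post's diagram; real subnets are site specific.
WIRELESS_NET = ipaddress.ip_network("10.0.0.0/24")  # RFC 1918 segment clients DHCP into
VPN_BOX = ipaddress.ip_address("10.0.0.1")          # firewall/VPN box on that segment (assumed)
VPN_POOL = ipaddress.ip_network("1.2.3.0/24")       # routable addresses handed out inside the tunnel
WIRED_NETS = [ipaddress.ip_network("1.2.4.0/24"),
              ipaddress.ip_network("1.2.5.0/24")]   # assumed wired LANs

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str            # "udp", "tcp", "esp", "icmp"
    dport: Optional[int]  # None for protocols without ports

def pool_is_distinct(pool: str, wired_nets=WIRED_NETS) -> bool:
    """The VPN pool must not overlap any wired subnet; otherwise the
    address alone no longer tells a wireless client from a wired one."""
    p = ipaddress.ip_network(pool)
    return not any(p.overlaps(n) for n in wired_nets)

def filter_cleartext(pkt: Packet) -> str:
    """Decision for untunnelled packets seen on the wireless segment.
    Only DHCP and IPsec (IKE, NAT-T, ESP) to the VPN box get through;
    nothing is NATed or routed, so everything else is dropped."""
    if pkt.proto == "udp" and pkt.dport == 67:
        return "accept"  # DHCP DISCOVER/REQUEST (source may still be 0.0.0.0)
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src not in WIRELESS_NET or dst != VPN_BOX:
        return "drop"    # spoofed source, or anything not aimed at the VPN box
    if pkt.proto == "udp" and pkt.dport in (500, 4500):
        return "accept"  # IKE, and IKE/ESP encapsulated for NAT traversal
    if pkt.proto == "esp":
        return "accept"  # the tunnel itself
    return "drop"

def classify_client(addr: str) -> str:
    """Tell, from the address alone, what kind of client this is."""
    a = ipaddress.ip_address(addr)
    if a in VPN_POOL:
        return "wireless-authenticated"
    if a in WIRELESS_NET:
        return "wireless-unauthenticated"
    if any(a in n for n in WIRED_NETS):
        return "wired"
    return "unknown"
```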

Every modern OS supports IPSEC now. A few years ago I tried to implement wireless security using PPTP on Windows and IPSEC on Linux and MacOS X; it was a nightmare managing both, and I never got IPSEC to compile properly on MacOS X. Nowadays just do IPSEC. Everything should do it now, and they’ve even gotten it figured out on MacOS X.