Domain: wavesec.org
Stories and comments across the archive that link to wavesec.org.
Comments · 7
-
Re:Securing wireless connectionsIPsec is actually quite secure when used properly. The main complaint of security experts like Schneier is that IPsec is too complex for most people to set up at all, let alone set up securely. Apparently you yourself fell victim to this complexity.
A working IPsec wireless gateway setup is described at WAVEsec.
The best lightweight VPN suite available in the free software world is probably OpenVPN. It uses standard SSL encryption instead of trying to invent its own, and so far no doubt has been cast on its security.
-
WEP (in)security assumptionsThe article incorrectly assumes that WEP enabled networks are more secure than non-WEP enabled networks. You can tell by the red/green color choices and the choice imprecations that the authors think poorly of un-WEPd networks. Unfortunately, in reality the best way to secure a wireless network is one that does not involve WEP. It is well known that WEP is insecure and thus one must resort to other means in order to secure a wireless network against known attacks.
As a starting point, the WaveSEC homepage describes a way to secure a wireless network entirely using IPsec, without relying on WEP. In addition, for a small home network you can get away with static IP addressing instead of using DHCP, and in this way you can gain all the benefits of WaveSEC security without needing any software patches (since if you look closely all the software patches are DHCP related).
IPsec is supported in Windows 2000 and up, Linux 2.6 (natively) or 2.0 and up (with Free S/WAN patches), and FreeBSD; unfortunately I have no firsthand knowledge of MacOS support. The main drawback of IPsec is that it is a very complicated protocol and takes a lot of effort to set up. Making different systems interoperate with each other is especially challenging -- for this task, I recommend the Free S/WAN interop page which links to an eclectic pile of guides covering most of the possible combinations.
My own home wireless network is a mix of Linux and Windows XP clients all connected via IPsec, and I have much more confidence in its security than I would otherwise have with WEP.
-
Use WaveSEC with opportunistic encryption.WaveSEC is an add-on for Linux and the BSDs that lets you set up an opportunistic encryption path between your laptop and a server on the wired network. This keeps you safe from eavesdroppers who know your WEP key - indeed, with WAVEsec you don't need a WEP key.
Note that WaveSEC is NOT a replacement for end-to-end security. All it does is protect you from wireless eavesdroppers. If you are using WaveSEC or end-to-end IPsec for all your network connections, you don't need WAVEsec. -
MS article on this, plus an alternativeHere's an article by Microsoft on this matter. It basically says that Microsoft will solve all your problems if only you would buy into the latest Microsoft offerings (XP, ActiveDirectory etc).
Would you rather use a solution based on open standards, try Wavesec. It is mostly based on IPSEC, DHCP and DDNS.
-
Re:We have our own!
The actual home page of WaveSec is this.
-
We have our own!
Some of the people from the FreeS/WAN team have been working on WaveSec. Wavesec uses IPSec, a well known and trusted standard, to secure the radio waves.
-
Clients are the weak point, not IPSECI agree with you completely.
The whole article is a bit silly, pushing relatively unproven standards (EAP) which have been extended (LEAP) and extended (PEAP) over VPN standards with a good trackrecord (IPSEC).
The client is always the weakest link, for both VPN and wireless access. Basically, the author's argument boils down to saying that most IPSEC clients do not block access from other clients while they are connected (split tunneling), whereas the [LP]EAP clients do.
It's a matter of configuration. There is no way one can claim that one client is more secure that the other. Clients are always unsafe, and if not, its user is
:-). I'm sure a determined recalcitrant enduser can always hack his [LP]EAP client to enable split tunneling, or other unsafe settings.The only way to fix this (for both VPN and wireless) is to supply the user with trusted hardware. But that would mean a lot of money and a revolt of endusers because their PCs will be taken away...
By the way, here's an article by Microsoft on this matter. It basically says that Microsoft will solve all your problems if only you would buy into the latest Microsoft offerings.
Would you rather use a solution based on open standards, try Wavesec. It is mostly based on IPSEC, DHCP and DDNS.