Slashdot Mirror
802.11 Security
With the amazing proliferation of wireless networks these days, there seems to be constant churning about how best to secure them, while at the very same time, barely anybody is actually doing anything about it. Potter and Fleck have offered up this little book, 802.11 Security, as a no-nonsense guide to understanding the problem of wireless networking security (or, as the case may be, the complete lack thereof) as well as demonstrating how to implement viable solutions.
Straight from the horse's mouth, "This book is aimed at network engineers, security engineers, systems administrators or general hobbyists interested in deploying secure 802.11b-based systems." The greatest attention is given to Linux and FreeBSD systems, though OpenBSD, Mac OS X and Windows are covered as client systems, too. The authors split the book into four parts: "802.11 Security Basics (Part I)," "Station Security (Part II)," "Access Point Security (Part III)," and "Gateway Security (Part IV)."
Part I, "Security Basics," gives a very good introduction to the concepts of wireless communications. Chapter 1 explains how radio transmissions work (and how antenna shapes affect them), and why radio transmissions are inherently insecure (i.e., anyone with an antenna in range can listen in). 802.11 is explained, as well as WEP, and WEP's problems. Chapter 2 describes in detail the risks involved with wireless networking, and gives examples of types of attacks which can be performed against wireless networks.
Part II, "Station Security," outlines in great detail what you need to do to make sure your wireless network clients are as secure as possible. We're given two goals for client station security: prevent any access to the client systems, and make sure that the clients speak secure protocols for any network services they access. To the paranoid, both these goals are rather obvious, but they're important enough that the authors spent time explaining them. They follow with a couple paragraphs on logging and security updates on the client systems, and the rest of Part II (Chapters 4 through 8) give specific information on how to best secure client systems of various OSes.
Part III (Chapter 9, really), "Setting Up an Access Point," delves into the intricacies of setting up and securing a wireless access point, from generic advice on how to configure access point appliances to more specific instructions on configuring host-based access points running Linux, FreeBSD and OpenBSD. Comparatively little time is spent on host-based access points in the book, probably because most people generally don't do things things way since access point appliances are so cheap and simple to configure/install.
The remainder of the book is spent on Part IV, "Gateway Security" (Chapters 10 through 15), which describes the infrastructure end of how most wireless networks will likely end up being integrated to wired networks. Basic suggestions for structuring the combined networks are given, and follow what I'd consider to be really good advice: wireless networks should be on their own interface of the gateway (or firewall), physically separated from both internal networks and the Internet. The authors strongly recommend against simply attaching the access points to the internal network, as that introduces too many security risks (an example involving ARP poisoning is given to illustrate why and how). The next three chapters detail the configuration of Linux, FreeBSD and OpenBSD as a secure gateway.
Chapter 14, "Authentication and Encryption", introduces the idea of using strong authentication and encryption mechanisms outside of WEP, using NoCat (which will run on Linux, FreeBSD and OpenBSD) and WiCap (for OpenBSD only) for authentication and IPSec for strong encryption. The idea the authors present here is that for the most secure setup, in addition to enabling strong WEP (as detailed in the rest of the book), your wireless network is set up to not allow clients access to anything until they are authenticated. Then, and only then, the gateway will allow wireless clients to access other network segments (i.e., the internal LAN, and/or the Internet), but only if all the communications over the wireless segment are done through secure tunnels. Sadly, the authors neglected to mention OpenBSD's, Windows 2000's or XP's ability to do IPSec, and their treatment of IPSec for FreeBSD and Linux certainly isn't very detailed, though pointers are given to the appropriate web sites for more information. 802.1x authentication (physical port authentication) is also explained in some detail, though it is of little use, since very little equipment deployed today has support for it. It is an interesting concept, though.
Closing out the book, Chapter 15 is appropriately titled "Putting It All Together." Here we get a final overview of all the pieces as well as how they fit together, and how certain aspects of the system as a whole affects both the administrators and the users of the system.
Overall, I'd have to say that this is exactly the type of "security in depth" book I've been needing to help me figure out how best to implement wireless networking at the office with minimal risk to the rest of the network. The authors write in a very approachable style and do a very good job of giving the necessary background before launching into any detailed discussions. I would highly recommend this book to anyone considering installing wireless networking without wanting to simultaneously install a simple back door to their network. Honestly, I haven't found much to complain about.
I'm of the opinion that, after reading this book, and using it as a guide to setting up a secure wireless network, I'll be able to sleep at night. Even though people can still war drive (or even war fly) and find your access points, even if they managed to crack the WEP keys and associate to the AP, the network will still be secure because of the multiple layers that have been put in place.
You can purchase 802.11 Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Aren't those terms mutually exclusive?
"Wireless security"?
Is that anything like "military intelligence"?
-/-
Mikey-San
"I may be superficial, but you're fat."
Mikey-San
Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
Maybe the problem isn't 802.11 security, but computer security in general.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
I have a hard time that 802.11 will ever be super secure. Just because all you need is a laptop a antennae and some good skills to break into a WaveLan, Hewlett-Packard still keeps their Wirless Network open, and I know of several others. So, Until a largescale hack on these systems happens then MAYBE will people get the Idea that 802.11 coiuld be secured better,. That and alot of people have not moved to WLAN yet, just because of the cost of the equipment, and the maitnence and configuration. is not really the easiest thing in the book. So even though I do use it at home, I still refuse to use it on a widescale level..
---
I leave my home network open on purpose. If passerby's want to check they're email or something be my guest. I use Linux and Mac OS X I fear not the script kiddy ;)
Are you secure enough in your masculinity to run 'man touch'?
for the purposes of in-house customer training in a cosmetically clean room (wires are ugly)
Power, keyboard, and mouse cables are less ugly than Ethernet?
It really bothers me that we reward the makers of such a flawed system by buying their products. How can we expect WiFi to improved if we buy it now matter how bad it is?
UNIX/Linux Consulting
I recently was paid to get a wireless network working (as well as fix some shared Internet connectivity problems in general) for a client.
When I arrived, I found out the client had everything running through a Belkin firewall/router device with built in 802.1g wi-fi. (It was attached to an external DSL modem via ethernet cable.)
It struck me that unless I'm missing something, these combo wi-fi bases/routers are inherently limiting in how much security they can offer the user. (EG. You can't really place the wireless clients behind some sort of a VPN tunnel with authentication if the other end of the wi-fi connection is managed by integrated firmware in the router itself, right?)
I ended up enabling 128-bit WEP for the guy, as well as disabling "broadcasting" of the existance of the router/w-fi base, but couldn't see much else to do beyond those measures.
You just have to treat any wireless network segment as insecure and pass any traffic from it through your firewall as you would for internet traffic.
Sig for sale or rent. One previous user. Inquire within.
Interesting. We can get a man to mars. We are now a matter of months from curing almost every known disease via un diferiantiated cells and some protiens.
But we can't create a united task force to spread wireless broad band across my blood back yard?
otherwise, it's a good book.
Quick take: ehh. It's good for small, Unix savvy sites, but windows shops or large installations should probably look elsewhere.
Check out my eclectic infosec blog at InfoSecPotpou
Before you exchange data with another host, simply use Diffie-Hellman to get a symmetric key and then encrypt/decrypt all your communications. I thought SSL solved this problem ages ago.....
smd4985
Basically, you're left with a security HOWTO for linux with some BSD thrown in.
Given O'Reilly's publishing record lately, I'm wondering if the golden years of must-have books was just a fluke.
I hate it when people say wireless is so incredibly insecure. It's true that the wireless signals can easily be picked up by anyone. It's also true that one can pick up radiation from cables to sniff packets on your "secure wired network."
The solution is to not rely on the hardware encryption of your card and hub. Instead, use encrypted streams for all communications from your laptop. Use SSH, never use telnet (that should be common sense). If you just do that, then you don't have to worry about someone sniffing your packets because they are encrypted (and if they're also hardware encrypted you have some nice double-encryption). Also, you could easily set up an ssh tunnel to your router for the http protocol or whatever else you need. That way you have the security through the air. Anything after that is subject to wires on the internet, which like I said before, give off measurable radiation.
In short, just remember to always use software encryption and not rely on the hardware encryption of your wireless devices. Simples as that.
We used 802.11 to make a secure office home network, and like any insecure medium for IP, you can secure it against sniffing by layering a secure tunnelling protocol on top of it. This probably wasn't necessary since most sensitive information goes over ssh or SSL connections anyhow, but the way to do it is to use a encrypted network device tunnelling driver thingy.
:)
... )
I'm used to CIPE and like it because it has a Windows NT/2K/XP implementation as well as a Linux module. VTUN does much the same job, is slightly easier to set up, although instead of a Windows driver, runs on Solaris and various BSDs. We used the latter to make a link between mine & my partner's house and managed to use the Linux bridging features to bridge his home wireless network to the office ethernet-- the bridge is over a vtun interface which sits on top of the 802.11 link between our office and his house. Complicated but it seems to work
Anyone else have a similar setup? I'd be interested to know how to grow this kind of setup manageable (not that we have a need for it, but
Matthew @ Bytemark Hosting
Securing wireless networks has to deal with all the issues of wired networks, in addition to the fact that the transmission medium has to be secured.
With wired networks you can make assumptions that the wire is (relatively) secure against tapping. Even more so with fibre.
Although it is possible to tap Cat5, it's not as easy as with wireless.
This book allows you to to "secure" (nothing is perfect) the transmission medium to that you can start worrying about other attacks.
I've read it and am using the information as a basis for developing a wireless security (yeah I know it's never completely secure) solution. If nothing else, it's a centralized resource explaining the major protocols and issues involved. It gives you a great overview of which avenues to explore, and then take it to a test environment and see what works for you......
There is no such thing as viable security with 802.11. Get over it.
That's it, the whole book, two sentences, and it's free for the public domain.
implementing a wireless network at the office for the purposes of in-house customer training in a cosmetically clean room (wires are ugly)
Yes, but TUMORS are more ugly. For a little extra work when installing them, you will never see the wires. There are a lot of products out there to help hide wires.
Compare that to one of O'Reilly's best books, Building Internet Firewalls, with a cover of $49.95 and 890 pages -- less than 6 cents per page. buy.com has it for $31.47, dropping the ratio to less than 4 cents per page!
O'Reilly books seem to be the most expensive around, yet I think their ability to charge so much has been eroded by good books from other publishers.
Helevius
We haven't done any 802.11 here for a garden variety of reasons, but security coupled with usability is one of them. Everything I've read seems to emphasize putting your 802.11 infrastructure on a DMZ-type segment and requiring some kind of VPN connection to gain access to the Internet and internal network.
..which always leads me to the seperate VPN infrastructure for 802.11 solution, which is more expensive and complicated to setup and maintain.
The simple implementation of this just puts the 802.11 network on the outside of the firewall, using whatever existing VPN infrastructure you have to gain internal access. The downside to this is the set of people with "anywhere" VPN access is a minimally overlapping subset of the people who should have 802.11 VPN access.
And then I'm left with the usability/training issue, explaining to people (lusers, help desk, etc) why the VPN connection is necessary and other sundry details of usage.
And then there's equipment. It makes no sense to equip all ~100 laptops that don't have 802.11 with 802.11 cards for the few conference rooms that would get it.
It looks fun, but there's so much baggage associated with it I can't see it happening in these economic times..
Laptop.
...
How would you like it if some one walked into your home and plugged his laptop into your DSL connection. If you've got WiFi, then he does not even need to get into your house.
It's not just security of the boxes on your network, it's the security of the resourses that your network connects to.
I even have public SMB shares with 104 GB of porn, for my neighbors and passersby to download.
Hmmmmmmmm.....
SO dicussing a meaningless tech issue that directly related to our abilty to do our jobs and keep them so that we can pay taxes in first is a worthless pursuit.
Got it.
Now go back to screwing your sheep, drinking your cheap beer and smoking your Russian gutter weed.
"Bastard operators don't win...anyone can win...Bastard operators win and totally demoralize...that is REAL winning."
-The BOFH
Creating a secure WiFi enviroment is not hard. So waht, you are broadcasting everything over the air to anyone within range. Big deal, with a few precautions and some know how, you can easily secure the wireless network.
Put the AP itself on a port of its own on the firewall (not on of those cheap appliances, but something that will do nat/ipsec/ip firewalling).
Do not use DHCP, disable broadcasting so that for someone to connect to the network they have to actually know it is there.
Use ipsec to connect the clients to the firewall, and have the firewall block ALL traffic coming from the wireless network, except traffic from specific IP's, use static addressing and natting, not dynamic (all this traffic should be encapsulated using ipsec). You can use wep which is almost completely useless for an added bonus.
ie.. Internet gateway/firewall AP (on dedicated port on firewall) wireless clients.
Using IPsec, who cares if anyone sniffs the traffic off the network, it will take them years to decrypt it if you use ipsec. They may still be able to connect to your network, but the firewall is dropping the traffic as it is not encrypted, and your dropping all traffic from all ip's other then those clients you permit at the firewall. The wep would just encapsulate the ipsec, and give a minor added bonus.
I came, I conquered, I coredumped
Even though people can still war drive (or even war fly) and find your access points, even if they managed to crack the WEP keys and associate to the AP, the network will still be secure because of the multiple layers that have been put in place.
...
Actually, layer2 is completely unauthenticated, so anyone can associate with your access point using no key or the wrong key. IP and above will get dropped however.
The lack of an authentication mechanism in the 802.11b MAC leaves a number of nasty weaknesses that can be exploited by malicious persons.
Denial of service (forged disassociation) and active man-in-the-middle attacks (using higher signal and forged BSSID/SSID) continue to remain possible in even the latest security extensions to 802.11.
I'm surprised no mention was made of IDS systems that can detect and respond in real time to 802.11 layer 2 attacks (and other higher level IDS checks on the IP traffic), although even these are of limited utility
I think we've already let the cat out of the bag in terms of accepting poorly designed protocols and buggy software.
This came to me as I power cycling my cable box (which had crashed) not long after power-cycling my DVD player because it "crashes" during certain disc-change cycles (eg, don't hit OPEN when its inventorying the changer -- it will crash every time).
I think so many people have already been so exposed to software bugs and things that don't work right, we've come to expect it instead of expecting software products that are fully debugged.
Now products that are traditionally hardwired logic appliances are becoming more and more software-based and I think the makers already assume they're off the hook and people will accept a certain amount of software screwups to their devices.
Your complaint is more of a design issue than bad software, but it seems to underscore people's acceptance of bugs and bad design as just part of what happens.
I don't think that most people would be suprised that there is a lot of corporate espionage being done by going down to CompUSA and paying $100 cash for your untraceable security hole.
Sure, if you have a tangle of wires, it's not going to look good. But just because you've gotten rid of your CAT-5's doesn't mean you're wire-free. Do you power your PCs and monitors wirelessly? Do you have wireless keyboards, mice, and speakers on all your computers? Heck, you'd need to wirelessly transmit the video signal to your monitors too. Am I missing anything? Well, maybe printers and scanners, PDAs, or any other peripheral you might plug into your computers.
If you're going wireless just because wires are ugly, I think you've still got a ways to go.
1. Become and Uncle Fucker
2. ???
3. Profit!
people only care AFTER they have been fucked. (or if they know what they are doing).
and you can bet your bottom dollar they WON'T be asking you for advice AFTER it's happened.
Because in there minds, YOU are the perpetrator. and in most cases, you are.
"Amusingly enough, shortly after the idea of a wireless network at the office came up, I managed to win 802.11 Security in a raffle at the Kernel Panic Linux Users' Group monthly meeting."
No offense, but you are the most boring person ever
No wait, second most.
Who are y oo ?
1604.22 is twice as secure as 802.11
Best Windows Freeware
I ended up tacking a ethernet cable along the ceiling down to the kitchen. I told the wife that it is just temporary until I drill a hole in the ceiling to run a hidden cable. (I even meant it at the time.)
Of course, I never got around to that, but it seems she's gotten used to the cable. Another problem solved by procrastination.
That's just the old "Get some priorities" troll. Don't bother responding to trolls like this. In fact, why bother responding to AC at all?
Everyone is entitled to their own opinion. It's just that yours is stupid.
Stunnel is quite cool for tunneling most types of traffic. Easy to implement and maintain
Rus
Cheap UK and US VPS
- MAC authentication: this is one of the most obvious ways to increase your wireless security. If you deny all machines except those explicitly allowed, you lock out everyone who has not been authorized from using the network. Bear in mind, this does not prohibit sniffing, but this is crutial to making sure your network isn't being pirated. Many wired networks do the same thing. This is analogous to locking your doors so people can't walk in and plug into your network, so this is clearly a first line. This will also help prevent unauthorized to your AP's management software.
- Use secure/encrypted protocols: I don't care if you're on a wireless network or not, you should always use ssh over telnet, SSL web sessions, and other secure or encrypted protocols if the data are sensitive (as they always are in the case of remote access). You would not send your root password unencrytped over a wired network, so of course you should not send it unencrypted over your wireless network.
- Lock down your AP: I have encountered so many APs that have wide open management consoles. If an attacker can gain control of your AP, she can make life miserable. If you can, make your AP's configuration available only over a wired connection and utilize it's access controls.
There you have it. Three things, and you have strong security. Really the principles are fundamentally the same as a wired network. The difference in this case is the wires are in the air. Why security principles are not easily translated by most network maintainers is beyond me. With a wired network, it takes more work, but just about anyone can still sniff packets. With a wired network, someone can still plug in and use your line, again with more work. And with a wired network, if someone can get to your managed switch/router, they can wreak havoc.Of course with security, always remember the basics. If you don't have a secure foundation, everything else is going to be weak.
Join Tor today!
You get what you pay for.
Why do you think your APEX DVD changer was so cheap? Cheap components save maybe 20 bucks, but it's the lack of real QA that saves the big cheese.
I only assume it's an apex because I have an apex changer with the exact same problems, but for 120 bucks and the ability to play MP3, VCD, etc, I'm willing to accept it. For a 400 dollar Sony, I wouldnt, and most would return it to the store.
I don't need no instructions to know how to rock!!!!
If you think wires are ugly, wait until you see how ugly the blame game turns when someone starts grabbing confidential corporate files through the WAP in your nice clean room...
802.11b can be secured but it requires a multi faceted approach such as the usage of WEP in addition to access keys and SSH and/or IPSec (in other words it is a pain in the ass to truly secure 802.11b). Unless portability were an absolute nessescity and depending on the nature of your business (re:what kind of IP are you responsible for?), I would just do what was needed to make the wires less visible and deal with it.
Now, mind you I like this book too, but it's already out of date. Wi-Fi changes too fast to be captured in a book. For example, WEP has never worked that well even when you try to make the most of it (http://www.80211-planet.com/tutorials/article.php /2106281), but as of a few days ago, WPA (http://www.80211-planet.com/news/article.php/2198 151) finally became available. That said, I still wouldn't write a book about it. Why not? Because by the time a book got into print, WPA, which is only a stopgap, will be replaced by 802.11i. If you want to secure your WiFi network, a book, even this one, is only a start, you really need to keep your nose to the Web sites specialized in WiFi like Glenn Fleishman's Wi-Fi Networking News (http://wifinetnews.com/) and 802.11 Planet.
Steven
in a cosmetically clean room (wires are ugly)
HAHAHA
Spoken like typical non technical person..
My last IT manager was so anal about wires it was insane. We averaged 300 drops per communications room coupled with the wires that needed to run into the switches, it was a nightmare. He made us rewire the entire things and neaten up the wires. I'm not a neat freak but I am not a slob either. The way he wanted it done it was impossible to track down any wires or work on any wires without completely undoing the bundles and starting over. He wanted the closer wires to be shorter so they would not have to be looped around the tray so instead of using prefabbed wires we had to cut and crimp our own in roughly 6in increments (some 18in, 24in, 30in etc..) He did not give a crap about the router upgrades we did, the uptime charts we had, the firmware upgrades, the cooling system or the UPS's we installed to keep the equipment running, all he wanted was a clean looking room in case any of his bosses vistited our site and wanted to look around. It was very obvious he could not impress anyone with his technical ability or oversight, so he decided to go the "neat" route.
Bad boys rape our young girls but Violet gives willingly.
Whoa! When did we send a man to Mars?
Whoa! Does this mean that in a few months, all forms of cancer, Alzheimer's disease, CJD, SARS, AIDS and the common cold will be a thing of the past? Those things were giving me the heeby-geebies, but now I guess it's OK to have unprotected sex with a feverish Hong Kong hooker and then chain smoke afterwards.
I can already get wireless broadband in my back yard -- I didn't need a task force to help me -- RTFM!
"The noble art of losing face will one day save the human race"---Hans Blix
Nice guess on the Apex, yes, it is the AD-700 3-disc changer.
But strangely that's the only software problem I've had with it. Plays VCD and SVCD really well (from a whole shitpile of encodings) and I've yet to have a crash during playing of a DVD.
Maybe there's a bad sensor or something that jams it up?
Most wireless hardware is a lot harder to crack than it used to be. Vendors got a lot smarter when implementing their IV selection algorithms. Go try and AirSnort a Cisco AP these days. I tried against my .b/.a Linksys AP running the latest firmware (that's the important part) and only got 19 weak IVs after two weeks and GBs, and GBs, and GBs of traffic going across it. I flooded the network so I could see lots and lots of packets.
That's fine for home use. I'm not so worried about my simple 128bit WEP now. For the office you can go pricey, but good, with something like Cisco LEAP...or you can buy any old AP and do VPN/SSH/Tunnel.
Oh, did you mean rogue?
Rouge APs want to be found. Otherwise, why would they be applying cosmetics for coloring the cheeks or lips red? Alas, frequently, due to their garish application of rouge, most APs tend to attract only rogues.
400 dollar Sony??? I play DVD's on my Playstation II. They cost only 200 bucks, and do double duty as DVD player and video game.
Farewell! It's been a fine buncha years!
I have the same unit, I found a firmware update that supposedly fixes some stuff, as well as making it region free. You burn it onto an ISO9660 disc and 'play ' it. I believe I found it on doom9.net.
I never tried it, so I cant speak for its effectiveness. The glitches I've seen never really bothered me, they amount more to just a clumsy interface and a crappy remote than anything else, but it's never crashed though. Perhaps I have a newer firmware? It might be worth a shot for you to look into it though.
I don't need no instructions to know how to rock!!!!
is to put your wireless LAN *outside* of your corporate LAN, and force the wireless users to use a VPN (PPTP or IPSec) on their clients to access the corporate internals. that way your not relying on the 802.11b standard at all but on SSH or IPSEC for encryption.
then put them cables in the walls. that way you have the insecurity of cables and the neatness of wireless.
I know you are psychotic, but please make an effort.
You can use wep which is almost completely useless for an added bonus.
WEP is NOT useless. It is a "NO TRESSPASSING" sign. It informs a casual passerby that you INTEND the AP to be private (perhaps saving his time trying to figure out why this particular "open" AP isn't working for him).
And if your firewall or configuration screws up, or somebody cracks it, it gives you ammunition in court to show that the guy who broke in knew he wasn't supposed to be there.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I have a couple of the firmware .ISO images floating around. I never bothered with it because (A) it meant disassembly of the unit to figure out which chip it used, and (B) I haven't had an urge/desire/need to play other region discs or disable Macrovision, and (C) I'm scared that if it fubars I'm out a DVD player.
I think I'll ultimately look for a whole new player here in the next year or so. The APEX MP3 playback is kind of braindead -- there's no shuffle, it often cuts off the beginning if you skip tracks, only 8.3 naming, no remote-based soft power, I think the changer mechanism is slow as hell, audio CD won't shuffle around the CDs, etc.
I bought it 2+ years ago, and at that time it was a miracle product under $200. At that time most players wouldn't play an audio CD-R let alone a CDRW with MP3s on it.
Ok, econ-101 for you: where does tax money come from? Ans: Income, business and sales. Does raising taxes encourage or discourage income and business? Ans: It discourages business (you raise taxes on alcohol and tobacco in order to DISCOURAGE their use, for example). Therefore, the answer is to lower spending, and cut taxes to encourage business, thus generating greater revenue. I know that's incredibly difficult to understand, but you have to realize that level of taxation has an effect on the economy, it's not just dangling out there to either take it or leave it. Greedy overspending governments can get into real trouble during downturns if they do the simple minded thing and stupidly raise taxes, leading to an even worse investment climate which produces even less tax receipts, repeat untill depression. Just look at California, with the dot-bomb bust their tax base was decimated, leaving a huge budget shortfall, enough to make people want to recall the Governor. Should they just simple raise taxes to make up for it? Of course not, they need to RAISE BUSINESS levels and grow their way out of it. Simply raising the tax percentage on what business is left only discourages any businesses for forming and paying taxes. Look at it this way, you have a farm and during a drought year, you don't harvest as much corn as you expected and can't pay for some things you bought when you were expecting a big harvest. What do you do? Probably sell off some things, get out of debt, take a second job - but just running the corn harvester around trying to get more corn won't help (i.e., raising taxes during a trying economic period).
Ok, so how's that for priorities?
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I don't understand why everyone has trouble with it. Stand up a VPN node accepting nothing but your favorite secure VPN protocol (IPSec is fine) on one card and putting your company network on the other. You then connect put your 802.11 routers on the VPN card and configure your 802.11 routers to allow the VPN protocol. You're now secure. Perhaps a DOS attack could make your 802.11 useless (plug an unshielded magnetron into an outlet in the building for example), but your data can't be compromised through it.
On my wireless network I use a couple of things which makes me feel fairly confident in the security of my network:
:)
256 bit encryption
Hardware Mac Address filtering.
Its the filtering I find most important, because it stops folks from jumping on my network behind my firewall. I enter the mac addresses of those who are supposed to get access and deny the rest.
I guess the encryption prevents sniffing, which is nice, but I think anything I would actually care about goes over https or SSH (and I am not a weird tinfoil hat wearing freak who honestly thinks somebody cares to sniff my packets all day hoping to find something interesting, so thats good enough for me). I suppose if somebody really cared and could break the 256 bit encryption it uses, they could sniff out a POP password from a user who has an account on the server and gain access from a wired connection if they knew my internet IP. But I think at this point I'm willing to risk it.
Some additional security in apersonal sense is that I personally don't use the wireless access, thats for other people in my building - I'm connected with wires
I agree. I simply use a 128 bit WEP, open only the vnc port and use vnc with authentication ontop of it for my home wireless n/w. the very nature of vnc adds a lot of noise for the hacker so i think this is farely secure for ur average joe!
The phrase "wireless security" is considered by some to be an oxymoron. How can a system with no physical security hope to facilitate secure data transport? Well, with careful planning and configuration, a wireless network can protect itself from many types of attacks and become almost as secure as its wired counterpart. 802.11 can be deployed with various security mechanisms to provide robust, mobile, and hardened network infrastructure.
If you put the AP inside your network, you're an idiot looking for trouble. If you put it outside, it's basically like anyone on the net. You have to treat an AP as insecure! You still need a firewall to allow traffic from the internet or the AP to flow in. Just like you don't want people to "direct connect" to your servers, you have to use an encrypted VPN over your AP (as WEP is crackable if you want and MAC access can be spoofed). If you have problems with security, you can hire me :)
-- Leeeter than leet
I've played a bit with these and you're somehow right. Most cheap switches/routers treat the wireless and the LAN as 1 net (which is bad!). So you see everything on all the ports. It's very easy to use "arp poisoning" to fool a cheap switch and become a trusted machine.
Better wireless switchs have "dual subnets" and this allows you more flexibility by denying access to the insecure subnet. Unfortunately, most home users can't really afford one, or can't justify the price increase.
Now, home usage and business usage will always differ. You have to weight the value of protecting your data (risk analysis).
What I recommend for small business, which can be applicable to home as well is to have a firewall right behind your ISP modem and your AP (leave those ports unused - treat as insecure!). Behind the firewall, you can install a cheap 5 ports switch (20-50$). I even tell people NOT to buy one of those multi-purpose switches and rather buy a simple gateway. That way, you can't go wrong by mistakenly hooking a machine on the insecure side. Now make sure the wireless traffic can only connect via an encrypted VPN (easy done with the firewall. Discard anything not going to the right port).
The major key is to consider an AP just like a connection to the Internet: INSECURE!
-- Leeeter than leet
Anybody else here from Computer Science House at RIT? I almost peed myself when I saw that "Potter" and "Fleck" wrote a book together.
That's just the old "This is a troll" troll. Don't bother responding to trolls like this. In fact, why bother responding to xchino at all?
Okay, so you won't find 802.1x support in your standard el cheapo LinkSys or NetGear AP. In fact, you won't find 802.1x support in any cheap access point. On the other hand, if one does pay for the higher-end access points, pretty much every major vendor supports 802.1x authentication. It is considered a requirement for an access point to be considered an "enterprise" AP. Furthermore, WECA's requirements for WiFi certification this year are adding "WPA", which is a stripped down version of 802.11i, which happens to depend heavily on 802.1x. Any new products after this requirement is added will have to have 802.1x support in order to be "WiFi Certified."
Believe me, the wireless industry is moving heavily towards 802.1x (I've written two different implementations of 802.1x for two different access point products myself), so it should not be so casually dismissed.
For those who scoff at wireless security: sure, it probably won't be as secure as locked away wired networks; but 802.11i does at least make it non-trivial to break the security of wireless networks (pairwise session keys on a per-client basis, larger size keys, larger IV space, message integrity checks, etc).
To use my notebook in the backyard, I enclosed my property in a Faraday Cage. Of course, I have to shut everything down if my wife wants to back the car out. :)
Apart from the power cables and the monitor's screen signal I have no cables left on my desktop.
Keyboard, mouse, printer are all wireless.
IANAL but write like a drunk one.
Try CraniteSystems Wireless Wall Product. Layer Two Encryption.
I'd ask my ISP about that one, but they are all in jail because one or two of their customers decided to download kiddie porn. Oh wait, they are not in jail and neither am I. The core thought of your statement is dangerous. I'm not resoponsible for the actions of others and common carriers should not be either.
Friends don't help friends install M$ junk.
I get your point, but since wireless places everybody on a big LAN (the same goes for cable modem networks), it is smart to disable file and print sharing on a windows PC. If this isn't practical (the user has several PCs in his apartment and needs to share files and printers, or the WLAN is at an office doing the same), the inner network needs to be behind a firewall.
Either way, ports 137-139 should be firewalled off, regardless. That goes for anyone, really, whether on a party-line network such as wireless, or dialup or DSL. The old maxim holds true... put up a firewall (http://zonelabs.com if nothing else) and only open holes for the services you want exposed. Micros~1 file and print sharing is definitely not something to share with the rest of the world.
Need a Linux consultant in New Orleans?