Unofficial empeg BBS

#94258 - 16/05/2002 17:41 Securing 802.11b (Wireless)
matthew_k
pooh-bah

Registered: 12/02/2002
Posts: 2298
Loc: Berkeley, California
I'm working on modernizing an office network, and looking to upgrade them from a unix server with serial terminals to a unix server with windows terminals over ethernet and wireless, with a DSL connection available to all the Windows and the unix box.

I would like to add a few roaming laptops to the system, and this should be very possible with 802.11b, except that its security is almost nonexistent. Is there any way short of using a Linux PC as a firewall to really Do This Right?

Matthew

#94259 - 16/05/2002 18:24 Re: Securing 802.11b (Wireless) [Re: matthew_k]
genixia
Carpal Tunnel

Registered: 08/02/2002
Posts: 3411
Yes.

What you want to do is create a 3 port firewall:

External: Faces the DSL line. Locked down tight, with only ssh/VPN tunnelling allowed. Possibly a well-secured external-facing web server, but this isn't advisable either from the security standpoint or the bandwidth standpoint (better to have an external hosting company).

DMZ (De-Militarized Zone): Connected to your wireless AP. Again, locked down tight, and only allows ssh/VPN tunneling in. (Don't trust the wireless encryption).

Internal: Should be obvious

_________________________
Mk2a 60GB Blue. Serial 030102962 sig.mp3: File Format not Valid.
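
The three-interface firewall described in the post above, sketched as an added example that is not part of the original thread. It assumes a Linux firewall with iptables that terminates ssh and IPsec itself and sees decrypted VPN traffic on its own interface; the interface names (eth0, eth1, eth2, ipsec0) and both function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names are assumptions.
# gen_rules EXT WLAN INT TUN: print an iptables-restore ruleset in which the
# firewall terminates ssh/IPsec on EXT and WLAN and forwards only decrypted
# tunnel traffic (arriving on TUN) to the internal LAN.
gen_rules() {
    ext=$1; wlan=$2; int=$3; tun=$4
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -i $int -p tcp --dport 22 -j ACCEPT"
    for ifc in "$ext" "$wlan"; do   # untrusted sides: tunnel endpoints only
        printf '%s\n' "-A INPUT -i $ifc -p tcp --dport 22 -j ACCEPT" \
            "-A INPUT -i $ifc -p udp --dport 500 -j ACCEPT" \
            "-A INPUT -i $ifc -p esp -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int -o $ext -j ACCEPT
-A FORWARD -i $tun -o $int -j ACCEPT
-A FORWARD -i $wlan -j LOG --log-prefix "wlan-cleartext: "
-A FORWARD -i $wlan -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
EOF
}

# audit_rules WLAN < ruleset: succeed only if FORWARD defaults to DROP and no
# FORWARD rule accepts packets that arrive on the wireless interface.
audit_rules() {
    awk -v w="$1" '
        $1 == ":FORWARD" { seen = 1; if ($2 != "DROP") bad = 1 }
        $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
            for (i = 3; i < NF; i++) if ($i == "-i" && $(i + 1) == w) bad = 1
        }
        END { exit ((bad || !seen) ? 1 : 0) }'
}

# Print the ruleset for review; load it with: gen_rules ... | iptables-restore
if [ "${1:-}" = "print" ]; then gen_rules eth0 eth1 eth2 ipsec0; fi
```

Wireless clients get no DHCP or DNS from the firewall under these rules, so they need static addressing or an extra INPUT rule for those services.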

#94260 - 16/05/2002 20:50 Re: Securing 802.11b (Wireless) [Re: genixia]
matthew_k
pooh-bah

Registered: 12/02/2002
Posts: 2298
Loc: Berkeley, California
That's what I'd figured basically, but is there any hope of doing this without a PC? I could do it with Linux, but I'd prefer to avoid the extra complexity.

Matthew

#94261 - 17/05/2002 03:16 Re: Securing 802.11b (Wireless) [Re: matthew_k]
frog51
pooh-bah

Registered: 09/08/2000
Posts: 2091
Loc: Edinburgh, Scotland
An important thing to look at is whether the data going across the WLAN is confidential or sensitive. If it is then WEP, EAP or LEAP will not be enough to prevent it being sniffed, so you're talking about a VPN solution (IPSec is probably your best option here.)

To prevent unauthorised access to your WLAN, enable MAC filtering functions on your APs and turn on dynamic keys if your vendor supports them (most do now.)

To prevent access to your LAN, follow genixia's advice and firewall. Easy to do with an old box running Linux.

If your mission critical systems could be brought down by an intruder getting past the firewall, seriously think about strong authentication - SecuRemote VPN solution using tokens is a good solid solution.

All depends on how great you think the risk is. Put in a solution related to that risk.
_________________________
Rory
MkIIa, blue lit buttons, memory upgrade, 1Tb in Subaru Forester STi
MkII, 240Gb in Mark Lord dock
MkII, 80Gb SSD in dock

#94262 - 17/05/2002 09:00 Re: Securing 802.11b (Wireless) [Re: frog51]
DWallach
carpal tunnel

Registered: 30/04/2000
Posts: 3810
Your best bet is to do a VPN. You can get all kinds of cheap Linux boxes with multiple Ethernet interfaces (for example, check out the Portwell PNA-3303). Then, you can ignore the WEP/LEAP stuff that never actually worked and use generic, cheap base stations and wireless cards. Likewise, many new laptops are coming with 802.11b built-in. If your solution requires a non-standard card, then you can't take advantage of these new laptops.

If you want your wireless network to be effectively "inside" your network, with sensitive traffic going wireless, VPNs are the only safe option available to you. (Although, you could do it on-the-cheap with SSH tunnels and HTTP proxy servers.)
