Wireless security

Dave Ihnat ignatz at dminet.com
Fri Jun 25 15:11:32 UTC 2004


On Fri, Jun 25, 2004 at 10:51:18AM -0400, Jason Dixon wrote:
> Layered security is key.  Check out my presentation from a 
> not-so-recent LUG:
> 
> http://www.calug.com/13aug03talk/80211b_security_20030813.sxi

I've not had time to review your presentation, but will shortly.

> In short, you'll want a combination of 
> encryption/authentication/filtering at multiple layers.

And, especially in this case, firewall/routing restrictions.

> Examples would include WEP (layer 2 encryption), EAP, IPSec (layer
> 3 encryption/authentication), MAC filtering, etc.

I'd like to stress--WEP, either 64 or 128 bit, is no real protection.
HOWEVER, that said, always turn on the highest level that can be supported
in your network by connecting devices.  Again, it's layers.  Your car
door locks won't stop a professional, or even a determined amateur
with a big screwdriver, but it will stop the walkby.  WEP protection is
similar--it's another obstacle.

Your only real protection over wireless is tunneling a VPN session through
the connections.  Unfortunately, sometimes you can't do that.  Sometimes,
you can't even turn on WEP.  And I don't believe you can, in your setup--
I don't recall TiVO offering the option of setting up encryption.

In this case, I hate to say it, but if you're concerned about
security, you really need two WAPs capable of firewalling.  One for
your general-purpose wireless networking, with WEP, MAC filtering,
and running some VPN--IPSEC, whatever.

On the second, put devices like the TiVO that can't do encryption.
Then set up routing tables and firewall rules to prevent ANY traffic
except EXACTLY what the device needs, and to direct traffic only to
appropriate destinations.  For TiVO, this isn't as easy as it might be;
you can figure out where they're going for program updates by watching the
firewall logs, but they change NTP servers without notice, and will *not*
tell you what servers they're using (I've asked).  All you can really do
is restrict any traffic to/from the TiVO except directly to/from your
broadband connection (let TiVO take care of itself), and to/from other
TiVOs and the designated local server (if you have the home media option).

Basically, you're segmenting your network with internal firebreaks--one
for the encrypted, secured wireless, in which case you're going to rely
more on the encryption/VPN and less on routing restrictions; and one
for unsecured devices, in which case you're going to assume intruders
can connect, but are going to use routing and access restrictions to
prevent them from seeing and/or getting to anything useful.

Of course, only you can decide what's an appropriate security level.
The vast majority of people just shrug and figure the odds are against
their particular network being found.  Maybe you're in a rural setting,
and somebody getting close enough to wardrive is going to be noticed.
Maybe you're on a quiet residential street with little or no through
traffic, neighbors who notice lurking strangers, and no scriptkiddies
with wireless on the street.  If these conditions apply, you may decide
the risk is low enough that you don't care.  (Personally, I'm much too
paranoid for that...)

Cheers,
-- 
	Dave Ihnat
	ignatz at dminet.com
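A concrete form of the firewall rules Dave describes for the second, unsecured segment, added here as an example and not part of the original message. It assumes a Linux box doing the routing with iptables, and constructed interface names and addresses (eth0 as the broadband uplink, eth2 as the TiVO segment on 192.168.2.0/24, the secured LAN on 192.168.1.0/24 with the home media server at 192.168.1.10):

```shell
#!/bin/sh
# Added example, not from the original message. Firewall rules for the second,
# "unsecured device" segment: the TiVO may reach the broadband uplink and the
# designated home media server, and nothing else.
# Constructed assumptions: eth0 = broadband uplink, eth2 = TiVO segment,
# 192.168.2.0/24 = TiVO segment, 192.168.1.0/24 = secured LAN,
# 192.168.1.10 = home media server. IPT defaults to "echo iptables" (dry run,
# prints the rules); run as root with IPT=iptables to apply them.

WAN_IF=${WAN_IF:-eth0}
TIVO_IF=${TIVO_IF:-eth2}
TIVO_NET=${TIVO_NET:-192.168.2.0/24}
LAN_NET=${LAN_NET:-192.168.1.0/24}
MEDIA_SRV=${MEDIA_SRV:-192.168.1.10}
IPT=${IPT:-"echo iptables"}

tivo_segment_rules() {
    # A dedicated chain keeps the segment's policy easy to audit and flush.
    $IPT -N TIVO_FWD
    # Replies to allowed sessions pass; every new flow must match a rule below.
    $IPT -A TIVO_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Home media option: TiVO <-> designated server only, in either direction.
    $IPT -A TIVO_FWD -i "$TIVO_IF" -s "$TIVO_NET" -d "$MEDIA_SRV" -j ACCEPT
    $IPT -A TIVO_FWD -o "$TIVO_IF" -s "$MEDIA_SRV" -d "$TIVO_NET" -j ACCEPT
    # The rest of the secured LAN stays invisible to anything on this segment.
    $IPT -A TIVO_FWD -i "$TIVO_IF" -s "$TIVO_NET" -d "$LAN_NET" -j DROP
    # Program updates and NTP go out the uplink; the servers change without
    # notice, so match on the egress interface rather than on addresses.
    $IPT -A TIVO_FWD -i "$TIVO_IF" -s "$TIVO_NET" -o "$WAN_IF" -j ACCEPT
    # Log (rate-limited) then drop everything else; the log shows what the
    # device actually tries to reach, which is how you learn what it needs.
    $IPT -A TIVO_FWD -m limit --limit 5/min -j LOG --log-prefix "TIVO-DROP: "
    $IPT -A TIVO_FWD -j DROP
    # Hand all traffic entering or leaving the segment to the chain.
    # (TiVO-to-TiVO traffic on the same segment is switched locally and
    # never reaches FORWARD.)
    $IPT -A FORWARD -i "$TIVO_IF" -j TIVO_FWD
    $IPT -A FORWARD -o "$TIVO_IF" -j TIVO_FWD
}

tivo_segment_rules
```

Run it once as-is to review the generated rule list; the FORWARD chain's default policy should already be DROP on the router so that anything not handed to TIVO_FWD is refused too.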





More information about the redhat-list mailing list