hirez: More graf. Same place as the other one. (irradiated)
[personal profile] hirez
I finally cracked and bought a wireless AP/switch/router, (A WRT54G, so I can play with OpenWRT in the future) and I'm idly considering how to plumb it into my existing lash-up.

I could do it the Oakley way, which requires that I bung another NIC in the wall BSD box and configure that as router/firewall (which it's already doing well enough).

Or I could bung the wireless kit ahead of the BSD box and create a DMZ such that if/when the wireless is cracked, the winders kit is still behind the BSD firewall. This is going to mean multiple levels of NAT and some extra jiggery-pokery to allow inbound SSH.

Or put the wireless kit behind the BSD box and hope that WPA is good enough and works with BSD-6.0.

Or some other arrangement.

Ideas? War (driving) stories?

Date: 2005-11-26 06:19 pm (UTC)
From: [identity profile] aoakley.livejournal.com
Correctly configured WPA is sufficiently strong on its own not to bother any further. I only did my <a href="http://nam-vets.org/frampton">public-hotspot+VPN</a> because my kit only supported WEP (and because running my own hotspot in the middle of nowhere is cool).

Date: 2005-11-26 06:43 pm (UTC)
From: [identity profile] edwards.livejournal.com
If I don't switch WiFi off on my iPaq, TomTom becomes utterly hopeless in town due to the prevalence of WiFi networks broadcasting. I can't drive for 5 yards without a dialogue box offering me one or more (three is the maximum it offers, I think) networks to join.

Date: 2005-11-26 08:52 pm (UTC)
From: [identity profile] geascian.livejournal.com
Switch off Broadcast SSID
Switch on WPA, or WEP (not as secure but good enough if you use 128bit) if you don't have WPA.
Switch on MAC Address filtering, if you have it.

You end up with a system that, if you keep your WEP keys secret, is pretty secure from everybody but the spooks :)

Date: 2005-11-26 09:30 pm (UTC)
From: [identity profile] mr-tom.livejournal.com
Having an insecure wireless network is a good defence if the IP industry comes a-knocking...

Date: 2005-11-27 10:19 am (UTC)
From: [identity profile] poggs.livejournal.com
Anything with static keys (WEP, WPA-PSK) isn't terribly secure. However, many newer network cards and APs have weak IV avoidance, so WEP isn't as insecure as it was once.

I'd go WPA-PSK - straightforward, simple etc. If you put your AP on a separate network, is it going to achieve anything? If somebody cracks it, they're going to have the same level of access as you would...

For our home VPN users at work, I set up two DHCP scopes on every router - one to give out corporate addresses to certain MAC addresses, and another one to give 192.168.1.x addresses to anything else. Reasoning? Even if you crack the WEP, you'll still get a 192.168.x.x address (unroutable on the WAN, local NAT on the router only) and get what you want - Internet access.

Date: 2005-11-27 12:14 pm (UTC)
From: [identity profile] aoakley.livejournal.com
Hmm. Opera for Series 40 phones mangles LJ replies, then. What I meant to say was:

Correctly configured WPA is sufficiently strong on its own not to bother any further. I only did my hotspot-VPN jobbie because 1) I wanted to run a public hotspot and 2) my wifi access point only supported WEP.
