[Novalug] best way to secure wireless?

Peter Larsen plarsen at famlarsen.homelinux.com
Sun Nov 26 13:32:02 EST 2006


Brandon Saxe wrote:
> What's the best (in your opinion) way to secure wireless 802.11x 
> networks in a mixed hardware environment with the following support 
> requirements:

First off, as others have pointed out - wireless networks MUST be secure. 
If nothing else, to protect yourself. Most likely, your agreement with 
your ISP only allows your household access to their drop, so allowing an 
open relay access isn't too good.

> 
> o Legacy hardware that consists of devices only supporting WEP 64 bit
> o Legacy hardware that consists of devices supporting WEP 64/128

Consider upgrading these. Alternatively, you can at least lock down the 
MAC addresses and use arpwatch and other software that looks for "weird" 
traffic. At the very least, if you cannot upgrade these I would use a 
firewall and put the systems on their own segment and limit their access 
as much as you can. Try with an authorized proxy server, if they need 
external HTTP access.

> o Newer hardware that can do WPA

I use "rolling" WPA. I have "newer" devices that still get kicked off 
now and then because of it, but it seems to work for me. I'm no 
encryption expert - so if someone here knows of issues there, I would 
greatly appreciate it.

> o Linux/Windows clients

That shouldn't make a difference - on the IP side.

> o IPSec VPN clients that need to connect to outside networks

These clients will encrypt traffic on their own. However, if there is no 
layer 2 encryption, someone can simply record and rebroadcast those 
sessions. Keeping this on top of an encrypted wireless network is a good 
thing.

> o L2TP/PPTP VPN clients to outside networks possible
> 
> Is there a way all this stuff can exist together on a secure, wireless 
> network?

Definitely, but segment your network. Don't put the VPN clients on the 
same segment as your internal servers. Likewise with your less secure 
clients. Set up secured protocols between the segments, and make sure you 
have intrusion detection installed on "points of entrance" to your 
network. The golden rule of wireless networks is never to hook them 
directly up to your internal network, but always go through a firewall.

> Obviously, the least common denominator in this scenario is the WEP 
> 64-bit devices. Is there a software solution you'd recommend?

Replace the hardware/get a better encryption. Of course you can use 
application based encryption, IPSEC etc. - but it would make each client 
setup kinda difficult. See above for other ideas.

Regards
   Peter Larsen
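The MAC lockdown plus arpwatch idea from the reply above, as an added illustration that is not part of the original thread: a small Python monitor that replays constructed ARP observations against a hypothetical allowlist and raises the two alerts arpwatch is usually watched for, an unknown station and an IP whose MAC address changed.

```python
"""ARP monitor in the spirit of the MAC-lockdown / arpwatch advice.

Input is constructed, not captured from a real network: one "ip mac"
observation per line. ALLOWED_MACS is a hypothetical allowlist for the
legacy WEP devices that were put on their own segment.
"""
from collections import namedtuple

Alert = namedtuple("Alert", ["kind", "ip", "old_mac", "new_mac"])

# Hypothetical allowlist of the legacy segment's known stations (constructed).
ALLOWED_MACS = {
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
}

# Constructed sample ARP observations: a known station, a second known
# station, an unknown station, and finally a known IP re-appearing with
# the unknown station's MAC (what a replaced or spoofed device looks like).
SAMPLE_ARP_LOG = """\
192.168.50.10 00:11:22:33:44:01
192.168.50.11 00:11:22:33:44:02
192.168.50.12 de:ad:be:ef:00:99
192.168.50.10 00:11:22:33:44:01
192.168.50.10 de:ad:be:ef:00:99
"""


def monitor_arp(log_text, allowed_macs):
    """Replay observations; return (ip -> mac table, list of alerts).

    "unknown_mac": the MAC is not on the allowlist.
    "mac_changed": an IP already seen with one MAC now reports another
    (arpwatch's "changed ethernet address" condition).
    """
    table = {}
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        ip, mac = parts[0], parts[1].lower()
        if mac not in allowed_macs:
            alerts.append(Alert("unknown_mac", ip, None, mac))
        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append(Alert("mac_changed", ip, previous, mac))
        table[ip] = mac
    return table, alerts
```

On the sample data this yields three alerts: one unknown station on .12 and, for .10, both an unknown MAC and a change away from its allowlisted address.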

