[fw-wiz] home net security (was Re: 802.11b and IPSec)
From: Bennett Todd (bet_at_rahul.net)
Date: 06/10/03
- Previous message: Ben Nagy: "RE: [fw-wiz] Re: SMTP Proxies and Application Proxies for Lotus Domino"
- In reply to: Paul Robertson: "[fw-wiz] 802.11b and IPSec"
- Next in thread: Paul Robertson: "Re: [fw-wiz] home net security (was Re: 802.11b and IPSec)"
- Reply: Paul Robertson: "Re: [fw-wiz] home net security (was Re: 802.11b and IPSec)"
To: Paul Robertson <proberts@patriot.net>
Date: Tue, 10 Jun 2003 10:23:37 -0400
2003-06-09T18:52:19 Paul Robertson:
> I'm looking at putting in wireless access at home, but I'd really rather
> do IPSec than WEP (LEAP or not)- are there any commercial WAPs that will
> gateway IPSec traffic, or am I stuck building my own gateway with a spare
> PC, *nix and a PCI wireless adapter, or doing pass through to a gateway
> host?

I don't know the answer to the question you ask. If I wanted to hunt
for such a gizmo, I'd guess Symbol might be the likeliest folks to
offer one. They've got the hottest wireless security devices I've
seen.

If you don't mind, though, I think it'd be valuable to expand the
discussion to a more general analysis of security for home nets.

Now obviously a home net can be anything. There are undoubtedly
maniacs who have Beowulf clusters doing hotly proprietary financial
modelling or whatever, with Special Needs. But they aren't typical.

Let's fantasize that the typical home net has 802.11b; it has one
or more workstations on it, which being pure clients are easy to
harden (hardening hosts is only hard when you need to offer network
services from those hosts).

For specific roles for which a home server might be needed, it's
easy to find solutions with good security; for many purposes, it
suffices to have the server expose nothing but ssh. When you only
have to allow access from a couple of clients, which you completely
control, you can find secure alternatives for most other network
server needs.

As I see it, the one hard-to-address aspect of home net security is
preventing drive-by wireless users from committing offenses on the
internet through your access.

While it's weak protection, I think wiring down the DHCP with an
enumerated list of MAC addrs is decent protection. Not perfect, of
course, but it'll cut out casual drive-bys, and improve the odds
that you at least notice even when a clever one tries to do bad. And
it's awfully easy to do.

Enabling WEP would also add a modest little increment of hassle to a
drive-by, but given the utter lack of key management in 802.11b WEP
I'll give that a miss.

I think the next step up would be to go with a solution like
<URL:http://www.hpi.net/whitepapers/warta/>, interposing a gateway
between your access point and your internet connection that serves
PPPoE and requires authentication.

-Bennett
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
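
Added example, not part of the original message or of any project it mentions: one way to get the "at least notice" benefit of a MAC-enumerated DHCP setup is to scan the DHCP server's log for requests from addresses that are not on the list. It assumes ISC dhcpd-style syslog lines; the MAC addresses, log lines and the function name unknown_clients are constructed for illustration.

```python
import re

# Assumption: mirrors the MACs enumerated in the DHCP server config (constructed values).
ALLOWED_MACS = {"00:0c:29:aa:bb:01", "00:0c:29:aa:bb:02"}

# Assumption: ISC dhcpd-style messages such as
#   DHCPDISCOVER from <mac> [(hostname)] via <iface>[: reason]
#   DHCPREQUEST for <ip> from <mac> [(hostname)] via <iface>[: reason]
LINE_RE = re.compile(
    r"(?P<type>DHCPDISCOVER|DHCPREQUEST)\b.*?\bfrom\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?:\s+\((?P<host>[^)]*)\))?\s+via\s+(?P<iface>[^\s:]+)"
)

def unknown_clients(lines, allowed=ALLOWED_MACS):
    """Summarise client requests from MACs that are not on the allowlist."""
    allowed = {m.lower() for m in allowed}
    seen = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # server replies (OFFER/ACK) and unrelated lines
        mac = m.group("mac").lower()  # logs may mix upper and lower case
        if mac in allowed:
            continue
        ts = line[:15]  # classic syslog timestamp, e.g. "Jun 10 10:14:40"
        rec = seen.setdefault(
            mac, {"count": 0, "first": ts, "last": ts, "hosts": set(), "ifaces": set()}
        )
        rec["count"] += 1
        rec["last"] = ts
        rec["ifaces"].add(m.group("iface"))
        if m.group("host"):
            rec["hosts"].add(m.group("host"))
    return seen

# Constructed sample log: one known client, two unknown ones.
SAMPLE_LOG = """\
Jun 10 10:01:02 gw dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:01 via eth1
Jun 10 10:01:02 gw dhcpd: DHCPOFFER on 192.168.1.10 to 00:0c:29:aa:bb:01 via eth1
Jun 10 10:01:03 gw dhcpd: DHCPREQUEST for 192.168.1.10 from 00:0C:29:AA:BB:01 via eth1
Jun 10 10:01:03 gw dhcpd: DHCPACK on 192.168.1.10 to 00:0c:29:aa:bb:01 via eth1
Jun 10 10:14:40 gw dhcpd: DHCPDISCOVER from 02:00:5e:10:20:30 (visitor) via eth1: network 192.168.1.0/24: no free leases
Jun 10 10:14:44 gw dhcpd: DHCPDISCOVER from 02:00:5e:10:20:30 (visitor) via eth1: network 192.168.1.0/24: no free leases
Jun 10 10:20:00 gw dhcpd: DHCPREQUEST for 192.168.1.77 from 02:00:5e:99:88:77 via eth1: unknown lease 192.168.1.77.
""".splitlines()

if __name__ == "__main__":
    for mac, rec in unknown_clients(SAMPLE_LOG).items():
        print(mac, rec["count"], rec["first"], rec["last"], sorted(rec["hosts"]))
```
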