Firewall Wizards mailing list archives

home net security (was Re: 802.11b and IPSec)


From: Bennett Todd <bet () rahul net>
Date: Tue, 10 Jun 2003 10:23:37 -0400

2003-06-09T18:52:19 Paul Robertson:
> I'm looking at putting in wireless access at home, but I'd really rather
> do IPSec than WEP (LEAP or not)- are there any commercial WAPs that will
> gateway IPSec traffic, or am I stuck building my own gateway with a spare
> PC, *nix and a PCI wireless adapter, or doing pass through to a gateway
> host?

I don't know the answer to the question you ask. If I wanted to hunt
for such a gizmo, I'd guess Symbol might be the likeliest folks to
offer one. They've got the hottest wireless security devices I've
seen.

If you don't mind, though, I think it'd be valuable to expand the
discussion to a more general analysis of security for home nets.

Now obviously a home net can be anything. There are undoubtedly
maniacs who have Beowulf clusters doing hotly proprietary financial
modelling or whatever, with Special Needs. But they aren't typical.

Let's fantasize that the typical home net has 802.11b; it has one
or more workstations on it, which being pure clients are easy to
harden (hardening hosts is only hard when you need to offer network
services from those hosts).

For specific roles for which a home server might be needed, it's
easy to find solutions with good security; for many purposes, it
suffices to have the server expose nothing but ssh. When you only
have to allow access from a couple of clients, which you completely
control, you can find secure alternatives for most other network
server needs.

As I see it, the one hard-to-address aspect of home net security is
preventing drive-by wireless users from committing offenses on the
internet through your access.

While it's weak protection, I think wiring down the DHCP with an
enumerated list of MAC addrs is decent protection. Not perfect, of
course, but it'll cut out casual drive-bys, and improve the odds
that you at least notice even when a clever one tries to do bad. And
it's awfully easy to do.

Enabling WEP would also add a modest little increment of hassle to a
drive-by, but given the utter lack of key management in 802.11b WEP
I'll give that a miss.

I think the next step up would be to go with a solution like
<URL:http://www.hpi.net/whitepapers/warta/>, interposing a gateway
between your access point and your internet connection that serves
pppoe and requires authentication.

-Bennett
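
An added example, not part of the original post: one way to get the "at least notice" benefit of an enumerated MAC list is to scan the DHCP server's log for requests from addresses that are not on it. The log lines are constructed in the style of ISC dhcpd syslog messages, and the MAC addresses, host name `gw`, interface `eth1` and function name are assumptions made for illustration.

```python
import re

# Assumption: MAC addresses of the machines you own (constructed values).
KNOWN_MACS = {"00:0c:29:aa:bb:01", "00:0c:29:aa:bb:02"}

# Constructed sample input, modelled on ISC dhcpd syslog lines.
SAMPLE_LOG = """\
Jun 10 10:01:02 gw dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:01 via eth1
Jun 10 10:01:02 gw dhcpd: DHCPOFFER on 192.168.1.10 to 00:0c:29:aa:bb:01 via eth1
Jun 10 10:01:03 gw dhcpd: DHCPREQUEST for 192.168.1.10 from 00:0c:29:aa:bb:01 via eth1
Jun 10 10:01:03 gw dhcpd: DHCPACK on 192.168.1.10 to 00:0c:29:aa:bb:01 via eth1
Jun 10 23:41:17 gw dhcpd: DHCPDISCOVER from 00:02:2D:11:22:33 via eth1: network 192.168.1.0/24: no free leases
Jun 10 23:41:21 gw dhcpd: DHCPDISCOVER from 00:02:2d:11:22:33 via eth1: network 192.168.1.0/24: no free leases
Jun 10 23:50:00 gw dhcpd: DHCPREQUEST for 192.168.1.11 from 00:0C:29:AA:BB:02 via eth1
"""

# Client-originated messages only; server replies (OFFER/ACK) are skipped.
CLIENT_MSG = re.compile(
    r"dhcpd(?:\[\d+\])?: (?P<type>DHCP(?:DISCOVER|REQUEST)) .*?"
    r"from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)


def unknown_clients(log_text, known=KNOWN_MACS):
    """Return {mac: {"count", "first", "last"}} for MACs not on the list."""
    known = {m.lower() for m in known}  # compare case-insensitively
    seen = {}
    for line in log_text.splitlines():
        m = CLIENT_MSG.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac in known:
            continue
        ts = line[:15]  # syslog timestamp prefix, e.g. "Jun 10 23:41:17"
        rec = seen.setdefault(mac, {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["last"] = ts
    return seen


if __name__ == "__main__":
    for mac, rec in unknown_clients(SAMPLE_LOG).items():
        print(f"unlisted client {mac}: {rec['count']} request(s), "
              f"{rec['first']} .. {rec['last']}")
```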
