Firewall Wizards mailing list archives
home net security (was Re: 802.11b and IPSec)
From: Bennett Todd <bet () rahul net>
Date: Tue, 10 Jun 2003 10:23:37 -0400
2003-06-09T18:52:19 Paul Robertson:
I'm looking at putting in wireless access at home, but I'd really rather do IPSec than WEP (LEAP or not)- are there any commercial WAPs that will gateway IPSec traffic, or am I stuck building my own gateway with a spare PC, *nix and a PCI wireless adapter, or doing pass through to a gateway host?
I don't know the answer to the question you ask. If I wanted to hunt for such a gizmo, I'd guess Symbol might be the likeliest folks to offer one. They've got the hottest wireless security devices I've seen.

If you don't mind, though, I think it'd be valuable to expand the discussion to a more general analysis of security for home nets.

Now obviously a home net can be anything. There are undoubtedly maniacs who have Beowulf clusters doing hotly proprietary financial modelling or whatever, with Special Needs. But they aren't typical.

Let's fantasize that the typical home net has 802.11b; it has one or more workstations on it, which being pure clients are easy to harden (hardening hosts is only hard when you need to offer network services from those hosts). For specific roles for which a home server might be needed, it's easy to find solutions with good security; for many purposes, it suffices to have the server expose nothing but ssh. When you only have to allow access from a couple of clients, which you completely control, you can find secure alternatives for most other network server needs.

As I see it, the one hard-to-address aspect of home net security is preventing drive-by wireless users from committing offenses on the internet through your access.

While it's weak protection, I think wiring down the DHCP with an enumerated list of MAC addrs is decent protection. Not perfect, of course, but it'll cut out casual drive-bys, and improve the odds that you at least notice even when a clever one tries to do bad. And it's awfully easy to do.

Enabling WEP would also add a modest little increment of hassle to a drive-by, but given the utter lack of key management in 802.11b WEP I'll give that a miss.

I think the next step up would be to go with a solution like <URL:http://www.hpi.net/whitepapers/warta/>, interposing a gateway between your access point and your internet connection that serves pppoe and requires authentication.

-Bennett
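The "at least notice" half of the MAC-enumerated DHCP idea in the message above can be automated by checking the DHCP server's log against the same allowlist. This is an added example, not part of the original post; it assumes syslog lines in the style ISC dhcpd writes, and every MAC, address and hostname in it is constructed.

```python
import re

# MACs that have fixed leases on the home net (constructed values).
KNOWN_MACS = {"00:0d:93:aa:10:01", "00:0d:93:aa:10:02"}

# Constructed log lines in the style ISC dhcpd writes to syslog.
SAMPLE_LOG = """\
Jun 10 09:58:01 gw dhcpd: DHCPDISCOVER from 00:0d:93:aa:10:01 via eth1
Jun 10 09:58:01 gw dhcpd: DHCPOFFER on 192.168.7.11 to 00:0d:93:aa:10:01 via eth1
Jun 10 09:58:02 gw dhcpd: DHCPREQUEST for 192.168.7.11 from 00:0D:93:AA:10:01 via eth1
Jun 10 09:58:02 gw dhcpd: DHCPACK on 192.168.7.11 to 00:0d:93:aa:10:01 (laptop) via eth1
Jun 10 10:14:40 gw dhcpd: DHCPDISCOVER from 00:02:2d:5c:77:e0 via eth1: network 192.168.7.0/24: no free leases
Jun 10 10:14:44 gw dhcpd: DHCPDISCOVER from 00:02:2d:5c:77:e0 via eth1: network 192.168.7.0/24: no free leases
Jun 10 10:20:13 gw dhcpd: DHCPREQUEST for 192.168.7.50 from 00:40:96:31:0b:9c via eth1
Jun 10 10:20:13 gw dhcpd: DHCPACK on 192.168.7.50 to 00:40:96:31:0b:9c via eth1
"""

# Timestamp, DHCP message type, and the client MAC after "from" or "to".
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sdhcpd(?:\[\d+\])?:\s"
    r"(?P<msg>DHCP[A-Z]+)\b.*?\b(?:from|to)\s"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

def unknown_clients(log_text, known=KNOWN_MACS):
    """Return {mac: {first, last, packets, leased}} for MACs not in `known`."""
    known = {m.lower() for m in known}
    seen = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()  # logs and allowlists may differ in case
        if mac in known:
            continue
        rec = seen.setdefault(mac, {"first": m["ts"], "packets": 0, "leased": False})
        rec["last"] = m["ts"]
        rec["packets"] += 1
        # A DHCPACK to an unlisted MAC means the allowlist is not enforced.
        rec["leased"] = rec["leased"] or m["msg"] == "DHCPACK"
    return seen

if __name__ == "__main__":
    for mac, rec in unknown_clients(SAMPLE_LOG).items():
        state = "GOT A LEASE" if rec["leased"] else "refused"
        print(f"{mac} {state}: {rec['packets']} packets, {rec['first']} .. {rec['last']}")
```

A client that clones a listed MAC, or configures a static address without asking DHCP, leaves nothing for this check to find, which is the "not perfect" caveat in the message.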
Current thread:
- 802.11b and IPSec Paul Robertson (Jun 09)
- home net security (was Re: 802.11b and IPSec) Bennett Todd (Jun 10)
- Re: home net security (was Re: 802.11b and IPSec) Paul Robertson (Jun 15)