3/2 I just bought a wireless access point for home (couldn't wait until
the official 802.11a comes out) and for various WinXP reasons,
128-bit WEP is not working on one of my machines, but the AP can
filter by MAC address. Is MAC filtering sufficient wireless security?
\_ No, it's trivially spoofable. But, so is WEP. -tom
\_ Wireless = zero security. If you want security you can't use
wireless.
\_ Using 802.11a should be fine.
\_ there's already a break
\_ If you want wireless security, you'll need to consider a layer3
VPN between your stations and, say, a firewall, using something
like KAME or FreeS/WAN. I don't know about the Windows IPsec
implementation, but KAME tends to be pretty interoperable. The
scheme depends on you using a sensible authentication mechanism
between stations, though. -John
\_ On campus they're doing AirBears with a Vernier captive portal,
with authentication on the back end via a RADIUS server. -tom
\_ This sounds like login-only protection. Is there any
encryption going on after establishing a connection?
\_ Not at the network level, no. You can, of course, use
end-to-end encrypted protocols like SSH. -tom
\_ So a little sniffing and anyone can grab all those
clear text POP and telnet passwords floating around
campus and probably a whole bunch of other things?
\_ Yup.
\_ just like on the wired ethernet. -tom
\_ Except physical access to a wired net is much
harder to get than to a wired net but you knew
that. Why do bother?
\_ It is safe to say at this point that it is
easier to get physical access to the wired
net than the wireless net on campus. There
are only 6 AirBears locations, while every
general-assignment classroom and most of the
libraries have open network ports. -tom
\_ Personally, I would keep a separate subnet for wireless and
treat it as insecure, allowing only ssh connection.
\_ AirBears uses VLANs, so the wireless net can only see other
wireless-net traffic. But there's no firewalling. -tom