#1

I installed a G network at a conference center so that clients that rent out meeting rooms can have net access.

I have one D-Link router and one D-Link repeater. I am not sure what the best way is to set up security so that:

1. The visiting clients can connect with minimal hassle, using their own PCs with wifi radios, and not have to reconfigure much to get going.

2. The office staff at the conference center can easily change the passphrase regularly or after each meeting.

I need to know whether to use WEP, WPA or WPA-PSK, and how to make it so that the router and repeater don't both have to be reconfigured (or an easy way to do both) to change the passphrase.

So far in testing, the three devices (router, repeater, client radio, all D-Link) all have different setup screens with different options. This is way too complicated as-is. Some things have WEP, some WPA, some passphrase only, some hex only, etc.

Any recommendations?

Jorabi
#2

What about boring old WEP?

I know it's pants security - but it's just for casual internet access is it?

But if you change the WEP key every day, or however often a new group comes in, stick it on the white-board, whatever, for them to see.

Surely most clients will support WEP. If you stick WPA-PSK on there, half the clients won't be able to connect ...

Not sure you can do much to make changing the WEP key quicker on your devices though? Although when you get used to it, you'll end up doing it in a flash. Maybe if it was a Cisco Aironet you could do some scheduled script to upload a different config each day containing the new key.
#3

"Emlynfluff" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) oups.com...
> What about boring old WEP?
> I know it's pants security - but it's just for casual internet access is it?

1 question - do you need any security?

it doesn't sound like you are charging for access - so why not leave the feed open?

> But if you change the WEP key every day, or however often a new group
> comes in, stick it on the white-board, whatever, for them to see.

and then the meeting starts, it gets rubbed off, the users want to set up their PCs to get mail in a lunch break......

> Surely most clients will support WEP.
> If you stick WPA-PSK on there, half the clients won't be able to connect ...
> Not sure you can do much to make changing the WEP key quicker on your
> devices though? Although when you get used to it, you'll end up
> doing it in a flash. Maybe if it was a Cisco Aironet you could do some
> scheduled script to upload a different config each day containing the
> new key.

and be prepared to be asked by a %age of all the clients to "assist" with the configuration if they even have to set up the key.

--
Regards

Stephen Hope - return address needs fewer xxs
#4

"stephen" wrote ...
> "Emlynfluff" wrote ...
>
>> What about boring old WEP?
>> I know it's pants security - but it's just for casual internet
>> access is it?
>
> 1 question - do you need any security?

I considered that. I am a consultant and this is my first WLAN at a business. I want my customer to feel secure (even though I have their office LAN separated from the WLAN).

> it doesn't sound like you are charging for access - so why not
> leave the feed open?

And have passersby in cars using up the bandwidth? That's what the customer will be concerned about. Tell me more if I can do this without much risk.

>> But if you change the WEP key every day, or however often a
>> new group comes in, stick it on the white-board, whatever, for
>> them to see.
>
> and then the meeting starts, it gets rubbed off, the users want
> to set up their PCs to get mail in a lunch break......
>
>> Surely most clients will support WEP. If you stick WPA-PSK on
>> there, half the clients won't be able to connect ...
>> Not sure you can do much to make changing the WEP key quicker
>> on your devices though? Although when you get used to it,
>> you'll end up doing it in a flash.

It won't be me, since I'll be gone. The customer isn't very savvy but I guess they can be trained.

>> Maybe if it was a Cisco Aironet you could do some scheduled
>> script to upload a different config each day containing the
>> new key.

Not Cisco, but maybe I could write a script for Windows to automate most of the steps. Good sugg.

> and be prepared to be asked by a %age of all the clients to
> "assist" with the configuration if they even have to set up
> the key.

Yep. I'll have a handout, and hopefully one or two attendees will step into the techie role.

Re my other questions on changing passwords: (a) should I use WEP 64 or 128? (b) should I use passphrase or hex? (c) is there any way to change the password on the router and automatically have it change on the repeater? Thanx.
#5

"Jorabi" <(E-Mail Removed)> wrote in news:%h2Vd.34541$vK5.32265@twister.nyroc.rr.com:

>> 1 question - do you need any security?
>
> I considered that. I am a consultant and this is my first WLAN at
> a business. I want my customer to feel secure (even though I have
> their office LAN separated from the WLAN).
>
>> it doesn't sound like you are charging for access - so why not
>> leave the feed open?
>
> And have passersby in cars using up the bandwidth? That's what the
> customer will be concerned about. Tell me more if I can do this
> without much risk.

You can avoid this by placing the APs in such a way that the signal won't radiate too much outside. Or you can change the antenna on the AP.

>>> Surely most clients will support WEP. If you stick WPA-PSK on
>>> there, half the clients won't be able to connect ...
>>> Not sure you can do much to make changing the WEP key quicker
>>> on your devices though? Although when you get used to it,
>>> you'll end up doing it in a flash.
>
> It won't be me, since I'll be gone. The customer isn't very
> savvy but I guess they can be trained.

That's what you think! The client WILL call you. And if you don't answer, you just racked up an unhappy customer : )

> Re my other questions on changing passwords: (a) should I use
> WEP 64 or 128? (b) should I use passphrase or hex? (c) is there
> any way to change the password on the router and automatically
> have it change on the repeater? Thanx.

Use WEP 64, not all cards support WEP 128.

You should use a passphrase. Most cards take a passphrase. However, I think you can convert between Hex and Passphrase, so perhaps have both versions of the key available?

--
Lucas Tam ((E-Mail Removed))
Please delete "REMOVE" from the e-mail address when replying.
http://members.ebay.com/aboutme/coolspot18/
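Added example, not part of the thread or written by any of its posters: a sketch of the hex/text conversion mentioned in the answer above, producing one key in both notations for a handout. It assumes the device's text field takes the key as raw ASCII characters (5 for WEP 64, 13 for WEP 128); a "passphrase" field that derives the key with a vendor-specific generator will not match this conversion. All function names are illustrative.

```python
import secrets
import string

# The "64"/"128" labels include a 24-bit IV, so the shared secret
# itself is 5 bytes (WEP 64) or 13 bytes (WEP 128).
KEY_BYTES = {64: 5, 128: 13}
# Handout-friendly characters: look-alikes (0/O, 1/l/I) are left out.
ALPHABET = [c for c in string.ascii_letters + string.digits
            if c not in "0O1lI"]


def ascii_to_hex(key_text, wep_bits=64):
    """Hex form of an ASCII WEP key, for devices with hex-only fields.

    Assumption: the device uses the typed characters as the key bytes.
    """
    raw = key_text.encode("ascii")  # UnicodeEncodeError on non-ASCII
    if len(raw) != KEY_BYTES[wep_bits]:
        raise ValueError(
            f"WEP {wep_bits} needs {KEY_BYTES[wep_bits]} ASCII characters")
    return raw.hex().upper()


def hex_to_ascii(key_hex, wep_bits=64):
    """ASCII form of a hex key, or None if it cannot be typed as text."""
    for sep in ":- ":
        key_hex = key_hex.replace(sep, "")
    raw = bytes.fromhex(key_hex)  # ValueError on non-hex input
    if len(raw) != KEY_BYTES[wep_bits]:
        raise ValueError(
            f"WEP {wep_bits} needs {2 * KEY_BYTES[wep_bits]} hex digits")
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def new_handout_key(wep_bits=64):
    """Random key in both notations, ready to print on a handout."""
    text = "".join(secrets.choice(ALPHABET)
                   for _ in range(KEY_BYTES[wep_bits]))
    return {"ascii": text, "hex": ascii_to_hex(text, wep_bits)}


if __name__ == "__main__":
    key = new_handout_key(64)
    print(f"ASCII key: {key['ascii']}   hex key: {key['hex']}")
```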
#6

"Jorabi" <(E-Mail Removed)> wrote in message news:%h2Vd.34541$(E-Mail Removed)...
>
> "stephen" wrote ...
> >
> > "Emlynfluff" wrote ...
> >
> >> What about boring old WEP?
> >> I know it's pants security - but it's just for casual internet
> >> access is it?
> >
> > 1 question - do you need any security?
>
> I considered that. I am a consultant and this is my first WLAN at
> a business. I want my customer to feel secure (even though I have
> their office LAN separated from the WLAN).

another poster suggested limit the coverage - you can direct the radio pattern to some extent, or turn down the power level on the AP.

some APs can run multiple virtual "lans" for lack of a better term - cisco aironet 1100 or 1200s can support this. you can have different vlans with different login and encryption setups using the same hardware (a default type is "guest mode" which may be what you want).

note that if you do this then any "secure" wifi and the guest account are only separated by VLAN - so you need to take some care about segregation of traffic and security.

just be aware this isn't consumer cost equipment.
http://www.cisco.com/en/US/netsol/ns...ages_list.html

bunch of cisco docs about wifi
http://www.cisco.com/en/US/netsol/ns...ages_list.html

if 1100s are too steep, then i suggest you make this a separate wifi to any internal system and just air gap it from the internal network - maybe even a separate internet feed so you don't have to worry about bandwidth hogging.

> > it doesn't sound like you are charging for access - so why not
> > leave the feed open?
>
> And have passersby in cars using up the bandwidth? That's what the
> customer will be concerned about. Tell me more if I can do this
> without much risk.

if it doesn't go anywhere but to the internet then do you care?

the problem is that any sort of security needs administration and complicates setup, and since you have a constant churn in your users you need to balance cost of "lost" bandwidth to that sort of risk vs overhead costs for admin.

> >> But if you change the WEP key every day, or however often a
> >> new group comes in, stick it on the white-board, whatever, for
> >> them to see.
> >
> > and then the meeting starts, it gets rubbed off, the users want
> > to set up their PCs to get mail in a lunch break......
> >
> >> Surely most clients will support WEP. If you stick WPA-PSK on
> >> there, half the clients won't be able to connect ...
> >> Not sure you can do much to make changing the WEP key quicker
> >> on your devices though? Although when you get used to it,
> >> you'll end up doing it in a flash.
>
> It won't be me, since I'll be gone. The customer isn't very
> savvy but I guess they can be trained.
>
> >> Maybe if it was a Cisco Aironet you could do some scheduled
> >> script to upload a different config each day containing the
> >> new key.
>
> Not Cisco, but maybe I could write a script for Windows to
> automate most of the steps. Good sugg.
>
> > and be prepared to be asked by a %age of all the clients to
> > "assist" with the configuration if they even have to set up
> > the key.
>
> Yep. I'll have a handout, and hopefully one or two attendees
> will step into the techie role.
>
> Re my other questions on changing passwords: (a) should I use
> WEP 64 or 128? (b) should I use passphrase or hex? (c) is there
> any way to change the password on the router and automatically
> have it change on the repeater? Thanx.

buy 802.11g equipment and run it in B/G mode for the widest compatibility.

if you change it every day then WEP 64 should be enough - you aren't worrying about security here, so much as making the system inconvenient for unauthorised users to get at.

--
Regards

Stephen Hope - return address needs fewer xxs
#7

"Jorabi" <(E-Mail Removed)> wrote in message news:OD0Vd.34532$(E-Mail Removed)...
>
> I installed a G network at a conference center so that
> clients that rent out meeting rooms can have net access.
>
> I have one D-Link router and one D-Link repeater. I
> am not sure what the best way is to set up security so that:
>
> 1. The visiting clients can connect with minimal hassle,
> using their own PCs with wifi radios, and not have to
> reconfigure much to get going.
>
> 2. The office staff at the conference center can easily
> change the passphrase regularly or after each meeting.
>
> I need to know whether to use WEP, WPA or WPA-PSK, and
> how to make it so that the router and repeater don't
> both have to be reconfigured (or an easy way to do both)
> to change the passphrase.
>
> So far in testing, the three devices (router, repeater,
> client radio, all D-Link) all have different setup screens
> with different options. This is way too complicated as-is.
> Some things have WEP, some WPA, some passphrase only, some
> hex only, etc.
>
> Any recommendations?

There are products like firstspot from patronsoft that have a captive portal. <this is a windows version>

You can have one password displayed for everyone to use to access the net. Granted, it doesn't prevent hackers from sniffing the air but can limit access.

Or if you are a linux guru there are many free captive portals available.

If you want to make access easy, forget about wep and wpa. You could set up a server that supports https and go that route and be sure to have an access point that supports vpn passthrough for those wanting to access work.