On Fri, Jun 25, 2004 at 10:51:18AM -0400, Jason Dixon wrote:
> Layered security is key. Check out my presentation from a
> not-so-recent LUG:
>
> http://www.calug.com/13aug03talk/80211b_security_20030813.sxi

I've not had time to review your presentation, but will shortly.

> In short, you'll want a combination of
> encryption/authentication/filtering at multiple layers.

And, especially in this case, firewall/routing restrictions.

> Examples would include WEP (layer 2 encryption), EAP, IPSec (layer
> 3 encryption/authentication), MAC filtering, etc.

I'd like to stress--WEP, either 64 or 128 bit, is no real protection. HOWEVER, that said, always turn on the highest level that can be supported in your network by connecting devices. Again, it's layers. Your car door locks won't stop a professional, or even a determined amateur with a big screwdriver, but it will stop the walk-by. WEP protection is similar--it's another obstacle.

Your only real protection over wireless is tunneling a VPN session through the connections. Unfortunately, sometimes you can't do that. Sometimes, you can't even turn on WEP. And I don't believe you can, in your setup--I don't recall TiVO offering the option of setting up encryption.

In this case, I hate to say it, but if you're concerned about security, you really need two WAPs capable of firewalling. One for your general-purpose wireless networking, with WEP, MAC filtering, and running some VPN--IPSEC, whatever. On the second, put devices like the TiVO that can't do encryption. Then set up routing tables and firewall rules to prevent ANY traffic except EXACTLY what the device needs, and to direct traffic only to appropriate destinations. For TiVO, this isn't as easy as it might be; you can figure out where they're going for program updates by watching the firewall logs, but they change NTP servers without notice, and will *not* tell you what servers they're using (I've asked).
All you can really do is restrict any traffic to/from the TiVO except directly to/from your broadband connection (let TiVO take care of itself), and to/from other TiVOs and the designated local server (if you have the home media option).

Basically, you're segmenting your network with internal firebreaks--one for the encrypted, secured wireless, in which case you're going to rely more on the encryption/VPN and less on routing restrictions; and one for unsecured devices, in which case you're going to assume intruders can connect, but are going to use routing and access restrictions to prevent them from seeing and/or getting to anything useful.

Of course, only you can decide what's an appropriate security level. The vast majority of people just shrug and figure the odds are against their particular network being found. Maybe you're in a rural setting, and somebody getting close enough to wardrive is going to be noticed. Maybe you're on a quiet residential street with little or no through traffic, neighbors who notice lurking strangers, and no script kiddies with wireless on the street. If these conditions apply, you may decide the risk is low enough that you don't care. (Personally, I'm much too paranoid for that...)

Cheers,
--
Dave Ihnat
ignatz@xxxxxxxxxx
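As an added illustration of the routing and firewall restrictions Dave describes for the unsecured segment (example code, not from the original mail or any TiVO documentation): a small Python model of the default-deny policy, plus an audit that applies it to a few constructed netfilter-style log lines. All addresses, the segment layout and the log format are made up for the example.

```python
import ipaddress
import re

# Constructed addressing, not from the mail: the secured (WEP + VPN) segment
# behind the first WAP, the unsecured device segment behind the second, and
# the hosts the TiVO is allowed to reach. Anything outside both segments is
# treated as "the broadband connection" (the Internet).
SECURED_NET = ipaddress.ip_network("192.168.1.0/24")
UNSECURED_NET = ipaddress.ip_network("192.168.2.0/24")
MEDIA_SERVER = ipaddress.ip_address("192.168.1.50")   # designated local server
TIVOS = {ipaddress.ip_address("192.168.2.10"),
         ipaddress.ip_address("192.168.2.11")}

def is_local(addr):
    return addr in SECURED_NET or addr in UNSECURED_NET

def policy(src, dst):
    """Verdict for one flow forwarded between the segments.

    Default deny for the unsecured segment: a known TiVO may talk to the
    Internet, to other TiVOs and to the media server, and to nothing else
    on the LAN. Flows that never touch the unsecured segment are left to
    the VPN/encryption on the secured side, so they are accepted here."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    unsecured = [a for a in (src, dst) if a in UNSECURED_NET]
    if not unsecured:
        return "ACCEPT"
    if not all(a in TIVOS for a in unsecured):
        return "DROP"             # unknown device on the open segment
    peer = dst if src in TIVOS else src
    if peer in TIVOS or peer == MEDIA_SERVER or not is_local(peer):
        return "ACCEPT"
    return "DROP"                 # anything else on the LAN

# Constructed netfilter-style log fields; only SRC, DST, PROTO and DPT are read.
FLOW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?:.*? DPT=(\d+))?")

def audit(log_lines):
    """Apply the policy to logged flows and return the ones it would drop
    (e.g. a TiVO probing a host on the secured segment), so the allow-list
    and the segmentation can be checked against real traffic."""
    dropped = []
    for line in log_lines:
        m = FLOW_RE.search(line)
        if m and policy(m[1], m[2]) == "DROP":
            dropped.append((m[1], m[2], m[3], m[4] or "-"))
    return dropped
```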