Security

Hi guys,

We have about 3-4 guys here who would be keen to get AP's setup but their main concern is data security (i.e. unencrypted data being transferred around). Can you give us any details on that (preferably in layman's speak)? Is it in the HOWTO?

This answer should probably be put in the FAQ as I'm sure a lot of people but "Wireless" and "Security" in the same sentence...

Cheers
Matt.

I am get around to putting something about that in the HOWTO, but till then;

NoCatAuth provides the security. It exchanges authentication information via SSL then dynamically updates the IPTables firewall to allow traffic to pass from authenticated clients.

From that point onwards security is over to the user. The Access Point is secure enough, but if a user wants a secure wireless connection then it is advisable to run an encrypted tunnel (PPTP GRE, IPSec, SSH etc.) just like one would do across the general internet.

Thanks Simon. Wrote you up a good review and posted it to our Yahoo Group - We have now about 5 new people who are interested now.

Cheers
Matt.

What I am going to do is put a nat firewall between me and the wireless network, Can pinhole thru the ports that I want to be accessable on my lan, and the whole lan can go out on the wireless network using the internal 192.168.x.x addresses, being natted to the "wan" IP of the small router.

The wireless network is just as secure as the internet, that is, it isnt. If you have no problem sending something over the internet, then you should have no problems sending it over the wireless netwoek. SSH, HTTPS and secure POP and IMAP exist for a reason.

In anycase, a large use of the wireless network will be for swapping media etc, and not needing security.

Really glad to read your post richms.

The funcionality you describe is something I'm in the process of building into the firewall scripts presented in the HOWTO., as it has become increasingly apparent talking to the NZW guys that this is functionality that they definitely require.

I think that putting in a seperate firewall between your LAN and your AP is unnecessary. Definitely treat your AP as an untrusted public facing system, but rely on it's ability to firewall and NAT/PAT your LAN machines.

-Simon.

The thing is I trust a seperate box I can pick up and hold a lot more then I trust a piece of software on a computer running an operating system that I know very little about.

I was thinking something like a d-link or linksys ethernet router would be ideal

Well that's over to you. If you want to spend the money it will make you more secure. If you think you need it go right ahead.

However I should point out that short of a commercial firewalling solution such as Cisco Pix or Checkpoint Firewall-1, you won't find better firewalling than Linux except maybe from BSD.

Also worth mentioning that the "home use" type ethernet routers tend not to support stateful firewalling.

Lastly, it's worth mentioning that IPTables is not an application as such running in the application layer of Linux - IPTables does have user space commands, but it is in actuality mods that form a part of the kernel.

-Simon.

Yes, but if any of the numerous services on the linux box become comprimised because I have being slack about getting them updated etc, or have inadvertantly configured them incorrectly then my network is as good as comprimised without something there.

As for the statefull firewalling, I will be using NAT to go out, and simply pinholing a FTP and possibly web server thru, I dont think that any statefullness would help there as I want those services open to everyone.

Basically, I dont trust myself to admin the linuxbox and keep it secure, and I dont want to rely on the goodwill of others to keep it that way.

Have you guys considered using a Direct Connect server?

That is a great way to manage your file shares.

Server only requires One port to be open, your client just needs 1 (2 sometimes).

easy to manage the security/what you are share'n?

I am going to jump into this wireless stuff shortly I can provide a demo if required..

Yep, When i eventually get around to having some AP's up around where i am, i will be having a Direct Connect Server running

CmdrChris, I was trying to leech off you at Gaggle but you were waaaaay too slow to make it worthwhile, ahhh well, maybe at Gaggle 4?

Bigted

Gaggle was pretty quick from what I saw.... I did manage to upload about 300gb at that event...

Seemed a bit random at times tho. one guy gets 10mb and some would get about 400k....

I Think DC is a pretty good method for file-sharing. Resumable searchable mutliple souce downloads, what more could you want.