[lug] wifi security - was "laptop partioning, boot loaders"

[Ken MacFerrin]

> So...now I'm looking at wireless, and not sure exactly which of the
> wireless products will actually work (although I've seen "general"
> reports that the wireless items with this laptop do well with linux). It
> has available 802.11a/g, but not b. 

Most any client card that works with "g" will still be backward
compatible to "b".  They both run at 2.4GHz, it's just that "g" has a
higher max data rate..

> Well, the information from the data sheet and other online data about
> the WRT54AG isn't as complete as I'd like, it's more from a "wireless
> for dummies" perspective (although I've been a dummy before, it doesn't
> answer some of my questions). Especially since this particular wireless
> router is able to simultaneously run both 2.4 GHz and 5 GHz...and has a
> 4 port switch. There is an "infrastructure" mode for access to LANs,
> which is what I'm interested in, but I'm wondering if anyone knows if
> the 2.4 GHz G and 5 GHz A can be set independently? Or if they share
> setup entirely?

I haven't used this router at all, but I'd doubt you'd be able to run
the G and A wifi networks in different "modes" such as having the A
network in a client mode and the G network in an AP mode.  I haven't
seen that feature in any consumer grade router.

> 
> Also, it talks about bridging, but I'm not certain that they mean this
> in the technical way...it sounds kind of like marketing speak, perhaps
> requiring yet more purchases  (YMMV). Specifically, I don't want it to
> assign IP addresses, nor to consume any...I want true bridging. But I do
> want to filter such that only the laptop's MAC can talk from the
> wireless side, locked down cold and tight without some drive-by
> script-kiddy getting in (I have to laugh, I still remember all the BLUG
> presentations on this topic).

This you should be able to do.  Using MAC filtering authentication for
the wifi should be entirely separate from whether the router is set to
Bridge mode.  Although as mentioned by previous posters, MAC filtering
doesn't gain you much if someone is really trying to crack your wifi.


> What I'd *like* to do probably is not possible...but maybe someone here
> can tell me how possible it is, and whether the WRT54AG can do this.
> 
> I have a "safe" DMZ LAN that does not touch the outside world. It
> connects only locally. Everything here so far has 2 NIC's, and only the
> stuff not touching the outside world has any ability to do anything
> interesting. I have a second wired network which talks to the outside
> world on a cable modem, and is heavily firewalled. I'm hoping that
> somehow I can take this dual band router and bridge the 802.11A to the
> 'safe' net with only the one MAC being allowed, and also connect the
> 802.11G side to the net with the cable modem, using this single wireless
> device to access two separate wired LAN's and not let them overlap. I
> don't think this is possible, I doubt the connections on the WRT54AG can
> be set up separately, e.g., I doubt it is possible to connect 1 of the
> switch ports to one net and another to another net. Can anyone confirm
> this?

On the wired side this should be possible using VLANs.  The router
should allow you to assign each physical port to a separate VLAN.  On
the wireless side, this could be possible *if* the router allows you to
assign the A & G networks to separate VLANs, but I'm going to guess that
it will only support one VLAN assignment for all wireless connections.

Unfortunately VLANs will only gain you a little security as VLAN Hopping
is possible.  For what you want to accomplish it's probably more
realistic to use the wireless as part of your less secured LAN and then,
as previous posters had recommended, use an OpenVPN box to control
tunnels from your less secure LAN into your "safe" LAN.

> Assuming I can't get one device to work on both nets, would two of these
> units within say 15 feet of each other interfere and be a mess to avoid?
> 
> I'm wondering one more thing...the WRT54AG advertises 152 bit WEP
> encryption. Is this sufficient, or is it like many of the others that
> it's merely somewhat adequate and not even that if someone is determined
> to abuse it? The 40 bit and older stuff is just a joke. I noticed one of
> the other WRT54 variants advertised AES 128 bit encryption, but I'm
> guessing that this would require custom drivers and would not be usable
> on linux without great hassle.

Using WEP is going to less secure regardless of the bit strength.
Having a 152bit key just means an attacker will need to capture more
packets before cracking the key.  For most personal purposes WPA/PSK
will be secure enough for your wifi authentication and will be available
on most linux supported wifi chips by using wpa_supplicant.  For a bit
more "cool factor" you can setup a FreeRADIUS sever and run WPA2/RADIUS.
 For extreme cool factor you could setup single signon for your LAN
using OpenLDAP and Kerberos and then tie in your OpenVPN and FreeRADIUS
as well...  Just thinking about the setup and troubleshooting time to
get it working gives me a headache though.

Again, for personal use, I think WPA is sufficient.  In my neighborhood
there's so many unsecured wifi routers it would be silly for someone to
spend a second to even both cracking a WEP/WPA secured one..

-Ken