Hi all, and Season's Greetings
http://securityfocus.com/infocus/1814 is an article on a new generation of
WEP encryption cracking tools that have moved the time (and number of
packets) necessary to crack a WEP (Wireless Encryption Protocol) protected
WIFI (802.11) session from millions of packets and up to days, down to
thousands of packets and in some cases just seconds.
What this means is that the wireless access point you bought yourself for
Christmas may be the undoing of all your other security doings, allowing
attackers into the heart of your network with very little effort.
If you are contemplating adding wireless to your life (home, office, etc.)
there is one major rule that you should not break unless you truly are
going to purchase excellent equipment and change the encryption keys
frequently (more than daily - an onerous task to say the least):
Treat the wireless link as if it is completely insecure!
This means:
1 - don't install it onto your normal "inside" LAN behind your normal
firewall (you DO have a firewall, don't you!) but instead, purchase one of
the ones that is its own firewall and put it "outside" the LAN directly
onto the external link to the Internet. (see below for how to do this)
2 - use encryption (a VLAN or other encrypted session such as SSH (secure
shell) or SSL (secure sockets layer, aka HTTPS)) for anything you want to
keep safe - such as passwords to your bank, your e-mail information and
passwords, etc., or connections to your main computer system for file
sharing or remote console
3 - assume someone is sitting at your kerbside listening in to your
electronic conversations at all times.
4 - as usual, set your system up using 128-bit encryption (it makes the job
of cracking a lot harder) and change the key at regular intervals (weekly
is not a bad idea if you use the link a lot, otherwise, at least monthly)
This won't guarantee that your system won't be "owned" by the bad uglies,
but it will make their job a continuous one instead of a one-time thing.
Now, to make your wireless be "outside" your normal LAN:
1 - find an old Ethernet hub, or failing that, purchase one of the small 5
port switches - you only need 3 ports and the speed is not critical since
the modem you'll hook it to is only running at 10Mbps, not the 100Mbps that
the new switches mostly run at.
2 - disconnect the lead from your modem to your current firewall at the
modem and connect it to one of the "normal" sockets on the new (old) hub.
3 - connect a new cable from the modem to the "uplink" connector on the
hub. At this point your system should work as it always has in the past,
but the hub's lights will blink in unison with the send/receive lights on
the modem.
4 - connect your new wireless access point/router to the hub with the cable
it came with. Configure it quickly as it is now open to the outside world
and there are any number of ways that it can be discovered and hacked if
you don't change its password and lock it down with new settings.
Your new WIFI system should now pick up an address from your ISP. Most ISPs
will now allow you more than one of their addresses on your link so you
should not have to do much, if anything, to get it to work. If you do, just
phone them up or visit their web site and go through the process of telling
them that you "have a new computer" (the WIFI router looks to them just
like another computer on your link) and need another IP address.
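Once the access point is cabled in "outside" as above, it is worth proving that the inside LAN really is unreachable from the wireless side. The script below is an added example (not part of richard's post): run from a laptop on the WIFI, it tries a plain TCP connect to a constructed list of hypothetical inside addresses and ports and reports any that answer, which would mean the separation is not working.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed, hypothetical "inside" LAN services that must NOT answer from
# the wireless segment once the access point sits outside the firewall.
# Replace with the addresses of your own main computer and firewall.
INSIDE_SERVICES: List[Tuple[str, int]] = [
    ("192.168.1.10", 22),    # main computer, SSH remote console
    ("192.168.1.10", 445),   # main computer, file sharing (SMB)
    ("192.168.1.1", 80),     # firewall admin page
]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True only if a full TCP handshake completes with host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_isolation(
    services: List[Tuple[str, int]],
    connect: Callable[[str, int], bool] = tcp_connect,
) -> Dict[Tuple[str, int], bool]:
    """Map each (host, port) to whether it was reachable from here.

    'connect' is injectable so the logic can be exercised without a network.
    """
    return {(host, port): connect(host, port) for host, port in services}


def leaks(results: Dict[Tuple[str, int], bool]) -> List[Tuple[str, int]]:
    """The services that answered: each one is a hole in the separation."""
    return sorted(svc for svc, reachable in results.items() if reachable)


if __name__ == "__main__":
    results = check_isolation(INSIDE_SERVICES)
    for (host, port), reachable in results.items():
        state = "REACHABLE - check your cabling/firewall" if reachable else "blocked"
        print(f"{host}:{port} {state}")
    if not leaks(results):
        print("Inside LAN is not reachable from the wireless segment.")
```

Every line reported as blocked is what you want; a reachable inside service means the wireless is still effectively on your LAN.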
Enjoy (if you are not already paranoid enough to block all such
enjoyment ;)
richard
Merry Christmas and have a safe computing Happy New Year
Keep 'em guessing - don't give away your secrets.