Thanks for your answers Alvin and others.
Some more comments below.
On Sun, Aug 07, 2005 at 06:13:23PM -0700, Alvin Oga wrote:
>
>
> On Sat, 6 Aug 2005, David Purton wrote:
>
[SNIP]
> > At present it looks like this:
> >
> >   +--------+
> >   | switch |-- wired private network
> >   +--------+
> >        |
> >       eth0
> >        |
> >   +-----------------+
> >   | debian linux    |          +------------+
> >   | server/firewall |-- eth1 --| adsl modem |-- internet
> >   | gateway/router  |          +------------+
> >   +-----------------+
>
[SNIP]
> it'd be better to add a hub/switch between the dsl router and
> your debian box and plug your wifi card into a 2nd 386-based PC
> or buy a linksys wt54g with a modified firmware
Except that it isn't a dsl router - just a modem. The debian box does
all the firewalling and routing.
>
> > Then I could only allow
> > traffic through to/from the wired network through a VPN (probably using
> > openVPN, since I have used this before and it's easy enough to
> > configure).
>
> wireless traffic over vpn is good and bad
>
> good.. that they cannot see its content in clear text, but
> since it's vpn, they have access anyway unless you close off the
> vpn to allow just one mac address
> - good, always run wifi devices over ssh or vpn .. BUT ..
>
> anything you can do .. they can do too .. even more so if you don't
> use any passwd or pass phrase, so it'd be pointless
> - passwdless login is a free use-any-time key to the cracker
>
Huh? Why do they have access anyway? I thought the point of using a VPN
was so that you need a key + passphrase to log onto the VPN... And how
is that different to going through a sniffed wired network?
Without going through the VPN you can't get through the firewall either
way.
[SNIP]
>
> they are the van outside the house or around the corner or behind the
> house or at starbucks or the high powered wifi antenna on the mountain top
>
> > What are the disadvantages of doing it this way?
>
> what is important to you would decide which is better ...
> - time
> - ease to setup
> - data security
> - getting fired from the company because a cracker got
> into the corp lan from your wifi home network
>
> endless tons of disadvantages no matter which way you do it
>
> i opt for data and login security first ... time and costs are secondary
> or a non-issue ... data cannot be replaced/bought unless your backup
> scheme is self checking and self correcting and secure
>
> > And what hardware would you recommend to get this setup to play nicely
> > with linux?
>
> see above
>
> any pci card will work
>
> -- if you want your own AP .. you will have to pick a pci card that
> is supported by a wifi driver
>
> linux-wireless.org/Drivers
>
> -- if you want your own AP with WPA... you will have to pick
> a pci card that is supported by hostap or madwifi
>
> -- if you buy off-the-shelf...
> - some netgear switches will not talk to linksys clients
> and vice versa ( s/netgear/any-commercial-product/g )
Mmm ok, so I don't need a hardware AP connected to an ethernet card?
Just so long as the PCI card is supported by the linux wireless drivers?
>
> > I guess the other option is getting a wireless router which I could
> > attach to my switch.
>
> always put insecure wifi OUTSIDE the firewall
>
Fair enough.
> bad idea to put wifi inside ( your switch )
>
> > How does this compare to using just an access point? Is it better?
>
> linux based AP is better ...
>
> - you can control what it does
> - there are no default passwds that you didn't change
> - you can use wpa; wep is broken and worthless for preventing prying eyes
This was my initial thought.
>
> c ya
> alvin
>
--
David Purton
dcpurton@chariot.net.au
For the eyes of the LORD range throughout the earth to
strengthen those whose hearts are fully committed to him.
2 Chronicles 16:9a
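The layout the thread converges on (wifi card in the Debian gateway, treated as being outside the firewall, with the wired LAN reachable only through the OpenVPN tunnel) expressed as an iptables ruleset. This is an added example, not code from David, Alvin or the Debian project. It assumes interface names eth0 (wired LAN), eth1 (adsl modem), wlan0 (the PCI wifi card running as an AP) and tun0 (OpenVPN), the private subnets shown, and OpenVPN configured with per-client certificates plus a passphrase so that only authenticated clients ever appear on tun0.

```shell
#!/bin/sh
# Added example (not from the thread): iptables ruleset for a Debian gateway
# whose wifi card is treated as OUTSIDE the firewall. Wifi clients may only
# reach DHCP and the OpenVPN port on the gateway; every path to the wired LAN
# or the internet goes through the VPN tunnel. Interface names and subnets
# below are assumptions.
LAN_IF=eth0            # wired private network
WAN_IF=eth1            # adsl modem
WIFI_IF=wlan0          # PCI wifi card in AP mode (hostap/madwifi), assumed name
VPN_IF=tun0            # OpenVPN tunnel interface
LAN_NET=192.168.1.0/24
WIFI_NET=192.168.2.0/24
VPN_NET=10.8.0.0/24
VPN_PORT=1194

# Emit the ruleset in iptables-restore format. Without APPLY=1 this is a
# dry run that only prints the rules, so it can be executed anywhere.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
# Wifi segment: only DHCP and the OpenVPN port may reach the gateway itself.
-A INPUT -i $WIFI_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $WIFI_IF -p udp --dport $VPN_PORT -j ACCEPT
-A INPUT -i $WIFI_IF -j LOG --log-prefix "wifi-drop: "
# Anything arriving on the tunnel has already authenticated to OpenVPN.
-A INPUT -i $VPN_IF -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT
-A FORWARD -i $VPN_IF -o $WAN_IF -j ACCEPT
# Wifi never reaches the LAN or the internet directly, only via the tunnel.
-A FORWARD -i $WIFI_IF -j LOG --log-prefix "wifi-fwd-drop: "
-A FORWARD -i $WIFI_IF -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

The two LOG rules are what make the "van outside the house" visible: every packet a wifi client sends anywhere other than the OpenVPN port shows up in the kernel log with a wifi-drop prefix, so a neighbour probing the LAN leaves a trace even though nothing gets through. Run `APPLY=1 sh firewall.sh` on the gateway to load the rules; run it without APPLY to review them first.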