[ale] Putting wifi in the house
James P. Kinney III
jkinney at localnetsolutions.com
Tue Jan 31 00:11:41 EST 2006
On Mon, 2006-01-30 at 22:30 -0500, Jeff Hubbs wrote:
> James -
>
> The SMC 2802W is exactly what I have, still in its shrinkwrap.
> According to the docs, it does support WPA. Does that suggest that I
> could use this as the basis for a PC-based WAP?
Assuming the Linux side has WPA support for that card. My last (and
still ONLY) wireless cards are some old Orinoco gold cards from ebay.
But WPA is less than perfect as well. It is certainly better than WEP
(which was worthless for security). I can't find the link at the moment,
but I recall that WPA had some design issues as well (such as predictable
sequences and some other no-no I forget). As a result, I just don't
bother with securing wireless networks using the tools that are part of
wireless. It's either a wide-open wireless free-for-all ride to the
internet or it's an IPSEC vault.
>
> The SMC 7004VWBR WPA that I have appears to be WEP-only. I suppose
> that, to be safe, I could use that in conjunction with SSH or IPSEC.
Good choice on either.
>
> The issue with the laptops in the house is that they will be pushing
> sensitive files to and from file servers that are also in the house and
> therefore that air can't be sniffable; if it's not WPA, it'll have to be
> IPSEC or only use SCP (which would kind of stink).
IPSEC or a mess of ssh tunnels (worse to set up than scp).
>
> One thing I could do is to make the laptops' internal WiFi be set up for
> the house and use WiFi PC Cards for Panera Bread, Krystal, Marriott etc.
>
> Or, if I really wanted to be sublime, I could fix it so that ALL WiFi,
> wherever it was, reached the Internet by VPN through the house - then,
> there would be no distinction. However, would this be screwed up by
> WiFi that requires you to click through a Web page before letting you do
> anything else?
Almost. Put the WAP outside your LAN firewall. Use IPSEC to connect to
the LAN systems. This will have them connect to the public side of the
firewall. Now you have a generic enough configuration that the IPSEC
will also work from Starbucks while still open surfing the web.
If you use a virtual interface on the outside port and the WAP
configured to use that port as its gateway, the data technically won't
hit past the next hop up (where they get dropped since they are another
private address scheme). If they are not LAN destination, they get NATed
like the rest of the LAN traffic. Otherwise, they are accepted on the
public interface as IPSEC traffic.
Just watch the kernel upgrades. IPSEC doesn't track the kernel changes
nicely always. Yes, it's a part of the kernel, but the userspace tools
are still an issue (or I just can't follow directions. still :).
>
> Jeff
>
> James Sumners wrote:
>
> >As has been said, use WPA if you can. I doubt your stand alone AP is
> >going to support it unless there is a newer firmware available to add
> >the support. It is relatively new. WPA support with your PCI card might
> >be easier but that is going to depend on what card it is and what
> >drivers you can use for it. I have an SMC 2802W for my
> >router/wap/gateway and it works rather well, but I don't know if it
> >supports WPA. The driver I am using is the old driver from
> >prism54.org.
> >
> >But really, do you really need to "secure" the wireless signal? I
> >haven't seen any reason to attempt to do so. Anything sensitive I do
> >is already encrypted via ssh or ssl. I don't really care if people can
> >sniff my IM conversations and web surfing. If you are just worried
> >about the neighbors leeching bandwidth, why not let them? My AP is
> >wide open for anyone that wants to use it and I have never had a
> >problem. In fact, I don't think anyone other than me and my roommate
> >have ever connected to it. If someone else did start using it and
> >slowed down my network, then I would take steps to limit their access.
> >
> >On 1/30/06, Jeff Hubbs <hbbs at comcast.net> wrote:
> >
> >
> >>The time has come for me to get WiFi instituted at home and I need to
> >>understand what *should* be done as opposed to *what people typically do*.
> >>
> >>I have a WiFi WAP that I bought on clearance about three years ago but
> >>have only fooled around with once, and I also have a PCI WiFi card that
> >>I bought around the same time that I haven't even used. So, I could use
> >>either the WAP or I could theoretically make one out of any number of
> >>spare machines.
> >>
> >>What I would like to have happen is for our laptops to be able to "WiFi
> >>up" at home as easily as at Joe Blow's Hotspot and Cafe. However, I
> >>also don't want to be trivially eavesdropped on or leeched off of (over
> >>the weekend, the newer laptop was finding two nearby WAPs from the
> >>living room and gave me the ESSID of one of them). If those two
> >>concepts are not compatible, I need to know so that I can make the
> >>situation easily manageable.
> >>
> >>
> >>_______________________________________________
> >>Ale mailing list
> >>Ale at ale.org
> >>http://www.ale.org/mailman/listinfo/ale
> >>
> >>
> >>
> >
> >
> >--
> >James Sumners
> >http://james.roomfullofmirrors.com/
> >
> >"All governments suffer a recurring problem: Power attracts
> >pathological personalities. It is not that power corrupts but that it
> >is magnetic to the corruptible. Such people have a tendency to become
> >drunk on violence, a condition to which they are quickly addicted."
> >
> >Missionaria Protectiva, Text QIV (decto)
> >CH:D 59
--
James P. Kinney III \Changing the mobile computing world/
CEO & Director of Engineering \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
http://www.localnetsolutions.com
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
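
Added example, not part of the original message: one way to express the layout the reply describes (WAP on the public side of the firewall, IPSEC for anything bound for the LAN, NAT for everything else) as a netfilter ruleset. The interface names, both subnets, the NAT-T port and the use of the kernel's `policy` match are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for the layout in the reply.
# Interface names and subnets are assumptions; override them via the environment.
WAN_IF="${WAN_IF:-eth0}"                # public port; the WAP sits on an alias of it
LAN_IF="${LAN_IF:-eth1}"                # wired LAN with the file servers
WIFI_NET="${WIFI_NET:-192.168.50.0/24}" # private range used behind the WAP
LAN_NET="${LAN_NET:-10.0.0.0/24}"

gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Wireless clients bound for the Internet are NATed like the LAN.
-A POSTROUTING -s $WIFI_NET ! -d $LAN_NET -o $WAN_IF -j MASQUERADE
-A POSTROUTING -s $LAN_NET ! -d $WIFI_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# IKE (500), NAT-T (4500) and ESP are accepted on the public side from anywhere,
# so the same client setup works at home and at a hotspot.
-A INPUT -i $WAN_IF -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -i $WAN_IF -p esp -j ACCEPT
# Only packets that were decrypted from a tunnel may enter the LAN.
-A FORWARD -i $WAN_IF -d $LAN_NET -m policy --dir in --pol ipsec -j ACCEPT
# Cleartext from the air never reaches the LAN, checked before the state rule.
-A FORWARD -s $WIFI_NET -d $LAN_NET -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $WAN_IF -s $WIFI_NET -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

gen_rules   # review the output, then pipe it into: iptables-restore --test
```

The ordering in the FORWARD chain is the point: the IPsec accept and the cleartext drop both come before the ESTABLISHED rule, so a connection opened from the LAN side cannot pull unencrypted replies back in over the air.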