Wi-Fi security? Don't need it!

2008-01-10 05:13 pm
mdlbear: (hacker glider)
[personal profile] mdlbear
Security expert Bruce Schneier, in a Wired article titled Steal This Wi-Fi, writes
Whenever I talk or write about my own security setup, the one thing that surprises people -- and attracts the most criticism -- is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.
He then goes on to explain why it isn't dangerous. I found it from this Techdirt post, but it's really nothing new: I've had an open access point at the Starport ever since I installed it.

It's very simple, really: everything wireless is treated as "outside the firewall" as far as anything inside, on the wired network, is concerned. It's behind a router that blocks outgoing port 25 (SMTP) to make life hard on drive-by spammers; everything else is open going out. Coming in from the big, bad Internet, nothing gets through except http, dns, and ssh. And from there to my wired network nothing gets in except http, dns, ssh, and ipp (so people can print, as long as they know the URL of one my printers). That's it.
  • Mood: vindicated
Tags:
Flat | Top-Level Comments Only

Dumb question time

Date: 2008-01-11 01:34 am (UTC)
From: [identity profile] capplor.livejournal.com
So the wifi is open, but your system is protected. Is that in the standard WIFI equipment/software setup? If not, how hard is it for bozos like Fred or me to do?

Re: Dumb question time

Date: 2008-01-11 03:21 am (UTC)
mdlbear: blue fractal bear with text "since 2002" (Default)
From: [personal profile] mdlbear
I'm not sure you could do it with the average WiFi router -- it depends on having the WiFi and wired networks on separate subnets so you can control the traffic between them. With two routers (only one of which would be a WiFi router) it's easy: connect the WAN (Internet) port of the WiFi (outside) router to your internet connection (cable or DSL modem), and connect the WAN port of the second (inside) router to one of the switch ports on the outside router.

You can get a similar effect by putting the WiFi router on the inside, and just plugging it into a port on the outside router -- you get this for free if your DSL modem has multiple ethernet ports. It's not quite as safe, and a little bit tricky to get right.

Re: Dumb question time

Date: 2008-01-11 04:08 am (UTC)
ext_3294: Tux (Default)
From: [identity profile] technoshaman.livejournal.com
Problem is, a lot of the new wifi setups are DSLmodem and Wifi router all in one, and they don't make it easy for you to separate things out, if atall. Solution is, turn off wifi on the DSLmodem, use a separate wifi router and maybe even a separate firewall box depending on how smart your wifi router is. It's not really easy to do it right...

The other issue is most ISP contracts say you're responsible for *anything* that goes over your link. So if somebody wardrives your link and uses it to suck kiddie porn, you're hosed if they catch you. (You could be hosed even if it's not in the contract; negligence contributing to accessory....)

In the linked article, Bruce tries to minimize the fear... I'm sorry, I make my money as a sysadmin, not a pundit, and just because it's highly unlikely doesn't mean you don't prepare for it. You don't leave your doors unlocked in the city, either, even if it is Seattle.

Re: Dumb question time

Date: 2008-01-11 06:27 am (UTC)
mdlbear: blue fractal bear with text "since 2002" (Default)
From: [personal profile] mdlbear
No, the solution is to turn on WiFi on the DSL router, and splice in a separate firewall for your hardwired ethernet.

Actually you usually get a choice (at least, my ISP gave me a choice): a cheap or free DSL modem with one port on it, or a more expensive one with WiFi and a 4-port switch. Go for cheap.

The kiddie porn problem is a potential problem; it would be hard to prove negligence if articles like Bruce's, and ISPs like Speakeasy and Sonic that allow you to share your connection, exist to show that leaving your connection open is a "best practice" rather than a negligent one.

Re: Dumb question time

Date: 2008-01-11 06:52 am (UTC)
ext_3294: Tux (Default)
From: [identity profile] technoshaman.livejournal.com
Best practice convinces you and me. It doesn't convince a jury, especially when the prosecutor is running for re-election.

You're right about the easy way WRT firewall vs. wi-fi, though... in general. In specific, my Qwest setup is combo wifi+router with PPP over ATM with some authentication; if I turn off security on that wifi and there's a flaw in the firmware, I risk getting DDOS'ed. Much prefer the modem end be a separate box, and string the wifi and router downstream of it. It's the old Unix mentality, yaknow.

Maybe I'm too much of a security weenie, but...

Innnnnnteresting. I just peeked at WiMax, which I'm considering getting through ClearWire (if I can) whenever I end up moving again... it's got some pretty serious encryption in it. Now I don't feel so bad about the idea of having *all* my data go out over medium-range wireless...

Re: Dumb question time

Date: 2008-01-11 07:52 pm (UTC)
mdlbear: blue fractal bear with text "since 2002" (Default)
From: [personal profile] mdlbear
"You don't leave your doors unlocked in the city, either, even if it is Seattle."

Don't know about you, but I have two doors on the front of my house: the screen door, which is just latched, and the front door, which has a deadbolt on it. It's not unusual for packages to get left between the screen and the door; if I had an enclosed front porch the screen door would be there instead.

I probably should use NoCatSplash on my WiFi to let guests know that it might be monitored (I know the Feds are listening, in any case -- AT&T owns the line). That's probably enough.

Re: Dumb question time

Date: 2008-01-11 08:43 pm (UTC)
ext_3294: Tux (Default)
From: [identity profile] technoshaman.livejournal.com
I have the main outer door.... and a large covered area just outside of it, which can safely shelter packages as well as a recycle bin and at times various other stuff, and an old rural-sized mailbox across the street, which is great for having small packages mailed USPS. Although frankly, anyone who gets inside the outer gate had best have either a uniform that says "FedEx", "UPS", "USPS", or the like, an invitation, or a warrant. Anyone else is liable to find themselves on the business end of something either loud or pointy.

(In keeping with that paradigm, all my mail/web/etc. services are colo'ed offisite. :)

(And for the record, you and yours have a standing invite, just give us a little warning so if anything needs rearranging... :)
Flat | Top-Level Comments Only

Most Popular Tags

Links

Style Credit

Page generated 2025-07-03 09:54 pm
Powered by Dreamwidth Studios