[personal profile] mdlbear
Security expert Bruce Schneier, in a Wired article titled Steal This Wi-Fi, writes:
Whenever I talk or write about my own security setup, the one thing that surprises people -- and attracts the most criticism -- is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.
He then goes on to explain why it isn't dangerous. I found it from this Techdirt post, but it's really nothing new: I've had an open access point at the Starport ever since I installed it.

It's very simple, really: everything wireless is treated as "outside the firewall" as far as anything inside, on the wired network, is concerned. It's behind a router that blocks outgoing port 25 (SMTP) to make life hard on drive-by spammers; everything else is open going out. Coming in from the big, bad Internet, nothing gets through except http, dns, and ssh. And from there to my wired network nothing gets in except http, dns, ssh, and ipp (so people can print, as long as they know the URL of one of my printers). That's it.
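
The zone policy described above, sketched as an nftables forward chain. This is an added example, not part of the original post: it assumes a single Linux box with three interfaces standing in for the router and firewall the post describes, and the interface names, table name and the rule for the wired side are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example. Interface names are assumptions, not from the post.
define WAN  = "eth0"    # uplink to the Internet
define WIFI = "wlan0"   # open access point, treated as "outside"
define LAN  = "eth1"    # wired network, the only trusted zone

table inet zones {
    chain forward {
        # Default deny: anything not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed when they started.
        ct state established,related accept
        ct state invalid drop

        # Wireless -> Internet: block SMTP to stop drive-by spammers,
        # everything else is open going out.
        iifname $WIFI oifname $WAN tcp dport 25 reject with tcp reset
        iifname $WIFI oifname $WAN accept

        # Wired -> anywhere (assumption: the trusted side is unrestricted).
        iifname $LAN accept

        # Internet -> inside: only http, dns and ssh.
        iifname $WAN tcp dport { 22, 53, 80 } accept
        iifname $WAN udp dport 53 accept

        # Wireless -> wired: the same three services plus ipp (631)
        # so guests can print.
        iifname $WIFI oifname $LAN tcp dport { 22, 53, 80, 631 } accept
        iifname $WIFI oifname $LAN udp dport 53 accept

        # Rate-limited log of whatever falls through to the drop policy.
        limit rate 5/minute log prefix "zones-drop: "
    }
}
```

The point to check after loading it is that the wireless interface gets no rule that the Internet-facing one lacks, apart from ipp: a guest on the open network sees the wired hosts the way an outside host would.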

Re: Dumb question time

Date: 2008-01-11 06:52 am (UTC)
From: [identity profile] technoshaman.livejournal.com
Best practice convinces you and me. It doesn't convince a jury, especially when the prosecutor is running for re-election.

You're right about the easy way WRT firewall vs. wi-fi, though... in general. In specific, my Qwest setup is combo wifi+router with PPP over ATM with some authentication; if I turn off security on that wifi and there's a flaw in the firmware, I risk getting DDOS'ed. Much prefer the modem end be a separate box, and string the wifi and router downstream of it. It's the old Unix mentality, yaknow.

Maybe I'm too much of a security weenie, but...

Innnnnnteresting. I just peeked at WiMax, which I'm considering getting through ClearWire (if I can) whenever I end up moving again... it's got some pretty serious encryption in it. Now I don't feel so bad about the idea of having *all* my data go out over medium-range wireless...
