Re:Incorrect title
Posted by: Anonymous Coward on September 12, 2006 09:30 PM
I agree. These are general things that anybody should do when sensitive communications are done over an untrusted network.
My method uses IPsec. At work, we decided that, since wireless connectivity is inherently insecure, we needed a way to encrypt it at each of our sites. We use Cisco routers, which do support IPsec, so we just made each site's access router into an IPsec gateway and stuck all the wireless access points on a separate VLAN with its own IP subnet. The router subinterface that services this VLAN has an access control list on it that says "only IPsec traffic and DHCP requests may talk to me." So, you can get an IP address all day. But you can't go anywhere unless your traffic is IPsec-tunneled. :-) Yes, you can still sniff all day, true. But remember that all our folks using wireless are also using IPsec, so they're not accepting any traffic other than their own IPsec tunnels (we force that at the VPN gateways), so attackers are stymied.
Granted, most home users don't have Cisco 2821s at their homes, and Cisco gear is "kinda" pricey, but this general solution does work very well for us for securing wireless. But Cisco IOS is not Free Software, sadly. I remember a couple of years ago reading an article on how to do this with an OpenBSD router; what I describe here with Cisco routers should apply exactly to OpenBSD routers as well. The key here is IPsec and VLAN separation.
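What the comment above describes, written out as a Cisco IOS fragment. This is an added example, not the commenter's actual configuration: the interface name, VLAN 100, the 10.100.0.0/24 subnet and the ACL name are assumed values. It shows the wireless VLAN subinterface, a local DHCP pool so clients can "get an IP address all day", and an inbound ACL that admits only DHCP requests and IPsec (IKE plus ESP/AH) addressed to the gateway, dropping and logging everything else.

```cisco
! Added example (not the commenter's config). Assumed values: VLAN 100,
! subnet 10.100.0.0/24, gateway 10.100.0.1, interface GigabitEthernet0/1.
interface GigabitEthernet0/1.100
 description Wireless APs (untrusted VLAN)
 encapsulation dot1Q 100
 ip address 10.100.0.1 255.255.255.0
 ip access-group WIFI-IN in
!
! Hand out addresses on the wireless VLAN; the gateway's own address is excluded.
ip dhcp excluded-address 10.100.0.1
ip dhcp pool WIFI
 network 10.100.0.0 255.255.255.0
 default-router 10.100.0.1
!
ip access-list extended WIFI-IN
 remark DHCP discover/request (src 0.0.0.0:68 -> 255.255.255.255:67) and renewals
 permit udp any eq bootpc any eq bootps
 remark IKE (UDP 500); UDP 4500 is NAT-T, only needed if a client sits behind NAT
 permit udp any host 10.100.0.1 eq isakmp
 permit udp any host 10.100.0.1 eq 4500
 remark ESP (IP proto 50) and AH (IP proto 51) carrying the tunnelled traffic
 permit esp any host 10.100.0.1
 permit ahp any host 10.100.0.1
 remark anything else, including cleartext toward the wired LAN, is dropped and logged
 deny ip any any log
```

The crypto policy, transform set and crypto map that actually terminate the tunnels on this subinterface are not shown, since the comment gives none of those details (authentication method, transform, client addressing); the ACL is the piece the comment describes. Note what the ACL does and does not do: it stops unencrypted traffic from leaving the wireless VLAN through the router, but it says nothing about traffic between two clients on the same VLAN, which is exactly why the commenter also forces an IPsec-only policy on the clients themselves. DHCP offers and IKE replies are router-originated, so the inbound ACL does not affect them.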