Wireless Network Security
MatthewHSE
Status: Contributor
Joined: 20 Jul 2004
Posts: 122
Location: Central Illinois, typically glued to a computer screen
I've been thinking of moving our small office LAN to wireless. But we handle some sensitive data, so I want to make sure I set it up securely.

I'm in the process of reading up on this topic, but one thing that jumps right out at me is the DHCP question. Some say disabling DHCP and assigning static IPs is a good security procedure. Others say (justly so) that it will only take a hacker a few seconds to figure out the IP scheme of the network and assign their own accordingly.

However, if I disable DHCP, assign static IPs to each computer, keeping them all in a set range and using all IPs in the range, then block web access at the router for any IP outside that range, surely that should pretty well negate the possibility of someone being able to gain access, shouldn't it?

The problem, of course, being that this is a Windows network, which will sometimes work with the same IP assigned to multiple computers, although neither gets really good performance on the LAN when that happens since they're constantly fighting one another for their IP.

Plus, the approach I just mentioned seems like it might keep people from using the Internet from our LAN, but I'm not sure it would keep them from gaining access to our network in the first place. To put it pithily, I could keep them from getting out once they get in, but can I keep them from getting in in the first place?

Like I said, I have a lot of reading yet to do on wireless LAN security, but this one thing seems interesting. On one hand it seems like it should help; on the other hand, it seems like it couldn't do much good if any. I'd love to hear facts, reasoning, etc. behind either perspective.

Any good links on wireless LAN security would also be appreciated. After all, there's a limit to how much good information Google can turn up on this, and the SERPS don't say anything about the accuracy of the information they bring up....
jeffd
Status: Assistant
Joined: 04 Oct 2003
Posts: 594
I did some extensive reading on wireless security a few months ago, but sadly didn't bookmark any of the articles.

Bottom line though, it's very simple: if you want a secure, stable, problem-free network that's also very fast, do not use consumer grade wireless products, period.

I've avoided wireless completely and have rarely felt any loss. It's easy wiring a network, just get one of those commercial quality staple guns that are made for cables, some nice ends, jacks, etc, no problems, no fuss, set up once and walk away for the life of the network. For more units, add gigabit switches.

And talk about speed, gigabit networking, if you haven't used it, man, it's almost as fast as internal IDE stuff on a box. And it's gotten very cheap, you can now get 8 port metal Netgear switches [I never buy the plastic junk] for about $70-80.

We run one with a simple fileserver serving up 100-200 MB files and the load times are almost the same as when opened from the local hard drive. You won't touch that with wireless.

Since I've switched to Linux, I find myself completely uninterested in stuff like that; wireless also tends to be more of a pain in Linux because so many of the drivers are proprietary Windows-only junk, which creates the same issues that modems did. Same old same old.

But security, it's a no-brainer: wireless networking is the nightmare of network administrators around the planet, they have to keep fighting to keep it off so they can actually maintain network security.

I gather that pro grade stuff, the stuff wireless providers use, is a different story, but I've never read up on that, and since you'll never use it, it's not relevant.
MatthewHSE
Status: Contributor
Joined: 20 Jul 2004
Posts: 122
Location: Central Illinois, typically glued to a computer screen
Unfortunately that's the conclusion I was beginning to reach, too. Actually our network is completely wired already, so it's not like I have a lot of hassle in running wires or anything. It's just that every little once in a while someone comes in with a laptop and wants to connect wirelessly. It's not really a big deal; in fact I'd planned to keep everything pretty much wired but also have wireless capabilities. In view of the security issues, I'll skip it. We can't risk having someone gaining unauthorized access, and the occasional use the wireless would have just isn't worth it.

Gigabit, yes I've been looking at that too. Most of our computers are already gigabit-compatible. I'd have to buy a couple of gigabit cards and then of course the switches. So it really is pretty fast? I'm going to have to give that a try.
jeffd
Status: Assistant
Joined: 04 Oct 2003
Posts: 594
The way to deal with people coming in with laptops is to simply run an ethernet cable to where they can sit, and tell them to feel free to plug in.

There is a solution, I was looking at this because I want to test wireless stuff without compromising network security, but it's kind of difficult to implement, not super hard, just not as easy:

LAN sits behind wired router firewall. Wired router is configured to forward DNS and HTTP etc. requests to wireless router, which is not connected in any way to the LAN. If you can see or access the LAN, you have set it up wrong. This is known as a 'demilitarized zone' in networking.

You accept that your wireless network will never be safe, but since it has no access to your LAN or wired stuff, it doesn't matter much, the worst that can happen is that your client's machines get hacked by someone outside. Or that someone latches onto your connection and uses it. Etc.

Personally, I don't think it's worth it, but that's how it would be configured more or less. You could also set up a Linux box with two networking cards to act as a DHCP server/router, then run the WAN connection to the wireless router, while setting up the machine to forward all the requests through itself to the wireless router. Big pain in the butt in my opinion, though if I come across a cheap fast wireless router I might test that sometime, but just for testing.

Wireless basically is just a pointless luxury in my opinion, main market is people who can't or won't create a solid wired network.

Gigabit networking
Yes, gigabit is that fast. Stunningly fast. Highly recommended however to use Cat 5e minimum cable and connectors, but since Cat 6 is now cheap and readily available, use that.

If your cabling is old it will be plain old Cat 5. That's not that great for gigabit, not built for it, and might give you problems; though it will work more or less, it's just not advised.

Cat 6 connectors are I believe gold plated, or some very high conducting surface. When you touch a working gigabit connector, it's very hot, lots of data is moving through it very fast, which creates lots of heat. Thus the advice not to buy cheap plastic switch hubs, buy Netgear's blue metal boxes.

The router does not matter

modem -> router -> [single connection] gigabit switch -> LAN

You can daisy chain gigabit switches, but of course you will create bottlenecks that way, so it's best to get one that handles most of the machines on the network. 16 port ones are more expensive per port than 8 currently, but 8 will give you connections to 7 machines + router; more than 7 machines drops it to 6: 1 to router, 6 to machines, 1 to next gigabit switch.

Also convenient is a main gigabit switch, split at the ends to smaller gigabit switches, 5 port or so, that can be used by low traffic machines etc., and one main high traffic machine.
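As an added example that is not part of the thread, here is how the "Linux box as router" variant of jeffd's DMZ setup could be expressed as an nftables ruleset. It assumes three NICs rather than the two the post mentions, so the wired LAN and the wireless router sit on separate interfaces, and the interface names and subnets (wan0, lan0, wifi0, 192.168.1.0/24, 192.168.50.0/24) are invented for the illustration.

```nft
# Added example (not from the thread): nftables ruleset for a Linux box
# acting as DHCP server/router between the office LAN, the wireless router
# and the modem. Interface names and subnets below are assumptions:
#   wan0  -> modem / ISP
#   lan0  -> wired office LAN (192.168.1.0/24)
#   wifi0 -> WAN port of the wireless router (192.168.50.0/24), the "DMZ"
flush ruleset

table inet office {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections allowed further down.
        ct state established,related accept

        # Wired LAN may reach the Internet freely.
        iifname "lan0" oifname "wan0" accept

        # Wireless segment may only reach the Internet, and only for the
        # "dns and http etc" traffic the post talks about.
        iifname "wifi0" oifname "wan0" udp dport 53 accept
        iifname "wifi0" oifname "wan0" tcp dport { 53, 80, 443 } accept

        # Nothing from the wireless segment is ever forwarded into the LAN.
        # Logging it means a climbing counter shows the wiring is wrong.
        iifname "wifi0" oifname "lan0" log prefix "wifi-to-lan: " counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # Only the wired LAN may administer the router itself.
        iifname "lan0" tcp dport 22 accept

        # Both inside segments get DHCP and DNS from this box.
        iifname { "lan0", "wifi0" } udp dport { 53, 67 } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` and watch the `wifi-to-lan` counter: any hits mean a wireless client reached the LAN side and the segments are not actually isolated.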