
Tell me about wireless routers

azhrei_fje

First Post
That's wise, Fenris. Concerning your ENworld account, Setanta is correct: don't worry about it unless you use the same password elsewhere.

It's mostly important for things like Yahoo! mail, GoogleMail, HotMail, and so on. I disagree with Y!'s choice to default to "Standard" on their login screen instead of "Secure" (secure uses HTTPS to transmit username/password), so I bookmarked the Secure page and go there to log in.

I'm trying to get my friends and clients to start using digital signatures. There was a note on slashdot recently that AOL and Yahoo! were going to start *requiring* them before they would deliver email. They somehow think it will help stop spam. I'm not sure it will. :\ But it's a good thing, regardless.

Digital signatures are not encryption; they're simply a way to know that the person who sent an email really is who they claim to be. Essentially, the message is encrypted (using a one-way algorithm) and the final encryption code is appended to the message. This lets the email client look up the key on a web server, perform the same encryption, and compare the results with the message. If they're the same, it really was sent by that person.

Of course, I've got my email client setup to use encryption for the entire message, not just a digital signature. But it seems that *very few* people know anything about it, and trying to train everyone I exchange email with would be impossible (sigh), so I can't actually use it yet. But some day... ;)
 


Setanta

First Post
[quote]I disagree with Y!'s choice to default to "Standard" on their login screen instead of "Secure" (secure uses HTTPS to transmit username/password),[/quote]

My guess there is that they don't have sufficient SSL accelerators. I know one of the vendors they use for load balancing (I think it's their primary load balancing vendor, but I'm not sure) doesn't really make one right now, but they're coming out with one soon, so maybe Yahoo is waiting to get their existing load balancers upgraded with SSL acceleration before making the default HTTPS.
 

andargor

Rule Lawyer Groupie
Supporter
I haven't read every single post, so I apologize if I rehash some points that have been made.

I was tired of cabling lying on the floor at my home, and wanted my 2 WinXP PCs and laptop to be able to move around the house in case I need to rearrange things. I also have 2 Linux servers, one for development/web server, and one is a firewall/mail server/DNS.

Initially, I was loath to implement wireless, for some of the reasons mentioned above. I was concerned about security, especially since it's cabling replacement behind my firewall. But my job functions required me to go to a wireless security symposium that explored in-depth the latest technologies in the field. I was much reassured.

So much so, that I have replaced all my "inside" cabling with wireless. Of course, the choice of security measures is important. I'll get to that in a second.

First, I bought a D-Link DI-624. It's an OK 802.11g box, but not only do you have to reboot it once in a while, but it actually reboots itself periodically. So stability is an issue. I was annoyed at that and decided to buy a Linksys WRT54GS. Since I'm a Linux junkie, I enjoyed the fact that I could replace Linksys' software with OpenWRT (openwrt.org). This box has been the most stable, never rebooting ever since I've installed it. And it allows me to secure my network even further.

Now, the security measures. You have three main choices:

  • WEP: I do not recommend this, neither does the industry. It has been hacked since 2001, and whatever the key length (128 or 256 bits) it is ridiculously easy to penetrate with existing tools. If this is your only choice, stay with cables.
  • WPA: Stands for Wireless Protected Access. I won't go into the gruesome technical details, but it implements a stronger level of integrity checking with dynamic encryption rekeying. There are rumors that this may have been hacked, but no confirmed reports. It is probable that partial penetration was possible during the alleged hacks, but doubtful that the access lasted long enough for any significant data retrieval. Typically, WPA uses a passphrase to allow access to the network (WPA-PSK). With a suitably secure passphrase (long, with alphanumerics), a normal home should be secure enough.
  • WPA2: The updated version of WPA, it utilises a more advanced encryption algorithm and tighter integrity checking (AES-CCMP). We are talking the military/government standard here, which no one is even rumored to have successfully hacked. You have the option of either using a passphrase like WPA, or using a RADIUS server for authentication (WPA2-EAP). There is a slew of authentication methods with RADIUS: client-side signed certificates (EAP/TLS), NT Domain sign-on (EAP/TTLS), MS-CHAPv2, hardware tokens like SecurID, etc.

Most modern wireless access points/routers support WPA2, so that should be your choice. As for authentication, personally I wanted to use RADIUS, which is why I went with the Linksys WRT54GS with OpenWRT: I installed freeRADIUS right on the box itself. Sure I could have installed freeRADIUS on the Linux servers, but this way I can still log in if my Linux box is down. (I actually did install it on a Linux box as well, and use it as a backup).

I use client-side certificates, so WPA2-EAP/TLS. My clients check the root certificate on the Linksys, so they don't connect to "rogue" access points that would try to emulate mine. If you are familiar with PGP, it is a similar signature checking process.

My setup is on the "paranoid" level of the scale, but it does require technical knowledge. If you have this knowledge, or someone who does and is willing to help, then I can see no reason for you not to go to wireless.

HTH,

Andargor
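Added example on the WPA-PSK point in the post above (editor's illustration, not Andargor's code or anything shipped with the routers named): how the passphrase a home user types becomes the 256-bit pre-shared key, a minimal gate for the "long, with alphanumerics" advice, and the alternative of entering a random 64-hex raw key, which most access points and clients accept in place of a passphrase. The SSID and passphrases are made up for the example.

```python
import hashlib
import secrets

# Constructed sample SSID for this example; not from the thread.
SSID = "andargor-home-example"

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key that WPA/WPA2-PSK actually uses.

    IEEE 802.11i defines it as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is only the salt and is broadcast anyway; all secrecy comes from the passphrase.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def passphrase_ok(passphrase: str, min_len: int = 20) -> bool:
    """Minimal strength gate in the spirit of the post: long, mixing letters and digits.

    4096 PBKDF2 rounds only modestly slow offline guessing, so a short or dictionary
    passphrase is the weak point of WPA-PSK no matter how strong AES-CCMP is on the air.
    """
    if not 8 <= len(passphrase) <= 63 or len(passphrase) < min_len:
        return False
    return any(c.isalpha() for c in passphrase) and any(c.isdigit() for c in passphrase)

def generate_raw_psk() -> str:
    """A full-entropy 256-bit key as 64 hex digits.

    Entering this directly (instead of a passphrase) removes passphrase guessing entirely;
    the cost is that it has to be pasted into each client rather than typed from memory.
    """
    return secrets.token_hex(32)

def psk_from_config(value: str, ssid: str) -> bytes:
    """Accept either form a router UI typically offers: 64 hex digits (raw key) or a passphrase."""
    if len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value):
        return bytes.fromhex(value)
    return wpa_psk(value, ssid)

if __name__ == "__main__":
    for pp in ["password", "tabletop dice rolled 2d6 across the board"]:
        print(f"{pp!r}: ok={passphrase_ok(pp)} psk={wpa_psk(pp, SSID).hex()[:16]}...")
    raw = generate_raw_psk()
    print("raw key used as-is:", psk_from_config(raw, SSID) == bytes.fromhex(raw))
```

Because the SSID is the salt, a default or very common network name lets the same passphrase guess be reused against many networks; a unique SSID is a small, free improvement on top of a long passphrase.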
 
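Added example (editor's illustration, not code from either poster, freeRADIUS, or OpenWRT) tying together two points in this thread: azhrei_fje's description of a digital signature as a one-way hash signed with a key and re-checked by the recipient, and Andargor's remark that his clients check the root certificate so they won't join a rogue access point imitating his. The RSA here is textbook and built from fixed Mersenne primes with no padding, so it shows the mechanics only; the names, nonce and "certificate" layout are made up.

```python
import hashlib
from dataclasses import dataclass

# Toy textbook RSA over a SHA-256 digest. Fixed primes, no padding, small moduli:
# fine for showing the mechanics, NOT for real use (use a vetted library with RSA-PSS
# or ECDSA and 2048-bit+ keys).

@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

@dataclass(frozen=True)
class KeyPair:
    pub: PublicKey
    d: int  # private exponent, never shared

def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return KeyPair(PublicKey(n, e), d)

def _digest(data: bytes, n: int) -> int:
    """The one-way step: hash the message and map it into the key's range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(msg: bytes, key: KeyPair) -> int:
    """Signer: transform the digest with the private key; this is what gets appended to the mail."""
    return pow(_digest(msg, key.pub.n), key.d, key.pub.n)

def verify(msg: bytes, sig: int, pub: PublicKey) -> bool:
    """Verifier: undo the transform with the public key and compare against a fresh hash."""
    return pow(sig, pub.e, pub.n) == _digest(msg, pub.n)

# --- Certificates: the same primitive, applied to a public key instead of an e-mail ---

def cert_body(subject: str, pub: PublicKey) -> bytes:
    return f"{subject}|{pub.n}|{pub.e}".encode()

def issue_cert(subject: str, subject_pub: PublicKey, ca: KeyPair) -> dict:
    """A CA binds a name to a public key by signing both together."""
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(cert_body(subject, subject_pub), ca)}

def client_accepts_ap(cert: dict, nonce: bytes, nonce_sig: int, pinned_root: PublicKey) -> bool:
    """What an EAP-TLS client with a pinned root does before handing over its credentials.

    1. Chain check: the AP's certificate must carry a signature the pinned root produced.
    2. Proof of possession: the AP must have signed the client's fresh nonce with the
       private key behind the certified public key (a rogue can copy a cert, not the key).
    """
    if not verify(cert_body(cert["subject"], cert["pub"]), cert["sig"], pinned_root):
        return False
    return verify(nonce, nonce_sig, cert["pub"])

# --- Constructed scenario (hypothetical names and keys, not from the thread) ---
ROOT = make_keypair(2**89 - 1, 2**107 - 1)        # the home network's own root CA
AP = make_keypair(2**61 - 1, 2**127 - 1)          # the real access point / RADIUS server
ROGUE_CA = make_keypair(2**521 - 1, 2**607 - 1)   # a CA the client has never trusted
ROGUE_AP = make_keypair(2**31 - 1, 2**19 - 1)     # an impostor using the same name

LEGIT_CERT = issue_cert("radius.home.example", AP.pub, ROOT)
ROGUE_CERT = issue_cert("radius.home.example", ROGUE_AP.pub, ROGUE_CA)  # same name, wrong issuer
NONCE = b"client-challenge-0001"  # constructed; a real client draws this randomly per handshake

if __name__ == "__main__":
    mail = b"Meet at 7pm for the game session."
    s = sign(mail, AP)
    print("mail signature valid:", verify(mail, s, AP.pub))
    print("tampered mail valid:", verify(mail + b"!", s, AP.pub))
    print("legit AP accepted:", client_accepts_ap(LEGIT_CERT, NONCE, sign(NONCE, AP), ROOT.pub))
    print("rogue AP accepted:", client_accepts_ap(ROGUE_CERT, NONCE, sign(NONCE, ROGUE_AP), ROOT.pub))
```

The second check in `client_accepts_ap` is the part that a "check the root certificate" setting buys you: the rogue's certificate carries the right name but not the pinned root's signature, so the client refuses before sending any credentials. Leaving the root unverified on the client (a common default in supplicant UIs) turns the chain check off and is what makes impersonation possible.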

azhrei_fje

First Post
Wow, excellent summary, Andargor! (And I've told you this before, but *thank you* for your RSRD XML work. :))

I think I'd heard about freeRADIUS on the WRT itself. But before I commit to flashing the firmware, I want to find a good/small bootable CD open source system with freeRADIUS already installed and ready to configure. I did some googling last night and found a couple. The first was m0n0wall, based on FreeBSD. It has gotten good reviews, and it's only a 6MB download! The second one I can't remember off-hand and I'm not at the machine that has the bookmark (it might've been DSL or a similar small Linux CD).

I currently have a WRT set aside for this. It's currently programmed to disable the wireless so that I can use it to just plug-n-play if one of my other routers goes down. But it will likely take the place of the router that is between the cable modem and the in-house network. (Which, in my case, means using SSH to get through the internal firewall, since the WRT will act as the outside edge of the DMZ.)
 
