IronWolf said:
I like the LinkSys routers.
The LinkSys routers have the single advantage of being Linux-based, and hence, hackable.
If you have a wired connection to the router, you can build new firmware for it and upload your changes to the router. This allows you to SSH directly to the router itself, which is a big win for security (see below).
I've also used D-Link, Intel and Proxim brands. The D-Link works well, but does need restarted occasionally and has been known to not cooperate well with some PDA wireless NICs.
I have a D-Link connected to my cable modem. On the inside are my wife's machines, the two wired links that go upstairs to the game room and the guest bedroom, and one wired link to my firewall (a computer running Linux). On the other side of the Linux box is my "corporate" network for the company I own and run. (I teach Linux and AIX system administration, networking, security, performance management, OS internals, and how to write device drivers.) My "inside" network is not accessible from outside the Linux firewall, so the wireless D-Link router is not a big security concern as far as my company data. (The Linux machine is only accessible from the outside via SSH and I have strict key checking turned on.)
In the last 2+ years, I have never had to reset the D-Link due to problems with it hanging or crashing. I *have* had to reset the cable modem at least once every 3-4 months (stupid piece of sh*t!) and I live in the lightning capital of the world: central Florida.
Read the directions for securing it and you should be fine. You want the link encrypted, probably locked down to MAC address and SSID broadcasting turned off for starters. Careful reading of the manual should get you started for getting this all setup.
First, be aware that unless you *really* know what you are doing, you WILL NOT be able to secure your communications over a wireless link. First off, MAC addresses are easily spoofed (I can listen on your network and within seconds have your MAC address, which I can then program my NIC to use). Second, not broadcasting your ESSID is good, but it's only used as a "selector" so that when multiple wireless access points are available, a user can choose the one they want. Third, setting a WEP key is necessary, but within 35 minutes and a few thousand data packets, I can decrypt your WEP key and be watching your packets zip across the airwaves. Three strikes, you're out!
What this all comes down to is: DO NOT EXPECT PRIVACY on a wireless link. So don't login to your bank's web site and don't login to Yahoo! mail. Don't even visit those sites, or the cookies being stored by your browser will be sent to the web servers! And heaven forbid you are running Windows on your wireless laptop! At a minimum, put Linux, FreeBSD, OpenBSD, or something with at least A LITTLE security on it!
The correct way to go wireless is to set up a RADIUS server. If you don't want to spend money, put a small Linux box on your network and run a FreeRADIUS server. On your wireless machine, you'll run "wpa_supplicant", which is the client. It will give you a *SECURE* vpn to the FreeRADIUS server, and from there you can go out a wired link to the 'net. Another option is to use FreeS/WAN. It will allow you to securely connect to a server over the wireless link, and then the server sends the unencrypted request over the wired link to the outside world. The thing I like about FreeRADIUS is that I can quickly get my friends an "account" when they visit, so that they can surf the web using their equipment. And it's as secure for them as it is for me.
Of course, once the connection is outside your little network, you're in the big, bad world of the Internet and your packets are fair game to a lot of people...
If you bought a LinkSys router that's running Linux, you can always load new firmware on it that supports SSH. From your laptop, you connect to the router directly using SSH and use SSH to forward ports from your local machine to the router, such as port 80. Now connect to
http://localhost:80/ and you're really connecting to the router, with the advantage that all traffic is tunneled over SSH. Here's a news flash for you: not even the NSA (National Security Agency) can listen in on an SSH-encrypted channel! They can, however, decrypt your 128-bit SSL in realtime using their machine known as Echelon (it's not really a "computer" per se, because it only does one thing and isn't really programmable). Yes, I said "realtime", meaning without any delay.
I use 802.11b because, as stated earlier, I don't need fast wireless access to the 'net (my cable modem maxes out at 650KB/s -- that's a capital "B"). And I ONLY use wireless for web surfing and only to places where I don't have to login. When I'm pushing files around my office I am strictly a wired Ethernet shop. The data stays protected behind my Linux firewall, so even my wife's laptop with a Windows virus can't get to it. (She comes into my office to do our accounting on a Linux machine which is inside the network, because I won't allow her to connect to the company network with a (possibly) virus-laden Windows box.)
I'm not going to drone on and on about wi-fi, but if you value your privacy, you'll pick up the recent 2-part series in LinuxJournal (I think it was April or May) that discusses how to install and configure a FreeRADIUS server and set one up for yourself. Anything else is running naked through the streets with a bullseye tattooed on your b*tt!
