[EMAIL PROTECTED] wrote:
> WEP and MAC address filtering are weak solutions.

Yes, but sufficient for 90% of people. Add hidden SSID to this and
that's sufficient for 99% of people. But, most crap access points don't
support this.

> Is there an easy secure way to keep freeloaders
> off your wifi AP system?

Here's what I've done in the past:
Get a garden variety pix firewall and hang your AP off a spare
interface. Set the pix to serve DHCP in some address range not used
anywhere else in your network. Route nothing out using these addresses,
e.g. that client can only get to other wireless clients. Also set the
pix to allow incoming VPN sessions. Use this VPN to access the internal
network and the intarawebz. This can also be done if, say, your pix only
has one interface, by setting up a separate VLAN on your network and
doing things much the same. You can't securely do it using one VLAN, as
your wireless clients can simply manually change IP addresses and get
one in the range that's reserved. Besides, your DHCP server would have a
hard time differentiating between wired and wireless clients.

The alternative is to use something like WPA-PSK or WPA-EAP of some
sort. But, under Linux this is scarcely supported (and IMO, supported
*wrong*). Half the time it doesn't work, and when it does, it's flakey.
Besides, most consumer grade access points don't have a CPU with any
balls, so as soon as you turn on strong encryption the performance goes
into the toilet. Good luck even getting 802.11b speeds out of your
access point.

nope, i'll stick to open auth and WEP. The likelihood of someone
spending enough time capturing enough packets to decode both my SSID and
my WEP keys is pretty slim. There are plenty of other open auth/nokey
access points in the area for them to use.

anyhow, i've got to head to work.

-kelsey
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list