On Fri, Jan 23, 2009 at 10:01 AM, Roger Searle <[email protected]> wrote:
> Comments on TKIP+AES vs TKIP vs AES alone would also be welcome, since
> perhaps TKIP+AES is generally very adequate, being more than TKIP alone?

What are you protecting against? What devices are you going to connect to the network? The smaller devices that want to connect to wireless networks (I'm thinking of phones and games consoles) can't always do all of the fancy encryption. So make sure that you know what they're going to support before getting carried away.

All encryption mechanisms are vulnerable to different attacks; the ones that are "safe" now will be crackable in a few months' time. And as a general rule, firmware can't be upgraded quickly enough to react. So if you really want to be secure, you should not trust the wireless encryption alone.

If all you have is larger devices (i.e. Linux, OS X or Windows machines) then you can downgrade the security state of the network itself, possibly even leaving it open (which makes it easy for friends to use their kit at your place). Run a VPN (IPsec is also supported in some smaller devices, like iPhones) from each machine back to a server, and tell your firewall to block or rate-limit anything that isn't VPN'd.

There is also another guideline -- which is to not become too paranoid. In general, there are so few people out there who really want to leech bandwidth, and so many open networks, that even WEP is effective at convincing them to leave you alone. But WEP is trivially crackable, so any WPA2 at this stage should be enough to raise the bar enough to make them move on. You can't make a 'perfect' network, so don't worry about it too much :-)

-jim
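The "treat the WLAN as untrusted, let only VPN traffic through" design described in the reply above, as an added example that is not part of the original thread. It models the firewall policy Jim suggests: from the wireless segment, only IPsec traffic to the VPN server (ESP, IKE on UDP/500, NAT-T on UDP/4500) is accepted, and everything else is either dropped ("block" mode) or throttled per source ("rate-limit" mode, here a simple per-source packet budget). The subnet, gateway address, packet list and the `WifiPolicy` class are all constructed for this example; none of them come from the original message.

```python
"""Model of an 'untrusted Wi-Fi, VPN-only' firewall policy (added example).

Assumptions (constructed, not from the original post):
  - the wireless segment is 192.168.50.0/24
  - the IPsec/VPN server sits on the wired side at 192.168.1.10
  - 'rate-limit' is modelled as a fixed per-source budget of non-VPN packets
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

WIFI_NET = ip_network("192.168.50.0/24")  # constructed: the open / weakly encrypted WLAN
VPN_GW = ip_address("192.168.1.10")       # constructed: the IPsec server machines tunnel back to

# IPsec control and data traffic that a wireless client must be able to reach the gateway with.
IPSEC_UDP_PORTS = {500, 4500}             # IKE and NAT-Traversal


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "esp", "udp", "tcp", ...
    dport: Optional[int] = None


def is_vpn_traffic(pkt: Packet) -> bool:
    """True for ESP, IKE or NAT-T from the WLAN to the VPN gateway only."""
    if ip_address(pkt.dst) != VPN_GW:
        return False
    if pkt.proto == "esp":
        return True
    return pkt.proto == "udp" and pkt.dport in IPSEC_UDP_PORTS


class WifiPolicy:
    """Verdicts for packets leaving the wireless segment.

    mode="block":      everything that is not VPN traffic is dropped.
    mode="rate-limit": each source may send `burst` non-VPN packets, then is dropped.
    """

    def __init__(self, mode: str = "block", burst: int = 2) -> None:
        if mode not in ("block", "rate-limit"):
            raise ValueError("mode must be 'block' or 'rate-limit'")
        self.mode = mode
        self.burst = burst
        self._budget: Dict[str, int] = {}   # remaining non-VPN packets per source address

    def verdict(self, pkt: Packet) -> str:
        if ip_address(pkt.src) not in WIFI_NET:
            return "accept"                 # wired hosts are outside this policy's scope
        if is_vpn_traffic(pkt):
            return "accept"                 # the tunnel itself is always allowed
        if self.mode == "block":
            return "drop"
        left = self._budget.get(pkt.src, self.burst)
        if left <= 0:
            return "drop"
        self._budget[pkt.src] = left - 1
        return "accept"


# Constructed sample traffic: one wireless client, one wired host.
SAMPLE_PACKETS: List[Packet] = [
    Packet("192.168.50.20", "192.168.1.10", "esp"),          # ESP to the gateway
    Packet("192.168.50.20", "192.168.1.10", "udp", 500),     # IKE to the gateway
    Packet("192.168.50.20", "192.168.1.10", "udp", 4500),    # NAT-T to the gateway
    Packet("192.168.50.20", "192.168.1.10", "tcp", 22),      # SSH to the gateway: not VPN
    Packet("192.168.50.20", "203.0.113.7", "tcp", 443),      # direct web traffic: not VPN
    Packet("192.168.50.20", "203.0.113.7", "tcp", 443),
    Packet("192.168.50.20", "203.0.113.7", "udp", 53),       # direct DNS: not VPN
    Packet("192.168.1.5", "203.0.113.7", "tcp", 443),        # wired host, out of scope
]


def run_sample(mode: str, burst: int = 2) -> List[str]:
    """Apply one policy instance to the sample traffic and return the verdicts in order."""
    policy = WifiPolicy(mode=mode, burst=burst)
    return [policy.verdict(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for mode in ("block", "rate-limit"):
        print(mode, run_sample(mode))
```

In "block" mode the only packets the wireless client gets through are the three IPsec ones; SSH to the gateway and direct web or DNS traffic are dropped, so a machine on the WLAN has no useful path except through its tunnel. In "rate-limit" mode the first two non-VPN packets per source pass and the rest are dropped, which is a rough stand-in for a real firewall's rate limiting; on a Linux router the equivalent rules would match `-p esp` and `-p udp --dport 500`/`--dport 4500` to the gateway address and drop or limit the remainder, but that ruleset is an assumption and is not shown in the original post.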
