>>>>> "Tom" == Tom Hanan <[email protected]> writes:

Tom> Here is a short summary of many previous e-mails from contributors
Tom> to OpenWireless.org regarding best practices for standing up and
Tom> securing an OpenWireless.org SSID on an open access point.
Tom> [...]
Tom> 1) Use a dedicated access point, on its own subnet, to stand up
Tom> OpenWireless.org access. This "Ensures WiFi Password Protected
Tom> Equivalent isolation" between unencrypted OpenWireless Traffic and
Tom> your other encrypted & password secure Traffic and thus minimizes
Tom> your additional exposure by standing up an OpenWireless SSID. Using
Tom> an old access point you already have or buying a modern one with
Tom> VPN tunneling capability for <$15 will provide gracious providers
Tom> of OpenWireless access with the best possible protection against
Tom> malicious abusers of their hospitality with the least possible
Tom> hassle from their ISP and Copyright Trolls.

On first read, that sounds like a dedicated piece of hardware, which generally isn't necessary with modern hardware. A modern router with the right radio(s) can create multiple virtual interfaces with their own SSIDs and attachable to separate subnets on each radio. With firewall rules, it's trivial to keep traffic separated.

In general this does not protect you against complaints, as you typically will have one public IP address, and the complaints will come back to that address, either directly or indirectly. The purpose of the separate subnets is for local security of your private network, so that people on the public network are not allowed to reach hosts on the private network. If you want to segregate complaints, you need another public IP address. There is usually a cost tradeoff to achieve this, and for most people it's not worth the cost.

Tom> 2) Limit your exposure to your ISP's Six Strikes IP monitoring,
Tom> Extortion actions by Copyright Trolls or potentially unprovoked Law
Tom> Enforcement action by limiting ALL OpenWireless access via your IP
Tom> address to VPN. [...]

In my jurisdiction (the US), this is excessive and paranoid. In other jurisdictions, it might not be. It would certainly limit the availability of openwireless.org networks to a tiny fraction of potential users. In our 14+ years of experience, we have not found this necessary.

Tom> 3) Upgrade your Router or Router Software to support routing of all
Tom> Non VPN Tunneling OpenWireless traffic to a No/Low cost VPN Lite or
Tom> full VPN service that you setup and or pay for. [...] The only way
Tom> an OpenWireless user can ensure their own security is by using
Tom> their own VPN!

End-to-end encryption and valid public keys are the way for users to ensure the privacy of the content of their communications. A user's VPN is going to protect the content of the communication only as far as the other end of the VPN tunnel. Its primary utility is to redirect complaints from the openwireless.org network operator to the user. An openwireless.org provided VPN is going to redirect complaints to the end point of that VPN tunnel. They are likely to get forwarded to you anyway. Just learn to deal with the (few) complaints and your life gets much less complicated. We help manage about 60 networks, and see one or two complaints a year, total. None of them, ever, has had any significant consequences.

-- 
Russell Senior, President
[email protected]

_______________________________________________
Tech mailing list
[email protected]
https://srv1.openwireless.org/mailman/listinfo/tech
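The single-router setup Russell describes in reply to point 1 (an open SSID on its own virtual interface and subnet, with firewall rules so guests can reach the Internet but not the private LAN), written out as an nftables ruleset. This is an added example, not code from the original message or from OpenWireless.org; the interface names wlan0-guest, br-lan and eth0 and the 10.99.0.0/24 guest range are assumed placeholders.

```nft
# Added example, not from the original message. Assumed placeholders:
#   wlan0-guest  = virtual interface carrying the open OpenWireless SSID
#   br-lan       = bridge holding the private (password-protected) LAN
#   eth0         = WAN uplink to the ISP
#   10.99.0.0/24 = subnet handed to guest clients by the router's DHCP
table inet openwireless {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows already permitted below.
        ct state established,related accept
        ct state invalid drop

        # Guest clients may reach the Internet only through the WAN uplink.
        iifname "wlan0-guest" oifname "eth0" ip saddr 10.99.0.0/24 accept

        # Guest clients never reach the private LAN. The counter makes
        # attempts visible in `nft list ruleset` without logging per packet.
        iifname "wlan0-guest" oifname "br-lan" counter drop

        # Private LAN keeps its normal Internet access.
        iifname "br-lan" oifname "eth0" accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # The router offers guests only DHCP and DNS; its admin interface
        # stays unreachable from the open SSID.
        iifname "wlan0-guest" udp dport { 67, 53 } accept
        iifname "wlan0-guest" tcp dport 53 accept

        # Private LAN clients may manage the router.
        iifname "br-lan" accept
    }
}
```

As the reply notes, this keeps guests off the private network but does nothing to separate abuse complaints, which still arrive at the router's single public address.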
