Can a wireless network be 'safe'

Yes, it can be done; the US military does it all the time. Cost, though, is going to kill your project!

-- f/fgeorge

I would think that a VPN over wireless encryption would be more than good enough to protect the data from eavesdropping.

Duane :)

-- Duane Arnold

Hi,

I wonder if I may safely set up a wireless link for some emergency server administration.

However, WEP is hacked, WPA can be hacked, VPN is not safe enough, so do 'safe' alternatives exist?

What about a hardware encryption box at each side of the wireless link which obfuscates the data in a non-proprietary, custom-specified way? Does such hardware exist, or should I just forget my remote server admin project?

Thanks for comments and info

Tor

-- Tor Tveitane

No. 5.7 GHz is actually more crowded than 2.4 GHz depending upon location. It's so bad in the metro areas that co-ordination groups have been organized to establish some level of order.

formatting link
you're running inside an office or in a residential area, 5.7 GHz is just fine. If you're in a glass wall skyscraper overlooking the city, forget it.

IPSec, PPTP, L2TP, SSL, SSH2, etc

Yep. That's what I do to run my office LAN remotely. The web admin is also available with HTTPS security. There's also SSH2 for secure shell login.

-- Jeff Liebermann

No. The WRT54G with Sveasoft Alchemy will terminate a PPTP VPN connection. It will NOT initiate a VPN connection. That has to be done with either a dedicated PPTP router that does such things (i.e. Netscreen) or with a Windoze client.

I'm not sure what you're trying to accomplish and what you have to work with. I'm guessing you want to establish a permanent VPN between your house and office. I do that mostly with Sonicwall SOHO routers. The routers argue among each other to create the VPN tunnel. I can be at one end of the tunnel and see every computah at the other end. It can also be used for remote or roaming access. The downside is that running some ancient applications (i.e. dBase and FoxPlus) across the VPN network is really slow. Basically, the VPN creates a common network between the two LAN's at each end.

Wireless should be a separate issue. I have no clue what level of security you can afford or need. WPA encryption is sufficient. If you can handle a RADIUS server, adding 802.1x authentication will also help. Maximum security would be to use the VPN from the client and terminate it at the VPN router. I would set up the wireless as an access point (not a router) to connect to your LAN. One nice feature of a separate access point is that when you're not at home, just turning it off will take care of any unattended security issues. I've described how to convert a wireless router into an access point in this group about 5 times. Let me know if Google can't find it.

Sonicwall does make a VPN router that has wireless. I've never used it because it's expensive. There are also cheapo VPN routers made by Dlink and Linksys. I've used the BEFVP41 effectively.

-- Jeff Liebermann

Yup, you can do just that. It's what is called a fine-meshed network. Hit in a Google search SIP and read what the state of the art, thinking and doing is to date. Though, how to unite an abundance of people within a common goal. Every individual will have an own xDSL thingy and as for that, it will be Got for all of us like our common provider. Dick Hartog (hidden somewhere in The Netherlands)

"Tor Tveitane" wrote in message news: snipped-for-privacy@individual.net...

-- Dick W. Hartog

"Duane Arnold" wrote in message news:Ma3oe.10116$_o.3058@attbi_s71...

OK, will shifting the radio frequency to a less used band with this device:

formatting link
also be an additional advantage?

Btw, do several flavors of VPN networking exist?

What about the Linksys WRT54GS with Sveasoft firmware? Will a link between two of those using PPTP be what you consider 'secure enough'?

Tor

-- Tor Tveitane

"Jeff Liebermann" wrote in message news: snipped-for-privacy@4ax.com...

Interesting, so if I have a WRT54 wired to the server subnet at work and another WRT54 at home connected wirelessly to the other, both with their PPTP set up and with 60-character WPA keys and MAC filter enabled, will that give me sufficient security to sleep well at night?

Tor

-- Tor Tveitane

Actually Satori, Alchemy, and Talisman all contain pptpclient. We've upgraded it through all of the releases and Talisman sports the latest version (1.6 IIRC).

You can initiate a PPTP client connection in the web interface using the setup page and setting the Internet connection type to PPTP. We added encryption support for Microsoft's MPPE and a checkbox in the web interface to enable it.

You should be able to point the router at your office MS VPN server, add your login and password, enable encryption, and create an encrypted link directly from the router to your office.

You could also do all of this manually in the rc_startup script and support both an Internet connection and a PPTP client connection on the router simultaneously.

James Ewing Sveasoft

-- Sveasoft

Cool. That will be very useful. Thanks.

I've been running Alchemy-V1.0 v3.37.6.8sv which apparently does not include a PPTP client. I guess it's time to upgrade.

/ # find / -name *pptp* -print
/usr/sbin/pptpctrl
/usr/sbin/pptp
/usr/sbin/pptpd
/www/index_pptp.asp
/tmp/pptpd
/tmp/pptpd/pptpd.conf
/tmp/pptpd/options.pptpd
/tmp/var/run/pptpd.pid
/lib/modules/2.4.20/kernel/net/ipv4/netfilter/ip_nat_pptp.o
/lib/modules/2.4.20/kernel/net/ipv4/netfilter/ip_conntrack_pptp.o

All of the download sites and the main web page for Alchemy list the version as 1.0. If there have been updates, it would be difficult to notice.

Suggestion: Add the exact version number to the filenames of the ZIP and bz files.

-- Jeff Liebermann

I think you mean TightVNC.

formatting link
's just a fancy remote control program. It has no inherent security of its own, but I would hate to sniff VNC and deal with its data compression algorithm.

Let's go down to basics. Your minimum protection has to be on several levels. All have to be functional or you don't have any security.

  1. Encryption. That's WPA and your major line of defense.
  2. Authorization: That's the login and password to your network.
  3. Authentication: That's 802.1x or perhaps X.509 certificates. This prevents spoofing and ensures that clients are for real.

There are lots of ways to combine these (and others I didn't mention). The wireless link between two WRT54G radios can have multiple levels of encryption and authentication. For example, a 3DES IPSec VPN running with RC4 WPA encryption, with an SSH2 client, encrypts the payload *FIVE* times. You want more security, just pile on a few more layers of encryption.

Sorta.

formatting link
formatting link
formatting link
that the TZ150/TZ170 is limited to 2 VPN tunnels between hardware clients with the standard 10 "node" license. This makes it fairly difficult to build an effective remote office network. To get more tunnels, you have to buy the 25 user license upgrade which almost doubles the price. I really don't know much about these products other than what I read in the data sheets. I wouldn't mind selling some, but the price usually kills the bid.

-- Jeff Liebermann

"Sveasoft" wrote in message news: snipped-for-privacy@g43g2000cwa.googlegroups.com...

Interesting! Does a detailed howto exist for this scenario? Do I use:

Office Win2000 Server -- wired --> WRT54GS --- wireless link --->

WRT54GS --- wired --- > my computer at home

Thanks for details on which modes the two WRTs should be set to, etc.

Btw I use Alchemy v1 final

regards

Tor

-- Tor Tveitane


"Jeff Liebermann" wrote in message news: snipped-for-privacy@4ax.com...

Does this mean that a link between two WRT54s using a large key WPA and encrypted TightVNC sessions against a server could be considered relatively 'safe' anyway?

I know how to do this, thanks anyway.

Do you mean this one:

formatting link
regards

Tor

-- Tor Tveitane

Well, I see Mr. *L* has been answering your questions. I don't think I need to respond.

Duane :)

-- Duane Arnold

Using OpenVPN. It's very simple ...

-- caapsoft

Yes. Actually using just WPA is considered safe from wireless sniffing. It is possible to decrypt stupid or short WPA pass phrases, but the long and complex ones are currently impossible.

However, there are plenty of ways to do it wrong. I sometimes do "security audits" just for fun. The point-to-point link between buildings used WPA encryption, but no VPN. Just a wireless transparent bridge. They had set the access point configuration via the web interface, but didn't realize that the wireless bridge radios also had a telnet interface with a different password. Once that was set, I checked if SMTP was active and sure enough, the default passwords worked. So, I had to also disable SMTP (which sends its passwords unencrypted). Three different passwords to nail down this system. If any of them were accessible, then I could just read the WPA key from the wireless bridge, and I could decrypt the traffic. It took me about 10 minutes to change the bridges from point-to-point to point-to-multipoint, add my radio to the list of authorized devices, and give myself a tour of their LAN. They were impressed and actually paid for lunch. (I had to leave the tip.) I don't wanna mention the make and model number of this bridge because the clueless manufacturer hasn't bothered to fix the problem.

Adding a VPN adds yet another layer of encryption. In my never humble opinion, unless you need a tunnel between two buildings or sites, WPA is sufficient. However, if you're stuck with WEP, most definitely add a VPN tunnel.

-- Jeff Liebermann
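Following up on the point above about short or common WPA passphrases, here is an added example (not from any post in this thread) that derives the 802.11i pre-shared key with Python's hashlib and applies a simple strength check before a key is deployed; the deny-list, entropy threshold and sample passphrases are this example's own assumptions.

```python
"""Added example, not from the thread: derive a WPA-PSK the way 802.11i does
and flag the 'short or common' passphrase classes the post warns about.
The strength threshold and deny-list below are this example's own choices."""
import hashlib
import math
import string

# Constructed deny-list standing in for a real wordlist (assumption).
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "letmein1"}


def wpa_psk(passphrase: str, ssid: str) -> str:
    """802.11i PSK derivation: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 256-bit output. Returns the key as hex."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32
    ).hex()


def passphrase_strength(passphrase: str, min_bits: float = 60.0) -> dict:
    """Estimate guessing entropy as len * log2(charset) and flag
    dictionary-style phrases. 4096 PBKDF2 rounds only slow an offline
    guess down; they do not rescue a phrase that is short or on a wordlist,
    which is why the post says such phrases are 'possible to decrypt'."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    charset = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    bits = len(passphrase) * math.log2(charset) if charset else 0.0
    common = passphrase.lower() in COMMON_PASSPHRASES
    return {"bits": round(bits, 1), "common": common,
            "weak": common or bits < min_bits}


if __name__ == "__main__":
    # "password" / "IEEE" is the published 802.11i Annex H test vector.
    print(wpa_psk("password", "IEEE"))
    for p in ("password", "Tor-remote-admin-2005!"):
        print(p, passphrase_strength(p))
```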
