Is Ethernet input to wireless router encrypted?

Newb. Ok, this is probably a silly question, but that never stopped me before. If you turn on WEP or WPA encryption at the wireless router, that applies only to wireless connections, not to wired connections - right?

Reply to
Peabody

Yep

Reply to
rieker

In article , waybackNO784SPAM44 @yahoo.com (known to some as Peabody) scribed...

This is a true thing, yes. WEP (not recommended, easily crackable), WPA (also getting to the point where it's easily crackable), and WPA-2 (now preferred) apply only to the wireless side.

Happy netting.

Reply to
Dr. Anton T. Squeegee

Correct

Reply to
me2

The next question then is what are the security concerns (if any) of having a hard-wired ethernet connection to a wireless router? What extra concerns do I have?

Reply to
Kurt Ullman

Kurt Ullman hath wroth:

Wiretap, or rather ethernet tap.

I've uncovered security problems where the wireless bridge is properly protected from sniffing by encryption, but the ethernet cables going to/from the bridge are not. I break into the telephone closet in the office building, install an ethernet tap, and proceed to sniff all the traffic. Physical security is important if you have something worth protecting.

Incidentally, there are Layer 2 encryption products. I have some 3com encrypted ethernet cards (somewhere) that have on board 3DES encryption.

Reply to
Jeff Liebermann

But this is my house and you would have to break into the cable box, I guess?

Reply to
Kurt Ullman

Yes. This isn't a serious concern for home networks, unless some of your cabling is accessible from public areas such as hallways or fire-escapes.

Isn't it easier just to set up a VPN?

Reply to
Mark McIntyre

Mark McIntyre hath wroth:

Agreed. It really depends on how you run your CAT5 wiring. Most home users would not notice an extra CAT5 cable leading to the outside of the house. It would offer little in the way of sniffing opportunities as the common ethernet switch does not repeat all packets. However, it would allow access to the home LAN and possibly the client machines if they were unprotected from local attacks.

The problem I mentioned really has to do with corporate LANs and wireless transparent bridges on rooftops. The CAT5 cable between the rooftop bridge and the corporate ethernet switch is usually unprotected.

A VPN from where to where? The rooftop wireless transparent bridge is just a Layer 2 bridge with no Layer 3 router features. A VPN acts as a shim between these two layers and would require a router rather than just a bridge. A VPN will work with all the traffic routed (not bridged) through the VPN tunnel. That would probably be easier than encrypting the entire LAN but only solves the wiretap problem for one segment of the LAN.

Unfortunately, I have no customers with either Layer 2 or Layer 3 encrypted LANs and have no clue how common these are in the wild. My guess is that they're very uncommon. For home networks, they're probably never used. Considering the level of paranoia about wireless hacking in the trade press, I would have expected more mention of wired encryption and security, but I guess not.

Reply to
Jeff Liebermann

For home use, I was thinking about setting up the entire LAN as a VPN into a server. Seen this done somewhere, forget where.

Reply to
Mark McIntyre

Mark McIntyre hath wroth:

It should be fairly easy to do (although I've never tried it). Windoze supports PPTP out of the box. Get a (wireless) router that will terminate a VPN in the router, and you're done. DD-WRT comes with PPTP client and server so that will work. I'm not so sure about the various "VPN router" low end contrivances. I found one (forgot the model but I'll dig it out of my notes) that would only support a VPN termination on the WAN port, which makes sense for a router to router VPN over the internet, but useless for a LAN side VPN. I guess I should check if DD-WRT will do a LAN side VPN.

It works (so far). Results from ipconfig are:

    Windows 2000 IP Configuration

    Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 192.168.1.11
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

    PPP adapter VPN to local router:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 192.168.15.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.15.2

Oh swell. Now I have two default gateways. ipconfig lies. The results from "route print" (with some loopback and multicast routes deleted) are even more confusing. I assigned the IP address of the VPN termination to 192.168.15.1 and the stupid router hands me my own client IP address 192.168.15.2 as the default gateway.

Let's see if traceroute is any more helpful:

Well, that shows that it's going via the VPN to the router's IP address of 192.168.15.1, so I guess it's working (maybe).

I'm still on the internet which is a good thing. The trouble is that I can't tell if the LAN packets are going via the regular network 192.168.1.xxx or via the VPN at 192.168.15.xxx without sniffing. I guess I'll have to change my local IP address to something outside the netmask and see if it still works (later).

So much for "this should be easy", where 2 out of 3 diagnostics return gibberish. Got a URL on how to do this so I don't have to do anything useful tonite?

Reply to
Jeff Liebermann
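
Added example, not part of the original posts: the question above of whether LAN packets use 192.168.1.xxx or the VPN can be answered from the route table alone, because the most specific matching route wins. The route table below is constructed (an assumption about what a PPTP client typically holds with the ipconfig values shown; it is not the poster's "route print" output), and the function names are hypothetical.

```python
import ipaddress

# Constructed route table (assumption), built from the addresses in the
# ipconfig output above: (destination, gateway, interface, metric).
ROUTES = [
    ("0.0.0.0/0",       "192.168.15.2", "vpn", 1),  # default route via PPP adapter
    ("0.0.0.0/0",       "192.168.1.1",  "eth", 2),  # original default, metric raised
    ("192.168.1.0/24",  "on-link",      "eth", 1),  # local Ethernet subnet
    ("192.168.1.1/32",  "on-link",      "eth", 1),  # host route to the VPN endpoint
    ("192.168.15.2/32", "on-link",      "vpn", 1),  # PPP adapter's own address
]

def select_route(dest, routes=ROUTES):
    """Pick the route for dest: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = []
    for net, gateway, iface, metric in routes:
        network = ipaddress.ip_network(net)
        if addr in network:
            # Negate the metric so max() prefers the lower one on a prefix tie.
            candidates.append((network.prefixlen, -metric, net, gateway, iface))
    if not candidates:
        raise LookupError(f"no route to {dest}")
    _, _, net, gateway, iface = max(candidates)
    return {"dest": dest, "via": net, "gateway": gateway, "interface": iface}

def outside_tunnel(dests, routes=ROUTES):
    """Destinations whose packets leave on the Ethernet adapter, not the VPN."""
    return [d for d in dests if select_route(d, routes)["interface"] != "vpn"]

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for an internet host.
    for d in ("192.168.1.20", "192.168.1.1", "192.168.15.1", "203.0.113.10"):
        r = select_route(d)
        print(f"{d:15} -> {r['interface']} via {r['via']}")
```

With a table like this, internet-bound traffic enters the tunnel, but hosts on 192.168.1.0/24 are still reached directly over the unencrypted Ethernet segment because the /24 on-link route is more specific than the VPN default route.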

No, that's right, different default g/w for the LAN and VPN.

Again, IME that's correct for a VPN.

Wish I did....

Reply to
Mark McIntyre

Y'er right. Two gateways is correct.

My office VPN client does the same thing. I guess it makes sense. VPN talks to itself in order to get to the tunnel on the local router. Y'er right. That's also normal.

Reply to
Jeff Liebermann
