Newb. Ok, this is probably a silly question, but that never stopped me before. If you turn on WEP or WPA encryption at the wireless router, that applies only to wireless connections, not to wired connections - right?
I've uncovered security problems where the wireless bridge is properly protected from sniffing by encryption, but the ethernet cables going to/from the bridge are not. I break into the telephone closet in the office building, install an ethernet tap, and proceed to sniff all the traffic. Physical security is important if you have something worth protecting.
Incidentally, there are Layer 2 encryption products. I have some 3com encrypted ethernet cards (somewhere) that have on board 3DES encryption.
Agreed. It really depends on how you run your CAT5 wiring. Most home users would not notice an extra CAT5 cable leading to the outside of the house. It would offer little in the way of sniffing opportunities as the common ethernet switch does not repeat all packets. However, it would allow access to the home LAN and possibly the client machines if they were unprotected from local attacks.
The problem I mentioned really has to do with corporate LANs and wireless transparent bridges on rooftops. The CAT5 cable between the rooftop bridge and the corporate ethernet switch is usually unprotected.
A VPN from where to where? The rooftop wireless transparent bridge is just a Layer 2 bridge with no Layer 3 router features. A VPN acts as a shim between these two layers and would require a router rather than just a bridge. A VPN will work with all the traffic routed (not bridged) through the VPN tunnel. That would probably be easier than encrypting the entire LAN but only solves the wiretap problem for one segment of the LAN.
Unfortunately, I have no customers with either Layer 2 or Layer 3 encrypted LANs and have no clue how common these are in the wild. My guess is that they're very uncommon. For home networks, they're probably never used. Considering the level of paranoia about wireless hacking in the trade press, I would have expected more mention of wired encryption and security, but I guess not.
It should be fairly easy to do (although I've never tried it). Windoze supports PPTP out of the box. Get a (wireless) router that will terminate a VPN in the router, and you're done. DD-WRT comes with a PPTP client and server, so that will work. I'm not so sure about the various "VPN router" low-end contrivances. I found one (forgot the model, but I'll dig it out of my notes) that would only support a VPN termination on the WAN port, which makes sense for a router-to-router VPN over the internet, but is useless for a LAN-side VPN. I guess I should check if DD-WRT will do a LAN-side VPN.
Oh swell. Now I have two default gateways. ipconfig lies. The results from "route print" (with some loopback and multicast routes deleted) are even more confusing. I assigned the IP address of the VPN termination to 192.168.15.1 and the stupid router hands me my own client IP address 192.168.15.2 as the default gateway.
Let's see if traceroute is any more helpful:
Well, that shows that it's going via the VPN to the router's IP address of 192.168.15.1, so I guess it's working (maybe).
I'm still on the internet, which is a good thing. The trouble is that I can't tell if the LAN packets are going via the regular network 192.168.1.xxx or via the VPN at 192.168.15.xxx without sniffing. I guess I'll have to change my local IP address to something outside the netmask and see if it still works (later).
So much for "this should be easy", where 2 out of 3 diagnostics return gibberish. Got a URL on how to do this so I don't have to do anything useful tonite?
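The question in the post above (are LAN packets leaving through the 192.168.1.x NIC or through the 192.168.15.x VPN adapter?) can be answered from the routing table without sniffing, because Windows picks a route by longest prefix match first and metric second. The following is an added example, not something from the thread: it parses the IPv4 section of a `route print` listing and reports which interface a given destination would exit from. The route table embedded below is constructed to resemble a PPTP client with "use default gateway on remote network" enabled; the poster's real table is not on the page, and the addresses 192.168.1.100 and 192.168.1.1 are assumed values.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str      # "On-link" or a next-hop address, as Windows prints it
    interface: str    # local address of the adapter the packet leaves from
    metric: int


# Constructed sample of the IPv4 route table from `route print`.
# Two default routes: the physical NIC (metric 25) and the PPTP adapter
# (metric 1), which is what "two default gateways" looks like.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100     25
          0.0.0.0          0.0.0.0          On-link     192.168.15.2      1
      192.168.1.0    255.255.255.0          On-link    192.168.1.100    281
    192.168.1.100  255.255.255.255          On-link    192.168.1.100    281
     192.168.15.0    255.255.255.0          On-link     192.168.15.2    257
     192.168.15.2  255.255.255.255          On-link     192.168.15.2    257
"""

VPN_INTERFACE = "192.168.15.2"   # assumed address of the PPTP adapter


def parse_route_print(text: str) -> List[Route]:
    """Turn the five-column Windows route listing into Route records.

    Header lines and anything that is not 'dest mask gateway iface metric'
    are skipped, so the function tolerates the surrounding decoration that
    `route print` emits.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gateway, iface, int(metric)))
        except ValueError:
            continue  # not a route line (e.g. a header)
    return routes


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Pick the route the host would use: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def leaves_via_vpn(routes: List[Route], destination: str,
                   vpn_interface: str = VPN_INTERFACE) -> bool:
    """True if traffic to `destination` exits through the VPN adapter."""
    route = select_route(routes, destination)
    return route is not None and route.interface == vpn_interface


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for dst in ("192.168.1.50", "192.168.15.1", "8.8.8.8"):
        r = select_route(table, dst)
        print(f"{dst:14} -> interface {r.interface:14} "
              f"gateway {r.gateway:12} (via VPN: {leaves_via_vpn(table, dst)})")
```

Running it against the sample table shows the trap the poster is circling: a host on the local 192.168.1.0/24 matches the on-link /24 route, which beats either default route on prefix length, so LAN-to-LAN traffic still goes out the physical NIC in the clear. Only traffic that falls through to the /0 routes takes the tunnel, and there the metric decides between the two default gateways. To force LAN traffic through the tunnel, the VPN side has to hand the client a more specific route (or the client has to move off the LAN subnet, which is the "change my local IP address" test in the post).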