[clue-tech] Re: Wireless security again
David Anselmi
anselmi at anselmi.us
Wed May 18 17:54:45 MDT 2005
Collins Richey wrote:
[...]
> To follow up on my earlier question, is there a likely (or even
> difficult) path through the wireless connection to get to my desktop
> PCs?

Yes. Your PCs' only protection from anyone on wireless is WEP, which is
easily broken. Will someone passing by bother to try to get into WEP?
Depends. But if I wanted to get into one of your PCs I could (and I've
never used wireless before--it's just a matter of some reading and some
trying).

> Given the diagram, let's say the wired router hands out addresses
> like 192.168.4.nnn. The WRTG gets one of these addresses on its
> inbound side and hands out addresses like 192.168.5.nnn where
> 192.168.5.1 is reserved for the WRT45G itself. All of these addresses
> are private, non-legit for the public.

Probably your WRTG is doing SNAT for the laptops. That makes it more
difficult for the PCs to get to the laptops but trivial for the laptops
to get to the PCs. Try it. See if you can ping either way (packet
filtering on the hosts set to allow that, of course).

> Can a sniffer break into one of my wireless laptops and tunnel into
> the 192.168.4.nnn range?

No need as it's an extra hop, but yes.

> To be a little more specific about usage, neither of the laptops are
> intended for any kind of financial transactions, but the Windows
> desktop PC does a few Ebay and Paypal transactions per week.
> Supposedly, these are well encrypted. Can a sniffer be looking at
> those transactions given the description above?

Probably not. That traffic won't route out to the wireless, and
broadcast traffic is unlikely to either.

> Before anyone suggests it, I'm NOT into putting up a permanent 24x7
> firewall machine. That's an obvious solution, but I don't want
> anything running 24x7 except the cable modem and hardwired router.

What you really want, if VPN is out, is 802.1x or 802.11i. But the WRTG
doesn't seem to support that. You could add MAC filtering. That's not
bulletproof but will help.

Dave
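
The SNAT asymmetry described in the reply above, as an added example that is not part of the original message: a toy model of a source-NAT router showing why a wireless host can open connections to the wired PCs while the reverse is dropped. The class name, the router's wired-side address 192.168.4.50, the host addresses and the ports are constructed, and the model assumes no port forwards are configured.

```python
from ipaddress import ip_address, ip_network

WIRELESS_NET = ip_network("192.168.5.0/24")  # laptop range, from the thread
WAN_IP = ip_address("192.168.4.50")          # constructed: wireless router's wired-side address


class SnatRouter:
    """Hypothetical toy model of a consumer router doing source NAT, no port forwards."""

    def __init__(self):
        self.flows = {}          # wan_port -> (laptop_ip, laptop_port, peer_ip, peer_port)
        self.next_port = 40000   # constructed starting point for translated ports

    def outbound(self, src, sport, dst, dport):
        """Wireless -> wired: rewrite the source address and record the flow."""
        src, dst = ip_address(src), ip_address(dst)
        if src not in WIRELESS_NET:
            raise ValueError("outbound() expects a wireless-side source")
        wan_port = self.next_port
        self.next_port += 1
        self.flows[wan_port] = (src, sport, dst, dport)
        return (WAN_IP, wan_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Wired -> wireless: deliver only replies that match a recorded flow."""
        src, dst = ip_address(src), ip_address(dst)
        flow = self.flows.get(dport) if dst == WAN_IP else None
        if flow is None or (src, sport) != flow[2:]:
            return None          # unsolicited packet: dropped
        return (src, sport, flow[0], flow[1])


def demo():
    r = SnatRouter()
    pc, laptop = "192.168.4.10", "192.168.5.100"      # constructed host addresses
    out = r.outbound(laptop, 51000, pc, 80)           # laptop opens a connection to the PC
    reply = r.inbound(pc, 80, str(out[0]), out[1])    # the PC's reply is translated back
    direct = r.inbound(pc, 33000, laptop, 22)         # PC addresses the laptop directly
    return out, reply, direct


if __name__ == "__main__":
    for label, result in zip(("laptop->PC", "PC reply", "PC->laptop"), demo()):
        print(label, result)
```

The PC sees the connection as coming from the router's wired-side address, so host packet filters on the PCs that trust the whole 192.168.4.nnn range also trust every wireless client.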