On Sun, Feb 5, 2012 at 9:47 PM, Craig <diese...@pisquared.net> wrote:
> On Sun, 5 Feb 2012 16:30:40 -0500 Ed Booher <edboo...@gmail.com> wrote:
>
>> If you start housing important data on a system available behind WiFi,
>> it isn't a question of if, it's a question of when is someone going to
>> get around to breaking into it and sniffing around.
>
> This is why I do not use WiFi. It would be a benefit, however, with our
> upcoming move of my office to another part of the house.

The same can be said for any internet connection.  If you have
WPA2-AES on your AP, and use RADIUS, there aren't any known ways of
getting data out of the air.  A good site plan will keep most of the
signal in the house, and you can set up a secondary AP/VAP with less
restrictive or no security that does not have access to your important
data/computers for running into the back yard etc.

>> Might even want to go with an optional WiFi add in card for said switch
>> and move fully to a business class level. Then you could even add in SSL
>> certificate encryption to the WiFi.
>
> How does this work? How is it implemented?

Most APs will do it, at least SOHO-class or better - you would need
"WPA2-Enterprise" and a back-end RADIUS server for what Ed describes.
The certificates are TLS, or you could just use PEAP and log in.
Practically TLS is easier to use if your hardware is locked down, PEAP
is better if you think the computer itself might wander off.

You could also do "WPA2-PSK" if you don't want to have to maintain a
separate authentication server, which honestly is what I'd recommend.
It's not great for enterprise because you should change the passphrase
occasionally, but for a half-dozen clients I think the benefits of the
external authentication server aren't there.  Most consumer APs will
do WPA2-PSK.  Note that in either WPA case you need to be using AES,
anything else is a waste of time.

> Is it possible to run an encrypted VPN over WiFi, thus having a more
> secure link?

Both WPA2 and VPN are probably using an AES variant, so it isn't
strictly more secure as long as your network is clean.  In my view,
the best practice is to keep the data itself secure (HTTPS, VPN) when
necessary, and files encrypted at the source if they contain private
information - the network isn't really trustworthy unless you have
some serious hardware and time to monitor it.

Even with a good antenna I don't have signal at the street, and I have
a bunch of APs.  Definitely use SSL for anything that might be
sensitive, DNSSEC if you can, use static IPs for computers that might
be subject to some kind of DHCP-injection attack, put all data behind
a username and password, change passwords occasionally, and follow the
other standard information security practices.  End-to-end encryption
like VPN, or encrypting individual files, is the way to go if you need
to do something really safe, but that should be true whether you are
logging in to work over the WAN or saving financial data onto a NAS -
for all you know, someone has already compromised your printer, done
an ARP injection, and is logging the ethernet from your PC as I type.
:)

In my view the only reason to avoid wireless nowadays is performance;
11n is okay, but still performs worse than a 100Mbps link in most
cases; hardly good enough for realtime media streaming.  Works well
enough for internet access but real data transfer still needs a wire.

Best,
-Tim
would have been arguing closer to Ed's position three years ago
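As an added illustration of the advice in this thread (not code from the list or from any of its posters), the following Python audit reads a hostapd.conf and flags the settings Tim warns against: WPA1 still enabled, TKIP instead of AES (CCMP), and a WPA2-Enterprise setup with no RADIUS back end. The config snippets are constructed for the example; the RADIUS address and shared secret are placeholders.

```python
"""Audit a hostapd.conf: WPA2 only, AES (CCMP) only, RADIUS present for WPA-EAP."""

def parse_hostapd(text):
    """Parse key=value lines, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit_hostapd(text):
    """Return a list of findings; an empty list means the config follows the advice."""
    cfg = parse_hostapd(text)
    findings = []
    wpa = int(cfg.get("wpa", "0"))          # bitfield: 1 = WPA1, 2 = WPA2 (RSN)
    if wpa & 1:
        findings.append("WPA1 still enabled: set wpa=2")
    if not wpa & 2:
        findings.append("WPA2 (RSN) not enabled: set wpa=2")
    ciphers = set(cfg.get("wpa_pairwise", "").split()) | set(cfg.get("rsn_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed: use CCMP (AES) only")
    if "CCMP" not in ciphers:
        findings.append("no AES (CCMP) pairwise cipher configured")
    mgmt = set(cfg.get("wpa_key_mgmt", "").split())
    if "WPA-EAP" in mgmt:                   # WPA2-Enterprise: needs 802.1X and a RADIUS server
        if cfg.get("ieee8021x") != "1":
            findings.append("WPA-EAP selected but ieee8021x=1 not set")
        for key in ("auth_server_addr", "auth_server_shared_secret"):
            if not cfg.get(key):
                findings.append(f"WPA-EAP selected but {key} missing (RADIUS back end needed)")
    elif "WPA-PSK" in mgmt:                 # WPA2-PSK: hostapd requires an 8..63 char passphrase
        if len(cfg.get("wpa_passphrase", "")) < 8:
            findings.append("wpa_passphrase shorter than 8 characters")
    else:
        findings.append("no WPA key management configured (open network)")
    return findings

# Constructed sample configs (not from any real AP).
WEAK_PSK = "interface=wlan0\nssid=HomeNet\nwpa=3\nwpa_key_mgmt=WPA-PSK\n" \
           "wpa_pairwise=TKIP CCMP\nwpa_passphrase=correcthorsebatterystaple\n"
GOOD_PSK = "interface=wlan0\nssid=HomeNet\nwpa=2\nwpa_key_mgmt=WPA-PSK\n" \
           "rsn_pairwise=CCMP\nwpa_passphrase=correcthorsebatterystaple\n"
ENTERPRISE = "interface=wlan0\nssid=HomeNet-Ent\nwpa=2\nwpa_key_mgmt=WPA-EAP\n" \
             "rsn_pairwise=CCMP\nieee8021x=1\nauth_server_addr=192.0.2.10\n" \
             "auth_server_port=1812\nauth_server_shared_secret=PLACEHOLDER-SECRET\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_PSK), ("psk", GOOD_PSK), ("enterprise", ENTERPRISE)):
        print(name, audit_hostapd(conf) or "OK")
```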

_______________________________________
http://www.okiebenz.com