On 09/09/11 05:33, David Walker wrote:
> Hi.
> 
> I'm using some old gear that doesn't support WPA or better (WEP only).
> Until I get around to that what are my options security wise?

define "security" :)

> 
> Here's the machines:
> 
> inet <-> OpenBSD <-> CPE AP <-> USB <-> OpenBSD <-> desktops
> 
> The AP is some Cisco or something. Like those WRT54s and whatnot.
> I notice it has options for L2TP pass through and maybe IPSEC and PPTP.
> I'm not really sure how they work that (no man pages of course).
> The USB stick is old and WEP only (Netgear MA111).
> 
> I have control over all the machines.
> It's a bit dual purpose - it's my route to the internet so I figure
> encrypting/decrypting at the OpenBSD machines or tunneling between
> them or something is probably good but the plan is also to access the
> immediate inet OpenBSD machine from the desktop end OpenBSD machine
> via SSH at some point but I'm not sure if that matters.
> 
> I'm unfamiliar with all of that (yes even SSH).
> I'd like to use something that's in base at a minimum.
> If it's conceptually simple that's a bonus.
> 
> Best wishes.

Your risks with wireless:
* Unauthorized use to access Internet
  -> use AuthPF so that you have to ssh authenticate to use the
     gateway.
* Unauthorized use of local resources
  -> Use strong authentication for anything internal
* Packet sniffing
  -> use encrypted communications for all you can, and everything
     important.  SSH tunnels are your friend
* Crappy wireless drivers
  -> already using OpenBSD, unlikely a bad driver will root you.
* Machines unprotected from direct drive-by attackers
  -> already using OpenBSD.  PF is your friend.
* Uncontrolled access to network
  -> authenticate everything.
* I feel like I have forgotten something. :-/

Basic trick for safer wireless is to assume your wireless devices and
all devices that are accessible via wireless are raw on the Internet.
As all your listed devices are OpenBSD, this is entirely possible.

Nick.
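
A minimal gateway setup for the AuthPF suggestion above, as an added example that is not part of the original message. The interface names em0 (Internet) and em1 (toward the AP) are assumptions, as is the wireless-side OpenBSD machine NATing the desktops so that it shows up as a single address on em1.

```conf
# ---- /etc/pf.conf on the Internet-side OpenBSD gateway (constructed example) ----
# Assumed interfaces: em0 faces the Internet, em1 faces the AP / wireless side.
ext_if  = "em0"
wifi_if = "em1"

set skip on lo

# Default deny in both directions: the wireless side is treated as hostile.
block all

# NAT whatever is allowed to leave toward the Internet.
match out on $ext_if inet from ($wifi_if:network) nat-to ($ext_if)

# Outbound traffic on the Internet side (the gateway's own, plus forwarded
# traffic that was already allowed in on em1 by the authpf anchor below).
pass out on $ext_if

# Before authentication, the only thing a wireless host may reach is
# sshd on the gateway itself, so that it can log in and start authpf.
pass in on $wifi_if inet proto tcp from ($wifi_if:network) to ($wifi_if) port ssh

# authpf loads one sub-ruleset per logged-in user under this anchor
# and removes it again when the SSH session ends.
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules (loaded at each login) ----
# $user_ip is set by authpf to the address the SSH login came from.
# Macros from pf.conf are not visible here, so the interface is named directly.
pass in quick on em1 inet from $user_ip to any

# ---- other requirements ----
# /etc/authpf/authpf.conf must exist (it may be empty), otherwise authpf refuses to run.
# The login account used from the wireless side has /usr/sbin/authpf as its shell.
```

authpf ties the rules to a source IP address for the life of the SSH session, so it controls who may use the gateway but does not encrypt anything on the WEP link; traffic that matters still needs SSH or another encrypted channel.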
