On Wed, 2003-12-31 at 09:31, Chris Gehlker wrote:
> On Dec 31, 2003, at 8:59 AM, Chris Gehlker wrote:
>
> > Where the manual isn't much help is in laying out some kind of decision matrix that would allow me to choose the appropriate level of security. I don't care if someone wants to park in front of my house and share my connection to the internet. I don't worry too much about them printing from my printer. I do care if they get into the shares on my desktop, but I don't think the notion that some black hat is going to park outside the house and capture every byte and then analyze them to discover our usernames and passwords. As another example, it is easy to set the MAC address of the iBook as the only one allowed on the network. Presumably, it is also very easy to forge MAC addresses. The manual doesn't actually say that. One has to infer it from the fact that it goes on to discuss more expensive and presumably better security methods.
>
> Duh. Responding to my own post. But sometimes the mere act of writing down the question helps one see the answer. It dawned on me that some of the cheap but weak security methods, like the MAC based access list, only prevent write access to my network. It takes some pretty strong encryption to prevent read access. The signals are *broadcast* after all.
>
> I still don't really know what level of security is appropriate for a home office network.

---

Sometimes answering questions helps to solidify the issues in my mind as much as trying to ask them does, so here's my take.

You probably should consider the wireless network just as untrusted as the internet. On your computer, you could create iptables rules to reject everything but ports 22 & 515 from the network (TCP; printing might be UDP, I don't know). Then if you needed access to, say, files from your Linux desktop, you could pipe it through ssh. If you have more than 1 computer on the 'wired' side of things, this would be a problem.

In this case, the idea would be to have 2 routers, one for the internet and one for the wireless network. The wireless router would set the restrictions: only ports 22 & 515 may go to any IP address on the wired LAN, while everything can go to the default gateway on the wired LAN.

Unless you use encryption (WEP or ???), all passwords transmitted in the clear (telnet, rsync, nfs) could be sniffed/captured by anyone snooping the wireless LAN. WEP encryption in 802.11b (which is the only AirPort available for an iBook that I know of) is supposedly easily broken.

Craig
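The iptables layout Craig sketches, written out as an added example (this is not code from the thread). The host rules cover the single-desktop case (only ssh and lpd reachable from the wireless side); the forward rules cover the two-router case where a Linux box routes between the wireless and wired segments and lets wireless clients reach the internet gateway but only ports 22 and 515 on the wired LAN. Interface names, subnets and the gateway address are hypothetical and set via environment variables; by default the script only prints the rules so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not part of the original post: iptables rules that treat
# the wireless LAN as untrusted, as described in Craig's reply.
#
# Hypothetical assumptions (override with environment variables):
#   WLAN_IF   - interface facing the wireless network
#   WLAN_NET  - the wireless subnet
#   WIRED_NET - the wired subnet behind this box (two-router case)
#   IPT       - "iptables" to apply for real (as root); default just prints
WLAN_IF="${WLAN_IF:-wlan0}"
WLAN_NET="${WLAN_NET:-192.168.2.0/24}"
WIRED_NET="${WIRED_NET:-192.168.1.0/24}"
IPT="${IPT:-echo iptables}"

# Single-desktop case: firewall on the desktop itself.  Only ssh (22/tcp)
# and lpd (515/tcp) are reachable from the wireless segment.
host_rules() {
    # Replies to connections this host opened towards the wireless side.
    $IPT -A INPUT -i "$WLAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in 22 515; do
        $IPT -A INPUT -i "$WLAN_IF" -s "$WLAN_NET" -p tcp --dport "$p" -j ACCEPT
    done
    # Reject (not drop) the rest: a wireless user who tries Samba or NFS
    # gets an immediate error instead of a hang, and we leak nothing extra.
    $IPT -A INPUT -i "$WLAN_IF" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$WLAN_IF" -j REJECT
}

# Two-router case: this box forwards between wireless and wired segments.
# Wired hosts are reachable only on 22/515; anything else from the wireless
# side is internet-bound and is passed on to the wired LAN's default gateway.
forward_rules() {
    $IPT -A FORWARD -i "$WLAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in 22 515; do
        $IPT -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -d "$WIRED_NET" \
            -p tcp --dport "$p" -j ACCEPT
    done
    # Order matters: the wired-LAN reject must precede the blanket accept,
    # otherwise wireless clients could reach every wired host.
    $IPT -A FORWARD -i "$WLAN_IF" -d "$WIRED_NET" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A FORWARD -i "$WLAN_IF" -d "$WIRED_NET" -j REJECT
    $IPT -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -j ACCEPT
}

# With only 22/tcp open, file access from the iBook goes over ssh rather
# than a cleartext protocol, e.g.:
#   scp user@desktop:/path/file .          # or sftp
#   rsync -e ssh -av user@desktop:/srv/ ./  # rsync over ssh instead of rsh
host_rules
forward_rules
```

Run it as-is to review the generated rules; run `IPT=iptables sh script.sh` as root to apply them. The two REJECT lines per chain are deliberate: `--reject-with tcp-reset` only applies to TCP, so non-TCP traffic needs a separate rule with the default ICMP port-unreachable.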