On Wed, 2005-02-16 at 20:09 -0500, Craig Brooksby wrote:
> Hi all -- seeking advice / pointers to where I can read up... my two
> questions are numbered, below.
>
> My home network is through a D-Link wireless router, to the Cox cable
> modem. It works fine -- I am not an expert. For security, I did
> stuff like the following:
>
> 1) Turned WEP on, at 128-bit
> 2) Turned on filtering by Mac address
> 3) Added WPA-PSK authentication.
>
> The router seems to be able to do more -- firewall stuff, etc. At the
> same time, I know people use old boxes + Linux to do all these things.
> So here's what I'm wondering:
>
> 1) Are there clear reasons why running an old box + Linux as a router
> / firewall / etc. is *better* than just using the features in the
> little $60 router? (I mean, the *fan noise alone* from this old box
> is enough to tilt the scales for me :-)
>
> 2) Do people plug in Wi-Fi adapters into the old box and use it to
> control a wireless network? Or is all that better left to the D-Link?
> I ask because my son's Win XP box is currently wireless.
>
> I want to learn more about networks. I am resourceful and like new
> challenges, but if such things are better left to people with long,
> deep experience / formal training -- network "engineers" and people
> who relax by reading manpages -- please advise.
-----
It's all possible by the average person - it's just that the average
person isn't interested in devoting the time and energy to learn this
stuff.

- Don't know about your wireless router but generally, you only have
both WEP & WPA-PSK available when you are in 'mixed-mode' meaning you
are allowing WEP & 802.11b connections and are allowing WPA-PSK &
802.11g connections. Do you need both? Do all your machines handle
802.11g? If so, then use the 802.11g because it is 54Kbps versus 11Kbps.
WPA is stronger encryption but not backwards compatible. I can't
conceive that any of these cheapo boxes support both WEP & WPA-PSK
simultaneously but I've certainly been wrong before.

The restriction/filtering by MAC Address is probably a good thing to do
- as long as you can manage it and if you can manage that, you can
probably do anything else you've set your mind to doing.

The wireless router, if kept up to date with firmware updates is
probably as secure, if not more so than your own box router. Your own
box router can be more versatile and employed to do other things such as
dns but of course, that concept weakens the security of the box.

You could conceivably do this...

<cable modem> - - <wireless router> - - <linux router w/ firewall>
  public IP         192.168.1.0/24           192.168.2.0/24

and your linux router had two network cards 1 on the 192.168.1.0 network
and one on the 192.168.2.0 network and then all your computers plugged
into a hub/switch with the 192.168.2.0 network card of the linux router
and all had different 192.168.2.0/24 addresses.

then you could drop the WPA/WEP & filtering/restrictions by MAC Address
altogether if the linux router considered the wireless router as part of
the big bad untrusted traffic area sometimes referred to as the
internet. Then you could set up a vpn (ipsec/openvpn/cipe) so that a
wireless connection couldn't get on your local network without using
VPN. That would ensure encrypted traffic from your laptop or desktops
using wireless if they connected through to the network because their
only ability to connect to the network would be through the vpn channel.
This would be in my opinion, the 'optimal' method for using with high
security.
Craig
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
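
The layout described in the reply above, sketched as a firewall ruleset for the Linux router; this is an added example, not part of the original thread. The interface names (eth0, eth1, tun0), the choice of OpenVPN on UDP 1194, and masquerading of the wired LAN are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Assumed names:
#   eth0 = NIC on 192.168.1.0/24 (wireless router side, treated as untrusted)
#   eth1 = NIC on 192.168.2.0/24 (wired LAN); tun0 = OpenVPN tunnel device
#   OpenVPN server on this box listening on UDP 1194
UNTRUSTED_IF=eth0
LAN_IF=eth1
VPN_IF=tun0
VPN_PORT=1194
LAN_NET=192.168.2.0/24

# Emit an iptables-restore ruleset on stdout; nothing is applied here.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -i $VPN_IF -j ACCEPT
# The only new traffic accepted from the wireless side is the VPN handshake.
-A INPUT -i $UNTRUSTED_IF -p udp --dport $VPN_PORT -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Wired LAN may go out; wireless hosts reach the LAN only through the tunnel.
-A FORWARD -i $LAN_IF -o $UNTRUSTED_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT
-A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $UNTRUSTED_IF -j MASQUERADE
COMMIT
EOF
}

# Count rules that would let a NEW connection pass untrusted -> LAN directly.
untrusted_to_lan_rules() {
    gen_ruleset | grep -cF -- "-A FORWARD -i $UNTRUSTED_IF -o $LAN_IF" || true
}

# "print" writes the ruleset so it can be reviewed or piped to iptables-restore.
if [ "${1:-}" = "print" ]; then gen_ruleset; fi
```

With the FORWARD policy set to DROP and no rule from eth0 to eth1, a host that associates with the wireless router gets no path to 192.168.2.0/24 until it has brought up the tunnel.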