[geeks] home wap paranoia

[Dan Duncan]

On Wed, 17 Mar 2004, Daniel Johannsson wrote:
> I'm wondering how paranoid other geeks members are about people getting
> onto their wap, and out on their net connection.  I live in a fairly
high
> density area, with a lot of apts/condos and some coffee
shops/restaurants
> withing probable wap range, so I'm thinking I should try to go fairly
> secure.

I'm less concerned about someone using my link to hit the net than
I am that they will use it to access my LAN.

> Are people in general just trusting 128bit wep and using non broadcast
> ssids, or also doing things like putting the wap on a private network,
and
> then forcing ipsec tunnels from the laptops to a machine with a nic on
> both the private and the external facing network?

I have 128bit WEP, non-broadcast SSID, restricted access to certain
MAC addresses, AND I have the wireless segment firewalled off from my
internal LAN.  I moved the wireless router up front so it's now my
internet firewall.  The LAN side of the wireless router is what
I consider my pseudo DMV.  The only machines in that subnet are
fairly hardened and the only open ports are ports I already have
open to the net anyway.  I have two other NAT routers with WAN ports
on that segment and behind those are my workstations.  No inbound
traffic to those guys unless I initiate a tunnel or temporarily
open a port on the firewall.

I recently had a shell account hacked on one of my DMZ boxes.  It
was an account I use to accumulate and read mail on a box that
doesn't have anything else in the way of tools on it.  The hacker
came in via ssh, but was using my password.  I'm pretty sure he
sniffed it from my cellphone pulling email via POP3.  the box
has now been rebuilt and the POP accounts no longer have shell
access.

-DanD

-- 
#  Dan Duncan (kd4igw)  dand at pcisys.net  http://pcisys.net/~dand
# Westheimer's Discovery:  A couple of months in the laboratory can
# frequently save a couple of hours in the library.