adding wireless to my home network
Jamon Camisso
jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Thu Jan 12 03:07:35 UTC 2006
William O'Higgins Witteman wrote:
> I'm going to be plugging a wireless router into my home network in a few
> days, but I'd appreciate any advice on how exactly to do it. I have a
> server that I want to move to the basement, and I want to be able to use
> my laptop without borrowing signal from my unwitting neighbour.
Just how unwitting is your neighbour? I've got a few people in my
building/neighbourhood who password protect and change their ssid, but
who openly offer their internet to anyone who wants to use it. I don't
think that there are any laws (in Canada anyways) at the moment that
have been used to find someone with an open AP liable for the actions of
others who use the connection. That being said, your friendly EULA
issuer might not agree.
> Right now, all the wired computers, including the server, live behind a
> router/firewall. I like this, and I like having the server behind a
> firewall too. If I plug my wireless router into the wired
> router/firewall though, then any computer that gains wireless access can
> also see my wired machines, which I'd prefer to avoid.
If you restrict access to the wireless portion of your network using one
of your below-mentioned methods, there is no reason why such a setup
need worry you.
> Also, can I forward a port (22 for instance) from one router/firewall to
> the next router/firewall to a machine of my choice?
>
> I am not hugely worried about neighbours stealing my signal, but I want
> to protect the machines on my network from transient wireless threats.
> Are there suggestions as to which security methods I should use; WEP,
> WPA, MAC address recognition etc? Finally, I bought my router so that it
> would be compatible with OpenWRT. Is it worth it to reflash it at once,
> or should I wait until my warranty lapses before fooling with something
> that already does what I need?
>
> Thanks.
MAC filtering is OK, but your unencrypted traffic is just that --
unencrypted, transmitted in the clear unless encrypted by something
like... ssh etc. Someone with just a little knowledge of ifconfig could
easily spoof a MAC address or two and create some pretty nasty
man-in-the-middle attacks. Someone who can install kismet can read any
radio traffic within range of their card and its antenna (or additional
antenna for that matter).
Anyone with enough smarts (read: little to none in this case) to spoof a
MAC address could crack WEP in a matter of 15 minutes or so, given just
a few (1 even!) packets and hardware that can replay and monitor packets
at the same time. Such cards are readily available for under $20 if you
check chipsets and the local stores.
Anyone who can crack WEP in a short amount of time could easily crack
WPA *if* your passphrase is too weak. Indeed, it is faster to crack a
weak WPA passphrase with a dictionary than to crack WEP by bruteforce
and replaying packets. Choose a good long (20 characters,
non-dictionary) passphrase and WPA provides good security.
As for reflashing, if the wireless router does everything you want it
to, what would voiding your warranty accomplish? Unless you can reflash
back to the original, in which case it would be a great thing to try,
I'd say it would be best to leave well enough alone unless you are
absolutely certain that the hardware revision and the firmware are a
match for each other.
My $0.02
Jamon
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
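
The passphrase advice in the reply above (20 characters, non-dictionary), as an added example that is not part of the original post. It audits candidate passphrases, generates a random one, and derives the WPA pre-shared key with the standard PBKDF2-HMAC-SHA1 construction (SSID as salt, 4096 iterations), which is deterministic and is why a guessable passphrase can be checked offline. The wordlist, the symbol set and the SSID `HomeAP` are constructed sample values.

```python
import hashlib
import math
import secrets
import string

MIN_LENGTH = 20  # the length the post recommends
# Constructed sample wordlist; a real audit would load a full dictionary file.
SAMPLE_WORDS = {"password", "wireless", "toronto", "linux", "router", "network", "letmein"}
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def derive_psk(passphrase: str, ssid: str) -> str:
    """WPA-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits (hex)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32).hex()


def audit_passphrase(passphrase: str, words=SAMPLE_WORDS) -> list:
    """Return the reasons a passphrase fails the post's advice (empty list = passes)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = passphrase.lower()
    # Strip digit/symbol decoration so 'Pass-word123' still matches 'password'.
    letters_only = "".join(c for c in lowered if c.isalpha())
    hits = sorted(w for w in words if w in lowered or w in letters_only)
    if hits:
        problems.append("contains dictionary words: " + ", ".join(hits))
    return problems


def generate_passphrase(length: int = MIN_LENGTH) -> str:
    """Random passphrase from the OS CSPRNG, regenerated if it fails the audit."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit_passphrase(candidate):
            return candidate


def entropy_bits(length: int = MIN_LENGTH) -> float:
    """Entropy of a uniformly random passphrase of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for pw in ("linuxrouter", "TorontoWirelessNetwork1", generate_passphrase()):  # HomeAP: sample SSID
        print(repr(pw), audit_passphrase(pw) or "ok", derive_psk(pw, "HomeAP")[:16] + "...")
    print(f"{entropy_bits():.0f} bits for a random {MIN_LENGTH}-character passphrase")
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, so a unique SSID adds a little protection against precomputed tables on top of a strong passphrase.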