Wireless Networking...but this time with a BSD router...

Jul 1, 2005 at 2:05 PM Post #16 of 29
Quote:

Originally Posted by philodox
There is such a thing as being too obsessed with security. I don't openly invite attack and I lock down my systems well enough, but what motivation would a hacker have to attack me? None. Ease up and relax a bit.



I agree. I'm very security conscious, since I work in IT, but I'm also realistic.

Even if someone was to bother cracking my work's wi-fi network, which is only 40 bit WEP (and for a good reason), what would they gain from doing this and why would they even bother? Even if someone was to connect to our wireless network they would still not be able to access any critical data.
 
Jul 1, 2005 at 2:25 PM Post #17 of 29
First, I like tinkering. I'm taking networking/security classes, I love Linux, and it's fun seeing how much I can lock something down.

Second, it's not my data. If it was mine, I wouldn't care as much, mainly because I have nothing anyone could possibly want. (A decent movie and music collection, I suppose) But the church keeps financial and other such information on their computers (although not shared), and I have to keep things like this in mind.
 
Jul 1, 2005 at 2:51 PM Post #18 of 29
I like tinkering too, and I'm a huge fan of OpenBSD, FreeBSD and NetBSD. I like Linux too. I'll use whatever does the job. I like to be strict with security but I also try to be realistic.
 
Jul 1, 2005 at 5:48 PM Post #19 of 29
Quote:

Originally Posted by Stephonovich
First, I like tinkering. I'm taking networking/security classes, I love Linux, and it's fun seeing how much I can lock something down.

Second, it's not my data. If it was mine, I wouldn't care as much, mainly because I have nothing anyone could possibly want. (A decent movie and music collection, I suppose) But the church keeps financial and other such information on their computers (although not shared), and I have to keep things like this in mind.



How much physical security do you have for your servers (NOC)? Are tapes being stored offsite? If so what type of physical security does that facility have? How many people have root level access?

I'm asking this because the focus of security has been at hardware and software level.
 
Jul 1, 2005 at 6:17 PM Post #20 of 29
Quote:

Originally Posted by psychogentoo
How much physical security do you have for your servers (NOC)? Are tapes being stored offsite? If so what type of physical security does that facility have? How many people have root level access?

I'm asking this because the focus of security has been at hardware and software level.



There are no servers, per se. There are clients (desktops and laptops) that all run through WRT54Gs, via 802.3 or 802.11.

The building itself is locked, and is in a good neighborhood of a fairly small town. Crime isn't much of an issue. It used to be a bank, so I'm presuming it's fairly secure.

As of now, there are no backups to my knowledge. Some people probably have some of the stuff on their flash drives. Again, something I need to educate them on. As mentioned, currently my focus is on the network.

Unfortunately, due to XP's retardedness, everyone has an Administrator account. I'll probably change that soon as well. As to the WRT54Gs, they have access in theory. They know the password, anyway. However, none of them would touch it. They're afraid
 
Jul 1, 2005 at 8:31 PM Post #21 of 29
A bit late, I know, but if you go with Linux, you might also want to consider:

http://zapatopi.net/mindguard.html



I use WPA-TKIP and MAC address filtering. Router (Airport Express) doesn't support turning SSID broadcasting off, but that's just too bad, I guess. I have things that keep me awake at night, but the security of my WLAN is not one of them.

/JF
 
Jul 1, 2005 at 9:54 PM Post #22 of 29
Quote:

Originally Posted by JiiEf
A bit late, I know, but if you go with Linux, you might also want to consider:

http://zapatopi.net/mindguard.html



I use WPA-TKIP and MAC address filtering. Router (Airport Express) doesn't support turning SSID broadcasting off, but that's just too bad, I guess. I have things that keep me awake at night, but the security of my WLAN is not one of them.

/JF



That's absolutely brilliant. Someone had way too much time on their hands. The comments especially are awesome:

Quote:

/*
Although conveniently left out of most C textbooks, it's
a well-known fact in the anti-mind-control community
that the rand() function -- originally developed by the
RAND Corporation for use in its political mind-control
research -- interacts with a computer's underlying
circuitry in complexly emergent ways, making the
function useful for mind-control detection due to the
quantum effects of psychotronics on aluminum atoms. A
side-effect of this is that it also works well for
pseudo-stochastic number generation, something many hack
programmers ignorantly use it for.
*/


All programmers should aspire to have such esoteric and daedal comments.

As for actual security; believe me, I'd love it if they all had Macs. It would make user-level security so much easier. Virii and spyware would be practically non-existent, as would crashes. Shame they're so pricy... actually, not too bad, now that I look at 'em. Lesse... they've got a Dimension 4700 (all Dells here), which after they spec'd it out, is $1200. They may have gotten a discount due to their being non-profit, but I'm guessing no more than $200, if that. Then, they've got two laptops (which Dell apparently no longer makes - they've only got Celerons and Pentium M now. These are P4 2.8) which are probably around $1000 or so a piece. They're not exactly wimpy; P4 2.8, as I mentioned, 512MB RAM, and XP Pro on all of 'em. Oh, on top of all this, they bought a 5 unit site license for Office 2003 Pro. That's at least $1500, I'd bet, even with discounts. Heck, a one-man license of Pro is $500. I attempted to convince them of the virtues of OpenOffice, but they wouldn't hear it. I mean, really. 2.0 is absolutely brilliant, and is for all intents and purposes, a perfect clone of Office. Anyway... I could get a Mac Mini for $500, and an LCD for about $200. There's $300 savings right there. A couple of 14" iBooks would be about $2500. Bit pricier there, but with the savings on other things, and the enhanced security, stability, and usability, it'd be worth it.

I wonder if I could convince them to use Linux at some point and time. Should bring in Knoppix sometime...
 
Jul 1, 2005 at 11:08 PM Post #23 of 29
Quote:

Originally Posted by Stephonovich
I wonder if I could convince them to use Linux at some point and time. Should bring in Knoppix sometime...


There are some good case studies for a whole organization to Linux. Check out the many articles on the Ernie Ball corporation. They went to an all Linux shop after the BSA (Business Software Alliance) embarrassed them all because of a disgruntled employee and transferring legal copies of Windows to a different computer. They haven't looked back since.
 
Jul 2, 2005 at 12:27 AM Post #24 of 29
Quote:

Originally Posted by psychogentoo
There are some good case studies for a whole organization to Linux. Check out the many articles on the Ernie Ball corporation. They went to an all Linux shop after the BSA (Business Software Alliance) embarrassed them all because of a disgruntled employee and transferring legal copies of Windows to a different computer. They haven't looked back since.


Ernie Ball? As in the guitar strings manufacturer? /me Googles... yep. Cool.

I'm going to d\l the latest version of KNOPPIX, anyway, and let them have a try. The main issue would be a desktop publishing program. They currently use M$ Publisher (yeargh), but I did some Googling, and OOo isn't too shabby. Someone also recommended Scribus. I have zero experience with DP programs, but I may get these going to let them use it.

Thought of another issue: printer compatibility. They have a quite spiffy Oki ES3037e, and it gets used constantly. It must be 100% compatible. Oki themselves doesn't provide drivers for Linux. (Mac, but not Linux? C'mon, people... it's only a step away) LinuxPrinting reveals that there are a few efforts to have support for Linux, even inside the company. It might work, might not. This would definitely be the cornerstone. It must work. I wonder if WINE can emulate drivers?

A fully Linux environment would make my life a whole lot easier, I can tell you that much.
 
Jul 2, 2005 at 4:45 PM Post #26 of 29
Quote:

Originally Posted by stevesurf
One small question by the original thread starter!
The VoIP router and WAP/Router are converged...here is the Linksys / Vonage version



Thanks! I'm gonna go email AT&T to see if this will work with their service.

Would something like this work:

step 1: Downstairs PC > 10/100 Ethernet card > Access Point (wired)
step 2: Upstairs PC > Wireless G card > Access Point
step 3: Access Point > BSD router
step 4: BSD router > VoIP router (ethernet input) > Cable Modem (from the WAN (output) of the VoIP router)
 
Jul 2, 2005 at 8:30 PM Post #27 of 29
Quote:

Originally Posted by Stephonovich
Ernie Ball? As in the guitar strings manufacturer? /me Googles... yep. Cool.

I'm going to d\l the latest version of KNOPPIX, anyway, and let them have a try. The main issue would be a desktop publishing program. They currently use M$ Publisher (yeargh), but I did some Googling, and OOo isn't too shabby. Someone also recommended Scribus. I have zero experience with DP programs, but I may get these going to let them use it.



I use Scribus daily and it's a very good DTP program and I also use it for generating .pdf files.
 
Jul 7, 2005 at 1:43 AM Post #28 of 29
Good news - Linksys (and Microsoft, so client is taken care of) are now officially supporting WPA2, AKA 802.11i. I just checked, and Dell apparently released drivers for all their built-in cards as well. Other vendors are following suit, for the most part.

This is wonderful news for me. No more worries about weak security. Of course, this will be cracked in due time, but for now, I'm ecstatic. So much easier than dealing with a RADIUS or NoCat server.

Yay!
 
Jul 7, 2005 at 6:26 AM Post #29 of 29
Quote:

Originally Posted by Stephonovich
Good news - Linksys (and Microsoft, so client is taken care of) are now officially supporting WPA2, AKA 802.11i. I just checked, and Dell apparently released drivers for all their built-in cards as well. Other vendors are following suit, for the most part.

This is wonderful news for me. No more worries about weak security. Of course, this will be cracked in due time, but for now, I'm ecstatic. So much easier than dealing with a RADIUS or NoCat server.

Yay!



yay! now you just have to make sure the users won't give away the key for a candy bar!
 
