Sign in with
Sign up | Sign in
Your question

WiFi Security for Semi-Public locations ?

Last response: in Wireless Networking
Share
Anonymous
a b D Laptop
a b 8 Security
December 12, 2004 6:05:45 PM

Archived from groups: alt.internet.wireless (More info?)

Is there any security solution for a WiFi location where the users are
utterly non-technical, and trying to get them to type in WEP codes a
futile exercise.

It's resonable to require users to have fully-patched w2k or XP
systems (and piss off a couple people that have w/98 laptops.)
Needless to say, these are personal laptops, so I can't force anything
on them.

There is no on-site technical staff. If all we can come up with is
MAC filtering, it would take a week or two for someone to get around
to updating the AP with a new members's address. We are talkking
about a handfull of laptops.

Suggestions ?

Thanks.






--
a d y k e s @ p a n i x . c o m
----
Anonymous
a b D Laptop
a b 8 Security
December 12, 2004 6:05:46 PM

Archived from groups: alt.internet.wireless (More info?)

Al Dykes wrote:

>Is there any security solution for a WiFi location where the users are
>utterly non-technical, and trying to get them to type in WEP codes a
>futile exercise.
>
>It's resonable to require users to have fully-patched w2k or XP
>systems (and piss off a couple people that have w/98 laptops.)
>Needless to say, these are personal laptops, so I can't force anything
>on them.
>
>There is no on-site technical staff. If all we can come up with is
>MAC filtering, it would take a week or two for someone to get around
>to updating the AP with a new members's address. We are talkking
>about a handfull of laptops.
>
>Suggestions ?
>
>Thanks.
>
>
>
>
>
>
>
>
Are you concerned that the WiFi users may infect your network or
concerned that a compromised WiFi user may infect other WiFi users?

I'd suggest turning off file sharing for the WiFi subnet (and possibly
port 25 to prevent spamming from your network). If the users can't
connect to file systems on your network, it will be difficult to place a
virus/trojan on that network.
Anonymous
a b D Laptop
a b 8 Security
December 12, 2004 7:22:49 PM

Archived from groups: alt.internet.wireless (More info?)

In article <382vd.73033$Dm2.3921@bignews1.bellsouth.net>,
Jerry Park <NoReply@No.Spam> wrote:
>Al Dykes wrote:
>
>>Is there any security solution for a WiFi location where the users are
>>utterly non-technical, and trying to get them to type in WEP codes a
>>futile exercise.
>>
>>It's resonable to require users to have fully-patched w2k or XP
>>systems (and piss off a couple people that have w/98 laptops.)
>>Needless to say, these are personal laptops, so I can't force anything
>>on them.
>>
>>There is no on-site technical staff. If all we can come up with is
>>MAC filtering, it would take a week or two for someone to get around
>>to updating the AP with a new members's address. We are talkking
>>about a handfull of laptops.
>>
>>Suggestions ?
>>
>>Thanks.
>>
>>
>>
>>
>>
>>
>>
>>
>Are you concerned that the WiFi users may infect your network or
>concerned that a compromised WiFi user may infect other WiFi users?
>
>I'd suggest turning off file sharing for the WiFi subnet (and possibly
>port 25 to prevent spamming from your network). If the users can't
>connect to file systems on your network, it will be difficult to place a
>virus/trojan on that network.


It's their network, such as it is. It's essentially just a
closed-membership internet cafe with a WiFI AP. The space is a tenant
a Manhattan office building several other APs are visible, so snooping
and hacking from the outside are a risk.

I'd also like to use this as a lesson to the membership about Safe
Computing, but that's my adenda, not theirs. These are utterly
non-technical business people. They are mature enouygh that they
won't be hacking. Catching a virus that spams is a possibility, but
I've had some progress in teaching about AV practices and if an
indident did happen I'd use it as a teaching point.

My #1 priority is to prevent easy snoopiong because everyone uses
their passwords to log into webmail and other online services.
Protecting member's machines from being hacked is a secondary,
and Zone Alarm would go a long way in addressing that.















--
a d y k e s @ p a n i x . c o m
----
Related resources
Anonymous
a b D Laptop
a b 8 Security
December 12, 2004 7:22:49 PM

Archived from groups: alt.internet.wireless (More info?)

Jerry Park wrote:
> I'd suggest turning off file sharing for the WiFi subnet (and possibly
> port 25 to prevent spamming from your network). If the users can't
> connect to file systems on your network, it will be difficult to
> place a virus/trojan on that network.

Even simpler is to put the WiFi network on a different subnet from any PCs
on the wired network (if it exists). I do this at home; the cable modem is
connected to my main router, which serves as a gateway on 192.168.0.1 to the
main LAN. Then the WiFi router is connected off of a LAN port from the main
router, and the WiFi router serves as a gateway on 192.168.1.1 to the WiFi
LAN. Even if WiFi security is breached, no one can get to my main LAN.
It requires two routers, but I would use them anyway because of the
locations involved.
Anonymous
a b D Laptop
a b 8 Security
December 12, 2004 8:00:04 PM

Archived from groups: alt.internet.wireless (More info?)

Al Dykes wrote:

>In article <382vd.73033$Dm2.3921@bignews1.bellsouth.net>,
>Jerry Park <NoReply@No.Spam> wrote:
>
>
>>Al Dykes wrote:
>>
>>
>>
>>>Is there any security solution for a WiFi location where the users are
>>>utterly non-technical, and trying to get them to type in WEP codes a
>>>futile exercise.
>>>
>>>It's resonable to require users to have fully-patched w2k or XP
>>>systems (and piss off a couple people that have w/98 laptops.)
>>>Needless to say, these are personal laptops, so I can't force anything
>>>on them.
>>>
>>>There is no on-site technical staff. If all we can come up with is
>>>MAC filtering, it would take a week or two for someone to get around
>>>to updating the AP with a new members's address. We are talkking
>>>about a handfull of laptops.
>>>
>>>Suggestions ?
>>>
>>>Thanks.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>Are you concerned that the WiFi users may infect your network or
>>concerned that a compromised WiFi user may infect other WiFi users?
>>
>>I'd suggest turning off file sharing for the WiFi subnet (and possibly
>>port 25 to prevent spamming from your network). If the users can't
>>connect to file systems on your network, it will be difficult to place a
>>virus/trojan on that network.
>>
>>
>
>
>It's their network, such as it is. It's essentially just a
>closed-membership internet cafe with a WiFI AP. The space is a tenant
>a Manhattan office building several other APs are visible, so snooping
>and hacking from the outside are a risk.
>
>I'd also like to use this as a lesson to the membership about Safe
>Computing, but that's my adenda, not theirs. These are utterly
>non-technical business people. They are mature enouygh that they
>won't be hacking. Catching a virus that spams is a possibility, but
>I've had some progress in teaching about AV practices and if an
>indident did happen I'd use it as a teaching point.
>
>My #1 priority is to prevent easy snoopiong because everyone uses
>their passwords to log into webmail and other online services.
>Protecting member's machines from being hacked is a secondary,
>and Zone Alarm would go a long way in addressing that.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
The simplest for that is to set up WPA access to the wireless network.
WEP can be compromised fairly easily, but WPA is generally secure. Since
you indicate the members using the network are non-technical and don't
want something like that, I don't know. Its easy to set up WPA on the
wireless device and easy to set it up on the client. Once set up, you
don't have to worry about it -- it just works. (You just have to type in
a key once).

If your members connect to their web mail, etc. with a secure connection
-- that should protect them.

The only other thing I can think of is setting up the system to require
VPN to connect. Since that is more work than setting up WPA, I suppose
that is not an option.
Anonymous
a b D Laptop
a b 8 Security
December 13, 2004 3:51:46 AM

Archived from groups: alt.internet.wireless (More info?)

Pl visit http://www.publicwifi.net for the answer to all your
questions. They have what I believe is the best solution that has a
captive gateway, content advisor and a firewall rolled and packaged
into a single live CD. I am using it and it takes all of 1 hour to do
the entire setup (including the 200MB download). After that all it
takes is to boot and forget that you ever had a problem!
December 14, 2004 1:12:53 AM

Archived from groups: alt.internet.wireless (More info?)

"outbackwifi" <shivkumar@outbackwifi.com> wrote in message
news:1102927906.437697.121360@z14g2000cwz.googlegroups.com...
> Pl visit http://www.publicwifi.net for the answer to all your
> questions. They have what I believe is the best solution that has a
> captive gateway, content advisor and a firewall rolled and packaged
> into a single live CD. I am using it and it takes all of 1 hour to do
> the entire setup (including the 200MB download). After that all it
> takes is to boot and forget that you ever had a problem!

shame - i get site "coming soon" from yourdomain.com at that address...
>
--
Regards

Stephen Hope - return address needs fewer xxs
!