WiFi Security for Semi-Public locations ?

Archived from groups: alt.internet.wireless

Is there any security solution for a WiFi location where the users are
utterly non-technical, and trying to get them to type in WEP codes is a
futile exercise.

It's reasonable to require users to have fully-patched w2k or XP
systems (and piss off a couple people that have w/98 laptops.)
Needless to say, these are personal laptops, so I can't force anything
on them.

There is no on-site technical staff. If all we can come up with is
MAC filtering, it would take a week or two for someone to get around
to updating the AP with a new member's address. We are talking
about a handful of laptops.

Suggestions ?

Thanks.


--
a d y k e s @ p a n i x . c o m
----
  1.

    Al Dykes wrote:

    >Is there any security solution for a WiFi location where the users are
    >utterly non-technical, and trying to get them to type in WEP codes is a
    >futile exercise.
    >
    >It's reasonable to require users to have fully-patched w2k or XP
    >systems (and piss off a couple people that have w/98 laptops.)
    >Needless to say, these are personal laptops, so I can't force anything
    >on them.
    >
    >There is no on-site technical staff. If all we can come up with is
    >MAC filtering, it would take a week or two for someone to get around
    >to updating the AP with a new member's address. We are talking
    >about a handful of laptops.
    >
    >Suggestions ?
    >
    >Thanks.
    >
    Are you concerned that the WiFi users may infect your network or
    concerned that a compromised WiFi user may infect other WiFi users?

    I'd suggest turning off file sharing for the WiFi subnet (and possibly
    port 25 to prevent spamming from your network). If the users can't
    connect to file systems on your network, it will be difficult to place a
    virus/trojan on that network.
  2.

    In article <382vd.73033$Dm2.3921@bignews1.bellsouth.net>,
    Jerry Park <NoReply@No.Spam> wrote:
    >Al Dykes wrote:
    >
    >>Is there any security solution for a WiFi location where the users are
    >>utterly non-technical, and trying to get them to type in WEP codes is a
    >>futile exercise.
    >>
    >>It's reasonable to require users to have fully-patched w2k or XP
    >>systems (and piss off a couple people that have w/98 laptops.)
    >>Needless to say, these are personal laptops, so I can't force anything
    >>on them.
    >>
    >>There is no on-site technical staff. If all we can come up with is
    >>MAC filtering, it would take a week or two for someone to get around
    >>to updating the AP with a new member's address. We are talking
    >>about a handful of laptops.
    >>
    >>Suggestions ?
    >>
    >>Thanks.
    >>
    >Are you concerned that the WiFi users may infect your network or
    >concerned that a compromised WiFi user may infect other WiFi users?
    >
    >I'd suggest turning off file sharing for the WiFi subnet (and possibly
    >port 25 to prevent spamming from your network). If the users can't
    >connect to file systems on your network, it will be difficult to place a
    >virus/trojan on that network.


    It's their network, such as it is. It's essentially just a
    closed-membership internet cafe with a WiFi AP. The space is a tenant
    in a Manhattan office building; several other APs are visible, so snooping
    and hacking from the outside are a risk.

    I'd also like to use this as a lesson to the membership about Safe
    Computing, but that's my agenda, not theirs. These are utterly
    non-technical business people. They are mature enough that they
    won't be hacking. Catching a virus that spams is a possibility, but
    I've had some progress in teaching about AV practices and if an
    incident did happen I'd use it as a teaching point.

    My #1 priority is to prevent easy snooping because everyone uses
    their passwords to log into webmail and other online services.
    Protecting members' machines from being hacked is secondary,
    and Zone Alarm would go a long way in addressing that.


    --
    a d y k e s @ p a n i x . c o m
    ----
  3.

    Jerry Park wrote:
    > I'd suggest turning off file sharing for the WiFi subnet (and possibly
    > port 25 to prevent spamming from your network). If the users can't
    > connect to file systems on your network, it will be difficult to
    > place a virus/trojan on that network.

    Even simpler is to put the WiFi network on a different subnet from any PCs
    on the wired network (if it exists). I do this at home; the cable modem is
    connected to my main router, which serves as a gateway on 192.168.0.1 to the
    main LAN. Then the WiFi router is connected off of a LAN port from the main
    router, and the WiFi router serves as a gateway on 192.168.1.1 to the WiFi
    LAN. Even if WiFi security is breached, no one can get to my main LAN.
    It requires two routers, but I would use them anyway because of the
    locations involved.
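
The replies above suggest three controls for the WiFi subnet: no file sharing, no port 25, and no path to the wired 192.168.0.x LAN. The following is an added example, not code from any poster: a first-match forward filter for the WiFi-side router, modelled in Python so the verdicts can be checked. The rule layout, function names and sample flows are assumptions; transport protocol is ignored for brevity.

```python
"""Added example: first-match forward filter for the WiFi-side router."""
import ipaddress

WIFI_NET = ipaddress.ip_network("192.168.1.0/24")   # WiFi LAN from the thread
MAIN_NET = ipaddress.ip_network("192.168.0.0/24")   # main LAN from the thread
FILE_SHARING_PORTS = {135, 137, 138, 139, 445}      # NetBIOS/SMB (Windows file sharing)

# (action, destination network or None for any, destination ports or None for any)
RULES = [
    ("drop", MAIN_NET, None),             # WiFi clients may not reach wired hosts
    ("drop", None, FILE_SHARING_PORTS),   # no file sharing out of the WiFi subnet
    ("drop", None, {25}),                 # no direct SMTP from infected laptops
    ("accept", None, None),               # everything else goes to the internet
]

def decide(src, dst, dport, rules=RULES):
    """Return 'accept' or 'drop' for a packet forwarded from the WiFi LAN."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in WIFI_NET:
        return "drop"                     # spoofed or misrouted source
    for action, net, ports in rules:
        if net is not None and dst_ip not in net:
            continue
        if ports is not None and dport not in ports:
            continue
        return action                     # first matching rule wins
    return "drop"                         # default deny if nothing matched

# Constructed sample flows; 203.0.113.10 is a documentation-range address.
SAMPLES = [
    ("192.168.1.23", "192.168.0.50", 445),   # WiFi laptop -> wired PC file share
    ("192.168.1.23", "192.168.0.50", 80),    # WiFi laptop -> wired PC web UI
    ("192.168.1.23", "203.0.113.10", 25),    # WiFi laptop -> outside mail server
    ("192.168.1.23", "203.0.113.10", 443),   # WiFi laptop -> HTTPS webmail
    ("10.9.9.9", "203.0.113.10", 443),       # source not on the WiFi LAN
]

def evaluate(samples=SAMPLES, rules=RULES):
    """Verdict for each sample flow, in order."""
    return [decide(s, d, p, rules) for s, d, p in samples]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLES, evaluate()):
        print(flow, "->", verdict)
```

With only the final accept rule in place, the first two sample flows are forwarded, which is why the explicit drop for the 192.168.0.0/24 destination is listed first.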
  4.

    Al Dykes wrote:

    >In article <382vd.73033$Dm2.3921@bignews1.bellsouth.net>,
    >Jerry Park <NoReply@No.Spam> wrote:
    >
    >>Al Dykes wrote:
    >>
    >>>Is there any security solution for a WiFi location where the users are
    >>>utterly non-technical, and trying to get them to type in WEP codes is a
    >>>futile exercise.
    >>>
    >>>It's reasonable to require users to have fully-patched w2k or XP
    >>>systems (and piss off a couple people that have w/98 laptops.)
    >>>Needless to say, these are personal laptops, so I can't force anything
    >>>on them.
    >>>
    >>>There is no on-site technical staff. If all we can come up with is
    >>>MAC filtering, it would take a week or two for someone to get around
    >>>to updating the AP with a new member's address. We are talking
    >>>about a handful of laptops.
    >>>
    >>>Suggestions ?
    >>>
    >>>Thanks.
    >>>
    >>Are you concerned that the WiFi users may infect your network or
    >>concerned that a compromised WiFi user may infect other WiFi users?
    >>
    >>I'd suggest turning off file sharing for the WiFi subnet (and possibly
    >>port 25 to prevent spamming from your network). If the users can't
    >>connect to file systems on your network, it will be difficult to place a
    >>virus/trojan on that network.
    >
    >It's their network, such as it is. It's essentially just a
    >closed-membership internet cafe with a WiFi AP. The space is a tenant
    >in a Manhattan office building; several other APs are visible, so snooping
    >and hacking from the outside are a risk.
    >
    >I'd also like to use this as a lesson to the membership about Safe
    >Computing, but that's my agenda, not theirs. These are utterly
    >non-technical business people. They are mature enough that they
    >won't be hacking. Catching a virus that spams is a possibility, but
    >I've had some progress in teaching about AV practices and if an
    >incident did happen I'd use it as a teaching point.
    >
    >My #1 priority is to prevent easy snooping because everyone uses
    >their passwords to log into webmail and other online services.
    >Protecting members' machines from being hacked is secondary,
    >and Zone Alarm would go a long way in addressing that.
    >
    The simplest for that is to set up WPA access to the wireless network.
    WEP can be compromised fairly easily, but WPA is generally secure. Since
    you indicate the members using the network are non-technical and don't
    want something like that, I don't know. It's easy to set up WPA on the
    wireless device and easy to set it up on the client. Once set up, you
    don't have to worry about it -- it just works. (You just have to type in
    a key once).

    If your members connect to their web mail, etc. with a secure connection
    -- that should protect them.

    The only other thing I can think of is setting up the system to require
    VPN to connect. Since that is more work than setting up WPA, I suppose
    that is not an option.
  5.

    Pl visit http://www.publicwifi.net for the answer to all your
    questions. They have what I believe is the best solution that has a
    captive gateway, content advisor and a firewall rolled and packaged
    into a single live CD. I am using it and it takes all of 1 hour to do
    the entire setup (including the 200MB download). After that all it
    takes is to boot and forget that you ever had a problem!
  6.

    "outbackwifi" <shivkumar@outbackwifi.com> wrote in message
    news:1102927906.437697.121360@z14g2000cwz.googlegroups.com...
    > Pl visit http://www.publicwifi.net for the answer to all your
    > questions. They have what I believe is the best solution that has a
    > captive gateway, content advisor and a firewall rolled and packaged
    > into a single live CD. I am using it and it takes all of 1 hour to do
    > the entire setup (including the 200MB download). After that all it
    > takes is to boot and forget that you ever had a problem!

    shame - i get site "coming soon" from yourdomain.com at that address...
    >
    --
    Regards

    Stephen Hope - return address needs fewer xxs