Wireless security

mep

Distinguished
Dec 31, 2001
50
0
18,630
I am considering purchasing a wireless network and have some security concerns.

My big question is if the network has WPA security would also using a VPN make it more secure??

Also, who makes the best wireless hardware that is user friendly?

Thanks,
MEP
 

mep

I just spoke to a friend in the wireless industry. He told me that for ultimate security (Intel does this) you should use a VPN to tunnel through the wireless connection.

He also said that Linksys makes pretty good stuff.

Regards,
MEP
 

peartree

Distinguished
Sep 7, 2001
441
0
18,780
Did your buddy also mention the cost in dollars of paying for a VPN connection and that the connection is only good between two specific computers or networks? If not, you may be in for a nasty shock.



=== SHOPPINGMAN!!! Never assume ANYTHING ====
 

mep

I understand that you can only make a connection between 2 computers using VPN. I was thinking about either using a router with VPN capability or creating a file server that interfaces with the WLAN router to provide internet access to the router.

I thought Win 2K and XP provide ipsec VPN capability in the software. So I thought the costs would be minimal. I was also thinking the VPN capability would allow remote access to my network when I was traveling.

I also thought I could turn on and off the VPN when I attach to other people's wired networks.

Let me know if I am off base.
Thanks,
MEP
 

peartree

You're almost right. Win 2K, at least, has a VPN >client< built in. That means that it will connect to a VPN server. It is NOT, however, a VPN server itself. That's where the big bucks come in. You have to either buy a VPN server yourself (ridiculously expensive) or pay for a VPN service (merely too expensive for mere mortals).

What I didn't get out of your original post is why you think you need a VPN tunnel in the first place. I see you've covered that in this post. XP, at least, has built-in capability to allow you access to your machine from the Internet. It's called Remote Desktop. Clients are available for some versions of Windows. The one fly in the soup is that you have to have access to your system via an IP address. Most broadband ISPs don't like handing out static IP addresses and will want you to pay for one. Still, it's cheaper than paying for VPN services...

=== SHOPPINGMAN!!! Never assume ANYTHING ====
 

mep

Actually the VPN was for 2 reasons.

1) To access my home machine's data remotely. 2) To improve security of the wireless access point.

I appreciate the clarification on the VPN solutions. I didn't realize the high costs to build a VPN server.

I thought that there were some AP solutions that contain VPN servers for about $200. Check out the links
http://www.linksys.com/products/product.asp?grid=33&scid=35&prid=565
http://www.tomsnetworking.com/Reviews-143-ProdID-2900G.php

I thought as long as you are in a single broadband session you would have the same IP address. My router is always connected to the modem, theoretically creating a constant IP address. I understand that if I turn everything off and back on it would change the IP address and I would have to update the VPN software.

Thanks for the help,
Mark
 

peartree

"I thought as along as you are in a single broadband session you would have the same ip address."

More or less true. The 'less' part comes when you try to access that IP from the Internet. What you're actually seeing is actually an Internet gateway IP and not one accessible from the Internet. It's kind of like NAT on a huge scale. I know this because I've been through the same thing. I wanted to do exactly what you do. I found that what looked like my IP, from the Internet end, didn't exist. So, even if you bought a VPN server appliance, you'd more than likely end up having to buy (monthly cost) a static IP from your ISP. Check with them, but I'll bet that's what they say. I know that in my case, my ISP has stated in their online terms of use that anything remotely like trying to operate your system as a server will cause you to lose your account. Period.

Now, as for the security end of it, if you feel that strongly that your router and (maybe) an additional software firewall can't keep you safe, then buy yourself a HARDWARE firewall appliance. There isn't much better protection than that.

And, finally, get yourself a free subscription to the Lockergnome newsletters. You can get a whole lot of info about such stuff and you can mail in questions like this, secure in the knowledge that the huge readership can almost always help you out. Their subscriptions are near 1,000,000. Go to www.lockergnome.com.

=== SHOPPINGMAN!!! Never assume ANYTHING ====
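
The check described in the post above (the address your router reports versus the address the Internet actually sees), as an added example that is not part of the original thread. The function names are illustrative and the sample addresses are constructed, using documentation ranges as stand-ins for real public addresses.

```python
import ipaddress

# Address blocks that are never routable from the public Internet.
NON_PUBLIC = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 carrier-grade NAT": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}


def classify(addr):
    """Return the name of the non-public block holding addr, or 'public'."""
    ip = ipaddress.ip_address(addr)
    for name, blocks in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(b) for b in blocks):
            return name
    return "public"


def inbound_reachability(router_wan, seen_from_internet):
    """Compare the router's WAN address with the address a remote site sees.

    router_wan: address shown on the router's WAN/status page.
    seen_from_internet: address reported by an external "what is my IP" check.
    """
    wan_class = classify(router_wan)
    if wan_class != "public":
        return f"unreachable: WAN address is {wan_class}, so the ISP translates it"
    if ipaddress.ip_address(router_wan) != ipaddress.ip_address(seen_from_internet):
        return "unreachable: WAN address differs from the one seen outside, ISP NAT in path"
    return "reachable: WAN address is public and matches what the Internet sees"


if __name__ == "__main__":
    # Constructed samples: (router WAN address, address seen from outside).
    samples = [
        ("100.72.3.4", "203.0.113.9"),    # ISP hands out carrier-grade NAT space
        ("10.44.0.17", "203.0.113.9"),    # ISP hands out RFC 1918 space
        ("203.0.113.9", "198.51.100.7"),  # public-looking, but translated again
        ("203.0.113.9", "203.0.113.9"),   # a real public address on the router
    ]
    for wan, outside in samples:
        print(f"{wan:>13} / {outside:<13} -> {inbound_reachability(wan, outside)}")
```

A "reachable" result only means no ISP-level translation is in the way; the address can still change between sessions, and the ISP's terms may still prohibit running a server.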
 

peartree

Just came across this. It might be a better option-

App Offers Easy Remote Access
By Andrew Garcia
April 19, 2004





01 Communique's I'm InTouch 3.5 provides easy remote access to firewall-protected PCs via secured Web communications, giving access to data and applications without the hassles of setting up a VPN or reconfiguring the firewall.

A subscription to I'm InTouch is priced at $99.95 per host computer per year. The subscription price includes product updates, technical support and unlimited usage. Version 3.5 started shipping last month.

Read more at http://www.eweek.com/article2/0,1759,1568277,00.asp.



=== SHOPPINGMAN!!! Never assume ANYTHING ====
 

mep

Wow!! Thanks for the info about the broadband ISP. Too bad their NAT can't keep people out of my machine.

I use a router with a NAT in it and ZoneAlarm software. Check out this site; it's called Shields Up!!. I used it to ensure my ports were closed.
https://grc.com/x/ne.dll?bh0bkyd2

Now back to my original question. How can I make a wireless connection as secure as my wired connection?? Do WPA and 802.1x cut it??

Thanks,
MEP
 

peartree

You're welcome. Thanks for passing on info about Shields Up!, but I've been using Steve Gibson's www.grc.com for a long time. I first started using his software on my own system in 1990. You might want to look in on their newsgroups to keep yourself up to date on security matters.

Now, on to your situation.

Firewall software is going to do no good at all if you don't run it on the desktop machine AND your laptop. Both sides need to be protected. Fortunately, the newest version of ZoneAlarm has the ability to protect both. Get yourself the newest version and when you install it, make sure you enable 'Mobile Protection'.

Firewall software, though, is really only half the story (or less). In this day and age, especially when you throw in a broadband connection, you need both firewall AND anti-virus software. The easy way about it is to use an integrated solution. Being in the middle of writing a review of this kind of software right now, I can recommend F-Secure Internet Security 2004 as a good product with a reasonable price. It has firewall, antivirus, anti-Trojan, and spyware protection, amongst other things. It's not the only one, but it is a very reasonable $69 or so a year. Given the sheer volume of new viruses and other threats these days, companies are forced to keep a large (and very busy) staff around to work on a daily basis. That makes the software you see only the visible end of it. You're really buying a service package. It's not uncommon to see over 100 new virus signatures a day.

So, there you are. Installing the new ZoneAlarm on both sides should keep you safe.

I'm puzzled, though. You say that NAT doesn't keep people out of your machine? Why not? The only machine which will show an IP to the net is the router. All your computers don't have visible IPs, just locally accessible subnet IPs.

=== SHOPPINGMAN!!! Never assume ANYTHING ====
 

mep

You're welcome as well.

I have been using the free version of ZoneAlarm. I am unsure if it has mobile protection. When I buy the laptop I will make sure I have the proper protection. I was planning on leaving my desktops behind the NAT.

I have been using NAV for about 6 years now. Ever since I got an Internet connection at home. I also use a registry watchdog to prevent unauthorized access to the registry. Check it out. www.winpatrol.com

I am interested in an all-in-one solution because I think it would require less processor overhead. I will check out F-Secure Internet Security 2004.

I am sorry for the confusion about the NAT. I meant if the ISP is using a NAT on a grand scale too bad it can't prevent people from accessing my computer.

Thanks,
MEP
 

peartree

Quite all right. I'm glad that you're protected. You can rest easier in knowing that the newest version of ZoneAlarm Free does protect mobile users as well as fixed installations.

As for WinPatrol, you're right, it's a great program. I'm a registered user of WinPatrol Plus.

Unfortunately, the only place I can point to your error is the idea that an integrated program will result in less processor overhead. That is not always the case. Even these days, it's remarkably hard to judge how much of a load a particular program puts on your system. If you have a reasonably modern system (CPU speed over 1 GHz), then it really shouldn't make a big difference to your system's performance. I have to admit that I have a hard time imagining where running firewall software would be noticeable, except if you were running a few of the most modern games on an older system with outdated hardware. If that's the case, then you have more problems than security software.

As for the ISP, that's exactly what happens. Their servers do the routing to the actual customers' lines and what you think is your IP is not necessarily going to remain the same the next time you log in. That goes double if you're using DSL, since you dial in every time you go to connect (as I understand it).
As you note, it still can't stop Bad Guys from going after your system, if they want to. Your system, after all, does have an IP address, however temporary. Your vulnerability exists because these crackers run software that probes huge numbers of IPs, one by one in order. Sooner or later, they'll get to YOU. As soon as they get a response, other software goes to work and you're under attack. The good thing about firewalls like ZoneAlarm is that they try to keep anyone out there from getting a response from your system. They do it by ignoring most outside requests. The only ones they let through are: #1) requests generated by you or your software, or #2) connection maintenance traffic generated by your ISP (and even that is monitored). The birth of what are called 'Blended threats' has upped the battle. Then throw in spoofing and all the other threats and you can be sure that the wages that security experts get are well earned. Top that off with the fact that the threats change on an almost hourly basis...

Now, how does all this apply to your original plan of buying a laptop? This becomes a little subjective, but I can offer a few guidelines, I think. First, I'd look for no less than a 1.5 GHz (P4M) or 1500+ Athlon CPU. Any less than that and you're not going to get the performance you want. It's really tough having a decently fast desktop and then trying to get used to losing half that performance every time you turn on the laptop. I'm going to be in the market for one, myself, so I know what's going on. Fortunately, prices are coming down all the time. I've seen reasonable prices on 2200+ laptops, lately. Second, I wouldn't settle for any less than 256 megs of RAM and I'd make sure that adding RAM was something I could do without taking it in for service.
Then you add in a 40 gig minimum hard drive, USB 2.0 ports, and the rest of the goodies.

That should give you a good shot at running whatever you want to without worrying too much about CPU load.

=== SHOPPINGMAN!!! Never assume ANYTHING ====