Archived from groups: alt.internet.wireless
Al Dykes wrote:
>In article <382vd.73033$Dm2.3921@bignews1.bellsouth.net>,
>Jerry Park <NoReply@No.Spam> wrote:
>
>
>>Al Dykes wrote:
>>
>>
>>
>>>Is there any security solution for a WiFi location where the users are
>>>utterly non-technical, and trying to get them to type in WEP codes is a
>>>futile exercise?
>>>
>>>It's reasonable to require users to have fully-patched w2k or XP
>>>systems (and piss off a couple people that have w/98 laptops.)
>>>Needless to say, these are personal laptops, so I can't force anything
>>>on them.
>>>
>>>There is no on-site technical staff. If all we can come up with is
>>>MAC filtering, it would take a week or two for someone to get around
>>>to updating the AP with a new member's address. We are talking
>>>about a handful of laptops.
>>>
>>>Suggestions?
>>>
>>>Thanks.
>>
>>Are you concerned that the WiFi users may infect your network or
>>concerned that a compromised WiFi user may infect other WiFi users?
>>
>>I'd suggest turning off file sharing for the WiFi subnet (and possibly
>>port 25 to prevent spamming from your network). If the users can't
>>connect to file systems on your network, it will be difficult to place a
>>virus/trojan on that network.
>>
>>
>
>
>It's their network, such as it is. It's essentially just a
>closed-membership internet cafe with a WiFi AP. The space is a tenant
>in a Manhattan office building; several other APs are visible, so snooping
>and hacking from the outside are a risk.
>
>I'd also like to use this as a lesson to the membership about Safe
>Computing, but that's my agenda, not theirs. These are utterly
>non-technical business people. They are mature enough that they
>won't be hacking. Catching a virus that spams is a possibility, but
>I've had some progress in teaching about AV practices and if an
>incident did happen I'd use it as a teaching point.
>
>My #1 priority is to prevent easy snooping because everyone uses
>their passwords to log into webmail and other online services.
>Protecting members' machines from being hacked is secondary,
>and Zone Alarm would go a long way in addressing that.
>
The simplest for that is to set up WPA access to the wireless network.
WEP can be compromised fairly easily, but WPA is generally secure. Since
you indicate the members using the network are non-technical and don't
want something like that, I don't know. It's easy to set up WPA on the
wireless device and easy to set it up on the client. Once set up, you
don't have to worry about it -- it just works. (You just have to type in
a key once).
If your members connect to their web mail, etc. with a secure connection
-- that should protect them.
The only other thing I can think of is setting up the system to require
VPN to connect. Since that is more work than setting up WPA, I suppose
that is not an option.