Posted on 04/15/2002 11:39:48 AM PDT by Tumbleweed_Connection
Edited on 04/13/2004 2:16:31 AM PDT by Jim Robinson. [history]
No typo; I subtracted two from 256. I figured .0 is the net and .256 is the broadcast?
In case you couldn't tell- I know more about TCP/IP theory than practice. :)
I don't think that's much of a concern with wireless networks. Current sniffing/scanning tools for the radio link won't yield IP addresses. Even conventional ethernet sniffers (like tcpdump) run against a wireless card will only see broadcast traffic, not everything on the link. And if the traffic is encrypted... well...
But my point was that IF you can play with the subnet mask to get the subnet small enough, you won't leave many free addresses for an intruder to camp out on. The best way is not to leave ANY. For example, a single host connected to a Linksys router box is perfect for a 255.255.255.252 netmask, because it only yields two usable host addresses. The intruder can't even get on the subnet; the router won't see his traffic.
Consider a netmask of 255.255.255.248 which yields six host addresses. You set up a subnet at 192.168.0.73 and put hosts at 0.74, 75 and 76. The rest of the addresses you deny in the packet filter. The intruder has no idea what netmask you're using. Suppose he assumes 255.255.255.0 and starts out with an IP of 192.168.0.0 -- even if he sniffs the router, he's never gonna talk to it. Even if he plops down on 192.168.0.77 right in the subnet, he's filtered out by the firewall. But if YOU want to put a host there, you simply take it out of the packet filter.
Sniffers are overrated. Design a network right and you don't need to worry about 'em.
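The subnet arithmetic in the post above, worked through as an added example (not code from the original post): it computes the network, broadcast and usable host range for a given host/netmask pair using Python's standard ipaddress module, and then models the router's view of a source address as "off-subnet" (not on the router's link), "filtered" (on the subnet but not in the packet-filter allowlist) or "allowed". The router address, the allowlist and the intruder addresses are the ones from the post; the three-way classification is an assumption made for illustration.

```python
import ipaddress

def describe_subnet(host_with_mask: str) -> dict:
    """Return the network, broadcast and usable host addresses for
    a host written as 'address/netmask', e.g. '192.168.0.73/255.255.255.248'.
    """
    net = ipaddress.ip_interface(host_with_mask).network
    hosts = [str(h) for h in net.hosts()]
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        "usable": hosts,
        "usable_count": len(hosts),
    }

def classify_source(router: str, router_mask: str, allowed: set, src: str) -> str:
    """Model the router's view of a packet from `src` (assumption for
    illustration: a simple on-link check followed by an address allowlist).

    'off-subnet': src is not inside the router's subnet, so the router never
                  treats it as a neighbour on the link.
    'filtered':   src is on the subnet but the packet filter denies it.
    'allowed':    src is on the subnet and in the allowlist.
    """
    net = ipaddress.ip_interface(f"{router}/{router_mask}").network
    if ipaddress.ip_address(src) not in net:
        return "off-subnet"
    if src not in allowed:
        return "filtered"
    return "allowed"

# The scenario from the post: router on .73 with a /29 mask and three hosts.
ROUTER = "192.168.0.73"
MASK = "255.255.255.248"
ALLOWED_HOSTS = {"192.168.0.74", "192.168.0.75", "192.168.0.76"}

if __name__ == "__main__":
    info = describe_subnet(f"{ROUTER}/{MASK}")
    print(f"/{info['prefix']}: network {info['network']}, "
          f"broadcast {info['broadcast']}, {info['usable_count']} usable hosts")
    print("usable:", ", ".join(info["usable"]))
    for probe in ("192.168.0.0", "192.168.0.77", "192.168.0.74"):
        print(probe, "->", classify_source(ROUTER, MASK, ALLOWED_HOSTS, probe))
```

Running it prints the /29 the post describes (192.168.0.72 network, 192.168.0.79 broadcast, six usable hosts .73 through .78), then shows the intruder's 192.168.0.0 guess landing off-subnet, .77 being filtered, and .74 being allowed. Swap in 255.255.255.252 to see the two-host case from the previous paragraph.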
Hey man- I'm desktop support, not helpdesk. May not be a big difference to you, but when you're the second to last man on the totem pole... :)
My apologies... I shouldn't post stuff late at night when I'm half asleep. I lump Desktop/Deskside and HelpDesk together because I get referrals from all of 'em.
CallWave might do what you want. I used it until I got a second phone line.
See http://www.callwave.com
Call me paranoid but I am very uncomfortable using any system that allows such easy access to my network.
It seems to me that for the money spent on the wireless access point, wireless NIC cards etc., you could spend the same amount and get a real 10/100/1000 Mbps connection using conventional Category 5 or 6 cabling.
I'm sure that for some instances it is the only workable solution and 11 Mbps sounds like a lot. BUT.... I have been using home networks for almost 10 years; in that time I have gone from Thin Coax (<1.5 Mbps) to Category 6 (currently 100 Mbps but soon to be 1000).
It seems that bandwidth requirements expand to meet whatever you have available. Never in my wildest dreams would I have imagined that I would have bandwidth issues running 100 Mbps at home, but nonetheless it happens.
I would suggest, as someone who does this for a living, save your money on equipment and get real connections run using real cables. It does limit your options as far as locations, but it is worth it for not only security but also speed and looking to the future...
Cheers,
knews hound
Fine. Now let me tell you why I DO use wireless. I am a former radio professional turned into a network engineer and security administrator, so I know both of these media and what they can do, and the risks involved.
I have a 100 Mbps wired network at home with six hosts and four laptops. I do some programming projects at home and I can telecommute, but I also have an office away from home. I use the laptops most of the time because they're convenient to use and all of them are equipped with wireless cards... so is my PDA.
It is NOT convenient to be dragging a 100-foot piece of CAT-5 behind me as I walk through the house with a laptop under my arm, because kids can trip on it and cats like to chew on it. It's not practical to stop running processes, unmount all of my NFS drives, vary the interface offline, disconnect the cable, walk to the living room, re-connect a cable, vary the interface up, re-mount my drives, logon to the "big" host and restart everything.
It's all about convenience. But you have to know what the medium does and what you can do with the medium. You wouldn't think of running a cable out to a waterproof enclosure on the back deck or the front porch because you know it's too easy for someone to come around with a long cable and plug in and sneak off somewhere to play; yet here's a wireless access point that your neighbors can play with and they don't even need a cable! It seems like the height of stupidity to do this, because you are bypassing your physical security and every precaution you have taken with your firewall, so you MUST keep security in mind when you set things like this up.
AND it's all relative. A wireless LAN can be made secure enough for my purposes, and I am careful about what I access on a wireless laptop. But it will never be as secure as a wired ethernet, just like a wired LAN will never be as secure as dumping all of your data onto CDROMs and accessing it that way.
So you take precautions. Change the ESSID. Set a good robust WEP key IN HEX that is not vulnerable to dictionary attacks. Change the key at least as often as you change your passwords; every three to six months is a good interval. Use the MAC filter to ensure that only YOUR cards have access. My security has been tested by some individuals who tried to get into my stuff for a solid three months before they finally gave up and moved on. I know this because I log every access attempt and I check my logs frequently.
Wireless LANs are very risky and high-maintenance, but some of us think they're worth the trouble. But you HAVE to understand what you're using, and deal with the risks appropriately.
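Two of the precautions in the post above (a hex WEP key that is not derived from a dictionary word, and a MAC filter whose access log is actually checked), as an added example that is not code from the original post. It generates a random 40- or 104-bit WEP key directly as hex digits (so there is no passphrase to guess), validates that a key has the right number of hex digits, and scans access-point association records against a MAC allowlist. The log format and the sample lines are constructed for this example; a real access point's log will look different, and the regular expression is the part to adapt.

```python
import re
import secrets

# WEP key sizes are usually quoted including the 24-bit IV (64/128-bit);
# the part you type is 40 or 104 bits, i.e. 10 or 26 hex digits.
WEP_HEX_DIGITS = {40: 10, 104: 26}

def generate_wep_key_hex(bits: int = 104) -> str:
    """Return a fresh random WEP key as upper-case hex digits.
    Using the OS CSPRNG directly means there is no passphrase to attack."""
    return secrets.token_hex(WEP_HEX_DIGITS[bits] // 2).upper()

def is_valid_hex_wep_key(key: str) -> bool:
    """True only for exactly 10 or 26 hex digits; an ASCII passphrase fails."""
    return re.fullmatch(r"[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26}", key) is not None

# Constructed sample of association records (not from any real AP).
SAMPLE_LOG = """\
Apr 15 02:11:03 ap wlan0: STA 00:02:2d:1a:2b:3c associated
Apr 15 02:11:09 ap wlan0: STA 00:30:ab:05:ee:f1 associated
Apr 15 02:12:44 ap wlan0: STA 00:02:2D:1A:2B:3C associated
Apr 15 02:13:01 ap wlan0: STA 00:50:da:c0:ff:ee associated
"""

# The MAC filter allowlist: only these cards are yours.
ALLOWED_MACS = {"00:02:2d:1a:2b:3c", "00:30:ab:05:ee:f1"}

_ASSOC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?STA (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) associated"
)

def unauthorized_attempts(log_text: str, allowed_macs: set) -> list:
    """Return (timestamp, mac) for every association by a MAC not in the
    allowlist. MACs are lower-cased so case differences in the log don't
    slip past the comparison."""
    allowed = {m.lower() for m in allowed_macs}
    hits = []
    for line in log_text.splitlines():
        m = _ASSOC_RE.match(line)
        if m and m.group("mac").lower() not in allowed:
            hits.append((m.group("ts"), m.group("mac").lower()))
    return hits

if __name__ == "__main__":
    key = generate_wep_key_hex(104)
    print("new 104-bit WEP key:", key, "valid:", is_valid_hex_wep_key(key))
    print("'password' valid as hex key:", is_valid_hex_wep_key("password"))
    for ts, mac in unauthorized_attempts(SAMPLE_LOG, ALLOWED_MACS):
        print(f"{ts}: association from non-allowlisted MAC {mac}")
```

The key generator is the part to run when rotating the key on the interval the post describes; the log scan is the kind of check worth running against whatever the access point actually records, with the regular expression adjusted to its format.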
Two reasons:
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.