creating a new hotspot

Jim Carter jimc at math.ucla.edu
Wed Sep 11 14:47:06 EST 2002


On Tue, 10 Sep 2002, Daniel Curry wrote:

> Management has OK'd the use of wireless in our office, IF it is outside
> the firewall (DUH!) and requires authentication.

> What I need is a step by step (1...2...3...) guide and the appropriate
> software to make this into a WAP. I understand that there will probably
> be kernel rebuilds and such, that is why I am asking for a step by step
> guide, because I don't do kernels all that well.

> What else do I need? The users all have a VPN client on their notebooks
> for home use, so this is just a logical extension.

First, don't mess with monolithic kernels; use modules for your device
drivers, specifically this one. It's much easier when you want to upgrade
your driver. Most Linux distros are set up this way, like SuSE, Red Hat...

I would recommend commandeering about US$ 120 from the beer and pizza fund,
and buying an off-the-shelf access point. I have had good luck with the
Agere Orinoco AP-200 and the Linksys WAP11. (Unless the main motivation is
for you to learn how to build driver modules and to use the host-AP Linux
driver.) A real big advantage of an AP, particularly in an office
environment, is that you can place it up high, above steel filing cabinets,
steel desks, water-filled moving life forms, etc. Also the Linksys AP (not
the Orinoco) has a better antenna than a PCMCIA wireless card does. Thus
your signal strength and coverage will be much better than if you try to
use an old laptop at desk level, and you will spend a lot less than $120
worth of programmer time to set it up.

As for security issues, I can think of a few.  Anyone can associate with
your AP unless you use WEP.  Anyone with a copy of AirSnort can associate
with your AP even if you do use WEP, but at least it will keep the majority
of low-grade leeches and snoopers from wasting your bandwidth.

Your DHCP server should only give IP addresses to users whose MAC address
is registered with you -- I assume this is a small office with infrequent
visitors needing service.  Of course anyone with a copy of AirSnort can
view the packets and determine your subnet and identify a currently unused
IP address, and just set it into his wireless card.

Your firewall should have a separate Ethernet port for the wireless, and
should only pass packets (to the company net or to the internet) if they
have a registered MAC address.  Of course anyone with a copy of AirSnort
can determine the MAC addresses commonly used on your ether, and which one
is currently not being used, and he can force his wireless card to use that
one.

In short, you can't keep a seriously motivated industrial spy from using
your wireless net on the same terms as an employee. Nor can you keep him
from throwing packets at your firewall from the global internet. Management
is wise to demand that the wireless net be outside the firewall.
Nonetheless, the combination of WEP and registered MAC addresses should be
sufficient that neighbors won't be able to use your expensive internet
connection to download copyrighted music files.

On the authentication issue, it should be sufficient for employees to use
the same technology (ssh for pure Linux; VPN for Windows) that they do from
home, since the threat of snooping or packet injection is pretty much the
same.

Likely your neighbors have wireless nets of their own.  Try to coordinate
channel assignments for minimum interference.  802.11b should use channel
1, 6 or 11 (in the USA).

Good luck!  I think you'll like not being tied to your desk, and having
global net information at your fingertips when you're in a colleague's
office or a meeting.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA  90095-1555
Email: jimc at math.ucla.edu    http://www.math.ucla.edu/~jimc (q.v. for PGP key)
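The "registered MAC only" setup the reply sketches (wireless on its own firewall port, DHCP leases only to known MACs, firewall forwarding only their frames) as an added example, not code from the original message or its author. It generates an ISC dhcpd fragment and iptables FORWARD rules from a small inventory; the interface name eth2, the subnet and the MAC/host values are constructed assumptions. As the reply itself notes, this only keeps out casual users, since a MAC address can be copied.

```python
"""Generate DHCP and firewall configuration that admits only registered
wireless MAC addresses on a dedicated firewall interface."""
import re
from typing import Dict, List, Tuple

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample inventory: hostname -> (MAC, fixed address).
# Assumed values, not taken from the original message.
REGISTERED: Dict[str, Tuple[str, str]] = {
    "alice-laptop": ("00:02:2d:1a:2b:3c", "192.168.50.10"),
    "bob-laptop": ("00:02:2d:4d:5e:6f", "192.168.50.11"),
}


def normalize_mac(mac: str) -> str:
    """Lower-case, accept '-' separators, and reject malformed MACs."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return mac


def dhcpd_conf(registered: Dict[str, Tuple[str, str]],
               subnet: str = "192.168.50.0",
               netmask: str = "255.255.255.0") -> str:
    """ISC dhcpd fragment: deny unknown clients on the wireless subnet and
    give each registered MAC its own host block with a fixed address."""
    lines = [f"subnet {subnet} netmask {netmask} {{",
             "    deny unknown-clients;", "}"]
    for name, (mac, addr) in sorted(registered.items()):
        lines += [f"host {name} {{",
                  f"    hardware ethernet {normalize_mac(mac)};",
                  f"    fixed-address {addr};", "}"]
    return "\n".join(lines) + "\n"


def forward_rules(registered: Dict[str, Tuple[str, str]],
                  wifi_if: str = "eth2") -> List[str]:
    """iptables FORWARD rules for the wireless-only interface (assumed eth2):
    accept frames from registered source MACs, drop everything else."""
    rules = [f"iptables -A FORWARD -i {wifi_if} -m mac "
             f"--mac-source {normalize_mac(mac)} -j ACCEPT"
             for _, (mac, _) in sorted(registered.items())]
    rules.append(f"iptables -A FORWARD -i {wifi_if} -j DROP")
    return rules


if __name__ == "__main__":
    print(dhcpd_conf(REGISTERED))
    print("\n".join(forward_rules(REGISTERED)))
```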
