Axiom Home Page Forums General Discussion The Water Cooler Ain't WiFi great?

As long as we're on this wifi security subject, here's another tip for everyone.

For god's sake, don't plug your wi-fi access point into a hub! I recommend using only switches in most cases, but especially this one. You don't want your wired traffic being broadcast into the airwaves as well.

A brief note: even with a switch, there is broadcast traffic. It's best to use a WiFi on a DMZ port. In much smaller (most?) installations, use the WiFi router as the router for the network where possible.

One objection to using it on a DMZ is that it then becomes more visible to the outside world. A few good reasons to use a DMZ is for web or e-mail servers, or possibly a VPN, if you keep the wireless behind or within your router I think is the best choice. If you use NAT (Network Address Translation) then it is even more difficult to get into your network. One idea we were thinking here is using a server to authenticate wireless accounts to allow access to the trusted network. Separating them by using VLAN security which the Cisco AP's support with firmware 12.00 and up.

Hmm. One of our network guys is recommending it for the client I'm at right now (waiting for someone to show). I wonder what his response to that would be. He had a good reason when he explained it to me... Why would it be more visible to the outside world? The DMZ is just another port on the firewall. I don't see a way to hook up the wireless to anything without a switch or hub without putting it on a separate network, such as the DMZ. NAT is not really security, it is just obfuscation. However, the last line of yours sounds pretty good to me.

The DMZ is another port on the firewall but specifically to make for easier access from outside of it. Hence web servers and e-mail server access. Doesn't make sense to put a access point on it, unless you can filter ports going in both ways to your trusted and outside networks. But then you'd have to be using something like Cisco PIX or Nokia firewalls. But putting such a device there can make the temptation of getting into it that much greater, and potentially easier to hack from the outside without having to know the SID or WEP keys. Simply telnet into it and change the keys from outside the network unless your firewall blocks port 23. All our webservers, VPN's and e-mail servers reside in the DMZ here. But we use Nokia firewalls to block traffic both ways in/out of it.

We're working with SonicWalls. I'll have to check with my guys about whether this is reasonable. I'm still learning the network stuff!

SonicWalls seem to work pretty well...until they start dying on you.

Had one die on me a few weeks ago. It was a 100. They replaced it after we reinstated the warranty with a 320. Not too shabby.,..

Yeah, I work for a consulting company and we were installing them for clients for a while, but too many seemed to die after a year or two. Low end firewall installs are PIX now. Raptor for the better ones.

Dear friends,

We recently moved to a new house (good). Qwest is still our dsl/phone provider (must...control...fist...of...death...). Where we want to put the computer, there is no phone jack (annoying). So, I'm thinking of taking the wi-fi plunge in anticipation of also getting a wireless laptop in the not-too-distant future.

So, can anybody help me with specific SoHo wireless router or access point model advice? I have a Cisco dsl modem and a Netgear firewall/router now. The plan is to put the modem and wireless thingy in an upstairs bedroom and add a wireless PCI card to the main PC in the living room and possibly to the one in the kids room.

Keep in mind that the more I spend on networking, the less I have to spend on home theatre. Maybe I should just run cat5 everywhere anyway...

I only aspire to your geekdom, so be gentle. TIA for sharing your wisdom and guidance.