From: Saphirus Sage
Date: Thu, 29 Jan 2009 15:39:40 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Locking down a wireless network
Message-ID: <4982140C.6020007@gmail.com>
In-Reply-To: <49bf44f10901291230h7ccc4d5flea56e903f1c654e3@mail.gmail.com>
References: <49bf44f10901290940p3ab050cep2e5bd985ee901fde@mail.gmail.com> <58965d8a0901290950v3183b14bra1ca458c3ee255d9@mail.gmail.com> <49bf44f10901291230h7ccc4d5flea56e903f1c654e3@mail.gmail.com>

Grant wrote:
>>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>>> DHCP. I'd like to take this a step further in case my WPA key gets
>>> hacked. Can I issue only certain IPs to certain MAC addresses?
>>>
>>> Does WPA2 require hardware support?
>>>
>> I don't think so. It should just be a driver/firmware update if you've
>> got some device that supports WPA and not WPA2. The AES encryption of
>> WPA2 requires a little more hardware power than WEP or WPA normally
>> uses, but I don't think it needs any special chip or anything like
>> that.
>>
>> You can also do VPN over your wifi connection, and require it for
>> access to the rest of your network or the internet. At least then if
>> someone hacks your wireless key, they still can't do anything without
>> having your VPN certificate.
>>
>
> It sounds like VPN may be the strongest thing going. Could I turn off
> WPA and keep everything hidden within the VPN? Could I use a password
> instead of a certificate for access? Is the only downside that the
> client needs to have VPN software installed?
>
> - Grant
>

That's not much of a downside; VPN encryption (IPsec, SSL, L2TP, and
maybe PPTP) is usually more secure than the datalink-layer WPA or WPA2
anyway.

As for whether you can set it up without a certificate, I believe that
PPTP and L2TP can operate with nothing more than a "shared secret". But a
certificate just makes it all the more secure. And yes, your transmitted
data will still be encrypted in a VPN even if you're using an open
wireless hotspot.
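An added example, not code from this thread or from any of its posters: a POSIX shell audit of a hostapd.conf, assuming the Gentoo router runs hostapd as its access point. It flags the settings the thread touches on from the defender's side: an open network, WPA1 instead of WPA2, the TKIP cipher rather than AES-CCMP, and a short pre-shared key. The hostapd option names used (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase) are real; the two sample configs, the file names and the 20-character passphrase minimum are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a hostapd.conf for weak
# wireless settings and returns non-zero if any are found. Both sample
# configs below are constructed for illustration.

# cfg_get FILE KEY: print the value assigned to KEY (last assignment wins,
# lines that do not start with KEY= are ignored, so "#" comments are skipped).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Minimum passphrase length this audit insists on for WPA-PSK. hostapd itself
# only requires 8 characters; 20 is this example's policy choice, not a hostapd rule.
MIN_PSK_LEN=20

# audit_hostapd_conf FILE: print one finding per line, return 1 if any were found.
audit_hostapd_conf() {
    ah_file=$1
    ah_bad=0
    ah_wpa=$(cfg_get "$ah_file" wpa)
    ah_kmgmt=$(cfg_get "$ah_file" wpa_key_mgmt)
    ah_pair=$(cfg_get "$ah_file" rsn_pairwise)
    # For WPA2, hostapd falls back to wpa_pairwise when rsn_pairwise is unset.
    [ -n "$ah_pair" ] || ah_pair=$(cfg_get "$ah_file" wpa_pairwise)
    ah_psk=$(cfg_get "$ah_file" wpa_passphrase)

    # wpa= selects the protocol: 0/unset = open, 1 = WPA1 only, 2 = WPA2 only,
    # 3 = both (a WPA1-only client can still associate, so the weaker mode stays live).
    case "$ah_wpa" in
        2) ;;
        0|"") echo "$ah_file: no WPA configured, network is open"; ah_bad=1 ;;
        1) echo "$ah_file: wpa=1 is WPA1 only, use wpa=2"; ah_bad=1 ;;
        3) echo "$ah_file: wpa=3 keeps WPA1 enabled alongside WPA2"; ah_bad=1 ;;
        *) echo "$ah_file: unrecognised wpa=$ah_wpa"; ah_bad=1 ;;
    esac

    # Pairwise cipher: TKIP is the RC4-based WPA1 cipher, CCMP is the AES one.
    case "$ah_pair" in
        *TKIP*) echo "$ah_file: pairwise cipher list '$ah_pair' includes TKIP"; ah_bad=1 ;;
        "") echo "$ah_file: no pairwise cipher set, hostapd's default list includes TKIP"; ah_bad=1 ;;
    esac

    # Passphrase length only matters for pre-shared keys (hostapd's default
    # key management is WPA-PSK, so an empty wpa_key_mgmt counts as PSK too).
    case "$ah_kmgmt" in
        ""|*WPA-PSK*)
            if [ -n "$ah_psk" ] && [ "${#ah_psk}" -lt "$MIN_PSK_LEN" ]; then
                echo "$ah_file: wpa_passphrase is ${#ah_psk} chars, policy minimum is $MIN_PSK_LEN"
                ah_bad=1
            fi ;;
    esac
    return "$ah_bad"
}

# make_samples DIR: write a weak and a hardened config (both constructed).
make_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: WPA1 with TKIP and a short passphrase
interface=wlan0
ssid=homenet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=letmein1
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: WPA2 only, AES-CCMP, long passphrase
interface=wlan0
ssid=homenet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Replace-With-A-Long-Random-Passphrase
EOF
}

# Stand-alone run: audit both samples and report the clean one.
sample_dir=$(mktemp -d)
make_samples "$sample_dir"
for cfg in "$sample_dir/weak.conf" "$sample_dir/hardened.conf"; do
    if audit_hostapd_conf "$cfg"; then
        echo "$cfg: no weak settings found"
    fi
done
rm -rf "$sample_dir"
```

On a real router the call is simply `audit_hostapd_conf /etc/hostapd/hostapd.conf` (path assumed). Passing the audit only hardens the link layer; it does not replace the VPN the thread recommends, which protects traffic even when the wireless key is compromised. Likewise, a fixed MAC-to-IP mapping of the kind Grant asks about is an addressing convenience rather than an access control, since the MAC address is supplied by the client.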