Thanks for the article link, I’m not sure if I want to attempt setting this up on my own, but you’ve given me great fodder for dinner table conversation with hubby tonight!

Windows will do that to you if you are not careful

Here is a quick article on using SSH to build a ‘poor mans’ vpn back to a home server… windows? I dunno if it will work. Windows SSH is… problematic at best. Works like a charm with *nix and macs.

Have you checked out the latest Ubuntu Linux? It pretty much rocked my socks off. I think that if it’s not at grandma level, it’s darn close. It even has a live-cd so you can try it with out totally destroying Winders.

You’re really a wealth of knowledge though! VPN is still a very new term to me, and as far as I knew (until about 10 minutes ago) VPN was just how people logged into their computers at work from home. *chuckle* I had to have my husband explain to me how it worked.

For me, it’s like this, just over a decade ago, I helped my husband run all the home networking stuff and I was current on security and securing our servers from the outside world. Today, I’ve become so attached to windows that it has crippled my memory of network security and caused all of my once really cool ability to geek with my husband to completely atrophy.

What I do remember though, is that there are always some very simple things that you can do that will make it that much harder for people to take advantage of you. This is true in life, and the internet. It doesn’t make sense not to do them, even if some schmoe can easily work his way around mac filtering, there will be some other schmoe that can’t figure out why your network doesn’t work for him anymore. And while you may be right, that those people who are trying to get on your network without knowing how to get around mac filtering likely have good intentions, the road to hell is still paved with them.

It just makes sense to do what you can, even if it’s simple and not necessarily the most effective means. Besides, Joe Neighbor could always come over and ask if you had a wireless network, and if you’d mind sharing some bandwidth. I know I’d be glad to let Joe Neighbor share some bandwidth if he hit a bad patch.

Still, I love your suggestions and am now going to spend the remainder of the day reading about how VPN works, so I can get a more refined understanding beyond “Well, it encrypts everything over your wireless, plus everything goes through one point so that it can be firewalled/proxied/filtered.”

Bruce has this to say:

Whenever I talk or write about my own security setup, the one thing that surprises people — and attracts the most criticism — is the fact that I run an open wireless network at home. There’s no password. There’s no encryption. Anyone with wireless capability who can see my network can use it to access the internet.
To me, it’s basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it’s both wrong and dangerous.
I’m told that uninvited strangers may sit in their cars in front of my house, and use my network to send spam, eavesdrop on my passwords, and upload and download everything from pirated movies to child pornography. As a result, I risk all sorts of bad things happening to me, from seeing my IP address blacklisted to having the police crash through my door.
While this is technically true, I don’t think it’s much of a risk. I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence

Of course, he also goes on to talk about the risks of not using point to point encryption of some sort (esp. over wireless, and esp. over other people’s wireless). If you have that part of it down, then it’s no more unsafe then connecting from anywhere else.

Here is my take on it.

1) Have your wired network behind a firewall.

2) Have your wireless network open

3) With the correct sniffer, it is trivial to find and masquerade as a valid MAC address. So, MAC filtering is a good idea, but it’s not a panacea for proper WPA pass-phrases and good tight VPN’s.

4) Make sure that your wireless devices always use a secure VPN to connect to resources. In fact, it’s a good idea to redirect _all_ of your traffic thru a VPN into your secure network and then back out. After all, how much of your email uses POP? Yeah… POP passes passwords in plain text.

So, (in an related topic) at the airport a few weeks ago, I saw a open wireless called ‘Free Wireless’. I tightened down the firewall, opened the log file, and connected. Wham. If I had been a windows box, I would have been rooted right then.

That was in SF. I also saw it at SeaTac. Not the same one, but the same idea. I also noticed that when I was connected to the AT&T network at SeaTac, I was under constant assault.

So – VPN back home, and then traffic out to the internet from there with HUGE firewalls on the roaming device seem like a great idea to me.