[Volunteers] Wireless Access Point for meetings

Chris Verges chverges at cisco.com
Thu Jul 7 13:18:29 PDT 2005


Hey folks,

I checked with our hosts at Veritas/Symantec, and they said it would be 
alright to bring a wireless access point and connect it up at the 
meetings.  I've already configured a spare Cisco Aironet 1200 
(802.11a/b/g) with the following settings:

    ESSID: svlug
    Allowed Traffic:
       DHCP    UDP     67   <--- client requests only!
       DNS     TCP/UDP 53
       NTP     UDP     123
       HTTP    TCP     80
       HTTPS   TCP     443
       SSH     TCP     22
       VNC     TCP     5800,5900
    Management Interfaces:
       SSH and HTTPS only
       No TELNET or HTTP
       Password on the AP is *not* default

All other traffic is denied for now.  So what I'd like to know from y'all:

    * What type of wireless security should we use?  The AP can be run
      in three modes:
         1. No security.  This would allow anyone to get on the network.
         2. 40/128-bit WEP.  This would allow all types of clients,
            including PDAs, to connect.  We could use a static key that
            we publish on our svlug.org page, or we could rotate the key
            for each meeting and announce it at the beginning.  (I
            personally like this option since it is simplest and allows
            people with PDAs and other non-laptop devices to get
            online.  Remember that we will only be at the meeting for ~2
            hours, so a passive WEP attack probably won't generate a hack.)
         3. WPA.  This would only allow clients with WPA capabilities to
            get on; while this is supported by most operating systems,
            PDAs generally cannot be used.  WPA is more secure than WEP
            in that an encryption key is generated for each client when
            the client associates to the AP.  This would require us to
            have a username/password that we either publish on the
            webpage or rotate for each meeting -- same scenario as with
            WEP above.
    * What other type of traffic should be allowed?  We are definitely
      NOT allowing:
         1. SMTP (TCP 25)
         2. FTP (TCP 20,21)
         3. TELNET (TCP 23)
         4. TFTP (UDP/TCP 69)
         5. NETBIOS (UDP/TCP 137,138,139)
         6. SNMP (UDP/TCP 161,162)
    * Should we set any QoS for interactive sessions like SSH?  Or do we
      not think this will be abused?  Honestly, I don't think we'll have
      any issues with this ... most people are kind enough to not
      download huge amounts of data at the meetings.

Thanks,

Chris Verges
-- 
chverges at cisco.com
408 525-0401
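The settings listed in the post, expressed as an Aironet 1200 IOS configuration. This is an added example, not Chris Verges' actual configuration: the ACL name, interface name, hostname, domain name and the placeholder secrets are assumptions, and the WPA-PSK stanza shows the pre-shared-key form of the WPA option (the username/password variant described in the post would instead need 802.1X against a RADIUS server, which is not shown).

```cisco
! Added example: one way to express the posted policy on an Aironet 1200
! running Cisco IOS. Names, interface numbers and secrets are assumptions.
!
! Inbound filter for wireless clients. Only the client-initiated direction
! is listed; replies arrive on the wired side and are not subject to this
! inbound list.
ip access-list extended SVLUG-GUEST-IN
 remark DHCP: client requests only (bootpc/68 -> bootps/67), no DHCP servers on air
 permit udp any eq bootpc any eq bootps
 remark DNS over UDP and TCP
 permit udp any any eq domain
 permit tcp any any eq domain
 remark NTP
 permit udp any any eq ntp
 remark HTTP and HTTPS
 permit tcp any any eq www
 permit tcp any any eq 443
 remark SSH
 permit tcp any any eq 22
 remark VNC: Java/web port and display :0 only
 permit tcp any any eq 5800
 permit tcp any any eq 5900
 remark Everything else (SMTP, FTP, telnet, TFTP, NetBIOS, SNMP, ...)
 remark is denied explicitly and logged so abuse is visible
 deny ip any any log
!
! WPA with a pre-shared key, rotated per meeting as the post suggests.
dot11 ssid svlug
 authentication open
 authentication key-management wpa
 wpa-psk ascii <per-meeting-passphrase>
 guest-mode
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid svlug
 ip access-group SVLUG-GUEST-IN in
!
! Management plane: SSH and HTTPS only, no telnet, no plain HTTP.
hostname svlug-ap
ip domain-name svlug.org
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
ip http secure-server
username admin privilege 15 secret <non-default-secret>
enable secret <non-default-secret>
line vty 0 4
 transport input ssh
 login local
```

Two things to check after applying it. First, the VNC lines cover only 5800 and 5900; a VNC server on display :1 listens on 5901 and would be blocked, so either extend the range or accept that. Second, an inbound IP ACL on the radio interface filters traffic entering the AP from clients, but whether wireless-to-wireless traffic is bridged without passing that list depends on the bridging setup; if client isolation is wanted, `bridge-group 1 port-protected` (Public Secure Packet Forwarding) on the radio's bridge group is the Aironet feature to look at.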