802.11G access point recommendations?

David Wolfskill david at catwhisker.org
Sat Aug 7 06:18:13 PDT 2004


>Date: Sat, 7 Aug 2004 00:26:03 -0700 (PDT)
>From: "Michael T. Halligan" <michael at halligan.org>
>To: baylisa at baylisa.org
>Subject: 802.11G access point recommendations?
>Sender: owner-baylisa at baylisa.org

>I'm looking to throw a couple of ap's at each end of my apartment to make
>sure we have good wireless throughout.  I'd rather not spend more than
>$200-$300 per access port (preferably 1/2 that).  My thoughts on
>security are I'd just like to use WEP, and limit MAC addresses. Does
>anybody have a good recommendation for something like this?

Just about any working 802.11b AP ought to cope reasonably well,
I'd think: I do that sort of thing -- mostly for historical reasons:
one of the original Apple AirPorts was provided for my use a while
back -- must have been around 3 or 4 years ago.  One of the filter
caps in its power supply started failing, with resulting flakiness.
So I picked up a Linksys WAP-11 to take its place, then was told
about a Web site where someone had documented the problem with the
AirPort filter caps.

I called Apple; the rep. pushed back a little when the serial number of
the unit I had was not in the range of "affected serial numbers" that he
was authorized to approve.  I pointed out that I had opened the unit and
saw the top of the filter caps bulging noticeably; he asked to speak with
his supervisor (granted), and came back a few minutes later with an RMA.

So now I have 2 APs.  They are set to the same WEP key and the same MAC
filter list (though changing a MAC address is as easy as

	ifconfig an0 ether fe:dc:ba:98:76:54

so I am under no illusions about "security" that it provides), and none
of them broadcasts the SSID (though that is trivial to obtain, e.g. via
Ethereal).  One of them is set to channel 1; the other, to channel 6.

And WEP is demonstrably insecure.

I have two reasons for going to this extent, but no further:

* It's usually enough to help keep honest people honest.  I lock my
  front door, but I don't always lock my back door, and the picture
  windows in front could be smashed by someone determined to get in.

* I have just enough hurdles to be easy to implement, but that (to my
  mind, at least) would clearly show that someone gaining access to my
  network did so intentionally, and not by accident.

(I note that I have heard that there is a "feature of dubious intent"
with some Microsoft products, such that they will not associate with an
AP that is not broadcasting its SSID.  I don't really know if this is
true or not, and can't bring myself to care.)

Note that with 802.11b (which is what I am using), although there are
nominally 11 "channels" that may legally be used in the US, the channels
overlap enough that the set of maximal size of non-overlapping channels
consists of channels 1, 6, and 11.

Oh:  I have a *separate* network for APs (and other "guest" access).
It's "behind" a packet-filter, but separate from my "trusted" net -- I
have 3 NICs in my firewall.  Each AP is set to merely bridge, and
neither acts as a DHCP server.  (I do have one of those, but it is
elsewhere.)

As to the same WEP key & MAC filtering, I have tested failover, and it
works like a charm (at least, running FreeBSD on my laptop):  I
associated with one of the APs, then unplugged it; the NIC in my laptop
promptly associated with the other AP without me needing to even be
aware of it.

More stuff on this at
http://www.catwhisker.org/~david/Canyon/wireless.html and
http://www.catwhisker.org/~david/FreeBSD/upgrade.html -- in case the
above wasn't quite enough of my deathless prose.  :-}

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
I do not "unsubscribe" from email "services" to which I have not explicitly
subscribed.  Rather, I block spammers' access to SMTP servers I control,
and encourage others who are in a position to do so to do likewise.


