[vox-tech] Laptop WiFi Security
David Rosenstrauch
darose at darose.net
Tue Apr 25 08:16:31 PDT 2006
Bob Scofield wrote:
> I have two questions about WiFi security in laptops. (I don't have a laptop
> that allows me to do much WiFi, but I'm interested in these issues anyway.)
>
> If a person uses a WiFi connection at an airport, hotel, coffee house, etc.
> clearly the connection is not encrypted. I have been told that if you use an
> open connection, someone can get into your hard drive. That is, a hacker
> could read your files. This leads me to ask two questions.
>
> 1) One computer professional told me that the solution to the problem is to
> have firewall software on your laptop. He recommends Zone Alarm for Windows,
> but my interest is Linux. I know that SuSE comes with a firewall. My first
> question is: Is there a firewall package for Debian?

Firestarter is a nice little GUI-based firewall. I use that and like it.

> 2) The second question is whether there is *any* merit in the following idea
> I thought of. Suppose you had a laptop that had a major Windows partition,
> and a major Linux partition on it. Suppose you also put a second very small
> Linux partition on it. The small Linux partition would be used exclusively
> for e-mail and web surfing at open WiFi connections.
> Would such a setup protect the files in the main Linux partition when the
> small partition was booted and being used with an open WiFi connection? I
> suppose one problem with such a Baroque setup would be that the password you
> use for e-mail on the small Linux partition would still be subject to theft
> by a hacker.
>
> So is there any value in this type of setup?
>
> Thank you.
>
> Bob

I guess that would be effective ... as long as no one gained root
access. (If they did, they could just mount the other partitions.)

Personally, I think it's overkill, though. There are several security
tweaks that I'd recommend doing to a laptop before even considering
that, such as:

* run a firewall, like above, and only allow port forwarding to a daemon
  when absolutely necessary
* disable all unnecessary daemons - especially login shells like ssh,
  telnet, etc. Also Samba too.
* if you must allow ssh access, don't allow root logins, and only allow
  access via public keys instead of passwords
* keep your systems up-to-date with your distro's latest security patches
* since you're using an unsecured and unencrypted network, try to use
  encryption for outgoing traffic whenever possible - i.e., use ssh,
  https, imaps, tls, etc.

If you religiously apply techniques like this, I'd say you'll be in very
good shape security-wise, and there's probably no need to do what you're
suggesting. It certainly can't hurt, but I think it provides not much
benefit for the amount of work involved.

Just my $0.02.
HTH,
DR
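
The ssh item in the checklist above (no root logins, public keys instead of passwords), as an added example that is not part of the original message: a shell function that audits sshd_config text for those settings. The function name, the sample configs and the output format are constructed for illustration.

```shell
#!/bin/sh
# Audit sshd_config text on stdin for the checklist's ssh item: no root
# logins, public keys instead of passwords. Exit status 0 means compliant.
audit_sshd_config() {
    awk '
    function check(key, want, dflt,    got) {
        got = (key in val) ? val[key] : dflt
        if (got == want) { print "ok   " key "=" got; return 0 }
        print "FAIL " key "=" got " (want " want ")"; return 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        split(line, f, /[ \t=]+/)            # separator: whitespace, optionally "="
        key = tolower(f[1]); v = tolower(f[2])   # keywords are case-insensitive
        if (key == "match") exit             # audit the global section only
        if (!(key in val)) val[key] = v      # sshd keeps the FIRST value it reads
    }
    END {
        # An absent keyword falls back to the sshd default, which meets the
        # checklist only for PubkeyAuthentication (default: yes).
        bad  = check("permitrootlogin", "no", "unset")
        bad += check("passwordauthentication", "no", "unset")
        bad += check("pubkeyauthentication", "yes", "yes")
        exit (bad > 0)
    }'
}
# Constructed samples, not taken from a real host.
sample_weak() {
cat <<'EOF'
Port 22
PermitRootLogin yes
# A later duplicate does not override the first value:
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
}
sample_hardened() {
cat <<'EOF'
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}
sample_hardened | audit_sshd_config
sample_weak | audit_sshd_config || echo "weak sample fails the checklist"
```

On a live host, `sshd -T` prints the effective configuration in the same keyword/value form, so its output can be piped into the function instead of a single file.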