go secure
For a variety of reasons I got motivated to play with my network and my servers over the weekend, and the results were very beneficial security-wise.
First I upgraded all of my access points to WPA2-PSK. They had all been using WPA, and the limitations of my old laptop's wireless adapter had previously prevented this move. My new laptop has an Intel PRO/Wireless 2200 card, so there was nothing stopping me anymore. I got the laptops and the Nintendo Wii configured using WPA2. Next came my Palm TX. I suddenly realized that it doesn't support WPA2! A quick search revealed an update available on Palm's website... for $6. Okaaaaaay. I don't really understand why they are charging for this. A new Windows Mobile device would have WPA2 support included. Besides that, the description doesn't make it clear to me whether the update adds support for WPA2-PSK or just WPA2-Enterprise. I'm not sure what I'll do about this yet, but I'm sticking with WPA2, so the TX is going to have to remain offline for now.
Next I disabled non-TLS connections on my mail server for POP3, IMAP and SMTP submission. I had previously warned all my clients that this was coming, but I finally got around to flipping the switch. That means that email passwords can no longer be passed in the clear to my server. Hurray!
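A check worth running after flipping that switch, added here as an example and not part of the original post: connect to each plaintext port (110, 143, 587) without TLS and look at the capabilities the server advertises *before* STARTTLS/STLS. A hardened server shows LOGINDISABLED on IMAP, no USER and no SASL PLAIN/LOGIN on POP3, and no AUTH line on submission. The banners below are constructed samples, not captures from the author's server; the host name in the optional live probe is a placeholder.

```python
"""Audit whether a mail server still accepts cleartext passwords before TLS.

Added example (not the blog's own code). The BEFORE/AFTER banners are
constructed samples modelled on RFC 2449 (POP3 CAPA), RFC 2595 (IMAP
LOGINDISABLED) and RFC 4954 (SMTP AUTH) responses.
"""
import socket

# SASL mechanisms that transmit the password as-is (base64 is not encryption).
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}


def imap_cleartext_login_allowed(capability_line: str) -> bool:
    """IMAP: an unencrypted session must advertise LOGINDISABLED (RFC 2595);
    AUTH=PLAIN / AUTH=LOGIN before STARTTLS also leak the password."""
    caps = set(capability_line.upper().split())
    mechs = {c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")}
    return "LOGINDISABLED" not in caps or bool(mechs & CLEARTEXT_SASL)


def pop3_cleartext_login_allowed(capa_response: str) -> bool:
    """POP3: 'USER' in CAPA means USER/PASS is accepted; 'SASL ...' lists
    mechanisms. Either one with a cleartext mechanism before STLS is a finding."""
    for line in capa_response.splitlines():
        parts = line.strip().upper().split()
        if not parts or parts[0] in ("+OK", "."):
            continue  # status line / terminator
        if parts[0] == "USER":
            return True
        if parts[0] == "SASL" and set(parts[1:]) & CLEARTEXT_SASL:
            return True
    return False


def smtp_cleartext_auth_allowed(ehlo_response: str) -> bool:
    """Submission: an 'AUTH PLAIN LOGIN' (or legacy 'AUTH=PLAIN') line in the
    EHLO reply before STARTTLS means cleartext credentials are accepted."""
    for line in ehlo_response.splitlines():
        body = line[4:].strip().upper().replace("=", " ")  # drop '250-' / '250 '
        if body.startswith("AUTH") and set(body.split()[1:]) & CLEARTEXT_SASL:
            return True
    return False


CHECKS = {
    "pop3": pop3_cleartext_login_allowed,
    "imap": imap_cleartext_login_allowed,
    "submission": smtp_cleartext_auth_allowed,
}


def audit(banners: dict) -> list:
    """Return the services whose pre-TLS banner still permits a cleartext login."""
    return [svc for svc, text in banners.items() if CHECKS[svc](text)]


def fetch_banner(host: str, port: int, protocol: str, timeout: float = 5.0) -> str:
    """Optional best-effort live probe (not exercised by the samples below):
    open a plain TCP session and ask for capabilities without starting TLS."""
    cmd = {"pop3": b"CAPA\r\n", "imap": b"a1 CAPABILITY\r\n",
           "submission": b"EHLO audit.invalid\r\n"}[protocol]
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(4096)  # server greeting
        s.sendall(cmd)
        return s.recv(4096).decode("utf-8", "replace")


# Constructed sample banners: what a server looks like with cleartext auth
# still enabled (BEFORE) and after non-TLS logins are disabled (AFTER).
BEFORE = {
    "pop3": "+OK Capability list follows\r\nUSER\r\nSTLS\r\nSASL PLAIN LOGIN\r\n.\r\n",
    "imap": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN\r\n",
    "submission": "250-mail.example.net\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n",
}
AFTER = {
    "pop3": "+OK Capability list follows\r\nSTLS\r\n.\r\n",
    "imap": "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n",
    "submission": "250-mail.example.net\r\n250-STARTTLS\r\n250 8BITMIME\r\n",
}

if __name__ == "__main__":
    print("still cleartext (before):", audit(BEFORE))  # all three services
    print("still cleartext (after): ", audit(AFTER))   # empty list
    # Live use, e.g.: audit({"imap": fetch_banner("mail.example.net", 143, "imap")})
```

Note that the probe deliberately skips the TLS-only ports (995, 993, 465); the question is whether the *plaintext* listeners still take a password, and CRAM-MD5 or other challenge mechanisms are not flagged because they never send it.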
That change left only one other way in which unencrypted passwords are routinely transmitted to my server: blogs. I created my secure certificates (self-signed) and installed them on the server. That's when it dawned on me that I was going to need another static IP. I was already running a secure site for webmail on my main IP, and I can't run the new SSL site on an alternate port because I have too many people that connect through proxies that only allow port 80 or 443. So I ordered another static IP from my provider, which was fortunately provisioned within minutes and therefore didn't hold up my project. I got the SSL site up and set up redirects for all the blog management URLs to use the secure address. It feels very good to know that my server is no longer party to any sort of unencrypted authentication.
Lastly, I finally got around to playing with OpenVPN. I have been wanting to set up a VPN server for a long time, and the simplicity of the SSL VPN offered by OpenVPN was very appealing to me. After screwing around for hours Saturday night trying to get a multiplayer Civilization 4 game going with Neal, I vowed that I would implement a VPN before we tried again to play, because of all the networking headaches we encountered. Well, I did. So far I'm very impressed. I haven't done any performance benchmarks, but as far as ease of use and robustness go, it seems great. This will be infinitely better than poking a million holes in my firewall to try to appease Civ4's inept multiplayer function.