Matthew Rosewarne on 2 Oct 2007 21:21:04 -0000
While the idea of an open-but-secure access point is long overdue, very few people have actually bothered to implement them. It's much easier to grasp the quaint old notion of the strong perimeter defence, even though this goal is proving more and more untenable. An open-but-secure network is certainly possible, but requires some work to set up. I can guarantee you that there's no firmware on any consumer-grade AP that can do it, so you would need to use a custom firmware.

Here's how I would go about it:

1. Since WEP is worthless, don't bother with it.

2. The wireless network is to be treated as a DMZ or external/untrusted zone, just like the internet.

3. To get out of the DMZ and into the internal/trusted network, you use a cryptographically-sound VPN, such as an IPSec tunnel. Filtering MAC addresses is in no way to be considered "security".

4. Set up QoS so that any traffic in or out of the internal network has absolute priority over traffic from the DMZ, so people can't hog your connection. Rate limiting is not particularly helpful, since DMZ traffic can still hold up "trusted" traffic.

5. Any other restrictions on DMZ traffic are up to you.

There is another issue, not technical, but legal, that might warrant some attention. In your contract with your ISP, you probably explicitly agreed not to provide an open access point. While it's unlikely they'll do anything about it, they might decide to cut off your access.

PS: If it has the horsepower, try using your AP as a Tor node.
___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
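Steps 2 through 4 of the post (wireless side as a DMZ, IPsec as the only way into the trusted LAN, strict priority for trusted traffic) expressed as Linux router rules. This is an added example, not code from the post or from any firmware it mentions; the interface names wlan0/eth0/eth1 and the 192.168.1.0/24 subnet are assumptions, and nothing is applied unless the script is invoked with the word "apply" as root.

```shell
#!/bin/sh
# Added example: open AP on $WLAN is an untrusted DMZ; $LAN is the trusted
# network; $WAN faces the ISP. All names and the subnet are assumed values.
WLAN=${WLAN:-wlan0}; LAN=${LAN:-eth0}; WAN=${WAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Print (do not apply) the packet-filter rules. Order matters: the IPsec
# policy match must come before the catch-all DROP toward the trusted LAN.
dmz_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -i $WLAN -m policy --dir in --pol ipsec -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WLAN -d $LAN_NET -j DROP
iptables -A FORWARD -i $WLAN -o $WAN -j ACCEPT
iptables -A INPUT -i $WLAN -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WLAN -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $WLAN -p esp -j ACCEPT
iptables -A INPUT -i $WLAN -j DROP
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Strict-priority queueing on the ISP link: band 1:1 (trusted LAN) is always
# dequeued before band 1:3 (everything else, i.e. the DMZ). No rate cap is
# needed; DMZ traffic simply never pre-empts trusted traffic.
qos_rules() {
  cat <<EOF
tc qdisc add dev $WAN root handle 1: prio
tc filter add dev $WAN parent 1:0 protocol ip prio 1 u32 match ip src $LAN_NET flowid 1:1
tc filter add dev $WAN parent 1:0 protocol ip prio 2 u32 match ip src 0.0.0.0/0 flowid 1:3
EOF
}

# Count the rules a given chain/device would receive; handy for a sanity check.
count_rules() { { dmz_rules; qos_rules; } | grep -c -- "$1"; }

apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
  { dmz_rules; qos_rules; } | sh -e
}

[ "${1:-}" = apply ] && apply_rules
```

Run with "apply" on the router to install the rules; run without arguments to simply print them for review, and note that the IPsec gateway itself (IKE daemon, SAs) still has to be configured separately.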