Brent Saner on 2 Oct 2007 21:28:25 -0000



Re: [PLUG] Verizon FIOS & open wireless

  • From: "Brent Saner" <brent.saner@gmail.com>
  • To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] Verizon FIOS & open wireless
  • Date: Tue, 2 Oct 2007 17:28:20 -0400
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org

BRILLIANT!

you have slain the Beast of Insecure Open AP. you get B00ts of 1337n3ss, 14 gold, 3 silver, and 15 pounds of tasty meat.

On 10/2/07, Matthew Rosewarne <mrosewarne@inoutbox.com> wrote:
While the idea of an open-but-secure access point is long overdue, very few
people have actually bothered to implement them.  It's much easier to grasp
the quaint old notion of the strong perimeter defence, even though this goal
is proving more and more untenable.  An open-but-secure network is certainly
possible, but requires some work to set up.  I can guarantee you that there's
no firmware on any consumer-grade AP that can do it, so you would need to use
a custom firmware.  Here's how I would go about it:

1. Since WEP is worthless, don't bother with it.
2. The wireless network is to be treated as a DMZ or external/untrusted zone,
just like the internet.
3. To get out of the DMZ and into the internal/trusted network, you use a
cryptographically-sound VPN, such as an IPSec tunnel.  Filtering MAC
addresses is in no way to be considered "security".
4. Set up QoS so that any traffic in or out of the internal network has
absolute priority over traffic from the DMZ, so people can't hog your
connection.  Rate limiting is not particularly helpful, since DMZ traffic can
still hold up "trusted" traffic.
5. Any other restrictions on DMZ traffic are up to you.

There is another issue, not technical, but legal, that might warrant some
attention.  In your contract with your ISP, you probably explicitly agreed
not to provide an open access point.  While it's unlikely they'll do anything
about it, they might decide to cut off your access.

PS: If it has the horsepower, try using your AP as a Tor node.

___________________________________________________________________________
Philadelphia Linux Users Group         --         http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

--
Brent Saner
215.264.0112 (cell)
215.362.7696 (residence)

http://www.thenotebookarmy.org
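The zone model in Matthew's steps 2 to 4 (wireless as an untrusted DMZ, IPsec as the only road into the LAN, strict priority instead of rate limiting), written out as an added example rather than anything either poster shipped. Interface names, the LAN subnet, the uplink rate and the use of nftables and HTB are my assumptions; the script only prints the rules unless invoked with `apply` as root on the router.

```shell
#!/bin/sh
# Added example, not from the thread: the "wireless = DMZ" model as an
# nftables ruleset plus an HTB priority scheme. Interface names, the LAN
# subnet and the uplink rate are assumptions; adjust before applying as root.
WAN=eth0; LAN=eth1; WLAN=wlan0; LAN_NET=192.168.1.0/24; UPLINK=20mbit

# Steps 2 and 3: wireless is untrusted; the only way into the LAN is via IPsec.
gen_fw_rules() {
cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname "$LAN" accept
    # DMZ clients may reach the router only for DHCP/DNS and IPsec (IKE, NAT-T, ESP)
    iifname "$WLAN" udp dport { 53, 67, 500, 4500 } accept
    iifname "$WLAN" meta l4proto esp accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$LAN" accept
    # Only packets that arrived through the tunnel (nft >= 0.9.1) may enter the LAN
    iifname "$WLAN" oifname "$LAN" meta ipsec exists accept
    iifname "$WLAN" oifname "$WAN" accept
  }
}
EOF
}

# Step 4: strict priority on the uplink. The DMZ class keeps a token rate and
# may borrow only after the prio-0 LAN class is satisfied (no hard rate cap).
gen_qos_cmds() {
cat <<EOF
tc qdisc add dev $WAN root handle 1: htb default 20
tc class add dev $WAN parent 1: classid 1:1 htb rate $UPLINK ceil $UPLINK
tc class add dev $WAN parent 1:1 classid 1:10 htb rate 19mbit ceil $UPLINK prio 0
tc class add dev $WAN parent 1:1 classid 1:20 htb rate 64kbit ceil $UPLINK prio 7
tc filter add dev $WAN parent 1: protocol ip prio 1 u32 match ip src $LAN_NET flowid 1:10
EOF
}

apply_all() { gen_fw_rules | nft -f - && gen_qos_cmds | sh -e; }  # root on the router
case "${1:-show}" in apply) apply_all ;; *) gen_fw_rules; gen_qos_cmds ;; esac
```

This shapes upload only; repeat the HTB setup on the LAN and WLAN egress side (or via IFB) to give the same priority to downloads.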