zuzu on 2 Oct 2007 22:02:31 -0000

On 10/2/07, Brent Saner <brent.saner@gmail.com> wrote:
> BRILLIANT!
>
> you have slain the Beast of Insecure Open AP. you get B00ts of 1337n3ss, 14
> gold, 3 silver, and 15 pounds of tasty meat.

I love the _idea_ of VPNs but have found them to be a bear to implement in
practice. I'd like to be able to roll out IPsec, but the closest I've come is
using OpenVPN, and 90% of the time I'm lazy and rely on SSH tunnels (which I
think is how OpenVPN works anyway).

anyone out there have mad IPsec (or general VPN) skills who can share some
"best practices" from experience?

p.s. DD-WRT can do everything else described. it'll even host an OpenVPN
server with the "-vpn" branch of the distribution, although that's a bit too
many eggs in one basket for my taste. I'd prefer a beefier dedicated/separate
device for that.

> On 10/2/07, Matthew Rosewarne <mrosewarne@inoutbox.com> wrote:
> >
> > While the idea of an open-but-secure access point is long overdue, very few
> > people have actually bothered to implement them. It's much easier to grasp
> > the quaint old notion of the strong perimeter defence, even though this goal
> > is proving more and more untenable. An open-but-secure network is certainly
> > possible, but requires some work to set up. I can guarantee you that there's
> > no firmware on any consumer-grade AP that can do it, so you would need to use
> > a custom firmware. Here's how I would go about it:
> >
> > 1. Since WEP is worthless, don't bother with it.
> > 2. The wireless network is to be treated as a DMZ or external/untrusted zone,
> > just like the internet.
> > 3. To get out of the DMZ and into the internal/trusted network, you use a
> > cryptographically-sound VPN, such as an IPSec tunnel. Filtering MAC
> > addresses is in no way to be considered "security".
> > 4. Set up QoS so that any traffic in or out of the internal network has
> > absolute priority over traffic from the DMZ, so people can't hog your
> > connection. Rate limiting is not particularly helpful, since DMZ traffic can
> > still hold up "trusted" traffic.
> > 5. Any other restrictions on DMZ traffic are up to you.
> >
> > There is another issue, not technical, but legal, that might warrant some
> > attention. In your contract with your ISP, you probably explicitly agreed
> > not to provide an open access point. While it's unlikely they'll do anything
> > about it, they might decide to cut off your access.
> >
> > %!PS: If it has the horsepower, try using your AP as a Tor node.
> >
> > ___________________________________________________________________________
> > Philadelphia Linux Users Group -- http://www.phillylinux.org
> > Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> > General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
>
> --
> Brent Saner
> 215.264.0112 (cell)
> 215.362.7696 (residence)
>
> http://www.thenotebookarmy.org
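The "wireless segment as a DMZ" design Matthew lays out in steps 2 to 4 (untrusted wireless zone, a VPN endpoint on the router as the only door into the trusted LAN, strict priority rather than rate limiting for trusted traffic) is easier to reason about as a concrete ruleset. The script below is an added example written for this page, not code from anyone in the thread or from DD-WRT. It assumes a Linux router with iptables and tc (which a custom firmware such as DD-WRT provides), and the interface names, subnets and the OpenVPN port are constructed for illustration.

```shell
#!/bin/sh
# Added example: firewall and QoS for an open wireless segment treated as a DMZ.
# Interface names, subnets and the OpenVPN port below are assumptions, not
# values from the mailing-list thread.
set -eu

WAN="${WAN:-eth0}"                      # upstream / ISP side (assumed)
LAN="${LAN:-eth1}"                      # trusted wired network (assumed)
WLAN="${WLAN:-wlan0}"                   # open wireless segment, untrusted (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # constructed example subnet
WLAN_NET="${WLAN_NET:-10.99.0.0/24}"    # constructed example subnet

# Tool commands are indirected so the ruleset can be reviewed without root:
#   IPT='echo iptables' TC='echo tc' sh dmz.sh apply
IPT="${IPT:-iptables}"
TC="${TC:-tc}"

dmz_rules() {
    # Step 2: the wireless zone is untrusted. Nothing is forwarded unless a
    # rule below says so; replies to existing connections are always fine.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Step 3: packets that arrive decrypted out of an IPsec SA may enter the
    # LAN. This must precede the WLAN->LAN drop, because the decrypted packet
    # still shows the wireless interface as its ingress.
    $IPT -A FORWARD -m policy --dir in --pol ipsec -d "$LAN_NET" -j ACCEPT
    # Same door for an OpenVPN tunnel, whose plaintext shows up on tun0 (assumed name).
    $IPT -A FORWARD -i tun0 -d "$LAN_NET" -j ACCEPT

    # Wireless clients reach the internet only; never the trusted LAN directly.
    # No MAC address appears anywhere in this policy: MAC filtering is not a control.
    $IPT -A FORWARD -i "$WLAN" -d "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WLAN" -o "$WAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Trusted LAN may go anywhere.
    $IPT -A FORWARD -i "$LAN" -j ACCEPT

    # Services the router itself offers to the untrusted zone: DHCP and DNS so
    # clients get online, plus the VPN endpoints. IKE is UDP 500, NAT-T UDP 4500,
    # ESP is its own IP protocol; UDP 1194 is the assumed OpenVPN port.
    $IPT -A INPUT -i "$WLAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WLAN" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$WLAN" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$WLAN" -p udp -m multiport --dports 500,4500,1194 -j ACCEPT
    $IPT -A INPUT -i "$WLAN" -p esp -j ACCEPT
    $IPT -A INPUT -i "$WLAN" -j DROP
}

qos_rules() {
    # Step 4: strict priority instead of a rate cap. Packets are marked by the
    # interface they came in on (the mark survives NAT, source addresses do not),
    # and a prio qdisc on the WAN egress always dequeues band 1:1 (trusted)
    # before band 1:3 (DMZ). DMZ traffic only gets bandwidth the LAN leaves idle.
    $IPT -t mangle -A PREROUTING -i "$LAN" -j MARK --set-mark 1
    $IPT -t mangle -A PREROUTING -i "$WLAN" -j MARK --set-mark 2
    $TC qdisc add dev "$WAN" root handle 1: prio bands 3
    $TC filter add dev "$WAN" parent 1: protocol ip prio 1 handle 1 fw flowid 1:1
    $TC filter add dev "$WAN" parent 1: protocol ip prio 2 handle 2 fw flowid 1:3
}

# Only touch the live firewall when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    dmz_rules
    qos_rules
fi
```

The prio qdisc is what gives "absolute priority" its literal meaning: a rate limiter would still let a saturating DMZ upload queue ahead of trusted packets, whereas strict priority never does. The example shapes the upstream direction only; the same mark-and-prio pattern on the LAN-facing interfaces covers downloads. Run it with `IPT='echo iptables' TC='echo tc' sh dmz.sh apply` first to read the generated rules before applying them as root.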