Brent Saner on 2 Oct 2007 22:58:51 -0000



Re: [PLUG] Verizon FIOS & open wireless

  • From: "Brent Saner" <brent.saner@gmail.com>
  • To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] Verizon FIOS & open wireless
  • Date: Tue, 2 Oct 2007 18:58:45 -0400
  • Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; bh=ChWLolxYE9sTDF+EYyK62sg1Nq1mhTcIBpqp14uSSf0=; b=ON8zdk1+yFeARf7cMqd0QAnVp9BXi2nOcyNVcgpwNF23EpQ5V6peA+E+KArs4C+uHDUjFHrtiXo2vLJKBu4lu/vKymGxNvrvPbpL/JyEsxsOqyOJs8Q19bMB51VeXiwhRWHF9b9By/3GeeBXQEhr40thaiSopSv1rIUDyITRc6c=
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org

well, that's always the preference, i think- when able, always delegate specialized hardware.

of course, there are downsides- more hardware to maintain, cost, different possibilities of bugs/security risks ("a chain is only as strong as its weakest link"), etc.

On 10/2/07, zuzu <sean.zuzu@gmail.com> wrote:
On 10/2/07, Brent Saner <brent.saner@gmail.com> wrote:
> BRILLIANT!
>
> you have slain the Beast of Insecure Open AP. you get B00ts of 1337n3ss, 14
> gold, 3 silver, and 15 pounds of tasty meat.

I love the _idea_ of VPNs but have found them to be a bear to
implement in practice.  I'd like to be able to roll out IPsec, but the
closest I've come is using OpenVPN, and 90% of the time I'm lazy and
rely on SSH tunnels (which I think is how OpenVPN works anyway).
anyone out there have mad IPsec (or general VPN) skills who can share
some "best practices" from experience?

p.s. DD-WRT can do everything else described.  it'll even host an
OpenVPN server with the "-vpn" branch of the distribution, although
that's a bit too many eggs in one basket for my taste.  I'd prefer a
beefier dedicated/separate device for that.


> On 10/2/07, Matthew Rosewarne <mrosewarne@inoutbox.com> wrote:
> >
> > While the idea of an open-but-secure access point is long overdue, very
> > few people have actually bothered to implement them.  It's much easier to
> > grasp the quaint old notion of the strong perimeter defence, even though
> > this goal is proving more and more untenable.  An open-but-secure network
> > is certainly possible, but requires some work to set up.  I can guarantee
> > you that there's no firmware on any consumer-grade AP that can do it, so
> > you would need to use a custom firmware.  Here's how I would go about it:
> >
> > 1. Since WEP is worthless, don't bother with it.
> > 2. The wireless network is to be treated as a DMZ or external/untrusted
> > zone, just like the internet.
> > 3. To get out of the DMZ and into the internal/trusted network, you use a
> > cryptographically-sound VPN, such as an IPSec tunnel.  Filtering MAC
> > addresses is in no way to be considered "security".
> > 4. Set up QoS so that any traffic in or out of the internal network has
> > absolute priority over traffic from the DMZ, so people can't hog your
> > connection.  Rate limiting is not particularly helpful, since DMZ traffic
> > can still hold up "trusted" traffic.
> > 5. Any other restrictions on DMZ traffic are up to you.
> >
> > There is another issue, not technical, but legal, that might warrant some
> > attention.  In your contract with your ISP, you probably explicitly agreed
> > not to provide an open access point.  While it's unlikely they'll do
> > anything about it, they might decide to cut off your access.
> >
> > %!PS: If it has the horsepower, try using your AP as a Tor node.
> >
> >

--
Brent Saner
215.264.0112 (cell)
215.362.7696(residence)

http://www.thenotebookarmy.org
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
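The five-point design Matthew Rosewarne lays out in the quoted message (wireless as an untrusted DMZ, an IPsec tunnel as the only way into the LAN, QoS giving internal traffic strict priority, no MAC filtering) written up as a Linux gateway ruleset. This is an added example and is not code from the thread or from any of its participants. Interface names, the address plan and the use of iptables/tc are assumptions for illustration; it also assumes the IPsec tunnel itself is terminated on the gateway by a separate IKE daemon, which is not shown.

```shell
#!/bin/sh
# Added example, not from the thread: a Linux gateway ruleset for an
# "open but secure" access point. The wireless side is an untrusted DMZ,
# an IPsec tunnel terminated on the gateway is the only way into the LAN,
# and LAN/tunnel traffic gets strict priority over DMZ traffic on the
# uplink. Interface names and addresses below are assumptions.
WAN=eth0                  # assumed: interface towards the ISP
LAN=eth1                  # assumed: trusted wired network
WLAN=wlan0                # assumed: the open access point, treated as DMZ
LAN_NET=192.168.1.0/24    # constructed address plan
GW_WLAN=192.168.100.1     # gateway's address on the DMZ side (constructed)

# Real tools by default; "IPT=echo TC=echo" turns the run into a dry run
# that prints the rules instead of installing them.
IPT=${IPT:-iptables}
TC=${TC:-tc}

apply_firewall() {
    # Default deny: nothing reaches the gateway or crosses it unless listed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Trusted LAN: may talk to the gateway and go out to the internet.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT

    # DMZ (step 2): hosts get DHCP and DNS from the gateway, may start an
    # IPsec tunnel to it (IKE on UDP 500/4500, ESP), and may reach the
    # internet. Nothing else on the gateway is exposed to them.
    $IPT -A INPUT -i "$WLAN" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$WLAN" -d "$GW_WLAN" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$WLAN" -d "$GW_WLAN" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A INPUT -i "$WLAN" -d "$GW_WLAN" -p esp -j ACCEPT

    # Step 3: only packets that arrived inside the IPsec tunnel may be
    # forwarded from the DMZ into the LAN; plain DMZ packets are dropped
    # before the generic "DMZ to internet" rule. No MAC filtering anywhere.
    $IPT -A FORWARD -i "$WLAN" -o "$LAN" -m policy --dir in --pol ipsec -j ACCEPT
    $IPT -A FORWARD -i "$WLAN" -o "$LAN" -j DROP
    $IPT -A FORWARD -i "$WLAN" -o "$WAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Tag LAN-originated and tunnel-originated packets so the QoS filter
    # below can recognise them; untagged packets are DMZ traffic.
    $IPT -t mangle -A FORWARD -i "$LAN" -j MARK --set-mark 1
    $IPT -t mangle -A FORWARD -m policy --dir in --pol ipsec -j MARK --set-mark 1
}

apply_qos() {
    # Step 4: a strict-priority qdisc on the uplink. Marked (trusted) packets
    # go to band 0; the priomap sends everything else to band 2, which is
    # served only when the higher bands are empty. That is what makes it
    # "absolute priority" rather than a rate limit that DMZ traffic could
    # still saturate.
    $TC qdisc del dev "$WAN" root 2>/dev/null || true
    $TC qdisc add dev "$WAN" root handle 1: prio bands 3 \
        priomap 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
    $TC filter add dev "$WAN" parent 1: protocol ip prio 1 handle 1 fw flowid 1:1
}

case "${1:-}" in
    apply)   apply_firewall; apply_qos ;;
    dry-run) IPT=echo; TC=echo; apply_firewall; apply_qos ;;
    *)       echo "usage: $0 apply|dry-run" ;;
esac
```

Run it with `dry-run` to review the generated rules before `apply`. Two caveats a practitioner would want: the prio qdisc only shapes the upload direction on the WAN interface, so giving LAN traffic priority on downloads needs the same treatment on the LAN/WLAN egress (or an IFB device), and the radio itself is still shared, so a DMZ client can consume airtime regardless of what the gateway prioritises. The IKE daemon (racoon, strongSwan or similar) that actually negotiates the tunnel is configured separately; the policy match here simply trusts whatever that daemon has authenticated.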