VPN advice (was Re: [ale] [OT] WEP auth modes)

Synco Gibraldter synco at xodarap.net
Wed Mar 5 22:28:21 EST 2003
it's quite common for administrators to treat a wireless segment the same
as they treat an external segment [except for the uplink route of course]
and this is probably the safest way to do it...

i personally have a wlan and i have no security on it whatsoever [because
it's 2.4MHz and the chances of someone coming close enough to abuse it are
remote -- plus i log all packets and would be interested in seeing what
someone might do if they were to use my network] -- but i have set up
IPSEC just to find out how hard it would be and it was really much easier
than i expected... if you download the freeswan package, its configure
script should get all relevant information and, upon compilation, patch
your kernel source... then when you go to recompile your kernel, you'll
notice there's a whole new section where you can enable IPSEC.  after
that, it's as simple as modifying a configuration file and you should be
ready to go... ipsec really is the standard and the linux side is pretty
easy to get going.  i haven't really dealt with the windows side, but i
think i've seen a radio button to turn on IPSEC before so i don't think it
should be too hard :}

as far as your wlan and your lan being bridged, you're right -- that's not
a great idea for the reason you mentioned (plus the one i alluded to
above) -- it's best to keep them on separate segments (physically and in
terms of subnets)..

this is one of my fading interests, so i've stopped researching it as
much, but i'm still pretty intrigued by wireless, so if you come across
anything great for your vpn, drop a line mang.

peace,
sg.


On 5 Mar 2003, Joe wrote:

> Synco Gibraldter <synco at xodarap.net> writes:
>
> > hey... here's the difference:
> >
> > open system means that, even without the correct key, the user can
> > transfer data with the access point or another machine on the network...
> > if you were to send out an arp flood to identify machines in the area, you
> > could do this successfully without a key.  the routing isn't handled
> > without a key, so actual connectivity isn't possible without the key.
> >
> > shared key means that absolutely no communication is possible without the
> > key, so if you're not testing or debugging and you only want people with
> > the key to find and use your wlan, then use this mode.
>
> Thanks.
>
> > how are they the same?  they're both ridiculously insecure and in either
> > one of these modes, wep can be broken very very very quickly.  wep is
> > basically a big waste of time and i'd advise you to use a vpn.  if you
> > want more information, just run a google search for something like "wep
> > insecurity" and you'll have a few days worth of reading.
>
> I know it's insecure. And I've decided I've got to do something about
> that.  My wireless boxen are a WinXP box (gag, retch), a WinME box
> (choke, hurl), and a laptop that may have a number of different OS's
> on it in the near future, including Gentoo Linux (installing now),
> FreeBSD, OpenBSD, Red Hat 8, and Lycoris Linux.  I need a VPN solution
> that will work for all those. I admit to being frightened of IPsec,
> but I suspect it's the only game in town. Is there some good
> documentation (web site, book, whatever) that will make it possible to
> get IPsec working on all these platforms without losing much more
> hair? I've done the "PPP-over-SSH" thing before, between Linux
> boxen, but I doubt there's a Windows solution that will play that
> way. Am I wrong?
>
> Also, my AP is on the same Ethernet segment as all my other machines.
> I suspect that's bad, and I should put a firewall between the
> AP and the rest of my network. Presumably that FW would be one end
> of the VPN. It seems to me that folks will still be able to sniff
> my wifi network and find out MAC addresses and so forth, even with
> a VPN in place, correct?
>
> Thanks,
>
> -- Joe Knapka
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
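As an added illustration of the separate-segment layout Synco recommends and the firewall-as-VPN-endpoint setup Joe asks about (example code written for this archive page, not from either poster): a Linux gateway policy that treats the wireless segment as external, accepts only IKE and ESP from it, and forwards only decrypted traffic into the wired LAN. The interface names, the 10.9.0.0/24 subnet and the ipsec0 device name used by FreeS/WAN are assumptions.

```shell
#!/bin/sh
# Constructed example: wireless segment treated as untrusted.
# Assumed names (not from the thread): wlan0 = interface facing the AP,
# eth1 = wired LAN, ipsec0 = FreeS/WAN virtual interface, 10.9.0.0/24 =
# WLAN subnet, 10.9.0.1 = the gateway's address on the WLAN side.
WLAN_IF=${WLAN_IF:-wlan0}
LAN_IF=${LAN_IF:-eth1}
IPSEC_IF=${IPSEC_IF:-ipsec0}
WLAN_NET=${WLAN_NET:-10.9.0.0/24}
GW_WLAN_IP=${GW_WLAN_IP:-10.9.0.1}

# Emit the iptables rules one per line so they can be reviewed (DRY_RUN=1,
# the default) or piped into sh to apply them (DRY_RUN=0).
wlan_firewall_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    # loopback and the wired LAN keep talking to the gateway as before
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # from the WLAN, only IKE (UDP 500) and ESP addressed to the gateway
    echo "iptables -A INPUT -i $WLAN_IF -s $WLAN_NET -d $GW_WLAN_IP -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -i $WLAN_IF -s $WLAN_NET -d $GW_WLAN_IP -p esp -j ACCEPT"
    # any other cleartext arriving from the WLAN is logged, then dropped
    echo "iptables -A INPUT -i $WLAN_IF -j LOG --log-prefix 'wlan-clear: '"
    echo "iptables -A INPUT -i $WLAN_IF -j DROP"
    # only decrypted packets (they reappear on ipsec0) reach the wired LAN
    echo "iptables -A FORWARD -i $IPSEC_IF -o $LAN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $IPSEC_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # cleartext from the wireless interface is never bridged into the LAN
    echo "iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -j LOG --log-prefix 'wlan-fwd-clear: '"
    echo "iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -j DROP"
}

# Sanity check: how many rules mention the cleartext wireless interface.
count_wlan_rules() {
    wlan_firewall_rules | grep -c -- "-i $WLAN_IF"
}

if [ "${DRY_RUN:-1}" = "1" ]; then
    wlan_firewall_rules
else
    wlan_firewall_rules | sh -e
fi
```

Sniffing on the air still reveals MAC addresses and the outer ESP headers; the policy only guarantees that nothing unencrypted from the wireless side is accepted or forwarded.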
