dsl, networking, paranoia

ME dugan at passwall.com
Sat Mar 2 13:54:30 PST 2002


On Sat, 2 Mar 2002, augie wrote:
>         INTERNET
>                 |
>                 |
>         DSL Modem
>                 |
>                 |
>         Linux Gateway (firewall)
>                 |
>                 |
>         Hardware Router ----- Wireless Base-Station
>                 |               |                        {:}
>                 |               |                        {:}
>         [Linux PC] [Windows PC]        [Linux Laptop]

Why not:
         INTERNET
                 |
                 |
         DSL Modem     (firewall rules on this interface)
                 |    /
                 |(fwr)         
         Linux Gateway (firewall)---- Wireless Base-Station-.
                 |               (fwr)                       |
                 |                                          ?(any)
                HUB-.                    wireless cloud-> ?????
                 |  |                                    ????????
                 |  |                                       ???
         [Linux PC] [Windows PC]                      [Linux Laptop]

Your Linux gateway gets 3 interfaces, with the firewall rules for input from
the wireless and from the internet being much alike.
Enable WEP on the wireless Access Point.
Have your Linux gateway do the secure tunnel (IPSEC, or VPN, or ?).
Only allow SSH to your firewall/router from the wired network, if it is
enabled at all.

A firewall between you and the wireless users might be a good idea, as you
can see people coming into your house trying to run sniffers and attack
your internal network, but it is not so easy to see people trying to break
your WEP key from outside, or attack your Wireless Access Point vendor's
poor implementation of feature XYZ which leads to easy browsing/sniffing
of WEP "Secured" data.

Maybe even look into the nocatnet authentication for access points to
limit internet access from people who might try to steal your throughput
and/or to provide a public access point with their group too.

> Hardware Router: I already have this, so I figured it would be a good place
> to distribute connectivity.

Counter to what might be expected, the Linux kernel firewall and routing
rules are often better and more secure than a hardware router's (especially
cheaper routers). Though Linux may be a bit slower than some hardware based
routers, the quality/security/features may be a good tradeoff in just
using Linux for the firewall/routing.

> Wireless Base-Station: I read about this in last month's Linux Journal. Maybe
> some old laptop with two NICs, one wireless, one not. Then, as I understand it,
> I can use VPN to encrypt and authenticate the connection between the
> base-station and my only other wireless device, the laptop. This way no one
> can get on my wireless network and do bad things.

This can help, but layered security is better. Don't rely upon only this,
but also add more. For speedup here, you can look to support nocatnet with
their authentication system and possibly use it yourself instead of making
your own from scratch.


-ME

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ 
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ !PGP
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
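The three-interface gateway sketched in the reply above, written out as an
iptables ruleset. This is an added example, not code from the original post
or from either poster: the interface names (eth0 = DSL modem, eth1 = wired
hub, eth2 = wireless access point), the subnets, and the helper names are
assumptions for illustration. It follows the reply's rules: input from the
wireless side is treated like input from the Internet, SSH to the gateway is
accepted only from the wired network, the gateway terminates the IPsec
tunnel for the wireless laptop, and dropped packets from the two untrusted
interfaces are logged so you can see who is poking at the house.

```shell
#!/bin/sh
# Added example (not from the original post). Interface names, subnets
# and helper names below are assumptions for illustration.
#   eth0  - DSL modem / Internet (untrusted)
#   eth1  - wired hub with the Linux and Windows PCs (trusted)
#   eth2  - wireless access point (treated exactly like the Internet)
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
WLAN=${WLAN:-eth2}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Emit one iptables command per line rather than running them directly,
# so the ruleset can be reviewed (print) before it is loaded (apply).
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
# Default deny on the gateway itself and on forwarded traffic.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: wired-LAN source addresses may only arrive on the LAN side.
iptables -A INPUT -i $WAN -s $LAN_NET -j DROP
iptables -A INPUT -i $WLAN -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP
iptables -A FORWARD -i $WLAN -s $LAN_NET -j DROP
# Management (SSH) to the gateway only from the wired network.
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# The wireless side gets Internet treatment: the only thing the gateway
# answers there is the IPsec tunnel (IKE on udp/500 and ESP).
iptables -A INPUT -i $WLAN -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WLAN -p esp -j ACCEPT
# Wired LAN reaches the Internet, masqueraded behind the DSL address.
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Wireless hosts reach neither the wired LAN nor the Internet in the clear;
# laptop traffic is expected inside the tunnel (tunnel-side rules omitted).
iptables -A FORWARD -i $WLAN -o $LAN -j DROP
iptables -A FORWARD -i $WLAN -o $WAN -j DROP
# Log what the untrusted interfaces throw at us, rate-limited so a
# scan cannot fill the disk; the DROP policy does the rest.
iptables -A INPUT -i $WAN -m limit --limit 5/minute -j LOG --log-prefix "fw-wan-drop: "
iptables -A INPUT -i $WLAN -m limit --limit 5/minute -j LOG --log-prefix "fw-wlan-drop: "
EOF
}

# Sanity check before loading: refuse a ruleset that accepts SSH on either
# untrusted interface. Returns 0 when the generated rules pass.
check_rules() {
    if gen_rules | grep -- '--dport 22 -j ACCEPT' |
       grep -q -e "-i $WAN " -e "-i $WLAN "; then
        echo "refusing: SSH accepted from an untrusted interface" >&2
        return 1
    fi
    return 0
}

# Usage: sh gateway-fw.sh          (print the rules for review)
#        sh gateway-fw.sh apply    (check, then load them with iptables)
if [ "${1:-}" = "apply" ]; then
    check_rules && gen_rules | sh
else
    gen_rules
fi
```

Printing first and applying second is deliberate: on a box you reach over
SSH, a typo in a default-DROP ruleset locks you out, so read the output
before loading it from the console or the wired side.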