[geeks] Secure 802.11b?
Scott Howard
scott at doc.net.au
Mon Mar 18 05:23:21 CST 2002
On Sun, Mar 17, 2002 at 05:01:41PM -0500, Michael Dombrowski wrote:
> I've been thinking of setting up 802.11b here and want to protect my
> network against snoopers. My idea is something like:
>
> Internal Network->802.11b Firewall->Dumb Access Point->Laptop
>
> In my setup the Firewall machine would block off every port except
> the VPN one, the laptop or other client computer would connect to the
> main network via the VPN so it would be just like it's on the
> network. The firewall machine would also run a dhcp server. Is this
> method viable or are there easier ways to do what I want? I also
> could consolidate the access point + firewall into one machine with
> NetBSD + IPX + PC Card swapbox but then I lose some flexibility in
> the future.
There's only one way to do it securely - VPN of some form. Depending on
your choice of client and firewall/router software the best options are
either PPTP (trivial to setup, but MS-centric), or IPSec (more difficult,
but works on most platforms. I have :
Internal Network -> Router running PPTP/IPSec -> AP -> Laptop
The router does DHCP for the 192.168.1.x range (with no default route),
but the only traffic it will accept is traffic from the laptop(s) to the
router on either PPTP or IPSec ports. The PPTP/IPSec tunnel gets given
a real IP address (ie, routable, but you could just as easily use NAT),
and a default route.
The only traffic which is ever unencrypted is the initial DHCP
request/reply. Anyone can come along and request an IP address, and get
one, but they can't get beyond the password-protected PPTP/IPSec.
The notebook is setup to automatically bring up the PPTP connection as
soon as it's needed (with a saved password), so other than a few seconds
delay the entire process is completely transparent.
Scott.
More information about the geeks
mailing list