[lug] laptop partitioning, boot loaders
Zan Lynx
zlynx at acm.org
Tue Jun 13 10:26:07 MDT 2006
On Tue, 2006-06-13 at 06:50 -0600, D. Stimits wrote:
> Sean Reifschneider wrote:
>
> >On Mon, Jun 12, 2006 at 10:03:30PM -0600, David L. Anselmi wrote:
> >
> >
> >>How will you keep the script-kiddy from deciding to use your MAC on his
> >>card?
> >>
> >>
> >
> >Yeah, MAC lockdown isn't that useful. I'd prefer to set up the AP so that
> >it can only communicate OpenVPN packets to my OpenVPN server, and any other
> >traffic would have to be tunneled over OpenVPN.
> >
> >Sean
> >
> >
>
> See! I'm asking the right group already :)
>
> This is exactly what I need to know...what *really* works or not. Ok, so
> it sounds like they will spoof MACs. OpenVPN for home would be nice.
> Does this stop them from getting to my cable modem's bandwidth, or does
> this just stop them from getting to my systems that are connected to it?
> I'm not sure if this is something that stops them from using the
> wireless at all, or just from doing destructive things with my systems
> on it.
>
> So...what about hardware? Is the hardware involved at all in the
> security? Does 128 bit WEP stop anything? Or 152 bit WEP? Is there some
> wireless hardware/brand/model that I could consider ideal for the situation?

Whether or not your cable modem is open to the public depends on how you
set it up.

You could do this:

Wireless <----\
               --> Switch/Hub <- OpenVPN Router <-> Switch/Hub <-> LAN
Cable Modem <-/

And _that_ would make your cable modem available to the world.

It'd be more reasonable to do this:

Wireless <----\
               --> OpenVPN Router <-> Switch/Hub <-> LAN
Cable Modem <-/

The OpenVPN Router in that case needs 3 interfaces, one of which can be
a wireless card, preferably a good one with Linux support for being an
Access Point. Otherwise it could be another Ethernet card connected to
a Linksys/D-Link/Whatever wireless bridge.

In a setup like that you don't really need any wireless security. You
could even put up a web page saying "You're connected to D. Stimits'
Wireless Network. Private Access Only. Sorry."

If you got ambitious or just like to play around like I do, you could
try setting up IPSec in addition to OpenVPN. It's not too difficult,
with a 2.6 Linux kernel and the racoon daemon. Get it hooked up with
certificates, and an OpenLDAP / ActiveDirectory setup, and try to
convince Windows 2000/XP/2003 clients that they would really like to do
secure networking with you.

Okayyy, maybe that's too ambitious. I haven't made it work yet. :)

Oh, back on the hardware side, there are some more reliable wireless
encryption techniques. The good ones need things like a RADIUS server
and a PKI infrastructure. WPA2 with EAP-TLS.

If you got _really_ crazy you could end up doing OpenVPN over IPSec over
WPA2. Then you could use *that* to load an HTTPS web site.

:)
--
Zan Lynx <zlynx at acm.org>
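
The second layout in the message above, written out as packet-filter rules (an added example, not part of the original post): a script that prints an iptables-restore ruleset in which the wireless interface can reach only DHCP and the OpenVPN port, so unauthenticated wireless clients get neither the LAN nor the cable modem. The interface names eth0/eth1/wlan0/tun0 and UDP port 1194 (OpenVPN's default) are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for the three-interface
# OpenVPN router. Interface names and the port below are assumptions;
# override them through the environment.
WAN_IF=${WAN_IF:-eth0}     # cable modem side (assumed name)
LAN_IF=${LAN_IF:-eth1}     # wired LAN side (assumed name)
WIFI_IF=${WIFI_IF:-wlan0}  # wireless AP or bridge side (assumed name)
VPN_IF=${VPN_IF:-tun0}     # OpenVPN tunnel device (assumed name)
VPN_PORT=${VPN_PORT:-1194} # OpenVPN default UDP port

gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
# Wireless clients may get a DHCP lease and reach the OpenVPN daemon, nothing else.
-A INPUT -i $WIFI_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $WIFI_IF -p udp --dport $VPN_PORT -j ACCEPT
-A INPUT -i $WIFI_IF -j DROP
# Traffic arriving through the authenticated tunnel is treated like the LAN.
-A INPUT -i $VPN_IF -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $VPN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT
-A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
# No FORWARD rule names the wireless interface, so the DROP policy covers it.
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset when asked; pipe it to iptables-restore (as root) to load it.
if [ "${1:-}" = "--print" ]; then
    gen_rules
fi
```

Run it with `--print` and review the output before loading it with `iptables-restore`.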