Re: Security is vital!
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Thu, 29 Mar 2007 15:02:51 -0500
On Wed, 28 Mar 2007, in the Usenet newsgroup comp.os.linux.questions, in article
<FExOh.1544$H_5.806@xxxxxxxxxxxxxxxxxxxxxxxxxx>, ***** charles wrote:
> So I am still liking OpenBSD, the 4M ISO download. It basically
> installs nothing and you have to add whatever you want through an
> Internet ftp server.
That's as good as any. The key is "does OpenBSD have the wireless driver"?
> The wireless distance is rather far, 1.5 miles but it is a clear line
> of sight, no obstructions. There are two 60 foot towers to be used.
At 2.4 GHz, the clearance needed is about 8.5 meters - 28 feet, and
curvature of the earth adds about a foot, so assuming nothing is within
30 feet of the line of sight (vertically or horizontally), that should be
fine.
> The current configuration uses two Linksys WET11's with no security.
> One of the buildings is right across the street from a high school.
> At the moment any kid with a properly configured laptop can hop onto
> the Internet through the current system. So the main goal is to secure
> the wireless link. I could set it up so that access is only through
> the connected keyboard without a lot of grief.
First thing I'd do after setting the link encryption would be to set it
up as a point to point link. For example, building one on 192.168.0.0/24
with the router on this link as 192.168.0.254 (use the numbers you would
want - this is for hand-waving). The other building is on 192.168.1.0/24
with the router on this link as 192.168.1.254. The link being on
specific IPs of 192.168.3.33 and 192.168.4.44 with a _host_ route only
between the two. Ignoring the default route to the world and loopback
the _hosts_ in building one have the routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 95017 eth0
192.168.1.0 192.168.0.254 255.255.255.0 UG 0 0 430 eth0
with the hosts in the other building having
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 95017 eth0
192.168.0.0 192.168.1.254 255.255.255.0 UG 0 0 430 eth0
The router in building 1 has only the following:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 95017 eth0
192.168.4.44 0.0.0.0 255.255.255.255 UH 0 0 16 eth1
192.168.1.0 192.168.4.44 255.255.255.0 UG 0 0 430 eth1
with the router in the other building having
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 95017 eth0
192.168.3.33 0.0.0.0 255.255.255.255 UH 0 0 16 eth1
192.168.0.0 192.168.3.33 255.255.255.0 UG 0 0 430 eth1
Your school kids no longer have _access_ as the routers have the only two
valid addresses on the link. Without encryption, the link can be sniffed,
which is why you encrypt it. Problem solved.
> OS
> Wireless driver
> SSH (only if I want access from another computer)
I _ALWAYS_ recommend having a second way to admin the box (the primary
means is usually the console or serial port). I'd set up SSH so that it
ONLY accepts connections from "a few" specific hosts on the LAN.
> What apps would I need to run to manage the connection, if any?
[compton ~]$ whatis ifconfig route
ifconfig (8) - configure a network interface
route (8) - show / manipulate the IP routing table
[compton ~]$
Actually, you may need 'iwconfig' to manage the wireless, but that's it.
> I am hoping when I get the first one set up correctly, I can just
> clone the software to the second identical machine.
The routers are a pair - set them up at the same time, but this can be
done in the lab or what-ever. Actually, these boxes are so dumb and
under-worked, I'd use anything cheap and dirty to do the job - a pair
of 386SX laptops would likely be enough, but that obviously depends on
the number of hosts in the two buildings and how much they talk to each
other.
> Since the lans already have an Internet connection, the wireless
> connection will have to be in "bridge mode".
I wouldn't - but I've been doing IP networking since the 1980s. The
main reason I would NOT use a bridge is to keep the traffic on the
link to a minimum, and prevent outsiders from connecting. Does _each_
of the LANs have its own (local) gateway to the world (independent of
the wireless link)? If so, all the more reason to configure the routers
this way, as the only traffic going over the air is that between the
buildings. Stuff going to the world won't be on this link and with
the routing tables I show, there is no way any outsider can hitchhike
because the routers can't send packets to the world - they have no
route to there.
Old guy
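The routing tables above and the "no route to the world" argument near the end of the post can be checked mechanically. The following is an added example, not code from the post or from any project it mentions: a longest-prefix-match lookup over the building-1 router's table exactly as the post gives it. It shows that traffic for the far LAN is forwarded to the link peer on eth1, that any other address on the link (the constructed 192.168.4.99) has no route, and that a public address has no route either, until a default route is added.

```python
# Added example (not from the post): model the building-1 router's routing
# table and resolve destinations the way the kernel does, longest prefix first.
import ipaddress

# Constructed from the post's table: (Destination, Genmask, Gateway, Iface).
# Gateway None means the destination is directly reachable on that interface.
BUILDING1_ROUTER = [
    ("192.168.0.0",  "255.255.255.0",   None,           "eth0"),  # local LAN
    ("192.168.4.44", "255.255.255.255", None,           "eth1"),  # host route to far end
    ("192.168.1.0",  "255.255.255.0",   "192.168.4.44", "eth1"),  # far LAN via the link
]

# Same table plus a default route, to show what the post is deliberately avoiding.
BUILDING1_WITH_DEFAULT = BUILDING1_ROUTER + [
    ("0.0.0.0", "0.0.0.0", "192.168.0.1", "eth0"),  # hypothetical local Internet gateway
]


def lookup(table, dst):
    """Return (gateway, iface) for dst by longest prefix match, or None if
    no entry covers it (the kernel would report 'network is unreachable')."""
    dst_ip = ipaddress.IPv4Address(dst)
    best = None  # (prefixlen, gateway, iface) of the most specific match so far
    for dest, mask, gw, iface in table:
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        if dst_ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, iface)
    return None if best is None else (best[1], best[2])


def forwards_to_world(table):
    """True if the table can deliver a packet to an arbitrary public address,
    i.e. it holds a default (or similarly broad) route. 198.51.100.10 is a
    documentation-range address used here as a constructed sample."""
    return lookup(table, "198.51.100.10") is not None


if __name__ == "__main__":
    for dst in ("192.168.0.20", "192.168.1.7", "192.168.4.44", "192.168.4.99", "198.51.100.10"):
        print(dst, "->", lookup(BUILDING1_ROUTER, dst))
    print("router can reach the world:", forwards_to_world(BUILDING1_ROUTER))
```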