This sounds like a wonderful idea! Makes it more 'plug and play' :-) No really, it sounds more user-friendly, and that's what m0n0wall is all about (I think)

Joachim

-----Original Message-----
From: Magne Andreassen [mailto:magne dot andreassen at bluezone dot no]
Sent: Monday 29 September 2003 3:52
To: 'mono'
Subject: [m0n0wall] Securing that wi-fi network...

Hi,

Need to share some thoughts on wireless networking with m0n0wall. ;) Please comment (pros or cons) on this.

WEP is, as we all know, pretty bogus. And I can't understand why people feel secure when using it. Of course it is more secure than running without, but if someone wants to, they can easily hack it. So what, you say? Well, if you are a bit paranoid like me, you like to have a little control over who is accessing your network, and since pretty much anyone can connect to your wireless network (if not properly configured), one should take his/her precautions.

I would like to have some kind of encryption other than/in addition to WEP for my wireless clients. I also want users connecting to my wireless network to authenticate themselves. Either to the built-in PPTP service in m0n0wall, or since I'm running Win2000 Active Directory, to my windoze wannabe RADIUS service. I like the VPN feature of m0n0wall, and use it to connect via internet. So why not use it for wireless?

One thing though: DHCP is generally a bad idea on wireless networks, but I really want this since changing IP address config on my Windows 2k laptop is boring when roaming between school, work and home. I am aware that DHCP works on the wireless interface in bridge mode (with LAN). Problem is that no filter rules apply in bridge mode.

So what I am thinking:

- DHCP on wireless interface. (not possible in m0n0wall... yet)
- Enable PPTP server in m0n0wall.
- Add some firewall rules on the wireless interface (Proto / Source / Port / Destination / Port):

  GRE  Wireless net  *   *                *     - for VPN
  TCP  Wireless net  *   *                1723  - for VPN
  UDP  *             68  wi-ip            67    - DHCP
  UDP  *             68  255.255.255.255  67    - DHCP
  UDP  wi-ip         67  *                68    - DHCP

And you are good to go! Works like a charm :)

Your wireless clients will now get a leased IP address, but cannot connect to internet or your LAN, until they authenticate to the PPTP service in m0n0wall. In Windows, a simple setup of a new network VPN connection does the trick!

Only thing needed to be done on m0n0wall is adding DHCP for optional interfaces and maybe include the above firewall rules into the filter.inc file. (or one could add these manually as I did).

Does this sound like fun or not? Same effect can of course be achieved with static IP addresses, but I hate changing those IP addresses all the time! :)

I will, if not anyone else is already looking into it, write the code for the DHCP on optional interfaces as soon as I get the time, and post a note to the list...

Magne

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
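The rule set Magne describes is a small default-deny policy: on the wireless interface only DHCP and the two halves of PPTP (the TCP 1723 control channel and the GRE tunnel) get through, so an unauthenticated client can obtain a lease but cannot reach the LAN or the internet. The following simulator is an added example and is not code from the m0n0wall project or from anyone in this thread; it encodes the five rules from the message as a first-match pass list with a default drop (an assumption about evaluation order, not a statement about m0n0wall's filter engine) and evaluates sample packets against them. The addresses are constructed: the "Wireless net" is taken to be 192.168.2.0/24 and "wi-ip", the firewall's own wireless address, 192.168.2.1; a LAN host 192.168.1.10 is likewise made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed addressing for the example (not from the post).
WIRELESS_NET = ipaddress.ip_network("192.168.2.0/24")   # "Wireless net"
WI_IP = ipaddress.ip_address("192.168.2.1")              # "wi-ip"
BROADCAST = ipaddress.ip_address("255.255.255.255")

AddrSpec = Union[ipaddress.IPv4Network, ipaddress.IPv4Address, None]  # None = "*"


@dataclass(frozen=True)
class Rule:
    proto: str
    src: AddrSpec
    sport: Optional[int]   # None = "*"
    dst: AddrSpec
    dport: Optional[int]   # None = "*"
    comment: str


# The five pass rules from the message, in the order they were listed.
RULES = [
    Rule("gre", WIRELESS_NET, None, None, None, "VPN tunnel (GRE)"),
    Rule("tcp", WIRELESS_NET, None, None, 1723, "VPN control (PPTP)"),
    Rule("udp", None, 68, WI_IP, 67, "DHCP request to firewall"),
    Rule("udp", None, 68, BROADCAST, 67, "DHCP discover/broadcast"),
    Rule("udp", WI_IP, 67, None, 68, "DHCP reply from firewall"),
]


def _addr_matches(spec: AddrSpec, addr: str) -> bool:
    """'*' matches anything; a network matches members; an address matches itself."""
    if spec is None:
        return True
    a = ipaddress.ip_address(addr)
    if isinstance(spec, ipaddress.IPv4Network):
        return a in spec
    return a == spec


def filter_packet(proto: str, src: str, dst: str,
                  sport: Optional[int] = None,
                  dport: Optional[int] = None) -> Optional[str]:
    """Return the comment of the first matching pass rule, or None if the
    packet is dropped by the implicit default-deny at the end of the list."""
    for rule in RULES:
        if rule.proto != proto.lower():
            continue
        if not _addr_matches(rule.src, src) or not _addr_matches(rule.dst, dst):
            continue
        if rule.sport is not None and rule.sport != sport:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.comment
    return None


def policy_check() -> dict:
    """Evaluate the packets the message cares about and report pass/drop.
    Keys are descriptive labels; values are True (passed) or False (dropped)."""
    client = "192.168.2.50"      # constructed wireless client after its lease
    lan_host = "192.168.1.10"    # constructed host on the LAN
    cases = {
        "dhcp discover": filter_packet("udp", "0.0.0.0", str(BROADCAST), 68, 67),
        "dhcp renew to firewall": filter_packet("udp", client, str(WI_IP), 68, 67),
        "dhcp offer from firewall": filter_packet("udp", str(WI_IP), client, 67, 68),
        "pptp control": filter_packet("tcp", client, str(WI_IP), 40000, 1723),
        "pptp gre tunnel": filter_packet("gre", client, str(WI_IP)),
        "web to lan before vpn": filter_packet("tcp", client, lan_host, 40001, 80),
        "dns to internet before vpn": filter_packet("udp", client, "198.51.100.53", 5000, 53),
        "pptp from non-wireless source": filter_packet("tcp", "10.9.8.7", str(WI_IP), 40002, 1723),
    }
    return {label: result is not None for label, result in cases.items()}


if __name__ == "__main__":
    for label, passed in policy_check().items():
        print(f"{'PASS' if passed else 'DROP'}  {label}")
```

The two "before vpn" cases are the point of the design: nothing the client sends to the LAN or the internet matches a pass rule until the PPTP session is up, after which that traffic arrives encapsulated in GRE and is handled by the VPN rather than by this interface's filter. The last case shows the source restriction on the PPTP rules doing its job, since a packet not sourced from the wireless network is dropped even on port 1723.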