Party on Wayne, (scnr)

I have the exact setup here at home and am using ipsec to overcome the security issues of WEP. I'll give you a brief walk-through.

On Fri, 2003-04-25 at 14:24, R. Wayne McCorkle wrote:
> I recently purchased a wireless access point. After some research into the
> relative insecurity of WEP, I am looking to implement more stringent measures.
> My current setup includes a LAN sitting behind a packet filtering firewall
> running Debian Woody. The current plan is to move the access point outside
> the firewall, as shown in the diagram below ...

Afaik a malicious intruder has to capture ca. 2GB of traffic to compute the preshared key (PSK) of WEP, therefore IPSEC is preferred. I am using IPSEC with the x509 patch to enable win32 clients to connect with certificates.

> The network address for each of the interfaces is shown above. Connections
> to the access point are exclusively MS Windows machines running XP. A file
> server in the LAN runs Samba and a DHCP server (I plan to serve DHCP
> addresses from the LAN, not the access point ... if possible).

If you deploy IPSEC, you can run every TCP/UDP service on top of it. DHCP is used here to supply the clients with an IP address over the initially insecure WLAN connection. IPSEC is a virtual device on top of e.g. eth1.

> I am currently in the process of building a new firewall where I'll
> upgrade from ipchains to iptables. At the same time, I'd like to implement
> some security and authentication services for the access point. Some
> questions I have:
>
> I understand that WEP is not optimal. My research indicates that IPSec
> would be better. Any suggestions or pointers on setting up IPSec on
> the new firewall? Or, is there something preferable to IPSec?

The only drawback of IPSEC with win32 clients that I am aware of is the terrible certificate mgt. in winXP/2K.

> What can I use to authenticate the Windows services from Samba. It seems
> to me that I am going to have a two step authentication process. First
> step is to authenticate access to the Access Point. Second step is granting
> permission to utilize services shared by machines on the LAN (i.e.
> Samba)

Well, I use share based authentication since I use ssh/sshfs with my clients, but you are right, it boils down to generating the secure IPSEC connection and running whatever service you want on top of it.

> Will I be able to access Samba services across the network boundary
> from 192.168.1.x to 191.168.2.x?

Sure.

> I realize these are not all Debian related questions. But I will be
> running Debian on the firewall and this seemed like a good place to start.
> Ideas and pointers to documentation/HowTos would be much appreciated.

I got IPSEC up and running with the following steps; this is not the debian way of doing things:

Get a tarball of freeswan (the debian packages are missing the x509 patch) from http://www.strongsec.com/freeswan/ and patch the sources. Install the client (there is a file explaining the steps to patch the kernel).

For win32 clients you want to use the gpl'd ipsec implementation from Marcus Mueller http://vpn.ebootis.de/ - I had a hard time trying to get IPSEC/L2TP working with the built-in WinXP client and failed at last.

Generate and distribute certificates. An excellent howto with winXP/2K is available here: http://www.natecarlson.com/linux/ipsec-x509.php or here: http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

This should be sufficient to get you started.

hth
Stefan

-- 
"boredom is not a burden anyone should bear"

-- 
Stefan Radomski <sr@oop.info>
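An example gateway-side /etc/ipsec.conf for the setup described in the thread (FreeS/WAN with the x509 patch, WLAN clients authenticating with certificates and being routed into the wired LAN). This is an added illustration, not a configuration from the post or from the FreeS/WAN project; the interface name, addresses, certificate file names and CA layout are assumptions to adapt to your own certificates.

```conf
# /etc/ipsec.conf on the Debian firewall (added example, not from the post).
# Assumed topology: eth1 faces the access point and has 192.168.2.1,
# the wired LAN behind the firewall is 192.168.1.0/24, the gateway's
# certificate is gwCert.pem and its key is gwKey.pem (placeholder names).

config setup
        interfaces="ipsec0=eth1"   # KLIPS virtual device rides on the WLAN side
        klipsdebug=none
        plutodebug=none
        plutoload=%search          # load/start every conn marked auto=add
        plutostart=%search
        uniqueids=yes              # a reconnecting client replaces its stale SA

conn %default
        keyingtries=0              # road warriors come and go: retry forever
        authby=rsasig              # X.509 certificates, no WEP-style shared secret
        leftrsasigkey=%cert        # our public key is taken from leftcert below
        rightrsasigkey=%cert       # peer key is taken from the cert it sends in IKE

# Any WLAN client (right=%any) presenting a certificate that chains to a CA
# stored in /etc/ipsec.d/cacerts/ gets a tunnel to the wired LAN. Keep only
# your own CA in that directory: every CA placed there is trusted to admit
# clients. Per-client restriction is possible with rightid="<client DN>".
conn wlan-roadwarrior
        left=192.168.2.1           # firewall address on the WLAN segment
        leftcert=gwCert.pem        # read from /etc/ipsec.d/certs/
        leftsubnet=192.168.1.0/24  # the LAN (Samba, DHCP server) behind us
        right=%any                 # clients obtain 192.168.2.x via DHCP first
        auto=add                   # passive: wait for the client to initiate

# /etc/ipsec.secrets must point at the matching private key, e.g.
#   : RSA gwKey.pem "passphrase"
# with gwKey.pem stored under /etc/ipsec.d/private/ (mode 0600).
#
# The iptables policy on eth1 should then admit only what the tunnel setup
# needs (UDP 500 for IKE, protocol 50/ESP, and DHCP) and accept LAN-bound
# traffic only when it arrives on ipsec0, so nothing from the open WLAN
# reaches 192.168.1.0/24 outside IPsec.
```

The Windows side (Marcus Mueller's ipsec.exe) needs its own ipsec.conf naming the same gateway address and subnet; the how-tos linked above walk through that file and the certificate import.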