
Re: (solved) Re: how to (dis)allow some users from using wireless router?



On 8/15/07, Celejar <celejar@gmail.com> wrote:
> On Mon, 13 Aug 2007 08:57:45 +1000
> "Adrian Levi" <adrian.levi@gmail.com> wrote:
>
> > On 8/13/07, Celejar <celejar@gmail.com> wrote:
> > > On Mon, 13 Aug 2007 08:18:19 +1000
> >
> > <Snipped>
> >
> > > I don't quite follow you.  Can you explain in more detail?
> > >
> > > Celejar
> >
> > Ok, assuming your wireless router can use an open Linux distribution
> > or your wireless router connects directly to a Linux firewall, you can
> > use the following tools to set up proper encryption and authentication
> > between each allowed client and the router.
> >
> > I have never done this but know it's possible.
> >
> > http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet
> >
> > Using pppoe the client computer makes a connection to the wireless
> > router, handshaking is done, and the client is given an IP address for
> > the pppoe connection.
> >
> > http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Tunneling_Explained.html
> >
> > The ssh tunnel provides proper authentication and protection for the
> > otherwise insecure and sniffable traffic that is broadcast
> > wirelessly. This step also ensures that a non-trusted client cannot
> > transfer any data over your network.
> >
> > As I said earlier, I have not done this, so I cannot explain any further.
> > Good luck, but this is what I am looking to implement on my network.
> > Adrian
>
> I'm no networking expert, but I'm afraid I don't understand how this
> stops untrusted clients from accessing your network.  He obviously
> won't be able to read ssh-encrypted traffic, but I think he'll still be
> able to log on to the router.
>
> Celejar

Everyone needs to be able to access the router - trusted and
untrusted. At this point you don't know who your legitimate users
are. This method assumes that any wireless broadcast traffic is
_hostile_. I think you may be trying to secure the wrong part of the
link.

What you are stopping is any traffic passing onto your wired network
that does not originate through an ssh tunnel: it is discarded and the
connection dropped.

What you are doing is setting up a VPN from your trusted wired network
over the hostile wireless network segment to your trusted wireless
clients.
http://nst.sourceforge.net/nst/docs/user/ch07s03.html
http://mia.ece.uic.edu/~papers/volans/ssh-vpn.html

What I wrote in the above email was backward: SSH is established first,
then pppoe or just plain ppp is tunnelled through that link to provide
full network functionality.

A basic outline of a transaction follows:

1: Client contacts firewall.

2: Firewall issues dhcp address.

3: ssh link established.

4: pppoe tunnel through ssh link established.

5: IP address from pppoe link allocated - this one is the default gateway.

Adrian

-- 
24x7x365 != 24x7x52 Stupid or bad maths?
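The firewall policy that the five-step outline above implies, written out as an added example (this is not Adrian's code or anything from the linked pages). Interface names, the tunnel addresses, the user name and the host name are assumptions; the client command is the usual pppd-over-ssh recipe the linked pages describe.

```shell
#!/bin/sh
# Added illustration, not from the thread: the firewall side of the
# "all wireless traffic is hostile" model. Interface names, tunnel
# addresses, user and host below are assumptions/placeholders.
WLAN=${WLAN:-wlan0}        # hostile wireless segment (assumed interface name)
LAN=${LAN:-eth0}           # trusted wired network (assumed interface name)
IPT=${IPT:-iptables}       # set IPT="echo iptables" to review instead of apply

# Steps 1-3 of the outline: any client may obtain a lease and reach sshd,
# and nothing else. Steps 4-5: only packets arriving on a ppp interface
# (i.e. from a client that already authenticated to ssh) reach the LAN.
apply_firewall() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # step 2: DHCP requests from the wireless segment
    $IPT -A INPUT -i "$WLAN" -p udp --dport 67 -j ACCEPT
    # step 3: ssh is the only service the hostile segment may talk to
    $IPT -A INPUT -i "$WLAN" -p tcp --dport 22 -j ACCEPT
    # everything else from the wireless side is logged, then discarded
    $IPT -A INPUT -i "$WLAN" -j LOG --log-prefix "wlan-drop: "
    $IPT -A INPUT -i "$WLAN" -j DROP
    # steps 4-5: forward only what arrived inside a ppp-over-ssh tunnel
    $IPT -A FORWARD -i ppp+ -o "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WLAN" -j DROP
    # tunnel addresses (assumed 10.0.8.0/24) are hidden behind the firewall's LAN address
    $IPT -t nat -A POSTROUTING -o "$LAN" -s 10.0.8.0/24 -j MASQUERADE
}

# Client side of step 4: pppd uses the ssh session as its pty and the
# firewall runs a matching pppd, so the PPP link (and the address of
# step 5) only exists for an authenticated client. Switching the default
# route onto ppp0 once it is up is left to an ip-up script and not shown.
# 10.0.8.x, vpnuser and firewall.example are placeholders.
client_tunnel_cmd() {
    printf '%s\n' "pppd updetach noauth passive pty \
'ssh vpnuser@firewall.example pppd nodetach notty noauth' \
ipparam vpn 10.0.8.2:10.0.8.1"
}

# Apply for real only when asked explicitly: `sh thisfile.sh apply`
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```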
