Re: (solved) Re: how to (dis)allow some users from using wireless router?
On Mon, 13 Aug 2007 08:57:45 +1000 Adrian Levi [EMAIL PROTECTED] wrote:

> On 8/13/07, Celejar [EMAIL PROTECTED] wrote:
> > On Mon, 13 Aug 2007 08:18:19 +1000 Snipped
> >
> > I don't quite follow you. Can you explain in more detail?
> >
> > Celejar
>
> Ok, assuming your wireless router can use an open Linux distribution or your wireless router connects directly to a Linux firewall, you can use the following tools to set up proper encryption and authentication between each allowed client and the router. I have never done this but know it's possible.
>
> http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet
>
> Using pppoe the client computer makes a connection to the wireless router, handshaking is done, the client is given an IP address for the pppoe connection.
>
> http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Tunneling_Explained.html
>
> The ssh tunnel provides proper authentication and protection for the otherwise insecure and sniffable traffic that is broadcast wirelessly. This step also ensures that a non-trusted client cannot transfer any data over your network.
>
> As I said earlier, I have not done this, I cannot explain any further. Good luck, but this is what I am looking to implement on my network.

I'm no networking expert, but I'm afraid I don't understand how this stops untrusted clients from accessing your network. He obviously won't be able to read ssh encrypted traffic, but I think he'll still be able to log on to the router.

> Adrian

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: (solved) Re: how to (dis)allow some users from using wireless router?
On 8/15/07, Celejar [EMAIL PROTECTED] wrote:

> On Mon, 13 Aug 2007 08:57:45 +1000 Adrian Levi [EMAIL PROTECTED] wrote:
> > On 8/13/07, Celejar [EMAIL PROTECTED] wrote:
> > > On Mon, 13 Aug 2007 08:18:19 +1000 Snipped
> > >
> > > I don't quite follow you. Can you explain in more detail?
> > >
> > > Celejar
> >
> > Ok, assuming your wireless router can use an open Linux distribution or your wireless router connects directly to a Linux firewall, you can use the following tools to set up proper encryption and authentication between each allowed client and the router. I have never done this but know it's possible.
> >
> > http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet
> >
> > Using pppoe the client computer makes a connection to the wireless router, handshaking is done, the client is given an IP address for the pppoe connection.
> >
> > http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Tunneling_Explained.html
> >
> > The ssh tunnel provides proper authentication and protection for the otherwise insecure and sniffable traffic that is broadcast wirelessly. This step also ensures that a non-trusted client cannot transfer any data over your network.
> >
> > As I said earlier, I have not done this, I cannot explain any further. Good luck, but this is what I am looking to implement on my network.
> >
> > Adrian
>
> I'm no networking expert, but I'm afraid I don't understand how this stops untrusted clients from accessing your network. He obviously won't be able to read ssh encrypted traffic, but I think he'll still be able to log on to the router.
>
> Celejar

Everyone needs to be able to access the router - trusted and un-trusted. At this point you don't know who are your legitimate users. This method assumes that any wireless broadcast traffic is _hostile_. I think you may be trying to secure the wrong part of the link. What you are stopping is any traffic passing onto your wired network that does not originate through an ssh tunnel; it is discarded and the connection dropped.

What you are doing is setting up a VPN from your trusted wired network over the hostile wireless network segment to your trusted wireless clients.

http://nst.sourceforge.net/nst/docs/user/ch07s03.html
http://mia.ece.uic.edu/~papers/volans/ssh-vpn.html

What I wrote in the above email was backward: SSH is established first, then pppoe or just plain ppp is tunnelled through that link to provide full network functionality.

A basic outline of a transaction follows:

1: Client contacts firewall.
2: Firewall issues dhcp address.
3: ssh link established.
4: pppoe tunnel through ssh link established.
5: IP address from pppoe link allocated - this one is the default gateway.

Adrian
--
24x7x365 != 24x7x52 Stupid or bad maths?
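The outline above implies a firewall policy in which the wireless interface offers only DHCP and SSH, and only traffic arriving over a tunnelled PPP link is routed to the wired network. One way to express that policy as an `iptables-restore` ruleset follows; it is an added example, not part of the original post, and the function name and the interface names (`wlan0`, `eth0`, `ppp+`) are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: wlan0 = hostile wireless segment,
# eth0 = trusted wired LAN, ppp+ = PPP links carried inside the SSH tunnel.

hostile_wlan_ruleset() {
    wlan="$1"; lan="$2"
    # Refuse empty or odd interface names so nothing unexpected reaches the ruleset
    for ifname in "$wlan" "$lan"; do
        case "$ifname" in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface name: $ifname" >&2; return 2 ;;
        esac
    done
    [ "$wlan" != "$lan" ] || { echo "wireless and wired interface must differ" >&2; return 2; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections the firewall already allowed
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Steps 1-2: any wireless client, trusted or not, may ask for a DHCP lease
-A INPUT -i $wlan -p udp --sport 68 --dport 67 -j ACCEPT
# Step 3: the only other service offered to the wireless side is SSH
-A INPUT -i $wlan -p tcp --dport 22 -j ACCEPT
# Everything else arriving on the wireless interface is dropped
-A INPUT -i $wlan -j DROP
# The wired LAN and authenticated PPP links may reach the firewall
-A INPUT -i $lan -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
# Steps 4-5: only traffic entering via a PPP link is routed to the LAN
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ppp+ -o $lan -j ACCEPT
# Nothing is ever forwarded straight from the wireless interface
-A FORWARD -i $wlan -j DROP
COMMIT
EOF
}

# Print the ruleset when called as: sh script.sh wlan0 eth0
if [ "$#" -eq 2 ]; then hostile_wlan_ruleset "$1" "$2"; fi
```

The generated text can be checked with `hostile_wlan_ruleset wlan0 eth0 | iptables-restore --test` before it is loaded.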
Re: (solved) Re: how to (dis)allow some users from using wireless router?
On Sat, 11 Aug 2007 11:02:05 +0100 Liam O'Toole [EMAIL PROTECTED] wrote:

> On Sat, 11 Aug 2007 09:06:15 + (UTC) Simon Brandmair [EMAIL PROTECTED] wrote:
> > Please notice that filtering by MAC address doesn't really add any extra security. The MAC address can easily be changed with ifconfig, which is IMO default on every Debian machine.
>
> While it is true that the MAC address can be spoofed, the intruder would need to have an allowed MAC address at their disposal. It would require some technical savvy to obtain one.

Not very much; a scanner will report attached clients' MACs without any real effort by the 'attacker'.

> Liam

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: (solved) Re: how to (dis)allow some users from using wireless router?
On 8/13/07, Celejar [EMAIL PROTECTED] wrote:

> On Sat, 11 Aug 2007 11:02:05 +0100 Liam O'Toole [EMAIL PROTECTED] wrote:
> > On Sat, 11 Aug 2007 09:06:15 + (UTC) Simon Brandmair [EMAIL PROTECTED] wrote:
> > > Please notice that filtering by MAC address doesn't really add any extra security. The MAC address can easily be changed with ifconfig, which is IMO default on every Debian machine.
> >
> > While it is true that the MAC address can be spoofed, the intruder would need to have an allowed MAC address at their disposal. It would require some technical savvy to obtain one.
>
> Not very much; a scanner will report attached clients' MACs without any real effort by the 'attacker'.
>
> > Liam
>
> Celejar

Would it not be a good idea to use pppoe on the clients and use an ssh tunnel to provide security / authentication?

Adrian
--
24x7x365 != 24x7x52 Stupid or bad maths?
Re: (solved) Re: how to (dis)allow some users from using wireless router?
On Mon, 13 Aug 2007 08:18:19 +1000 Adrian Levi [EMAIL PROTECTED] wrote:

> On 8/13/07, Celejar [EMAIL PROTECTED] wrote:
> > On Sat, 11 Aug 2007 11:02:05 +0100 Liam O'Toole [EMAIL PROTECTED] wrote:
> > > On Sat, 11 Aug 2007 09:06:15 + (UTC) Simon Brandmair [EMAIL PROTECTED] wrote:
> > > > Please notice that filtering by MAC address doesn't really add any extra security. The MAC address can easily be changed with ifconfig, which is IMO default on every Debian machine.
> > >
> > > While it is true that the MAC address can be spoofed, the intruder would need to have an allowed MAC address at their disposal. It would require some technical savvy to obtain one.
> >
> > Not very much; a scanner will report attached clients' MACs without any real effort by the 'attacker'.
> >
> > > Liam
> >
> > Celejar
>
> Would it not be a good idea to use pppoe on the clients and use an ssh tunnel to provide security / authentication?
>
> Adrian

I don't quite follow you. Can you explain in more detail?

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: (solved) Re: how to (dis)allow some users from using wireless router?
On 8/13/07, Celejar [EMAIL PROTECTED] wrote:

> On Mon, 13 Aug 2007 08:18:19 +1000 Snipped
>
> I don't quite follow you. Can you explain in more detail?
>
> Celejar

Ok, assuming your wireless router can use an open Linux distribution or your wireless router connects directly to a Linux firewall, you can use the following tools to set up proper encryption and authentication between each allowed client and the router. I have never done this but know it's possible.

http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet

Using pppoe the client computer makes a connection to the wireless router, handshaking is done, the client is given an IP address for the pppoe connection.

http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Tunneling_Explained.html

The ssh tunnel provides proper authentication and protection for the otherwise insecure and sniffable traffic that is broadcast wirelessly. This step also ensures that a non-trusted client cannot transfer any data over your network.

As I said earlier, I have not done this, I cannot explain any further. Good luck, but this is what I am looking to implement on my network.

Adrian
--
24x7x365 != 24x7x52 Stupid or bad maths?
Re: (solved) Re: how to (dis)allow some users from using wireless router?
Hi!

On Sat, 11 Aug 2007 07:10:07 +0200 Serena Cantor wrote:

> Thanks! I'll try MAC filter later on.
>
> --- steve [EMAIL PROTECTED] wrote:
> > Serena Cantor wrote:
> > > I knew WEP can do it, but the password is the same, any user can let others use the router by giving them the password.
> > > [...]
> >
> > on my Linksys I can block by MAC address, check once in a while to see who is connecting then block their MAC address if you do not recognize them?

Please notice that filtering by MAC address doesn't really add any extra security. The MAC address can easily be changed with ifconfig, which is IMO default on every Debian machine.

Cheers,
Simon
Re: (solved) Re: how to (dis)allow some users from using wireless router?
On Sat, 11 Aug 2007 09:06:15 + (UTC) Simon Brandmair [EMAIL PROTECTED] wrote:

> Please notice that filtering by MAC address doesn't really add any extra security. The MAC address can easily be changed with ifconfig, which is IMO default on every Debian machine.

While it is true that the MAC address can be spoofed, the intruder would need to have an allowed MAC address at their disposal. It would require some technical savvy to obtain one.

--
Liam
(solved) Re: how to (dis)allow some users from using wireless router?
Thanks! I'll try MAC filter later on.

--- steve [EMAIL PROTECTED] wrote:

> Serena Cantor wrote:
> > I knew WEP can do it, but the password is the same, any user can let others use the router by giving them the password. Can the wireless router owner determine who can use the router? Why the wireless hasn't an address like an ethernet card has, so that the router can determine which address can access router?
>
> on my Linksys I can block by MAC address, check once in a while to see who is connecting then block their MAC address if you do not recognize them?