My RADIUS server allows me to limit ANY login, be it MAC, PPPoE, or whatever...
----- Original Message -----
From: "Eje Gustafsson" <[EMAIL PROTECTED]>
To: "Jeremy Oswalt" <[EMAIL PROTECTED]>
Sent: Monday, September 29, 2003 12:01 PM
Subject: Re[2]: [smartBridges] Why use PPPoE??

> I'm sorry, I don't follow why you wouldn't be able to do much if they
> use a broadband router?
>
> Yes, PPPoE would kill this right off. Sure they can share the
> username/password BUT with the option of only-one in the pppoe server
> then only one of them can be online at the same time. If they still
> want to share then they have to set up a network between themselves so
> they use ONE connection to get on the net. Then you simply bill them
> per usage (bandwidth consumed) and when doing pppoe you get accounting
> data collected and you can easily bill based on it. =)
>
> / Eje
>
> Monday, September 29, 2003, 8:05:24 AM, you wrote:
>
> JO> You can set the PPPoE to allow for one session, but if they are using a
> JO> broadband router, then there's not much you can do.
>
> JO> If you are worried about their usage, then you should probably bill by
> JO> usage.
>
> JO> Jeremy
>
> JO> -----Original Message-----
> JO> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> JO> On Behalf Of Sevak Avakians
> JO> Sent: Monday, September 29, 2003 8:52 AM
> JO> To: [EMAIL PROTECTED]
> JO> Subject: Re: [smartBridges] Why use PPPoE??
>
> JO> Here's a scenario (close to what I may be having):
>
> JO> 2 friends (or brothers) who live in separate houses decide to pay for only 1
> JO> service, use the legitimate MAC address for the other friend and both are
> JO> online. If we add PPPoE, wouldn't they still be able to just share the login
> JO> & pw? Can anything be done about this?
>
> JO> Sevak
>
> JO> On Sun, 2003-09-28 at 22:26, Eje Gustafsson wrote:
>
> TWN>> This is slightly OT...
>
> TWN>> FIRST...a little background:
>
> TWN>> I have a pure sB wireless network. ALL of my clients are connected via
> TWN>> an airBridge or airPoint. I obviously do not provide any information
> TWN>> about our network to my clients, nor do they have admin rights to the sB
> TWN>> device. Therefore, the network is pretty locked down...which does not
> TWN>> allow clients to sniff wireless traffic (without first cracking WEP)
> TWN>> because they can NOT put the sB device into promiscuous mode.
>
> TWN>> I will NEVER have the need to allow non-paying customers to access my
> TWN>> network either (hotspot webpage login).
>
> TWN>> I currently use WEP and MAC internal authentication (although I will
> TWN>> soon move to external RADIUS).
>
> TWN>> I deploy SOHO routers at EVERY client home, located between the
> TWN>> sB device and the client internal network. I assign static IPs to EVERY
> TWN>> sB device and client router. Therefore, there are only 2 IPs seen from
> TWN>> any one of my clients (sB device and router).
>
> TWN>> My SOHO router that I deploy at EVERY client has web-based admin
> TWN>> authorized from ONLY my NOC IP addresses. This allows me to not only
> TWN>> manage all the devices remotely, but it also allows me to PING the
> TWN>> internal network (beyond the sB device) to prove that the sB device is
> TWN>> passing traffic to the wired LAN. Peace of mind for me.
>
> TWN>> The SOHO routers have built-in PPPoE that I "could" enable if I want to.
>
> TWN>> My question is this....Why should "I" use PPPoE for "THIS" network?
>
> JO> Additional security.
>
> TWN>> 1. Does it provide more security? (not really, I think)
>
> JO> Absolutely.
>
> TWN>> 2. Or would the only reason be for bandwidth limiting (which I currently
> TWN>> can not do)?
>
> JO> That too.
>
> TWN>> I do NEEEEEED bandwidth limiting, but the new XO radios will do this.
> TWN>> So...really...does the use of PPPoE provide any greater level of
> TWN>> security?
>
> JO> Yes Sir, sure does.
>
> TWN>> If someone manages to crack my WEP, then sniff someone's IP and MAC,
> TWN>> then bumps that client off the network and assumes their identity, would
> TWN>> PPPoE stop them from surfing? Who would really care at that point??
>
> JO> Cracking your WEP ain't too hard. Sniffing someone's IP and MAC isn't
> JO> that hard either... Now to the killer: they don't need to bump the
> JO> client off the network to assume their identity. They could simply just
> JO> assume their identity and surf away with peace of mind.
> JO> As long as the client can't hear the thief's radio then their router
> JO> will not complain about a duplicate IP on the network; it just assumes
> JO> the traffic that was sent to the IP/MAC combo was someone attempting
> JO> to communicate with them and simply ignores it, while the thief also
> JO> will get the traffic, which is to him legit.
> JO> The thief will be surfing away stealing your service and you would
> JO> NEVER know about it.
> JO> With PPPoE, if their login has not been authorized they don't get an IP and
> JO> can not surf. Since you are no longer passing TCP traffic but PPPoE
> JO> traffic you have to have special software to create the pppoe
> JO> tunnel. When you run PPPoE you don't even need to have an IP assigned on
> JO> your router's Ethernet interface that is to your clients because it's
> JO> all done over pppoe.
>
> TWN>> Does PPPoE use encrypted LOGIN?
>
> JO> Yes Sir. Encrypted logins, so they have to capture the PPPoE login
> JO> frames and then be able to crack the username and password out of
> JO> those frames (pretty much impossible since it's done on a handshake
> JO> basis and the password is not reverse decryptable).
>
> JO> Also, depending on the client and server, you can even create an
> JO> encrypted pppoe tunnel so not only the login frames are encoded but
> JO> ALL traffic is encrypted as well..
>
> JO> Plus you can turn on compression as well and you can compress the
> JO> traffic between the clients and the server. Saves you some bandwidth
> JO> there..
>
> TWN>> I just don't see the need right now.....any advice would be greatly
> TWN>> appreciated?
>
> JO> You could probably get away by doing what you're doing without any
> JO> problems. But who knows, you might not, and the problem is that you will
> JO> almost NEVER be able to tell for sure if you've been hacked.
> JO> The only way to tell is if you KNOW that a certain radio is offline and
> JO> yet the client is sending data, OR you're trying to manage a radio and
> JO> sometimes you have problems getting into the unit. Say if the hacker is
> JO> using a different brand of radio and you try to use SimpleMonitor on
> JO> your client's radio, the hacker's radio doesn't understand SimpleMonitor
> JO> and when you try to connect it might tell you failure to connect IF
> JO> the hacker's radio responded first. But if the client's radio responds
> JO> first then you get your info.
> JO> Also if you look in the association list you might see that the remote
> JO> client identifies as, say, a DLINK instead of a smartBridges radio, but
> JO> that is not a guarantee that you will see that (once again it depends on
> JO> which radio was fastest in its reply).
>
> JO> When you run pppoe you can set "only-one" just like on dialup, so if
> JO> user A has successfully logged in he has to log off before someone
> JO> else can log in with user A's username and password. This way IF the
> JO> hacker gets hold of it, as long as user A is online the hacker can't use
> JO> it. If the hacker gets online then user A can't get online, but then hey, he
> JO> will call and complain and you will take a look and see that he is already
> JO> online. You kick the user offline and he can get online; then somewhat
> JO> later he calls again and complains. Now you kick him offline but ask him to
> JO> turn off his radio and you see him getting back online even though his
> JO> radio is off.. HACKER ALERT!!!
> JO> Time to change that user's password...
>
> JO> Best regards,
> JO> Eje Gustafsson <mailto:[EMAIL PROTECTED]>
> JO> mailto:[EMAIL PROTECTED]
> JO> ---
> JO> The Family Entertainment Network <http://www.fament.com>
> JO> http://www.fament.com
> JO> Phone : 620-231-7777 Fax : 620-231-4066
> JO> eBay UserID : macahan
> JO> - Your Full Time Professionals -
>
> Best regards,
> Eje Gustafsson mailto:[EMAIL PROTECTED]
> ---
> The Family Entertainment Network eFax : 240-376-7272
> Phone : 620-231-7777 Fax : 620-231-4066
> Online Store http://www.fament.com/catalog/
> - Your Full Time Professionals -
>
> ----------ANNOUNCEMENT----------
> Don't forget to register for WISPCON IV
> http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm
>
> The PART-15.ORG smartBridges Discussion List
> To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname>)
> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
> Archives: http://archives.part-15.org
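The "only-one" session rule, per-usage accounting and the "radio is off yet the user is back online" check that the thread describes can be sketched as a small session broker. This is an added illustration, not code from the list, from smartBridges or from any PPPoE or RADIUS server; the class and function names, the usernames, MAC addresses and timestamps are all constructed for the example. The concurrency cap plays the role of the "only-one" option (what FreeRADIUS calls Simultaneous-Use), the accounting list stands in for RADIUS start/stop records, and the detection routine flags session starts that fall inside a window in which the operator has confirmed the subscriber's radio was powered off.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Session:
    username: str
    client_mac: str   # MAC seen in the PPPoE discovery stage (constructed value)
    started_at: int   # constructed clock, in seconds


@dataclass
class SessionBroker:
    """Toy access concentrator / RADIUS back end with an "only-one" rule.

    Hypothetical class for illustration; real servers keep this state in the
    RADIUS accounting database and enforce the cap at Access-Request time.
    """
    max_sessions: int = 1                                  # "only-one"
    active: Dict[str, List[Session]] = field(default_factory=dict)
    # Toy accounting log: (event, username, client_mac, timestamp, octets)
    accounting: List[Tuple[str, str, str, int, int]] = field(default_factory=list)

    def login(self, username: str, client_mac: str, now: int) -> Tuple[bool, str]:
        """Accept a PPPoE login unless the user already holds max_sessions."""
        live = self.active.setdefault(username, [])
        if len(live) >= self.max_sessions:
            # Shared credentials: the second party is refused while the first
            # is online, which is what makes sharing one account painful.
            return False, "reject: %s already has %d live session(s)" % (username, len(live))
        live.append(Session(username, client_mac, now))
        self.accounting.append(("start", username, client_mac, now, 0))
        return True, "accept"

    def logout(self, username: str, client_mac: str, now: int, octets: int) -> bool:
        """Close the session for this MAC and record the bytes it consumed."""
        live = self.active.get(username, [])
        for s in live:
            if s.client_mac == client_mac:
                live.remove(s)
                self.accounting.append(("stop", username, client_mac, now, octets))
                return True
        return False

    def kick(self, username: str, now: int) -> int:
        """Operator action from the thread: drop every live session of a user."""
        live = self.active.get(username, [])
        dropped = len(live)
        for s in list(live):
            self.logout(username, s.client_mac, now, 0)
        return dropped


def usage_by_user(accounting) -> Dict[str, int]:
    """Bill per usage: sum the octets reported on accounting stop records."""
    totals: Dict[str, int] = {}
    for event, user, _mac, _ts, octets in accounting:
        if event == "stop":
            totals[user] = totals.get(user, 0) + octets
    return totals


def logins_while_radio_off(accounting, radio_off: Dict[str, List[Tuple[int, int]]]):
    """Flag session starts inside a window where the operator knows the
    subscriber's radio was powered off: someone else holds the credentials,
    which is the thread's "HACKER ALERT" case and a cue to change the password."""
    hits = []
    for event, user, mac, ts, _octets in accounting:
        if event != "start":
            continue
        for lo, hi in radio_off.get(user, []):
            if lo <= ts <= hi:
                hits.append((user, mac, ts))
    return hits


def demo():
    """Walk through the scenario from the thread with constructed data."""
    b = SessionBroker(max_sessions=1)
    ok1, _ = b.login("alice", "00:11:22:33:44:55", 100)     # legitimate subscriber
    ok2, _ = b.login("alice", "aa:bb:cc:dd:ee:ff", 105)     # second party, same credentials
    b.logout("alice", "00:11:22:33:44:55", 700, 50_000)     # alice hangs up, 50 kB used
    ok3, _ = b.login("alice", "aa:bb:cc:dd:ee:ff", 710)     # now admitted: only-one, not "no sharing"
    b.kick("alice", 900)                                    # operator kicks and asks alice to power off
    ok4, _ = b.login("alice", "aa:bb:cc:dd:ee:ff", 950)     # a login arrives anyway
    flagged = logins_while_radio_off(b.accounting, {"alice": [(900, 1000)]})
    return ok1, ok2, ok3, ok4, flagged, usage_by_user(b.accounting)


if __name__ == "__main__":
    print(demo())
```

The rejection of the second login is the whole mechanism: it does not detect sharing, it only guarantees that one account yields one live session, so the operator still relies on accounting data for billing and on an out-of-band fact (a radio known to be off) to tell a shared or stolen credential from a legitimate reconnect.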
