IPSEC wireless router?

You still aren't getting my point. 802.11 wireless is bridging. Where you attach a router and what it does is not part of 802.11. There's not one word that even mentions routeing or IP addresses in the IEEE 802.11 specifications.

Look through any of the 802.11a/b/g specs and find me where it says "router".

All 802.11 wireless cards are bridged. You can attach a router at both ends and hide the bridging from the client, but the basic protocol is bridging.

That is, with bridging, it's not important that the IP address of the wireless device be in the same subnet as the wireless LAN.

I don't understand your terms "dummy compliance", "tutos", and what needs to be "activated". What does WPA have to do with anything in bridging and routeing? WPA encryption is totally transparent to both.

What should I read in there? That's the router part of the WRT54G.

Done. I still don't understand what you're asking or suggesting.

Do you want everything in one box? If so, I've listed 3 possible wireless VPN routers. If you can live with everything in separate boxes, then it can be done with a much wider and cheaper variety of boxes.

Hardware IPSec is about the same complexity as software (FreeSWAN) especially when dealing with poorly defined features such as replay protection. I've seen compatibility issues that were not fun to troubleshoot.

I'm not suggesting you build a complex network for your home wireless. I'm simply suggesting that you separate the modem, VPN router, and wireless access point into three separate boxes. I can list the benefits when you're ready to listen.

Reply to
Jeff Liebermann
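Added example (my code, not part of Jeff's post or of any 802.11 implementation): a toy learning bridge beside a toy IP forwarding lookup, to make the bridging-versus-routing point above concrete. The bridge forwards on destination MAC only and never reads the IP addresses the frame carries, so a station whose IP is outside the LAN's subnet is still delivered; the route lookup for the same address through a router that only has connected routes fails. The interface names, MACs and addresses are made up.

```python
# Added example: learning bridge vs. IP forwarding, not code from the thread.
import ipaddress
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str  # carried in the payload; the bridge never looks at it
    dst_ip: str


@dataclass
class LearningBridge:
    """Minimal 802.1D-style transparent bridge (what an 802.11 AP is)."""
    ports: list
    fdb: dict = field(default_factory=dict)  # learned MAC -> port table

    def receive(self, in_port: str, frame: Frame) -> list:
        """Return the ports the frame is forwarded out of."""
        self.fdb[frame.src_mac] = in_port  # learn where the sender lives
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.fdb:
            return [p for p in self.ports if p != in_port]  # flood
        out = self.fdb[frame.dst_mac]
        return [] if out == in_port else [out]  # filter or forward


def route(table: dict, dst_ip: str):
    """Longest-prefix match over {prefix: interface}; None when no route."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def demo():
    ap = LearningBridge(ports=["eth0", "wl0"])  # wired port and radio
    wired = Frame("00:00:5e:00:53:01", BROADCAST, "192.168.111.2", "192.168.111.255")
    ap.receive("eth0", wired)  # AP learns the wired host on eth0
    # Wireless station with an address outside 192.168.111.0/24
    sta = Frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", "10.9.9.9", "192.168.111.2")
    bridged_to = ap.receive("wl0", sta)  # delivered: the bridge only sees MACs
    # A reply to 10.9.9.9 through a router that has only connected routes
    rt = {"192.168.111.0/24": "br0", "63.198.98.0/24": "vlan1"}
    routed_via = route(rt, "10.9.9.9")  # no route: a router would drop it
    return bridged_to, routed_via


if __name__ == "__main__":
    print(demo())  # (['eth0'], None)
```

The bridge's only state is the MAC-to-port table it learns from source addresses; that is why the AP's own management address, or a client's address, can sit in any subnet without affecting delivery. Anything that needs a route (the reply from the wired host, a firewall rule keyed on subnet) is a separate layer bolted on top, which is the point of the post above.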

So what? My use of IPsec was behind a NAT router and BlackIce to *supplement* them both, as neither one of them had the ability to stop outbound traffic from a machine. Now, I am out on the road on a dial-up connection, a direct connection to the Internet, and can fully understand the power of IPsec as a packet filtering solution.

There you go with another one of your *bitch* moves. You said NetBIOS over TCP/IP, not me. What I should have said was the NetBIOS port that even BI protects. But just keep in mind you're the greatest guru of ALL TIMES, not me.

And I have been to college too, but I don't flaunt it like I have seen you do it; the one time I read a post that you made to someone, you flaunted it. What you can do for me is kiss my BLACK ass, that's what you can do. You put your pants on one leg at a time and a POS like you will never be better than me. You are nothing but a somewhat educated POS.

And you're a dime a dozen out here on the Internet.

Reply to
Duane Arnold

He started it! :p

Reply to
David Taylor

Wait just a damn minute here, you lurking *clown*. You made some posts to me and I cannot do the same with you as you went out of your way to do it? GTF out of here with this. You POS, it is not your show in this NG or the Internet. You may think that it is your show, your NG, and your Internet and apparently your world. But you can rest assured that it's not. :)

Reply to
Duane Arnold

You're so funny Duane, ONE guy asked and I answered his question. You call that flaunting it to reply to his question "where did you learn stuff"? You have issues.

Yep, you really do have a complex. Get therapy or grow up.

Reply to
David Taylor

I didn't read it. I don't want to read anything else you have to say as you're full of shit.

Reply to
Duane Arnold

I agree that 'trolling' was not a good word; I ought to say:

personal argumentation with insults and useless challenging ... fighting about uninteresting personal qualifications/abilities.

Reply to
DEMAINE Benoit-Pierre

Learn a bit about the French product called 'freebox': it natively supports wireless routing, and it is REALLY A ROUTER: software configuration can activate (or not) routing to wireless; by default it is off and you can only access the wired part.

The problem with this device is that the manufacturer does not sell it. It is supplied to customers who pay for Internet access ...

I mean that in this device, the wireless card is not bridged.

What is your point in this part?

Hmmm, did you ever try to activate WDS? Did you read the routing table of a WRT54g?

If yes, read me again ...

I can perfectly well do it on my old Pentium 120 ...

The question is: can a hardware router do it for me?

That is why I ask for a hardware device.

(but still, I expect this kind of hardware to be upgradable ... when WPA is encoded (let's say) into silicon, IPSEC ought to be encoded into the FLASH device)

Some companies have over 10000 boxes in a single building: if you use only hubs and switches, you need a star network, where the root switch may saturate with 100gb ... because if two end-branch clients want to exchange, they are likely to have to come back to the root switch ... when a routed network can be designed as islands, then islands can be interconnected in a smart way.

I have been a customer in a network like you describe: it was deadly slow and unstable: breaking the root switch shut down the whole network ... for example when you unplug the switch that leads to the DHCP server room ...

Reply to
DEMAINE Benoit-Pierre

The TZ 170 SP Wireless allows network administrators to create user accounts for occasional guest users such as consultants and contractors that permit wireless connections to the Internet without providing access to the corporate network.

Sounds nice ... I need to read it again tonight ...

Reply to
DEMAINE Benoit-Pierre

Newsreader 101: Use the killfile facility.

Thought I was supposed to be in it already, do you need some help configuring that there?

:)

Reply to
David Taylor

at a 94 IETF meeting in the gateway working group ... a friend introduced something that has since come to be called VPN. my view was that it somewhat upset the ipsec people ... since they were working on end-to-end. the issue with ipsec has been that it required updates to all the deployed (mostly kernel) tcp/ip protocol stacks. VPN could be deployed w/o impacting current installed systems. eventually things were somewhat patched over with the ipsec people labeling VPNs as light-weight ipsec ... and lots of other people referring to ipsec as heavy-weight ipsec. there was at least one vendor who announced a purely vaporware vpn product that dec. ... in response to the uptake of the concept after the ietf meeting.

to a large degree, the appearance of SSL was because of the same factor ... the difficulty with doing end-to-end ipsec because of its impacting existing deployed systems.

towards the end of 94, my wife and i got called in to consult with the small client/server company that had come up with ssl ... who wanted to do payments on their server.

at the time, they had this stuff that was going to use something called digital certificates issued by these organizations called certification authorities (as part of something called PKI). as part of doing payments ... we had to go around and do some end-to-end business audits on these organizations calling themselves certification authorities ... some collected postings on the subject of SSL certificates
SSL implementation at the time was one-way authentication between the server and the browser. using SSL for the webserver to payment gateway traffic ... we required an SSL implementation that supported mutual authentication.

however, as part of that effort, we coined the term "certificate manufacturing" ... since the majority of the operations weren't actually doing full-fledged PKIs ... no actual management and administration of the certified information (contained in the digital certificates) ... just the straight-forward manufacturing of the certificates. In fact, numerous certificate-based infrastructures from the period would rely on existing business operations for administration of the current validity of the certified information (as opposed to actually deploying a full-fledged PKI). The issue then was that for such operations ... it was quite a trivial proof to show that the digital certificates were redundant and superfluous (if you were relying on existing business operations for real-time validity ... then it was a very short step to having existing business operations also providing public keys in real time).

there is now even cross-over between the original 94 vpn and the 94 ssl ... with the appearance of ssl-based VPNs.

the basic technology is asymmetric key cryptography; what one key (of a key-pair) encodes, the other key decodes (to differentiate from symmetric key which uses the same key for both encoding and decoding).

there are business process applications of asymmetric key cryptography called "public key" (where one key is identified as public and made available, and the other key is identified as private and kept confidential and never divulged) and "digital signature" (which involves encoding a hash of a message/document with a private key).

However, there are numerous examples of infrastructures that use public keys, digital signatures, encrypted channels that don't involve PKI, certification authorities, and/or digital certificates.

one of the most prevalent authentication infrastructures is RADIUS ... starting out having been a userid/password implementation. There have been extensions to RADIUS where public keys are registered in lieu of passwords and digital signatures used for authentication ... totally certificateless operation

another wide-spread authentication environment is KERBEROS, found as integral part of a large number of platforms. the original pk-init specification had public keys being registered in lieu of passwords and supporting digital signature authentication ... again a certificateless operation
pk-init specification was later upgraded to also include PKI and certificate-based operation ... supporting the ability for total strangers to log on to your system ... recent lengthy description
Logon with Digital Signature

another public key, non-PKI authentication and confidential infrastructure with relatively wide deployment is SSH

in any case, IPSEC PKI infrastructure can carry with it a much heavier infrastructure operation than is actually needed for public key authentication and encryption (and even can be redundant and superfluous compared to simple upgrades to existing management and administrative operation).

Reply to
lynn
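Added example (my code, not from lynn's post and not the RADIUS or Kerberos pk-init implementations it mentions) of the certificateless model the post describes: a public key is registered in lieu of a password, the client proves possession of the private key by signing a one-shot challenge, and nothing is ever issued, expired or revoked except the registry entry itself. Textbook RSA over a SHA-256 digest (no padding) is used only so the example runs with the standard library; a real deployment would use PKCS#1 v1.5/PSS or an EdDSA key. The user names, the "login:" message framing and the registry class are assumptions of the example.

```python
# Added example: public key registered in lieu of a password, challenge-response
# authentication by digital signature, no certificate and no CA involved.
# Not code from the post, RADIUS or Kerberos; textbook RSA over SHA-256 (no
# padding) is used only so the example runs with the standard library.
import hashlib
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def _is_probable_prime(n, rounds=24):
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)). e is prime, so gcd(e, phi)==1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == _digest(msg)


def login_message(userid, nonce):
    # Bind the signature to this user and this challenge only
    return b"login:" + userid.encode() + b":" + nonce


class CertificatelessAuthServer:
    """Registry of userid -> public key, the way the RADIUS and original
    pk-init extensions register a key in lieu of a password. Validity is
    whatever the registry says right now; there is no certificate to
    issue, expire or revoke."""

    def __init__(self):
        self._keys = {}     # userid -> (n, e)
        self._pending = {}  # userid -> outstanding one-shot nonce

    def register(self, userid, pub):
        self._keys[userid] = pub

    def revoke(self, userid):
        self._keys.pop(userid, None)  # an administrative op replaces a CRL

    def challenge(self, userid):
        # Issue a nonce even for unknown users so the reply does not reveal
        # which userids exist.
        nonce = secrets.token_bytes(32)
        self._pending[userid] = nonce
        return nonce

    def authenticate(self, userid, sig):
        nonce = self._pending.pop(userid, None)  # consumed: no replay
        pub = self._keys.get(userid)
        if nonce is None or pub is None:
            return False
        return verify(pub, login_message(userid, nonce), sig)


def demo():
    server = CertificatelessAuthServer()
    alice_pub, alice_priv = generate_keypair()
    server.register("alice", alice_pub)
    nonce = server.challenge("alice")
    sig = sign(alice_priv, login_message("alice", nonce))
    first = server.authenticate("alice", sig)   # True
    replay = server.authenticate("alice", sig)  # False: nonce already used
    return first, replay
```

The registry is the whole "PKI": the administrative operation that already manages accounts also manages the key, which is the redundancy argument the post makes. The two checks a practitioner should not drop are the one-shot nonce (a captured signature is useless afterwards) and binding the userid into the signed message (a signature made for one account cannot be replayed against another).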

But you can do that with any AP that provides multiple SSID's (or a couple of AP's) that map to separate VLAN's, one for employees and one VLAN going straight out to the internet.

David.

Reply to
David Taylor

Can you stop posting to me like a *bitch*. That's all you amount to me is that and nothing else. And that's what you would be viewed as in the *hood* or on the *streets* a man acting like a *bitch*.

Reply to
Duane Arnold

I just want to make a correction here. I don't want you *bitching* about it.

Can you stop posting to me like a *bitch*?

Reply to
Duane Arnold

I'll risk a bit of topic drift here...

Difficulty is an understatement. The AH encapsulation would effectively prevent re-writing the header on NAT firewalls, making that useless. At least ESP payload only works through NAT. Replay attack prevention seems to cause some compatibility issues with different implementations. I lost count of how many different encryption and authentication protocols were available. Compatibility still seems to be a problem:

formatting link
I've also lost count of how many bug reports I've submitted to manufacturers over VPN compatibility issues. My guess(tm) is that SSL is becoming popular because it offers considerable simplicity and compatibility.

Well, part of the incentive was that Verisign was charging ridiculous amounts for a server certificate. That might be justifiable with a big ecommerce site, but not with a small hosted web site that just wants something better than a password. If Verisign had recognized the market and priced their PKI services accordingly, there would not have been any need for the "certificate manufactories".

Well, when the browser now says "Just click here to accept this certificate as valid" without the slightest authentication, one might as well pretend that everything is valid. As I recall that was in response to MS expiring all their certificates issued with Windoze runtimes in 2000(?) combined with the social engineering of some MS certificates from Verisign, where MS discovered they had no way to revoke a certificate.

Yes, for good reason. The browsers all have SSL capability and an SSL based VPN can therefore be deployed with a minimum of butchery on the client side.

Ummm.... Pre shared keys? (Never mind).

We're talking about a home user with probably a handful of potential users. The alleged benefit of PKI is that it authenticates the terminating web pages as being whom they claim to be. I've set up bogus servers to see how typical clients react. I've found that some method of authentication is required, as almost all users are clueless when a counterfeit web page appears. I even got caught in my own trap when I forgot to turn it off one day. Same with a faked SSID hot spot running HostAP. One doesn't really "need" PKI and a CA to do the authentication, but methinks it is generally a good idea.

Reply to
Jeff Liebermann
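Added example (my code, not from Jeff's post or any IPsec stack) showing why AH cannot cross a NAT while ESP can: the AH integrity check value is computed over the IP header with only the mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, so the source and destination addresses are covered and a NAT that rewrites the source invalidates the ICV at the receiver; ESP's ICV covers only the ESP header and the (encrypted) payload, so the rewritten outer header does not matter. HMAC-SHA-256-128 is assumed as the integrity algorithm, the SPIs, key and addresses are made up, and the ESP payload is passed in as already-encrypted bytes because the integrity check does not depend on the cipher. (ESP through a NAT that serves several hosts additionally needs NAT-T/UDP encapsulation, which is a port-multiplexing problem separate from the one shown here.)

```python
# Added example: why AH breaks behind NAT while ESP's integrity check survives.
# Not code from the thread; HMAC-SHA-256-128 is used as the integrity algorithm
# and the ESP payload is assumed to be already encrypted (the ICV does not care).
import hashlib
import hmac
import socket
import struct

ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868) truncation length
IPPROTO_AH, IPPROTO_ESP = 51, 50


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Plain IPv4 header; checksum left 0 (it is mutable and zeroed by AH anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip_hdr):
    """RFC 4302 s3.3.3.1: AH zeroes the mutable fields (TOS, flags/fragment
    offset, TTL, checksum) before computing the ICV. Source and destination
    addresses are immutable and stay in, which is exactly what NAT rewrites."""
    b = bytearray(ip_hdr)
    b[1] = 0                # TOS / DSCP+ECN
    b[6:8] = b"\x00\x00"    # flags + fragment offset
    b[8] = 0                # TTL
    b[10:12] = b"\x00\x00"  # header checksum
    return bytes(b)


def ah_icv(key, ip_hdr, ah_hdr, payload):
    # The ICV is computed with the ICV field itself zeroed
    data = zero_mutable(ip_hdr) + ah_hdr + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(key, esp_hdr, ciphertext):
    # ESP integrity covers the ESP header (SPI, seq) and the encrypted
    # payload+trailer only; the outer IP header is not part of it.
    return hmac.new(key, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]


def nat_rewrite_src(ip_hdr, new_src):
    """What a NAT router does on the way out: replace the source address."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]


def ah_survives_nat(key, inner_src, nat_src, dst, payload):
    ah_hdr = struct.pack("!BBHII", 17, 5, 0, 0x1000, 1)  # next=UDP, len, rsvd, SPI, seq
    total = 20 + len(ah_hdr) + ICV_LEN + len(payload)
    hdr = ipv4_header(inner_src, dst, IPPROTO_AH, total)
    icv = ah_icv(key, hdr, ah_hdr, payload)               # computed by the sender
    hdr_on_wire = nat_rewrite_src(hdr, nat_src)           # rewritten by the NAT box
    expected = ah_icv(key, hdr_on_wire, ah_hdr, payload)  # recomputed by the receiver
    return hmac.compare_digest(icv, expected)


def esp_survives_nat(key, inner_src, nat_src, dst, ciphertext):
    esp_hdr = struct.pack("!II", 0x2000, 1)  # SPI, sequence number
    total = 20 + len(esp_hdr) + len(ciphertext) + ICV_LEN
    hdr = ipv4_header(inner_src, dst, IPPROTO_ESP, total)
    icv = esp_icv(key, esp_hdr, ciphertext)
    hdr_on_wire = nat_rewrite_src(hdr, nat_src)    # NAT still rewrites the header...
    expected = esp_icv(key, esp_hdr, ciphertext)   # ...but the ICV never covered it
    return hmac.compare_digest(icv, expected) and hdr_on_wire != hdr


if __name__ == "__main__":
    k = b"\x11" * 32
    print(ah_survives_nat(k, "192.168.111.33", "63.198.98.51", "198.51.100.7", b"data"))   # False
    print(esp_survives_nat(k, "192.168.111.33", "63.198.98.51", "198.51.100.7", b"ctext"))  # True
```

The practical consequence is the one in the post: behind a consumer NAT router, only ESP (tunnel mode, usually with NAT-T) is usable, and an AH-only SA will authenticate fine on the LAN and then fail silently once the packets leave through the NAT.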

Where did you get 100 from? I said ONE AP that supports multiple SSID's, otherwise use 2 AP's, one for each SSID, and use VLAN's to separate the networks.

Reply to
David Taylor

The setup is stock Sveasoft Alchemy.

  ~ # cat /etc/motd
  ------------------------------------------
  Welcome to the Sveasoft WRT54G/GS Firmware
  Alchemy-V1.0 build version v3.37.6.8sv
  USE OF THIS FIRMWARE IS AT YOUR OWN RISK


WDS is fairly simple to setup.


It's Linux:

  ~ # uname -a
  Linux router 2.4.20 #2 Thu Apr 21 19:40:17 CEST 2005 mips unknown

br0 is the bridge port and can be linked to any of the other bridged ethernet ports on the switch. I'll guess (not sure) that the routeing table uses br0 instead of eth0 because br0 is the filtered port name while eth0 is the unfiltered port name.

Incidentally eth0 and eth1 are there.

  ~ # ifconfig
  br0       Link encap:Ethernet  HWaddr 00:0C:41:9C:3D:10
            inet addr:192.168.111.33  Bcast:192.168.111.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:87104 errors:0 dropped:0 overruns:0 frame:0
            TX packets:111983 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:10605896 (10.1 MiB)  TX bytes:47923183 (45.7 MiB)

  eth0      Link encap:Ethernet  HWaddr 00:0C:41:9C:3D:10
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:268597 errors:0 dropped:0 overruns:0 frame:0
            TX packets:274490 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:70588908 (67.3 MiB)  TX bytes:64626923 (61.6 MiB)
            Interrupt:3 Base address:0x2000

  eth1      Link encap:Ethernet  HWaddr 00:0C:41:9C:3D:11
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:0 (0.0 B)  TX bytes:6331 (6.1 KiB)
            Interrupt:4 Base address:0x8000

  lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0
            UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
            RX packets:1170 errors:0 dropped:0 overruns:0 frame:0
            TX packets:1170 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:96923 (94.6 KiB)  TX bytes:96923 (94.6 KiB)

  vlan0     Link encap:Ethernet  HWaddr 00:0C:41:9C:3D:10
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:87085 errors:0 dropped:0 overruns:0 frame:0
            TX packets:188737 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:11164196 (10.6 MiB)  TX bytes:53280155 (50.8 MiB)

  vlan1     Link encap:Ethernet  HWaddr 00:0C:41:9C:3D:11
            inet addr:63.198.98.51  Bcast:63.198.98.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:181414 errors:0 dropped:0 overruns:0 frame:0
            TX packets:85673 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:54582227 (52.0 MiB)  TX bytes:11338413 (10.8 MiB)

wlan0 is wl0

  ~ # cat /proc/net/wl0
  wl0: Aug 2 2004 14:32:51 version 3.60.13.0
  resets 23681
  perm_etheraddr 00:0c:41:9c:3d:12 cur_etheraddr 00:0c:41:9c:3d:12
  board 0x1603, board rev 4.5
  wsec 1 auth 0 wsec_index 0 wep_algo 1
  rate_override 0 antdiv_override 3 txant 3
  current_bss.BSSID 00:0c:41:9c:3d:12
  current_bss.SSID "LearnByDestroying"
  associated 1

Clueless? Run a Google Groups search for posting with my name. Read a few. Then come back and call me clueless.

Reply to
Jeff Liebermann
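Added example (my code, not from Jeff's post or the Sveasoft firmware): a small parser for the net-tools `ifconfig` format above that groups interfaces by MAC address and lists which ones own an IP address. Run against the listing from the post (copied into the block, abbreviated to the header, address and flag lines) it shows what the post is reading off the dump: br0, eth0 and vlan0 share one MAC, eth1 and vlan1 share another, and only br0, vlan1 and lo carry an address, so the physical eth0/eth1 are not themselves routed ports. A Linux bridge takes the MAC of one of its member ports and 802.1Q sub-interfaces inherit their parent's MAC by default, but firmware may assign MACs differently, so treat a shared MAC as a hint and confirm with `brctl show` and `/proc/net/vlan/config`.

```python
# Added example: parse the ifconfig listing above and group interfaces by MAC
# address, so the bridge/VLAN relationships described in the post are visible.
# Not code from the post; the sample below is copied from it (abbreviated).
import re
from collections import defaultdict

SAMPLE = """\
br0       Link encap:Ethernet  HWaddr 00:0C:41:9C:3D:10
          inet addr:192.168.111.33  Bcast:192.168.111.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:0C:41:9C:3D:10
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:0C:41:9C:3D:11
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1

vlan0     Link encap:Ethernet  HWaddr 00:0C:41:9C:3D:10
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

vlan1     Link encap:Ethernet  HWaddr 00:0C:41:9C:3D:11
          inet addr:63.198.98.51  Bcast:63.198.98.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

_HEAD = re.compile(r"^(\S+)\s+Link encap:(.+?)(?:\s+HWaddr\s+(\S+))?\s*$")


def parse_ifconfig(text):
    """Return {name: {"encap", "mac", "ip", "mask", "flags"}} from net-tools output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = _HEAD.match(line)
        if m:  # a new interface block starts at column 0
            cur = m.group(1)
            ifaces[cur] = {"encap": m.group(2), "mac": (m.group(3) or "").lower() or None,
                           "ip": None, "mask": None, "flags": set()}
            continue
        if cur is None or not line.strip():
            continue
        m = re.search(r"inet addr:(\S+)", line)
        if m:
            ifaces[cur]["ip"] = m.group(1)
        m = re.search(r"Mask:(\S+)", line)
        if m:
            ifaces[cur]["mask"] = m.group(1)
        m = re.match(r"\s+((?:[A-Z]+\s+)+)MTU:", line)
        if m:
            ifaces[cur]["flags"] = set(m.group(1).split())
    return ifaces


def group_by_mac(ifaces):
    """MAC -> sorted names of the interfaces that share it. A Linux bridge
    borrows a member port's MAC and VLAN sub-interfaces inherit their
    parent's, so shared MACs point at the bridge/VLAN relationships."""
    groups = defaultdict(list)
    for name, info in ifaces.items():
        if info["mac"]:
            groups[info["mac"]].append(name)
    return {mac: sorted(names) for mac, names in groups.items()}


def addressed(ifaces):
    """Only interfaces that own an IP address take part in routing."""
    return {name: info["ip"] for name, info in ifaces.items() if info["ip"]}


if __name__ == "__main__":
    parsed = parse_ifconfig(SAMPLE)
    print(group_by_mac(parsed))
    print(addressed(parsed))
```

On a real box the same parser can be fed `ifconfig` output directly; the security-relevant reading is that firewall rules and the routing table bind to the addressed interfaces (br0 for the LAN side, vlan1 for the WAN side here), not to the raw eth0/eth1 ports underneath them.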

You can't be more off-topic than those 2 insulting guys ...

If you consider really secure systems, those where the user is really a user, and not root or admin ...

How could a simple user-land browser install a certificate the kernel could use to establish a new network layer?

That would require rights separation, which is planned in GNU/Hurd, and not that stable in UML, or fuse ...

=> The point is: there is no use talking about the SSL support of the browser: root ought to wget gateway/certificate then restart a daemon ...

One point for you (regarding most admins' thinking ...)

About me: I am the only admin on all boxes I install, especially on my family's computers ...

And that is not enough yet to prevent them doing stupid things ...

The worst things are now impossible for them:

- Hey, I found this free demo CD in the supermarket, but it says I have no right to install it

- I made sure you don't have this right because I knew you would try to install it!

What happened for real:

- I was given this CD that offers cheap Internet access

- You already have cheap Internet access for the same price as the one on your new CD, except that your attempt to install your stupid CD broke IE

By that time, my dad was admin on the box, and the CD broke the whole GUI of IE, including home page, connection params, bookmarks and so on ... after which my brother (7 years more experience in IT than me) found about 18 trojans on their (live) box ... I found 8 more using an offline scan ...

(Hell, a brother who claims to be an IT professional, and does an AV scan on a live box ... I can't believe it)

Reply to
DEMAINE Benoit-Pierre

YOUR STUPIDITY HIDES FROM YOU THAT BR0 HAD TO BE SET UP MANUALLY !!!

I never had access to any WRT in my life (just touched the plastic box in a shop), BUT YOU SHOW ME YOURSELF THAT I AM RIGHT IN MY ASSUMPTIONS !!!

Go and try to set up a WDS gateway, and you will learn from life that there is no such thing as what you think life is.

Some clue to help your mind: what is br0? How to set it up? Have you ever seen a hardware NIC that the driver makes available as br0? If it's really a Linux running around, why aren't there eth0 and eth1 in the routing tables ???

Have you ever seen on the market a hardware NIC that does wired and non-wired at the same time? I never did => where are eth0 and wlan0 ???

===>>> Stop writing clueless stuff, and stop insulting and arguing with David, Duane, or whoever they are.

Reply to
DEMAINE Benoit-Pierre

I am not going to buy 100 APs for my parents' house ... nor spend 1 year writing IPSEC conf, nor buy some 3000 € hardware router ...

If nothing is cheap (200 USD), or fast to implement (4 human days), I just give up.

Reply to
DEMAINE Benoit-Pierre

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.