Ben Boulanger said:
>On 2 Aug 2002, Kenneth E. Lussier wrote:
>> >From the outside in:
>> 
>> router -> firewall -> FreeS/WAN gateway -> encrypted traffic to LAN.
>> 
>> Each machine on the LAN had its own keypair that was registered with
>> the gateway, so when a desktop was fired up, it would authenticate
>> itself to the gateway, and it was then free to communicate with anyone.
>> Anyone that was able to sniff the traffic just got encrypted streams. If
>> you could get a system onto the network, it would be useless unless the
>> gateway was compromised to accept a bogus key.


This is a good way to secure an 802.11b network too.

>
>Very cool idea... I like it a lot.  Did you actually implement it?  Any 
>idea what the overhead was like?  I imagine that your FreeS/WAN gateway 
>would need some decent horsepower - otherwise you'd have scaling issues as 
>your user base grows, right?  For smaller networks, or maybe large 
>networks segmented into smaller ones, this could be a nice setup.
>
>I guess one question is - the FreeS/WAN gateway solution still gives 
>someone a connection in, correct?  They can get on the network the same 
>way (put a box in physically, have it phone home, connect) they just can't 
>talk to anyone else.  This solves the one problem, however, it doesn't 
>solve the problem where you have a client that can't run something that 
>talks to your FreeS/WAN gateway.  Printservers, specialized boxes, etc..  

You could put them on an unsecured private network.  Throw a firewall 
in front of the unsecured network with key pairs too.  Well, I 
guess someone could hack that network, but you could probably do 
something allowing only certain MAC addresses.

The author of LPRng described how to do this with printers.  He had to 
print stock certificates or something like that.  PostScript is a 
programming language.  You can hide a key at random on the printer in 
RAM or on an attached hard drive.  So he implemented RSA in PostScript.

Some of these specialized boxes have Java.  There's an SSH in Java.

I've looked at implementing private firewalls on servers, e.g., a backup 
server running on an insecure net.  With ipfilter, iptables, and 
Windows 2k or XP it's not hard.

There's always the DOD approach: put the network cables in conduit that 
has a vibration alarm on it.  Use 10base2, token ring, or FDDI; 
something that detects a break and stops passing traffic if a splice is 
made.


-- 
-------
Tom Buskey
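As an added example (not code from the post above or from FreeS/WAN), here is a host-private iptables policy for the backup-server case Tom describes, which also uses the per-MAC allowance he suggests for the unsecured segment.  The backup port (TCP 10000), the admin host, and the client IP/MAC pairs are constructed values for illustration.  The script prints the rules by default so they can be reviewed; `apply` runs them as root.

```shell
#!/bin/sh
# Added example: host-private firewall for a backup server on an untrusted
# LAN.  Not code from the post or from FreeS/WAN.  All values below are
# constructed for illustration:
#   - the backup daemon is assumed to listen on TCP 10000
#   - 192.0.2.10 is the assumed admin host allowed to ssh in
#   - client IPs/MACs are made up (RFC 5737 documentation range)
# The MAC match only raises the bar for a box plugged into the same segment;
# MACs can be spoofed, so treat it as a filter, not as authentication.

BACKUP_PORT=10000
ADMIN_HOST=192.0.2.10
# ip=mac pairs for the hosts allowed to reach the backup port
ALLOWED_CLIENTS="192.0.2.20=00:11:22:33:44:55 192.0.2.21=00:11:22:33:44:66"
IPT="${IPT:-iptables}"

# Emit the rules as text so they can be reviewed before being applied.
gen_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -s $ADMIN_HOST -m state --state NEW -j ACCEPT
EOF
    for pair in $ALLOWED_CLIENTS; do
        ip=${pair%%=*}
        mac=${pair#*=}
        echo "$IPT -A INPUT -p tcp --dport $BACKUP_PORT -s $ip -m mac --mac-source $mac -m state --state NEW -j ACCEPT"
    done
    # Log (rate-limited) what gets dropped, so a strange box that tries to
    # "phone home" through this host shows up in syslog.
    echo "$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'backup-fw drop: '"
}

# Apply for real (root required); stops at the first iptables error.
apply_rules() {
    gen_rules | sh -e
}

# Number of ACCEPT rules in the generated policy, for a quick sanity check.
count_accept() {
    gen_rules | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules
fi
```

Everything not explicitly accepted hits the DROP policy, so the server is reachable only from the listed clients on the backup port and from the admin host on ssh; adding a client means adding one ip=mac pair.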



*****************************************************************
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the text 'unsubscribe gnhlug' in the message body.
*****************************************************************