The mods I would look at installing:
urlfilter and advanced proxy (provided by the same guy) http://www.advproxy.net/
zerina (OpenVPN install) http://www.vpnforum.de/zerina/
block out traffic (outbound filtering GUI options) http://blockouttraffic.de/

I would put the wireless AP on a blue interface and then use Block Out Traffic to deny everything except 80, 110, 143, 443, 587, 993, 995, and possibly port 22 if you are nice.

Your current VPN will likely break behind a router. IPSec is not NAT friendly, and the client software that ships with XP is crippled (i.e. it is a partial implementation). The other VPN option supported by Windows out of the box has a number of known weaknesses. I would use the Zerina OpenVPN on the IPCop box to do the actual VPN. It is less likely to break when your users are in some random hotel or hotspot.

If you want a really secure Wifi, you deny all traffic via Block Out Traffic except the OpenVPN port. The only access is via OpenVPN. It does not matter if anyone cracks the WEP/WPA key; you could even run a completely open AP if you wanted to. Of course you would have to install the OpenVPN client software (http://openvpn.se/download.html) on all the laptops (USB key or via the wired LAN).

As for your hardware, you should be OK with 512 MB of RAM as long as you don't use the IDS. Chances are its reports will be meaningless to most anyway.

TekBudda wrote:
| Hi All,
|
| I am starting the process for building an IP-Cop firewall at work as one
| of the things I do before I depart.
|
| Initially it will likely just do basic firewalling, but I would
| anticipate down the road it doing the following:
| * Proxying: To assist in reducing bandwidth usage. I am also looking at
| proxying e-mail before it hits the Exchange box.
| * Content/Web Filtering: reducing/eliminating spam, viruses, etc. as well
| as blocking sites we shouldn't be going to.
| * VPN: This is a maybe. People are currently VPN'ing through our cheap
| router which passes through the connection, and authentication is done by the
| server.
| * Wifi: Connecting a Wifi router to a NIC.
|
| I would imagine there may be other things, but that's all I can think of
| right now.
|
| The box that I have elected for this task has the following specs:
| * CPU: P-III I GB
| * RAM: 512 currently, but I was thinking of removing one stick
| and using it somewhere else.
| * HDD: 30 GB (?)
| * NIC: Contains one onboard NIC. I was thinking of attaching this to
| the WiFi. If the onboard NIC fails, the WiFi isn't a critical item, so
| if we lost it temporarily it wouldn't matter.
|
| From what I have heard, does it sound like this guy would be up to the
| task or would I need something beefier? Are there any other
| considerations for things like plug-ins or anything else I can think
| of? Suggestions? Pitfalls? Flames? Smacks in the head?
|
| Any and all input is appreciated.
|
| TekBudda
|
|
| ------------------------------------------------------------------------
|
| _______________________________________________
| clug-talk mailing list
| [email protected]
| http://clug.ca/mailman/listinfo/clug-talk_clug.ca
| Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
| **Please remove these lines when replying
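The two wireless policies the reply describes (only the listed web and mail ports out to the Internet, or nothing at all except OpenVPN to the firewall) come down to a handful of netfilter rules, which is what Block Out Traffic generates under the hood. The script below is an added example and is not code from the original post, from IPCop or from the Block Out Traffic add-on: it emits an iptables-restore ruleset for the blue NIC in either mode. The interface names (eth1 for blue, eth0 for red), the blue subnet 192.168.2.0/24 and the OpenVPN port UDP 1194 are assumptions, not values from the thread, and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original post, IPCop or Block Out Traffic):
# emit an iptables-restore ruleset for the wireless ("blue") NIC that
# implements the two policies described in the reply.
#   web-mail : wireless clients may only reach the Internet on
#              TCP 80,110,143,443,587,993,995 (and 22 if you are nice)
#   vpn-only : wireless clients may only talk OpenVPN to the firewall;
#              everything else, including forwarding, is dropped.
# Assumed values (not in the original): blue = eth1 / 192.168.2.0/24,
# red = eth0, OpenVPN on UDP 1194. Override via the environment if needed.
BLUE_IF="${BLUE_IF:-eth1}"
BLUE_NET="${BLUE_NET:-192.168.2.0/24}"
RED_IF="${RED_IF:-eth0}"
OVPN_PORT="${OVPN_PORT:-1194}"
WEBMAIL_PORTS="80,110,143,443,587,993,995"

# blue_ruleset MODE [ALLOW_SSH=yes|no]  -> ruleset on stdout
blue_ruleset() {
    mode="$1"
    allow_ssh="${2:-no}"
    case "$mode" in
        vpn-only|web-mail) ;;
        *) echo "usage: blue_ruleset {vpn-only|web-mail} [yes|no]" >&2; return 1 ;;
    esac
    printf '%s\n' '*filter' ':BLUE_IN - [0:0]' ':BLUE_FWD - [0:0]'
    # Everything arriving on the blue NIC goes through the two chains below.
    printf '%s\n' "-A INPUT -i $BLUE_IF -j BLUE_IN"
    printf '%s\n' "-A FORWARD -i $BLUE_IF -j BLUE_FWD"
    # Replies to connections allowed further down.
    printf '%s\n' '-A BLUE_IN -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A BLUE_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # DHCP must be accepted before the anti-spoofing rule: a DHCPDISCOVER
    # is sourced from 0.0.0.0, which is not inside BLUE_NET.
    printf '%s\n' '-A BLUE_IN -p udp --sport 68 --dport 67 -j ACCEPT'
    # Anti-spoofing: only addresses from the blue subnet may use the blue NIC.
    printf '%s\n' "-A BLUE_IN ! -s $BLUE_NET -j DROP"
    printf '%s\n' "-A BLUE_FWD ! -s $BLUE_NET -j DROP"
    if [ "$mode" = vpn-only ]; then
        # The only service a wireless client can reach is OpenVPN on the
        # firewall itself; traffic inside the tunnel arrives on tun0, not here,
        # so no FORWARD rule from blue is needed at all.
        printf '%s\n' "-A BLUE_IN -p udp --dport $OVPN_PORT -j ACCEPT"
    else
        ports="$WEBMAIL_PORTS"
        [ "$allow_ssh" = yes ] && ports="22,$ports"
        # DNS to the firewall's own resolver, and the listed TCP ports out to red.
        printf '%s\n' '-A BLUE_IN -p udp --dport 53 -j ACCEPT'
        printf '%s\n' "-A BLUE_FWD -o $RED_IF -p tcp -m multiport --dports $ports -j ACCEPT"
    fi
    # Deny everything else from blue, both to the firewall and through it.
    printf '%s\n' '-A BLUE_IN -j DROP' '-A BLUE_FWD -j DROP' 'COMMIT'
}

# Number of ACCEPT rules a ruleset contains (a quick sanity check).
count_accepts() {
    blue_ruleset "$@" | grep -c -- '-j ACCEPT'
}

# Load on the firewall with:  blue_ruleset vpn-only | iptables-restore --noflush
```

In vpn-only mode the ruleset deliberately contains no ACCEPT in BLUE_FWD: a client that has cracked the WEP/WPA key, or joined an open AP, gets an address from DHCP and can reach UDP 1194 on the firewall and nothing else. What the VPN users may do once inside the tunnel is decided by separate rules on tun0, which is where the access control actually lives in that design. The `-m state` match is the iptables syntax of the IPCop era; on current kernels it is an alias for `-m conntrack --ctstate`.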

