Gustin, are you saying IDS is the worst offender here for processor/ram needs??

Shawn Gustin Johnson wrote:
> The mods I would look at installing:
> urlfilter and advanced proxy (provided by the same guy)
> http://www.advproxy.net/
>
> zerina (OpenVpn install)
> http://www.vpnforum.de/zerina/
>
> block out traffic (outbound filtering GUI options)
> http://blockouttraffic.de/
>
> I would put the wireless AP on a blue interface and then use block out
> traffic to deny everything except 80,110,143,443,587,993,995
> possibly port 22 if you are nice.
>
> Your current VPN will likely break behind a router. IPSec is not NAT
> friendly, and the client software that ships with XP is crippled (i.e. it
> is a partial implementation). The other VPN option supported by Windows
> out of the box has a number of known weaknesses. I would use the Zerina
> OpenVPN on the IPCOP box to do the actual VPN. It is less likely to
> break when your users are in some random hotel or hotspot.
>
> If you want a really secure Wifi, you deny all traffic via Block Out
> Traffic except the OpenVPN port. The only access is via OpenVPN. It
> does not matter if anyone cracks the WEP/WPA key, you could even run a
> completely open AP if you wanted to.
>
> Of course you would have to install the open vpn client software
> (http://openvpn.se/download.html) on all the laptops (usb key or via the
> wired lan).
>
> As for your hardware, you should be OK with 512 MB of RAM as long as you
> don't use the IDS. Chances are its reports will be meaningless to most
> anyway.
>
> TekBudda wrote:
> | Hi All,
> |
> | I am starting the process for building an IP-Cop firewall at work as one
> | of the things I do before I depart.
> |
> | Initially it will likely just do basic firewalling, but I would
> | anticipate down the road it doing the following:
> | * Proxying: To assist in reducing bandwidth usage. I am also looking at
> | proxying e-mail before it hits the exchange box.
> | * Content/Web Filtering: reducing/eliminating spam, virus, etc as well
> | as blocking sites we shouldn't be going to.
> | * VPN: This is a maybe. People are currently VPN'ing thru our cheap
> | router which passes thru the connection and authentication is done by the
> | server.
> | * Wifi: Connecting a Wifi router to a NIC.
> |
> | I would imagine there may be other things, but that's all I can think of
> | right now.
> |
> | The box that I have elected for this task has the following specs:
> | * CPU: P-III I GB
> | * RAM: 512 currently, but I was thinking of removing one stick
> | and using it somewhere else.
> | * HDD: 30 GB (?)
> | * NIC: Contains one onboard NIC. I was thinking of attaching this to
> | the WiFi. If the onboard NIC fails, the WiFi isn't a critical item, so
> | if we lost it temporarily it wouldn't matter
> |
> | From what I have heard, does it sound like this guy would be up to the
> | task or would I need something beefier? Are there any other
> | considerations for things like plug-ins or anything else I can think
> | of? Suggestions? Pitfalls? Flames? Smacks in the head?
> |
> | Any and all input is appreciated.
> |
> | TekBudda
> |
> | ------------------------------------------------------------------------
> |
> | _______________________________________________
> | clug-talk mailing list
> | [email protected]
> | http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> | Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> | **Please remove these lines when replying
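
The two Block Out Traffic policies described in the quoted reply (a port allowlist for the blue interface, or OpenVPN only), sketched as an added example that is not part of the thread and is not IPCop's or Block Out Traffic's own rule set. It prints plain iptables commands instead of applying them; the interface names, the UDP transport and port 1194 (OpenVPN's default) are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for the BLUE zone.
# Assumptions: the interface names and the OpenVPN port/protocol below are
# placeholders; the TCP port list is the one given in the post.
BLUE_IF="${BLUE_IF:-eth2}"      # hypothetical wireless-zone interface
RED_IF="${RED_IF:-eth1}"        # hypothetical internet-facing interface
ALLOWED_TCP="80 110 143 443 587 993 995"   # the post suggests 22 as optional
OVPN_PORT="${OVPN_PORT:-1194}"  # OpenVPN default port, assumed to run over UDP

# blue_rules MODE   where MODE is "ports" (allowlist) or "vpnonly"
blue_rules() {
    mode="$1"
    case "$mode" in
        ports|vpnonly) ;;
        *) echo "usage: blue_rules ports|vpnonly" >&2; return 2 ;;
    esac

    # Replies belonging to connections that were already permitted
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    if [ "$mode" = "ports" ]; then
        # New outbound connections from BLUE, one rule per allowed service
        for p in $ALLOWED_TCP; do
            echo "iptables -A FORWARD -i $BLUE_IF -o $RED_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    else
        # Only the VPN endpoint on the firewall itself is reachable from BLUE.
        # This also drops DHCP/DNS served by the firewall on BLUE unless
        # earlier rules allow them.
        echo "iptables -A INPUT -i $BLUE_IF -p udp --dport $OVPN_PORT -j ACCEPT"
        echo "iptables -A INPUT -i $BLUE_IF -j DROP"
    fi

    # Default deny for everything else BLUE tries to send through the box
    echo "iptables -A FORWARD -i $BLUE_IF -j DROP"
}
```

In `vpnonly` mode nothing from the wireless side is forwarded directly; clients only reach other networks through the tunnel interface, which needs its own rules.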

