Most if not all Access Concentrators have the ability to limit the PPPoE session to 1 simultaneous.
--Eric

----- Original Message -----
From: "Sevak Avakians" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 29, 2003 7:51 AM
Subject: Re: [smartBridges] Why use PPPoE??

> Here's a scenario (close to what I may be having):
>
> 2 friends (or brothers) who live in separate houses decide to pay for
> only 1 service, use the legitimate MAC address for the other friend and
> both are online. If we add PPPoE, wouldn't they still be able to just
> share the login & pw? Can anything be done about this?
>
> Sevak
>
>
> On Sun, 2003-09-28 at 22:26, Eje Gustafsson wrote:
>
> > TWN> This is slightly OT...
> >
> > TWN> FIRST...a little background:
> >
> > TWN> I have a pure sB wireless network. ALL of my clients are connected via
> > TWN> an airBridge or airPoint. I obviously do not provide any information
> > TWN> about our network to my clients, nor do they have admin rights to the sB
> > TWN> device. Therefore, the network is pretty locked down...which does not
> > TWN> allow clients to sniff wireless traffic (without first cracking WEP)
> > TWN> because they can NOT put the sB device into promiscuous mode.
> >
> > TWN> I will NEVER have the need to allow non-paying customers to access my
> > TWN> network either (hotspot webpage login).
> >
> > TWN> I currently use WEP and MAC internal authentication (although I will
> > TWN> soon move to external RADIUS).
> >
> > TWN> I deploy SOHO routers at EVERY client home which is located between the
> > TWN> sB device and the client internal network. I assign static IPs to EVERY
> > TWN> sB device and client router. Therefore, there are only 2 IPs seen from
> > TWN> any one of my clients (sB device and router).
> >
> > TWN> My SOHO router that I deploy at EVERY client has web based admin
> > TWN> authorized from ONLY my NOC IP addresses. This allows me to not only
> > TWN> manage all the devices remotely, but it also allows me to PING the
> > TWN> internal network (beyond the sB device) to prove that the sB device is
> > TWN> passing traffic to the wired LAN. Peace of mind for me.
> >
> > TWN> The SOHO routers have built-in PPPoE that I "could" enable if I want to.
> >
> > TWN> My question is this....Why should "I" use PPPoE for "THIS" network?
> >
> > Additional security.
> >
> > TWN> 1. Does it provide more security? (not really, I think)
> > Absolutely.
> >
> > TWN> 2. Or would the only reason be for bandwidth limiting (which I currently
> > TWN> can not do)?
> >
> > That too.
> >
> > TWN> I do NEEEEEED bandwidth limiting, but the new XO radios will do this.
> > TWN> So...really...does the use of PPPoE provide any greater level of
> > TWN> security?
> >
> > Yes Sir sure does.
> >
> > TWN> If someone manages to crack my WEP, then sniff someone's IP and MAC,
> > TWN> then bumps that client off the network and assumes their identity, would
> > TWN> PPPoE stop them from surfing? Who would really care at that point??
> >
> > Cracking your WEP ain't too hard. Sniffing someone's IP and MAC isn't
> > that hard either... Now to the killer: they don't need to bump the
> > client off the network to assume their identity. They could simply just
> > assume their identity and surf away with peace of mind.
> > As long as the client can't hear the thief's radio then their router
> > will not complain about duplicate IP on the network, it just assumes
> > the traffic that was sent to the IP/MAC combo was someone attempting
> > to communicate with them and simply ignores it, while the thief also
> > will get the traffic which is to him legit.
> > The thief will be surfing away stealing your service and you would
> > NEVER know about it.
> > PPPoE: if their login has not been authorized they don't get an IP and
> > can not surf. Since you are no longer passing TCP traffic but PPPoE
> > traffic you have to have special software to create the PPPoE
> > tunnel. When you run PPPoE you don't even need to have an IP assigned on
> > your router's ethernet interface that is to your clients because it's
> > all done over PPPoE.
> >
> > TWN> Does PPPoE use encrypted LOGIN?
> >
> > Yes Sir. Encrypted logins so they have to capture the PPPoE login
> > frames and then be able to crack the username and password out of
> > those frames (pretty much impossible since it's done on a handshake
> > basis and the password is not reverse decryptable).
> >
> > Also depending on the client and server you can even create an
> > encrypted PPPoE tunnel so not only the login frames are encoded but
> > ALL traffic is encrypted as well..
> >
> > Plus you can turn on compression as well and you can compress the
> > traffic between the clients and the server. Save you some bandwidth
> > there..
> >
> > TWN> I just don't see the need right now.....any advice would be greatly
> > TWN> appreciated?
> >
> > You could probably get away with doing what you're doing without any
> > problems. But who knows, you might not, and the problem is that you will
> > almost NEVER be able to tell for sure if you've been hacked.
> > Only way to tell is if you KNOW that a certain radio is offline and
> > yet the client is sending data OR you're trying to manage a radio and
> > sometimes you have problems getting into the unit. Say if the hacker is
> > using a different brand of radio and you try to use SimpleMonitor on
> > your client's radio, the hacker's radio doesn't understand SimpleMonitor
> > and when you try to connect it might tell you failure to connect IF
> > the hacker's radio responded first. But if the client's radio responds
> > first then you get your info.
> > Also if you look in the association list you might see that the remote
> > client identifies as say a DLINK instead of a smartBridges radio but
> > that is not a guarantee that you will see that (once again depends on
> > what radio was fastest in their reply).
> >
> > When you run PPPoE you can set "only-one" just like on dialup so if
> > user A has successfully logged in he has to log off before someone
> > else can log in with user A's username and password. This way IF the
> > hacker gets hold of it, as long as user A is online the hacker can't use
> > it. If the hacker gets online then user A can't get online but then hey he
> > will call to complain and you will take a look and see that he is already
> > online. You kick the user offline and he can get online, then somewhat
> > later he calls again to complain. Now you kick him offline but ask him to
> > turn off his radio and you see him getting back online even though his
> > radio is off.. HACKER ALERT!!!
> > Time to change that user's password...
> >
> > Best regards,
> >  Eje Gustafsson                       mailto:[EMAIL PROTECTED]
> > ---
> > The Family Entertainment Network      http://www.fament.com
> > Phone : 620-231-7777                  Fax   : 620-231-4066
> > eBay UserID : macahan
> >           - Your Full Time Professionals -
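
The one-session limit and the shared-login scenario discussed in this thread can also be checked after the fact from session records. The following is an added example, not part of the original messages: the record layout, usernames and MAC addresses are constructed, and it assumes the access concentrator or RADIUS accounting exposes the client MAC and start/stop times per PPPoE session.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the thread): one row per PPPoE session,
# as could be derived from RADIUS accounting Start/Stop pairs (assumed layout).
# Fields: username, client MAC, start, stop (None = session still up).
SESSIONS = [
    ("usera", "00:11:22:33:44:55", "2003-09-29 08:00", "2003-09-29 12:00"),
    ("usera", "00:AA:BB:CC:DD:EE", "2003-09-29 11:30", "2003-09-29 13:00"),
    ("userb", "00:11:22:33:44:66", "2003-09-29 08:00", "2003-09-29 09:00"),
    ("userb", "00:11:22:33:44:66", "2003-09-29 09:05", None),
    ("userc", "00:11:22:33:44:77", "2003-09-29 07:00", "2003-09-29 08:00"),
    ("userc", "00:DE:AD:BE:EF:01", "2003-09-29 10:00", None),
]

def _ts(text):
    # An open session is treated as running until the end of time.
    return datetime.strptime(text, "%Y-%m-%d %H:%M") if text else datetime.max

def audit(sessions):
    """Return {username: set of findings} for logins that need a closer look."""
    by_user = defaultdict(list)
    for user, mac, start, stop in sessions:
        by_user[user].append((_ts(start), _ts(stop), mac.lower()))
    findings = defaultdict(set)
    for user, rows in by_user.items():
        rows.sort()
        latest_stop = datetime.min
        for start, stop, _mac in rows:
            # A session that starts before an earlier one ended means the
            # one-session-per-login limit was not enforced for this user.
            if start < latest_stop:
                findings[user].add("simultaneous-sessions")
            latest_stop = max(latest_stop, stop)
        if len({mac for _, _, mac in rows}) > 1:
            # Same login from more than one client MAC: shared or stolen
            # credentials, or a replaced router. Needs a human check.
            findings[user].add("multiple-macs")
    return dict(findings)

if __name__ == "__main__":
    for user, flags in sorted(audit(SESSIONS).items()):
        print(user, sorted(flags))
```

With the session limit enforced, "simultaneous-sessions" should never appear; "multiple-macs" is the signal that remains for a login that moves between locations.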
