I hear ya Eje. But...I hide my wireless network as much as possible. We do door-to-door advertisements (little postcard ads) in the areas of coverage.
I am attempting to pucker down the network as much as possible. I don't even want to open up my HTTP server to anyone who is not a client (using ONLY MY GEAR). But...you saying that my setup is "great" tells me I am okay.

You are the MAN EJE!! Thanks!

Sully

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eje Gustafsson
Sent: Monday, September 29, 2003 9:05 AM
To: The Wirefree Network
Subject: Re[2]: [smartBridges] Why use PPPoE??

That sounds great.. Might want to add hotspot where you can advertise your business name as well open up your AP but disallow client to client communications. That way someone could find your AP associate with it and get your "business ad" then they call you per instructions on your page. Can simply remove the login option if you don't want to allow automated signups.

/ Eje

Monday, September 29, 2003, 10:52:01 AM, you wrote:

TWN> "IF" I use PPPoE, I am pretty sure that my setup scenario will prevent what you are speaking of.
TWN> I already provide a router at EVERY install. This router has built-in PPPoE. The clients behind this router will ALL gain access to our network via THIS router. The Username/Password is preloaded, and Password is hashed. So...they can't hand it out to someone else. My NOC IPs are the only IPs authorized to manage the router.
TWN> I track EVERYONE's usage. If they go over my set bandwidth limits (per month), then I charge them. This STOPS them from purposely sharing their bandwidth with neighbors.
TWN> I am using MAC internal (soon RADIUS) for authorizing the sB (wireless) device with the aPPo. This STOPS odd balls from associating with my aPPo.
TWN> I will most likely use PPPoE for authorization to communicate through the gateway. This will STOP folks from being able to surf for free.
TWN> I use WEP for all wireless traffic. This STOPS the impatient, kiddie script hacker from eavesdropping.
TWN> WEP is not that easy to crack (have you done it on an sB network?).
TWN> Again...I am NOT running a HOTSPOT. I do NOT allow passersby to connect to my network to get to a login/payment home page!!
TWN> I provide ALL the equipment necessary to connect to MY network. I DO NOT provide the clients with ANY knowledge of the wireless network. All they know is that they hook up their switch inside their home/building and set all PCs to DHCP. If they want to use their own wireless router inside the home/building, then fine...they still need to set up the WAN side for DHCP and I don't care what they do on the LAN side of their router. I also use the rooftop sB device to periodically sniff the wireless traffic (looking for APs) around my clients' locations. If I find unsecured networks or networks on my channels, I go for a drive and inform them of the problems they may have (me as well) with their network and offer my assistance (most likely gain a client at the same time).
TWN> What do y'all think??
TWN> Sully

TWN> -----Original Message-----
TWN> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sevak Avakians
TWN> Sent: Monday, September 29, 2003 5:52 AM
TWN> To: [EMAIL PROTECTED]
TWN> Subject: Re: [smartBridges] Why use PPPoE??

TWN> Here's a scenario (close to what I may be having):
TWN> 2 friends (or brothers) who live in separate houses decide to pay for only 1 service, use the legitimate MAC address for the other friend and both are online. If we add pppoe, wouldn't they still be able to just share the login & pw? Can anything be done about this?
TWN> Sevak

TWN> On Sun, 2003-09-28 at 22:26, Eje Gustafsson wrote:
TWN>> This is slightly OT...
TWN>> FIRST...a little background:
TWN>> I have a pure sB wireless network. ALL of my clients are connected via an airBridge or airPoint.
TWN>> I obviously do not provide any information about our network to my clients, nor do they have admin rights to the sB device. Therefore, the network is pretty locked down...which does not allow clients to sniff wireless traffic (without first cracking WEP) because they can NOT put the sB device into promiscuous mode.
TWN>> I will NEVER have the need to allow non-paying customers to access my network either (hotspot webpage login).
TWN>> I currently use WEP and MAC internal authentication (although I will soon move to external RADIUS).
TWN>> I deploy SOHO routers at EVERY client home which is located between the sB device and the client internal network. I assign static IPs to EVERY sB device and client router. Therefore, there are only 2 IPs seen from any one of my clients (sB device and router).
TWN>> My SOHO router that I deploy at EVERY client has web based admin authorized from ONLY my NOC IP addresses. This allows me to not only manage all the devices remotely, but it also allows me to PING the internal network (beyond the sB device) to prove that the sB device is passing traffic to the wired LAN. Peace of mind for me.
TWN>> The SOHO routers have built-in PPPoE that I "could" enable if I want to.
TWN>> My question is this....Why should "I" use PPPoE for "THIS" network?
TWN> Additional security.
TWN>> 1. Does it provide more security? (not really, I think)
TWN> Absolutely.
TWN>> 2. Or would the only reason be for bandwidth limiting (which I currently can not do)?
TWN> That too.
TWN>> I do NEEEEEED bandwidth limiting, but the new XO radios will do this.
TWN>> So...really...does the use of PPPoE provide any greater level of security?
TWN> Yes Sir sure does.
TWN>> If someone manages to crack my WEP, then sniff someone's IP and MAC, then bumps that client off the network and assumes their identity, would PPPoE stop them from surfing? Who would really care at that point??
TWN> Cracking your WEP ain't too hard. Sniffing someone's IP and MAC isn't that hard either... Now to the killer they don't need to bump the client off the network to assume their identity. They could simply just assume their identity and surf away with peace of mind.
TWN> As long as the client can't hear the thief's radio then their router will not complain about duplicate ip on the network it just assumes the traffic that was sent to the ip/mac combo was someone attempting to communicate with them and simply ignore it while the thief also will get the traffic which is to him legit.
TWN> The thief will be surfing away stealing your service and you would NEVER know about it.
TWN> PPPoE if their login has not been authorized they don't get an IP and can not surf. Since you are no longer passing TCP traffic but PPPoE traffic you have to have a special software to create the pppoe tunnel. When you run PPPoE you don't even need to have an IP assigned on your router's ethernet interface that is to your clients because it's all done over pppoe.
TWN>> Does PPPoE use encrypted LOGIN?
TWN> Yes Sir. Encrypted logins so they have to capture the PPPoE login frames and then be able to crack the username and password out of those frames (pretty much impossible since it's done on a handshake basis and the password is not reverse decryptable).
TWN> Also depending on the client and server you can even create an encrypted pppoe tunnel so not only the login frames are encoded but ALL traffic is encrypted as well..
TWN> Plus you can turn on compression as well and you can compress the traffic between the clients and the server.
TWN> Save you some bandwidth there..
TWN>> I just don't see the need right now.....any advice would be greatly appreciated?
TWN> You could probably get away by doing what you're doing without any problems. But who knows you might not and the problem is that you will almost NEVER be able to tell for sure if you have been hacked.
TWN> Only way to tell is if you KNOW that a certain radio is offline and yet the client is sending data OR you're trying to manage a radio and sometimes you have problem getting into the unit. Say if the hacker is using a different brand of radio and you try to use SimpleMonitor on your client's radio the hacker's radio doesn't understand simplemonitor and when you try to connect it might tell you failure to connect IF the hacker's radio responded first. But if the client's radio responds first then you get your info.
TWN> Also if you look in the association list you might see that the remote client identifies as say a DLINK instead of a smartbridges radio but that is not a guarantee that you will see that (once again depends on what radio was fastest in their reply).
TWN> When you run pppoe you can set "only-one" just like on dial-up so if user A has successfully logged in he has to logoff before someone else can login with user A's username and password. This way IF the hacker gets hold of it as long as user A is online the hacker can't use it. If hacker gets online then user A can't get online but then hey he will call complain and you will take a look and see that he is already online. You kick the user offline and he can get online then somewhat later he calls again complain. Now you kick him offline but ask him to turn off his radio and you see him getting back online even though his radio is off.. HACKER ALERT!!!
TWN> Time to change that user's password...
TWN> Best regards,
TWN> Eje Gustafsson <mailto:[EMAIL PROTECTED]>
TWN> ---
TWN> The Family Entertainment Network <http://www.fament.com>
TWN> Phone : 620-231-7777 Fax : 620-231-4066
TWN> eBay UserID : macahan
TWN> - Your Full Time Professionals -

Best regards,
Eje Gustafsson mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network
eFax : 240-376-7272 Phone : 620-231-7777 Fax : 620-231-4066
Online Store http://www.fament.com/catalog/
- Your Full Time Professionals -

----------ANNOUNCEMENT----------
Don't forget to register for WISPCON IV
http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm

The PART-15.ORG smartBridges Discussion List
To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname>)
To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
Archives: http://archives.part-15.org
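
Added example, not part of the original thread and not code from smartBridges or any PPPoE/RADIUS product: a small Python model of the "only-one" session rule discussed in the thread, replayed over a constructed event stream, showing how a rejected second login surfaces shared or stolen credentials. The `PROVISIONED` table, the event tuple layout and the alert names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed provisioning table: username -> MAC of the router installed for that client.
PROVISIONED = {
    "client-a": "00:11:22:aa:bb:01",
    "client-b": "00:11:22:aa:bb:02",
}

# Constructed sample events: (timestamp, event, username, source MAC).
EVENTS = [
    (100, "login", "client-a", "00:11:22:aa:bb:01"),
    (200, "login", "client-b", "66:77:88:cc:dd:09"),  # credentials used from another device
    (260, "login", "client-b", "00:11:22:aa:bb:02"),  # the real router is now locked out
    (300, "logout", "client-a", "00:11:22:aa:bb:01"),
    (320, "login", "client-a", "00:11:22:aa:bb:01"),
]


@dataclass
class SessionTable:
    active: dict = field(default_factory=dict)  # username -> MAC holding the session
    alerts: list = field(default_factory=list)  # (timestamp, username, reason)

    def handle(self, ts, event, user, mac):
        mac = mac.lower()
        if event == "logout":
            # Only the device holding the session can end it.
            if self.active.get(user) == mac:
                del self.active[user]
            return "ok"
        if user not in PROVISIONED:
            self.alerts.append((ts, user, "unknown-user"))
            return "reject"
        if user in self.active:
            # "only-one": a second login while a session is up is refused and flagged.
            self.alerts.append((ts, user, "second-login-while-active"))
            return "reject"
        if mac != PROVISIONED[user]:
            # Weak signal only: a cloned MAC passes this check, so the
            # second-login alert above is the one that matters.
            self.alerts.append((ts, user, "unprovisioned-mac"))
        self.active[user] = mac
        return "accept"


def replay(events):
    """Run the events through a fresh table; return (decisions, alerts)."""
    table = SessionTable()
    decisions = [table.handle(*e) for e in events]
    return decisions, table.alerts


if __name__ == "__main__":
    decisions, alerts = replay(EVENTS)
    print(decisions)
    for alert in alerts:
        print(alert)
```
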
