Re: question on
Howdy Clarence,
As I've not done this myself on obsd yet I can't help you with any
specifics - yet.
I've been reading the various obsd lists for the past few weeks as
preparation for migrating my own system to use obsd as a firewall++. I
expect I'll complete my project in 6-10 weeks, depending on my social
and work loads. I'll be happy to help out more by then.
For now I suggest you search the archives for misc@openbsd.org for "VPN"
or "IPSEC" and read it all. Be sure to read the appropriate man pages
[vpn(8), ipsec(4)] as well as the OBSD FAQ on IPSEC
http://www.openbsd.org/faq/faq13.html . If this is not enough try
learning a bit more about IPSEC and VPNs first - http://www.faqs.org has
tons of reasonable content.
Getting a VPN up and running is a complicated project. I suggest that
you start small. Try getting something working (back it up) and keep
improving it until you have what you want. Having a couple of scratch
machines to build a 'play' network is very useful for this kind of fun.
best wishes,
ram
-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf
Of Clarence
Sent: Tuesday, March 05, 2002 22:53
To: Ram
Cc: misc@openbsd.org
Subject: Re: question on
Hi Ram,
Thanks for your answer, although I don't fully understand all of it.
On Tue, 5 Mar 2002, Ram wrote:
> Hi Clarence.
>
> Where is the VPN in the diagram? If you run a VPN on your internal
> network then you are in good shape- simply require all access to
> obsd-gw to use the VPN. This is pretty good.
>
Yes, internal VPN should be part of the answer. For the past few days, I
have studied the FAQ (VPN using X509 on OBSD), examples from the internet,
email, books... I tried to go through the examples with vpn (obsd) and
PGPnet. However, I finally messed up all the things about the VPN,
X509...
I think I need some working examples for setting up the VPN using X509,
which I am going to use for my LAN. Can you show me some direction for
it? I don't need every detail of VPN using X509, but some basic and
practical working steps and examples. Thanks.
> You can also require WEP to make it a bit more difficult to connect to
> your wireless network. This is not very good, but it helps a bit.
>
I don't think that is what I want either.
> You can also configure your wireless access point to deny clients
> which have unknown MAC addresses.
>
I don't have an access point. What I am using is an obsd-3.0 machine
acting as an access point using wicontrol commands. I think it could be
done using pf, but it would be trouble if there are machines.
> You can also configure your obsd-gw to deny internal packets from
> unknown IP addresses [then you should use static IP addresses on your
> network].
>
> Note that your weakest machine is your weakest link, so if you run an
> unpatched windows machine with "share C$ to all with no password" then
> your IPSEC / VPN would be useless against a "copy and paste" attack of
> your private key.
>
> If you don't use a VPN internally you can still use the rest of the
> suggestions.
>
> Hope this helps,
> ram
>
>
>
> -----Original Message-----
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf
> Of Clarence
> Sent: Tuesday, March 05, 2002 05:54
> To: misc@openbsd.org
> Subject: question on
>
> Hello,
>
> For the past couple of days, I spent most of the time studying the setup
> of VPN, X509... for the infrastructure (LAN). However, I have one
> question in my mind that confuses me very much. Let me present it with
> the diagram listed below.
>
> internet <--> openbsd-gw <--> internal LAN (wireless / wired)
>
> The question is like this: how can the sys admin guard against an
> illegal user from the internal LAN using the facilities of the
> openbsd-gw? He may know the IP of the openbsd-gw and DNS server. For
> example, he/she may use a laptop with a wireless LAN and set up all the
> necessary settings to use the facilities of the GW. How can the sys
> admin control it? If it is a stupid question, please forgive me. Thanks.
>
> Clarence
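Putting Ram's quoted suggestions together (require IPsec for all access to obsd-gw, and drop internal packets from addresses you did not hand out), the following pf.conf fragment is an added example for this thread, not something either poster wrote. It is written in current pf.conf syntax rather than the syntax of OpenBSD 3.0, and the interface name wi0, the 192.168.1.0/24 addressing and the list of known hosts are assumptions; the rules for the external interface are left out because they are not part of Clarence's question.

```pf
# Added example, not from the thread: internal-side rules for obsd-gw.
# Current pf.conf syntax (not OpenBSD 3.0's). Interface and addresses are assumed.
int_if      = "wi0"              # wireless side of the gateway (assumed)
gw_int      = "192.168.1.1"      # gateway's internal address (assumed)
known_hosts = "{ 192.168.1.10, 192.168.1.11, 192.168.1.12 }"  # static IPs of your own machines (assumed)

set skip on lo

# Default: nothing arriving from the internal LAN reaches the gateway or gets forwarded.
block in log on $int_if all

# Known hosts may negotiate IPsec with the gateway (IKE, udp/500) and send it ESP.
# No other cleartext is accepted, so knowing the gateway's or the DNS server's IP buys nothing.
pass in quick on $int_if proto udp from $known_hosts to $gw_int port isakmp keep state
pass in quick on $int_if proto esp from $known_hosts to $gw_int

# Decrypted IPsec traffic reappears inbound on enc0; that is the only place the
# gateway's services (DNS, forwarding to the internet) are exposed to the LAN.
pass in quick on enc0 from $known_hosts to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. The `known_hosts` filter is only the "deny unknown IP addresses" layer Ram mentioned: anyone on the wireless LAN can configure one of those addresses on a laptop, so it raises the bar but does not decide anything. What actually distinguishes your machines from the stranger's laptop is that only yours hold certificates the gateway's isakmpd will accept, and the ESP/enc0 rules make sure that is the only path to the gateway's facilities.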