IPSEC wireless router ?

 
 
DEMAINE Benoit-Pierre

 
      09-24-2005, 02:33 PM
I am looking for something secure:
hardware wireless router:

- one ethernet port dedicated to provider (DHCP and PPPOE capable)
- one LAN port which would be linked to some switch
- wireless repeater

BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to LAN ethernet, but
rather require any client to use IPSEC tunneling.

That's for home use; I am too lame to set linux box, because I don't feel like
setting up an IPSEC server, and had too much bad XP with IDE disks on home made
router (usually crash after 2 or 3 years 24/24).

I hope such a device should be available between 150 and 300 e

Maybe there are some tutorials to convert this way some Linksys WRT ?
or some Dlink with such native support ?

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
 
David Taylor

 
      09-24-2005, 04:59 PM
> I am looking for something secure:
> hardware wireless router:


I know where you're going with that but why? You can use WPA on a
WRT54G as long as your clients support it and given a strong password,
that's going to suit pretty much all home users.

IPSec has limitations too, how were you planning on authenticating?
Which EAP type were you going to use? EAP-MD5 for example is easily
dictionary crackable for example.

David.
 
Duane Arnold

 
      09-24-2005, 05:12 PM
DEMAINE Benoit-Pierre wrote:

> I am looking for something secure:
> hardware wireless router:
>
> - one ethernet port dedicated to provider (DHCP and PPPOE capable)
> - one LAN port which would be linked to some switch
> - wireless repeater
>
> BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to LAN
> ethernet, but rather require any client to use IPSEC tunneling.
>
> That's for home use; I am too lame to set linux box, because I don't
> feel like setting up an IPSEC server, and had too much bad XP with
> IDE disks on home made router (usually crash after 2 or 3 years
> 24/24).
>
> I hope such a device should be available between 150 and 300 e
>
> Maybe there are some tutorials to convert this way some Linksys WRT ?
> or some Dlink with such native support ?
>


I don't think you can do what you want. You can use an IPSEC tunnel
between computers through the O/S such as Win 2K, XP and etc and that's a
VPN solution software to software, you can have a software VPN client on
a client machine with server software VPN implemented on a device such as
a firewall appliance or a router such as a Watchguard or others that fall
into that category such as a Sonicwall, Cisco and others, software client to
server host VPN solutions such as AT&T Extranet or you can have hardware
to hardware VPN solution router to router.

http://www.homenethelp.com/vpn/

But some kind of a VPN solution between the wireless gateway device such
as a NAT router and your wireless machines on the LAN is questionable.
Maybe, a VPN solution with a wireless Watchguard FW appliance or others
and its client VPN software solution on the machines may work to protect
a wireless LAN situation between the gateway device and the clients I
don't know.

You can check out the WG X5 series I think that's around $300 but the VPN
on the client machines costs extra and you can check out others too

Duane
 
Jeff Liebermann

 
      09-24-2005, 06:06 PM
On Sat, 24 Sep 2005 15:33:55 +0200, DEMAINE Benoit-Pierre wrote:

>I am looking for something secure:
>hardware wireless router:
>
>- one ethernet port dedicated to provider (DHCP and PPPOE capable)
>- one LAN port which would be linked to some switch
>- wireless repeater
>
>BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to LAN ethernet,


Not possible. 802.11 wireless is bridging by definition. No routing,
IP addresses, or services (such as IPSec) involved. There's no other
way to connect between wireless and wired devices other than bridging.

Now, you could isolate the wired and wireless part with a router, VPN,
or filters, but that requires layer 3 services in addition to
bridging.

>but
>rather require any client to use IPSEC tunneling.


Overkill. You have WPA encryption for the wireless. On top of that,
you want to add VPN encryption. You don't really need both. WPA is
enough.

>That's for home use; I am too lame to set linux box, because I don't feel like
>setting up an IPSEC server, and had too much bad XP with IDE disks on home made
>router (usually crash after 2 or 3 years 24/24).


The bigger they are, the harder they crash. How about this
alternative? Use an access point, not a wireless router for the
wireless part of the puzzle. Use WPA encryption. Use a separate
IPSec VPN router to terminate the tunnel. Netgear seems to have a
good selection:
| http://www.netgear.com/products/busi...ecurity_sb.php
There are lots of other wired VPN routers to choose from at around
$100US. If you want your VPN termination, it's in the box. This will
also allow you to be rather creative in locating the wireless access
point and allow easy upgrades to the latest 802.11 acronyms.

There are products that sorta do what you want:
| http://www.netgear.com/products/details/FWAG114.php
| http://www.sonicwall.com/products/tz170SP_wireless.html
I don't think you'll like the prices.

>I hope such a device should be available between 150 and 300 e
>
>Maybe there are some tutorials to convert this way some Linksys WRT ?
>or some Dlink with such native support ?


Yes. The WRT54G can handle alternative firmware with VPN termination
features. Sveasoft Alchemy includes PPTP VPN services which is handy
for Windoze clients as it comes with the operating system. IPSec is
available in various custom builds. I'm too lazy to find these. Bug
me if you need URL's.


--
Jeff Liebermann
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
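
The layer-3 isolation described in the post above (wireless side routed rather than bridged, with only IPsec let through), as an added example that is not part of the original thread: a shell function that prints an `iptables-restore` ruleset for a Linux-based router. The interface names `wlan0` and `br-lan` are assumptions, as is a kernel IPsec stack where decapsulated packets can be recognised with the iptables `policy` match.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that routes (does not bridge)
# the wireless segment and accepts from it only IPsec and what IPsec needs.
# Interface names are assumptions; pass your own as $1 (wireless) and $2 (LAN).

wlan_ipsec_only_rules() {
    wlan="${1:-wlan0}"     # assumed wireless interface, NOT a bridge member
    lan="${2:-br-lan}"     # assumed wired LAN interface

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, wired LAN management, and replies to the router's own traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Wireless clients may lease an address...
-A INPUT -i $wlan -p udp --sport 68 --dport 67 -j ACCEPT
# ...negotiate keys (IKE, and IKE/ESP over UDP for NAT traversal)...
-A INPUT -i $wlan -p udp --dport 500 -j ACCEPT
-A INPUT -i $wlan -p udp --dport 4500 -j ACCEPT
# ...and send ESP (IP protocol 50). Nothing else is accepted in clear text.
-A INPUT -i $wlan -p esp -j ACCEPT
# Packets that were decapsulated by an IPsec SA may reach the router itself
-A INPUT -i $wlan -m policy --dir in --pol ipsec -j ACCEPT
# ...and may be forwarded to the LAN or the provider link.
-A FORWARD -i $wlan -m policy --dir in --pol ipsec -j ACCEPT
# Return traffic toward wireless must leave through an IPsec policy too.
-A FORWARD -o $wlan -m policy --dir out --pol ipsec -j ACCEPT
# Log whatever else the wireless side tries, then fall through to DROP.
-A INPUT -i $wlan -m limit --limit 6/min -j LOG --log-prefix "wlan-cleartext: "
-A FORWARD -i $wlan -m limit --limit 6/min -j LOG --log-prefix "wlan-cleartext: "
COMMIT
EOF
}

# Print the ruleset when run directly; pipe the output into iptables-restore.
wlan_ipsec_only_rules "$@"
```

The `wlan-cleartext:` log lines show which clients are still trying to talk without a tunnel, which is the check that the wireless side really is not bridged to the LAN.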
 
Duane Arnold

 
      09-24-2005, 07:54 PM
I just want you to know that I am sitting out here in an Extended stay inn
using a dial-up direct connection to the Internet. Before implementing
Analogx's IPsec Secpol rules for configuring IPsec to act in a firewall like
mannerism, BlackIce was sounding off and blocking unsolicited inbound
traffic. I have not been on a dial-up connection with a machine in several
years and was surprised at the number of probes, scans and attacks being run
against the machine such as MS SQL Server, RPC, *NetBIOS*, etc, which BI was
blocking and logging and alerting on things such as O/S Fingerprinting. And
I have some vulnerable applications running such as IIS and SQL Server.

However, since implementing IPsec on the XP Pro machine and activating the
Analogx's SecPol rules with making adjustments in the rules like allowing
SMTP on TCP port 587, because EarthLink uses port 587 and not 25 and
configuring AnalogX's rules to block all the Windows Networking ports and
other ports IPsec protects by default such as TCP 135 only allowing traffic
in a LAN situation, BlackIce has not logged anything in the logs, barked,
whined, or alerted with IPsec supplementing BI.

I was using BI and IPsec to supplement the no FW Linksys NAT router I was
using. But until now, I was not aware of how powerful of a solution IPsec is
and its ability to be used in a FW like manner to stop inbound or outbound
traffic by port, protocol or IP and nothing is coming past it *NOTHING*
which would make BlackIce react.

I am very impressed with IPsec and its ability to supplement in a FW like
manner. <g>

http://www.petri.co.il/block_ping_tr...with_ipsec.htm
http://www.analogx.com/contents/articles/ipsec.htm
http://support.microsoft.com/kb/813878

But just keep in mind I am not a guru like you are, and therefore, you can
kiss my *ASS* about IPsec and anything else for that matter with your
*tongue* hanging out. <vbg>



 
David Taylor

 
      09-24-2005, 08:20 PM
> using. But until now, I was not aware of how powerful of a solution IPsec is
> and its ability to be used in a FW like manner to stop inbound or outbound
> traffic by port, protocol or IP and nothing is coming past it *NOTHING*
> which would make BlackIce react.


It's not new Duane. All you're doing is blocking traffic by port. I'm
surprised that it's new to you.

The main advantage of IPSec is the Sec part, i.e. security. Simply
creating filters and a filter action like you are doing is the very very
simplest start. What the original poster wanted was security which to
do properly requires a PKI implementation. Then you get mutual
authentication and encryption, none of which you have right now.

> I am very impressed with IPsec and its ability to supplement in a FW like
> manner. <g>


Been doing that for ages, it's not new but it does have value, it's
just not the friendliest interface for noddies to configure and it
doesn't provide any stateful inspection or application inspection but
yes, if all you want to do is set up block/allow filters, it's fine.

> But just keep in mind I am not a guru like you are, and therefore, you can
> kiss my *ASS* about IPsec and anything else for that matter with your
> *tongue* hanging out. <vbg>


No need but keep reading, you'll learn as you go along. It fascinates
me why you post what you do sometimes.

Just remember, IPSec is an IP only solution, if you have NWLink or
NetBEUI installed and bound, you might just as well hand your PC over to
Mr Hacker.

David.
 
Duane Arnold

 
      09-25-2005, 12:47 AM

"David Taylor" wrote in message:
>> using. But until now, I was not aware of how powerful of a solution IPsec is
>> and its ability to be used in a FW like manner to stop inbound or outbound
>> traffic by port, protocol or IP and nothing is coming past it *NOTHING*
>> which would make BlackIce react.

>
> It's not new Duane. All you're doing is blocking traffic by port. I'm
> surprised that it's new to you.


MOOT

>
> The main advantage of IPSec is the Sec part, i.e. security. Simply
> creating filters and a filter action like you are doing is the very very
> simplest start. What the original poster wanted was security which to
> do properly requires a PKI implementation. Then you get mutual
> authentication and encryption, none of which you have right now.


Who cares about what the OP is talking about? This goes back to last week
between you and I..

>
>> I am very impressed with IPsec and its ability to supplement in a FW like
>> manner. <g>

>
> Been doing that for ages, it's not new but it does have value, it's
> just not the friendliest interface for noddies to configure and it
> doesn't provide any stateful inspection or application inspection but
> yes, if all you want to do is set up block/allow filters, it's fine.


I have been using it for a couple of years and that's after someone made me aware
of it so how can it be new to me? I have made posts about using IPsec as a
supplement for a couple of years so how can it be new to me? Hell, people
who look for solutions in securing machines and that's their job don't know
about using IPsec and its ability until I inform them about it. I already
know about IPsec statefulness and other shortcomings. After all, IPsec is
not FW software but can act in limited FW like manner to protect the Windows
NT based O/S like Win 2K and up as a supplemental solution.

IPsec was not introduced to the Windows NT based O/S until Win 2K so that
someone could use it as a possible solution particularly in the home or on
the road situations. Many, many, many, many users of the WIN 2K and up
O/S(s) are not aware that it's even there. And many users *bitch* about the
XP O/S FW not being able to stop outbound traffic. However, with the use of
IPsec on the machine with the XP FW, IPsec can be used to supplement the XP
FW and stop outbound traffic if need be.
>
>> But just keep in mind I am not a guru like you are, and therefore, you can
>> kiss my *ASS* about IPsec and anything else for that matter with your
>> *tongue* hanging out. <vbg>

>
> No need but keep reading, you'll learn as you go along. It fascinates
> me why you post what you do sometimes.


What? Am I going to learn something from you? LOL I doubt it seriously. <g>

What's the fascination? I have been doing it for years on the Internet for
those I do not *RESPECT*. So guess what I don't have for you? <g> and <EOR>

>
> Just remember, IPSec is an IP only solution, if you have NWLink or
> NetBEUI installed and bound, you might just as well hand your PC over to
> Mr Hacker.


I think I mentioned the word *supplement* several times in my original post
and on the post where you started going to left field on NWLink and NetBIOS.

Maybe, you need to look up the word *supplement* and the meaning of the
word, since you're such the guru and I might add a
*university/college/boy -- ass-wipe*. <g> and <EOR>

Why would someone need NetBEUI and NWLink on a dialup? However, some ISP(s)
would bind NetBEUI on WIN 2K and down when installing its software like
Netzero a few years back and one knew to unbind it. And one uses NWLink in
a LAN situation if needed with something like a router setting there and
possibly IPsec as a *supplemental* solution.

And besides if some end user that does understand how to make filtering
rules on any type of FW such as a PFW solution, then IPsec is a piece of
cake with the use of the AnalogX rules.

Really, I am not posting about IPsec to you in particular but you do need
your ass kicked about it up in my face with your *Bull Shit*. The post was
for others who may be reading this post between you and I and understand
that there is another element on the Win 2K and up O/S that can be used in a
supplemental fashion to protect the machine and it can protect by port,
protocol and IP inbound or outbound and is a powerful supplemental tool
that can be used that has been made easy to use by using the AnalogX SecPol
rules.

Users are not aware of IPsec sitting on the O/S and what it can do in the
protection of the Windows NT based O/S.

I have seen posts about IPsec being used as the only solution to protect the
machine as a FW. <g>
..

 
DEMAINE Benoit-Pierre

 
      09-25-2005, 04:39 AM
David Taylor wrote:
>>I am looking for something secure:
>>hardware wireless router:

>
>
> I know where you're going with that but why? You can use WPA on a
> WRT54G as long as your clients support it and given a strong password,
> that's going to suit pretty much all home users.


Even if I buy WPA APs, few clients have it yet

WPA is not down compatible with 802.11b ... IPSEC is with any wireless card and any
OS ... and will remain secure as long as SSL is not broken, when optimistic people
think that WPA will be broken within 12 months.

I am not to buy for WPA which will soon be weak.

> IPSec has limitations too, how were you planning on authenticating?
> Which EAP type were you going to use? EAP-MD5 for example is easily
> dictionary crackable for example.


exchange of primary key can be done by email the day before my customer joins me, or
the first day using transparent proxy that allows access only to HTTPS webmails ...

or just hand in hand (aka oral confirmation that the signature of the key is really
mine).

IPSEC can't be weaker than WPA, simply because like WEP, WPA is limited by hardware,
and broken proto means you can throw out your devices, when IPSEC can be upgraded
even on old machines, and keeps the network compliant with any other devices.

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
 
DEMAINE Benoit-Pierre

 
      09-25-2005, 04:42 AM
> I am very impressed with IPsec and its ability to supplement in a FW like
> manner. <g>


IPSEC just rules where most other protos just sux.

ATM I never set it up myself, but from tutos I have read, it is way non-trivial to
set up (server side), but really claimed by every one to be highly secure, and may
be the only known REALLY secure layer to encapsulate VPNs.

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
 
DEMAINE Benoit-Pierre

 
      09-25-2005, 04:47 AM
could you stop trolling and talk about available wireless IPSEC DEVICES ?

btw: clients will be Linux and BSDs laptops ...
so that even pentium (1) 150MHz with PCMCIA1 802.11b adapters can still benefit of
my secure wireless network, without need of those PCMCIA2 cards (which are not
supported by old lappies), nor need of OS that require 256MB or even 2GB just to
install ...

IPSEC support can be added to 8 years old BSD laptops !!!

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
 