Securing an open hotspot...

There is a point to this madness, but I'm now beginning a new quest -- to
figure out how to "secure" an "open" hotspot. :^)

By "open", I am implying a hotspot that is using no WEP/WPA encryption,
authentication, or MAC filtering. This is by intention.

By "securing", I am implying a method that would provide some protection to
in-flight packets from would-be sniffers. Yes, I know they can't be
prevented from being collected, but it seems resonable that they could be
encapsulated with some sort of encryption -- other than WEP or WPA.

The objective is to allow open access to any client, with zero configuration
on their behalf, while at the same time provide some level of protection to
in-flight packets.

Just spent some of the morning looking at the IEEE 802.11[n] drafts and,
unfortunetly, without using WEP/WPA everything is going out over the air
plain-text, with the exception of data coming from an SSL website of course.
I'm looking for a way to make wireless the equivalent of, say, an open
ethernet network. Anyone can plug right into the ethernet network, but at
the same time the ethernet (being hardwire) provides some level of physical
security. Yes, I am aware, that someone could simply just plug into it and
sniff away -- but as I said, "some level" of physical security. Wireless is
a whole new animal.

The only thing that immiedietly comes to mind is setting up a proxy web
server that would provide an SSL layer for absolutetly EVERYTHING that
passes through, but this would would work only for HTTP access. If
possible, would also like to protect, at least, email data transfers as
well -- that is, email transfered to/from email clients, not web-based
email.

The pony trick is doing this without requiring any configuration on the
client's behalf. :^)

Thinking SSL is probably the only thing that would work here, so if need
be -- I could set up a web based email portal that would work with any POP3
email address.

Just throwing this out into the wind to see if anyone knows of any clever
tricks. Probably commercial hardware that does all of this, but not looking
to spend thousands on a "Cisco 5000
v.everything-you-ever.could-possibly-want". Computer hardware resources,
however, are no problem. (Got 16 old fully working P2's in the basement.
Bought a whole skid of them at a very good price. They are all 200 Mhz,
64MB RAM, 9 GB HDD, CD, ethernet, ect. Played around with parallel
processing at one time and also use them for "special projects".) Also, I'm
open with working with any OS as well.

Cheers!
-Eric

"Eric" <(E-Mail Removed)> wrote in news:cQHTd.785$Nv5.271
@fe1.columbus.rr.com:

> The pony trick is doing this without requiring any configuration on the
> client's behalf. :^)


I don't think this is possible.

But clients who care about security would use VPN anyways.

"Anon-E-Moose" wrote in message
>
> I don't think this is possible.
>
> But clients who care about security would use VPN anyways.

I did the proxy HTTP SSL thing earlier tonight and did get something
working -- but for anything else, the prospects don't seem too good. :^)

Agreed about VPN, but this was more of a just a learning exercise of
enthusiasim. (Fitting square plugs into round holes.)

Cheers,
-Eric

In article <cQHTd.785$(E-Mail Removed)>, Eric
<(E-Mail Removed)> wrote:

> There is a point to this madness, but I'm now beginning a new quest -- to
> figure out how to "secure" an "open" hotspot. :^)
>
> By "open", I am implying a hotspot that is using no WEP/WPA encryption,
> authentication, or MAC filtering. This is by intention.
>
> By "securing", I am implying a method that would provide some protection to
> in-flight packets from would-be sniffers. Yes, I know they can't be
> prevented from being collected, but it seems resonable that they could be
> encapsulated with some sort of encryption -- other than WEP or WPA.
>
> The objective is to allow open access to any client, with zero configuration
> on their behalf, while at the same time provide some level of protection to
> in-flight packets.

would isolating each of the wireless clients from one another suffice?

the linksys wrt54g can enable 'ap isolation' which will create a
virtual network for each wireless client and they will not be able to
communicate with each other.