[nycbug-talk] VPN vs IPsec

George Georgalis george
Fri Jul 15 15:05:19 EDT 2005 

On Fri, Jul 15, 2005 at 11:07:27AM -0700, pete wright wrote:
>On 7/15/05, michael <lists at genoverly.net> wrote:
>> After the last NYCBUG talk "Angelos Keromytis: OpenBSD IPsec stack" I have been reading up on securing a wifi connection.  Two alternatives to WEP are OpenVPN and IPsec.
>> 
>> According to a SANS white paper (http://www.sans.org/rr/whitepapers/vpns/1459.php) "IPsec VPNs are either too expensive or too difficult to use securely."  The paper goes on to support OpenVPN.
>> 
>> Angelos gave an informative talk and even put up graphs that showed IPsec pushes more/faster.
>> 
>> I know there are a lot of variables to examine, but...
>> 1. Does anyone bother to secure wifi beyond WEP?
>> 2. Are OpenVPN and IPsec good alternatives?
>> 3. Of those which makes more sense for a wifi installation?
>> 
>
>On a similar topic, have you checked out nocatauth?
>(http://nocat.net/)
>
>I think this address a larger issue with wifi networks than that of
>encryption of data (which is very important, but can be addressed with
>end user security policies i.e. using ssh and https).  notcatauth
>provides a way to track who is using your network, and doing so in
>such a way that users can be notified about terms of use for your
>network.
>


...somebody at bsdcan suggested, let the dhcp connect you to
a https that gives your ip a gw after passwd cgi, don't know about
release...

I want to setup a wap on dmz, for wireless dhcp that gets a host lan ip
for gw. Only way to reach it is via openvpn to host.


inet---fw/DMZ------wap--*
                \
                 \
                  host---LAN

the fw gives gw to host ip only
wap gives LAN ip of host as gw
wap client must openvpn connect to host to access gw ip from dhcp

keeps the wap off the lan, nothing fancy on the client, which can be
any OS and the host doesn't have to give anything _but_ gw, if that's
desired, and no route changes after dhcp.

The motivation of this design is too allow the wap client full access to
the LAN...  I'm still thinking about a few ways to make dns available

or maybe I should take a closer look at nocatauth ;)

// George


-- 
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george at galis.org

More information about the talk mailing list