[unisog] A question regarding pppoe on wireless

Stasiniewicz, Adam stasinia at msoe.edu
Mon Jul 3 02:12:26 GMT 2006


Some schools have taken a simpler solution to dealing with the multitude of
insecure wireless authentication and encryption protocols.  They allow
regular internet access via the wireless network, but any internal network
access requires tunneling with an industry standard VPN solution (i.e.
IPSec).  I have also heard good things about OpenVPN (if you don't want to
go the Cisco/Microsoft route).  This has the benefit of ensuring that no one
can hijack a wireless session (which is very easy using many of these
protocols) and encrypts data (and it can't get cracked in 2 minutes, like with
WEP).

Regards,
Adam Stasiniewicz
 
-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of fooler
Sent: Saturday, July 01, 2006 4:50 AM
To: UNIversity Security Operations Group; unisog at sans.org
Subject: Re: [unisog] A question regarding pppoe on wireless

----- Original Message ----- 
From: "Christopher F. Wilson" <chrisw at nipissingu.ca>
To: <unisog at sans.org>
Sent: Friday, June 30, 2006 1:31 AM
Subject: [unisog] A question regarding pppoe on wireless


> We are looking at implementing pppoe over wireless for authentication, and
> are wondering if anyone else has tried this.
>
> In our small test group (20 laptops) we had no problems at all, but are 
> unsure of what back end hardware we should use.
>
> Our test server was using a 500 MHz p3 with 256mb ram running FreeBSD 
> set up similar to the white paper on this site
>
> http://www.hpi.net/whitepapers/warta/
>
> We noticed no slowdowns at all in our testing, but when we go live we will
> have 800-1000 clients using this setup and are wondering what kind of 
> server hardware should we be looking at?

you have to look at how much memory a ppp process eats up and multiply it with 
800 to 1000 clients for your ram needs... you need a higher processor and 
make HZ=1000 or higher value for cpu attention per ppp process... network 
card bandwidth depends how much bandwidth you will allocate per pppoe 
client...

encryption security of wireless network card and access point vendors are 
not compatible with each other... you have to set no encryption in your 
wireless access points and broadcast your SSID for wider audience and 
compatibility... let the higher layer of the osi model do the encryption for
you... do not use pap nor chap for authentication... use microsoft chap 
version 2 (mschapv2) and mppe instead for your encryption over the wireless 
medium...

you need two network cards for your pppoe server... one facing the internet 
with an ip address and one facing your wired and wireless clients without 
using any ip address for added security and protection...

use radius for authentication, authorization and accounting... with radius 
you can do prepaid service, time restriction, protocol restriction and other
features that radius can do...

fooler. 
