Hi,
(find answers at the appropriate places below...)
Post by LEE Tet Yoon
Post by Raimund Eimann
Hi,
thanks for all the comments so far, I really appreciate it :)
My idea was to run IPsec instead of PPtP, because the latter seems to have
a rather bad reputation when it comes to security... (judging by googling
for "PPtP" and "security").
I'm not an expert on IPsec, but what I understand so far is that IPsec
can apparently be run in two different modes, one of which is implemented
on top of TCP/UDP (with some open ports, 50 [and others?]). If I
understand things right, this is the "transport mode" of IPsec, which is
used to connect two hosts.
However, I would like to connect two networks, therefore I have the idea
of using IPsec in its "tunnel mode", which apparently must be set up on
the border gateways of the two networks.
I couldn't find any specific IPsec support in the M1122's I use in both
networks, this is one of the reasons why I want to shift the routing task
into the Firewall boxes that sit behind the M1122's. The other reason is
that some IPsec implementations (mine among them) seem not to like
NAT.
So far, I understand that to get the firewall box behind the M1122 to do
the PPP connection I need to switch the connection mode from "PPP over
ATM (ppp-vc)" to "Local tunneling / PPP over ATM (tunneled-ppp-vc)".
1) Do I also have to enable the "bridging" checkbox or not?
2) Does the M1122 keep an internal IP address?
3) Am I correct in setting the network card in the firewall which connects
to the M1122 to PPPoE?
I don't know of ANY modem/router that allows you to use IPSEC to connect to
the modem. AFAIK PPtP is used because it is extremely simple since you are
more or less just passing the PPP session to the device (computer or
whatever). There is a modem that uses some malformed version of PPPoE but
this is not any more secure than PPtP.
Half bridging is the alternative method, not supported by the M1122 but
supported by some others including IIRC DSE and Alcatel 530 (which also
supports PPtP). However again, it is not any more secure and in fact I have
heard that buggy implementations may make it less secure in that there
might be a possibility someone can be half bridging from a remote location.
In countries where PPPoE is supported, you can put your modem/router into
full bridging mode and use your computer/whatever to establish the PPPoE
connection but again, this is not any more secure.
There are other options but most have the same issue since generally
speaking, your equipment should be secure. As Steve has mentioned if the
cable between your computer/whatever and M1122 is a potential security
risk, you probably need to reconsider your set up. Bear in mind with the
M1122 all someone has to do is to connect a special serial cable to your
modem and they can get full access. Indeed, in most cases if someone has
physical access to your modem/router they could potentially gain full
access. I believe you're intending to set up your computer as a router in
which case bear in mind that unless you set up your computer with full hard
disk encryption, it would be easy to gain full access regardless of whether
you use IPsec or not. Generally speaking you should not expect great
security if someone has physical access to your computer unless you set
everything up very carefully. Even less so with a router/modem probably...
I have the feeling that you guys misunderstood my setup...
I have two Linux networks at different sites. Both networks are connected to
the Internet via an M1122 and static IPs. Both M1122s and both firewalls
behind the M1122s are locked up. Access to the firewall boxes is via SSH
only. No console access to the M1122s.
Net A - Firewall - M1122 - Internet - M1122 - Firewall - Net B
What I would like to do is safely extend the Network File System and Yellow
Pages I'm running in one of the networks (say, A) to the other (B). I gather
that with an IPsec tunnel, I could transparently access any service I like in
A from B. Otherwise I would have to set up an SSH tunnel for every single
service to get the communication _outside my house_ secure.
To make it perfectly clear: The cabling at either of the sites is safe. I
don't want to protect the cable between an M1122 and a firewall box. I want
to protect the wire between the two M1122s.
Steve rightfully points out that probably no one would even _want_ to sniff my
traffic at any telco that provides the link between the two sites. He might
be right with that. However, I think I've got a point of being concerned when
authentications are passed around in the plain over a link that I cannot
control.
Post by LEE Tet Yoon
Personally, I'm with Steve. Rather than going about a round-about way, just
secure your computer/whatever and M1122 for heaven's sake. Lock it up in a
room, kick out the dodgy flat mates/kids/partner. Whatever.
This is already the case.
Post by LEE Tet Yoon
1) Bridging should not be used.
2) Yes, otherwise how does your computer connect to it? Generally speaking
you should assign the M1122 an IP address on a different subnet to your
main LAN. See below for how my arrangement is set up.
3) No. The M1122 uses PPtP not PPPoE.
My set up (and the recommended set up) is as follows
M1122<>computer router<>LAN
OK, that looks like what I need. So far I tried PPPoE for the link "M1122<>computer
router". I will change that to PPtP then.
Post by LEE Tet Yoon
Note that the computer router connects to the M1122 on a different network
card from the LAN. I.e. you should have 2 network cards in your computer.
Each should be on a different subnet. You can use a 10mbit network card for
the M1122 since the M1122 only has a 10mbit network port anyway.
Of course. The firewall boxes both have two network cards in them, one
pointing to the inside, the other one pointing to the M1122. The above setup
is what I've been running for two years now. I'm just a bit tired of having
to SSH into the firewall boxes first and then make a second SSH connection
from that gateway to one of the LAN boxes to get a job done.
Thanks for this _constructive_ response! My hopes for constructive responses
were fading after Steve's one yesterday...
Cheers,
Raimund
--
Today's wisdom:
Never do today what you can put off until tomorrow. For you may be a
consultant then.
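The site-to-site "tunnel mode" setup Raimund describes (Net A - Firewall - M1122 - Internet - M1122 - Firewall - Net B, with each firewall terminating the PPP session and holding the static public IP) can be expressed as a Libreswan ipsec.conf connection. This is an added illustration, not configuration from the list or from any M1122 documentation; the public addresses, the two LAN subnets and the PSK are constructed placeholders.

```ini
# /etc/ipsec.conf on BOTH firewalls (Libreswan reads left/right and works out
# which side it is, so the same file can be used at site A and site B).
config setup
    # keep defaults; nothing M1122-specific is needed once the firewall
    # itself owns the PPP session and the static public IP

conn netA-netB
    type=tunnel              # tunnel mode: protects traffic between two networks
    authby=secret            # pre-shared key, see /etc/ipsec.secrets below
    ikev2=insist             # IKEv2 only; refuse IKEv1 fallback
    ike=aes256-sha2;modp2048 # IKE SA proposal
    esp=aes256-sha2_256      # ESP (IP protocol 50) proposal for the child SA
    # Firewall at site A (constructed placeholder public IP and LAN)
    left=192.0.2.10
    leftsubnet=10.0.1.0/24
    # Firewall at site B (constructed placeholder public IP and LAN)
    right=198.51.100.20
    rightsubnet=10.0.2.0/24
    # no NAT between the endpoints: each firewall is the PPP endpoint, so
    # the tunnel does not depend on NAT traversal through the M1122s
    auto=start

# /etc/ipsec.secrets on both firewalls (constructed placeholder key; generate
# a long random secret and keep this file readable by root only):
# 192.0.2.10 198.51.100.20 : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

With this in place NFS and NIS between 10.0.1.0/24 and 10.0.2.0/24 travel inside ESP across the link between the two M1122s; the firewalls' own masquerade rule for ordinary Internet traffic must exempt packets destined for the other site's subnet so the kernel's IPsec policy, not NAT, handles them.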
--
This message is part of the NZ ADSL mailing list.
see http://unixathome.org/adsl/ for archives, FAQ,
and various documents.
To unsubscribe: send mail to ***@lists.unixathome.org
with "unsubscribe adsl" in the body of the message