[BillingsLUG] WAN to WAN help question

dan dandenson at gmail.com
Mon Jul 19 19:03:22 MDT 2010


My first action if I am testing security is to sniff packets, which will
instantly give me source and destination addresses, ports, etc.  By not
having DHCP you are really just making it difficult on yourself if someone
with a laptop comes in and needs to get online, or you are setting up a net
machine.  Real network security is going to be significantly more involved.
There are two common roads to go down: A) improve security for your network
services, or B) encrypt network traffic.

A) This means locking down services, making sure passwords are in place,
and disabling insecure services like telnet.  You should do this anyway.
B) Use ipsec in transport mode; on each client, set up firewall rules so that it
will only talk to other devices speaking ipsec, and set some ipsec policies.
Make some exceptions for printing.  Your internet gateway would have to be
ipsec as well, or you would have to make an exception, which kind of defeats the
purpose.

Suggestions?:
If you are looking at a pre-built, branded router then look at the Cisco 800
series; the 881 is Ethernet WAN and has a 4 port switch.  Solid router, can
handle 20 ipsec VPN tunnels.  If you want multiple WAN, you will need an
1821 or better.

I would suggest that you look at a pfsense router.  Very easy to get up and
running, lots of support out there, the irc chan is very helpful, and it is
rock solid.  You can put something together from http://www.netgate.com/ or
buy a pre-made one like the Phoenix
http://www.hacom.net/catalog/network-appliances/pfsense/phoenix or
http://www.hacom.net/catalog/mercury-neo-pfsense-appliance.  Better yet, you
can build one for pretty cheap.

I really like pfsense; it can do ipsec tunnels with ease, openvpn, be a
content filter, and do all kinds of other high-end functions.  I have run
pfsense on a netbook.
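Added example (not from the post above, nor from the pfSense project): the per-client piece of option B, written out for one Linux client. It generates, without applying, an iptables-restore ruleset and an ipsec-tools setkey SPD that together make the host refuse any LAN traffic that is not ESP transport mode, while carving out the printing exception the post mentions. It assumes a Linux kernel with xt_policy, iptables, and ipsec-tools (setkey); an IKE daemon (racoon, strongSwan) to negotiate the SAs is assumed but not shown, and the addresses are constructed documentation-range values. Traffic leaving the LAN through the gateway is not handled here, which is exactly the gateway problem the post points out. A pfSense or other FreeBSD client would need the equivalent in pf and setkey syntax.

```shell
#!/bin/sh
# Added example, not code from the original post: generate (do not apply) the
# per-client configuration sketched under option B for one Linux host.
#   gen_iptables -> iptables-restore ruleset: IKE and ESP pass in the clear so
#                   SAs can be built, only the printer may be reached in plain
#                   text, and every other LAN packet is accepted only if the
#                   kernel's IPsec policy engine handled it (xt_policy match).
#   gen_spd      -> ipsec-tools setkey SPD demanding ESP transport mode to the
#                   LAN, with the printer exempted.
# All addresses are constructed for the example (RFC 5737 range); substitute your own.

gen_iptables() {
    host="$1"; lan="$2"; printer="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# IKE (UDP 500, NAT-T 4500) and ESP must be allowed unprotected or no SA is ever negotiated
-A INPUT -s $lan -d $host -p udp -m multiport --dports 500,4500 -j ACCEPT
-A OUTPUT -s $host -d $lan -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -s $lan -d $host -p esp -j ACCEPT
-A OUTPUT -s $host -d $lan -p esp -j ACCEPT
# printing exception: IPP (631) and raw JetDirect (9100) to the printer, and its replies
-A OUTPUT -d $printer -p tcp -m multiport --dports 631,9100 -j ACCEPT
-A INPUT -s $printer -p tcp -m multiport --sports 631,9100 -j ACCEPT
# everything else on the LAN is accepted only after ESP transport-mode decapsulation
# (inbound) or only if the SPD will encapsulate it (outbound); plain text falls to DROP
-A INPUT -s $lan -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
-A OUTPUT -d $lan -m policy --dir out --pol ipsec --proto esp --mode transport -j ACCEPT
COMMIT
EOF
}

gen_spd() {
    host="$1"; lan="$2"; printer="$3"
    cat <<EOF
#!/usr/sbin/setkey -f
spdflush;
# printer exception listed first: Linux xfrm keeps the earlier of two
# equal-priority entries ahead, so this wins over the broader LAN entries
# (assumption about ordering; confirm with "setkey -DP" after loading)
spdadd $host $printer any -P out none;
spdadd $printer $host any -P in none;
# everything else on the LAN: ESP in transport mode is mandatory ("require")
spdadd $host $lan any -P out ipsec esp/transport//require;
spdadd $lan $host any -P in ipsec esp/transport//require;
EOF
}

# Constructed sample addresses for the example run
HOST_IP="${HOST_IP:-192.0.2.10}"
LAN_NET="${LAN_NET:-192.0.2.0/24}"
PRINTER_IP="${PRINTER_IP:-192.0.2.50}"

echo "# --- rules for iptables-restore ---"
gen_iptables "$HOST_IP" "$LAN_NET" "$PRINTER_IP"
echo "# --- SPD for setkey -f ---"
gen_spd "$HOST_IP" "$LAN_NET" "$PRINTER_IP"
```

Run it with HOST_IP, LAN_NET and PRINTER_IP set for the client in question, review the two outputs, then load them with iptables-restore and setkey -f. The two halves depend on each other: the xt_policy rules only ever see an IPsec-protected packet because the SPD forces encapsulation, and the SPD exception for the printer only works because the firewall also lets that plain-text flow through.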