Saturday, July 19, 2003
Friday, July 11, 2003
Thursday, July 10, 2003
Question:
What's a bridge, and how does it differ from a router?
How will this be better and how will it improve security?
Do you plan to make before-and-after block diagrams?
Answer:
A bridge is basically a simple way of gluing two networks together. A router must accept an IP packet, mangle, address, and forward it to the other network (which is difficult when the two networks are on the same subnet). Mangling and addressing (aka Network Address Translation) can cause problems with protocols flowing over the network, particularly NetBEUI (SMB). A bridge simply reproduces received frames on one NIC on the other, creating a protocol-independent transparent link between two networks. Security can be added by instituting a firewall on the bridge, which filters what traffic flows through the machine. This can create a trace-less security mechanism that cannot be located by standard utilities, reducing the likelihood of hacking the firewall. This is important for creating a wireless bridge since an attacker has a greater ability to tack at the network from just about anywhere. Without any kind of firewall the wireless bridge would provide an open door to the network. Using a router-based firewall, the attacker has a target and knows it's there. With the bridged firewall, the packets pass transparently, or they are just dropped. If traced, it looks like a connection failure between the points before and after the bridge. The bridge itself is invisible.
Diagrams:
Soon
What's a bridge, and how does it differ from a router?
How will this be better and how will it improve security?
Do you plan to make before-and-after block diagrams?
Answer:
A bridge is basically a simple way of gluing two networks together. A router must accept an IP packet, mangle, address, and forward it to the other network (which is difficult when the two networks are on the same subnet). Mangling and addressing (aka Network Address Translation) can cause problems with protocols flowing over the network, particularly NetBEUI (SMB). A bridge simply reproduces received frames on one NIC on the other, creating a protocol-independent transparent link between two networks. Security can be added by instituting a firewall on the bridge, which filters what traffic flows through the machine. This can create a trace-less security mechanism that cannot be located by standard utilities, reducing the likelihood of hacking the firewall. This is important for creating a wireless bridge since an attacker has a greater ability to tack at the network from just about anywhere. Without any kind of firewall the wireless bridge would provide an open door to the network. Using a router-based firewall, the attacker has a target and knows it's there. With the bridged firewall, the packets pass transparently, or they are just dropped. If traced, it looks like a connection failure between the points before and after the bridge. The bridge itself is invisible.
Diagrams:
Soon
Ideas for implementation...
Hardware:
I already have an x86 box with two ethernet NICs. A D-Link DWL-810 wireless bridge is en route. The rest of the wired LAN is set up. The LinkSys BEF11S4 wireless router is set with cable connection.
Goal:
Provide the existing wired LAN (in the garage) with access to the Internet via my wireless router in the den.
Impetus:
I've seen projects for wireless bridging using access points, but the APs only talk to each other to connect the physical LANs. That's great for connecting disparate wired networks, but I also want to maintain my ability to roam with my laptop around the house. My existing wireless router does not support bridging, regardless. The WAP solution also introduces significant security risk to the process by transmitting the core intranet over a public space. I determined I'd need something a little more elaborate than the WAP-to-WAP solution.
Thoughts:
Most projects I've seen online for the wireless bridge involve installing a wireless NIC, which leads to a bunch of firmware issues when trying to bridge through the kernel patch. I'm thinking I'll just avoid that problem all together by creating a strait wired-wired ethernet bridge, then attaching a "wireless bridge" to one of the ethernet ports. The model I have purchased is the D-Link DWL-810 wireless bridge. It may not offer all of the functionality of an access point, such as load balancing between APs to determine the best reception, but it will do to simply attach the wired bridge (and attached LAN) to the wireless router. Implementing a firewall on the wired bridge will provide some protection to the wired LAN beyond the MAC filtering and WEP features of the wireless network.
References:
http://bridge.sourceforge.net/
http://www.linuxgazette.com/issue76/whitmarsh.html
http://ldp.kernelnotes.de/HOWTO/mini/Bridge+Firewall.html
http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/
Searches:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=wireless+linux+bridge
http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=linux+bridge
http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=wireless+bridge
Hardware:
I already have an x86 box with two ethernet NICs. A D-Link DWL-810 wireless bridge is en route. The rest of the wired LAN is set up. The LinkSys BEF11S4 wireless router is set with cable connection.
Goal:
Provide the existing wired LAN (in the garage) with access to the Internet via my wireless router in the den.
Impetus:
I've seen projects for wireless bridging using access points, but the APs only talk to each other to connect the physical LANs. That's great for connecting disparate wired networks, but I also want to maintain my ability to roam with my laptop around the house. My existing wireless router does not support bridging, regardless. The WAP solution also introduces significant security risk to the process by transmitting the core intranet over a public space. I determined I'd need something a little more elaborate than the WAP-to-WAP solution.
Thoughts:
Most projects I've seen online for the wireless bridge involve installing a wireless NIC, which leads to a bunch of firmware issues when trying to bridge through the kernel patch. I'm thinking I'll just avoid that problem all together by creating a strait wired-wired ethernet bridge, then attaching a "wireless bridge" to one of the ethernet ports. The model I have purchased is the D-Link DWL-810 wireless bridge. It may not offer all of the functionality of an access point, such as load balancing between APs to determine the best reception, but it will do to simply attach the wired bridge (and attached LAN) to the wireless router. Implementing a firewall on the wired bridge will provide some protection to the wired LAN beyond the MAC filtering and WEP features of the wireless network.
References:
http://bridge.sourceforge.net/
http://www.linuxgazette.com/issue76/whitmarsh.html
http://ldp.kernelnotes.de/HOWTO/mini/Bridge+Firewall.html
http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/
Searches:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=wireless+linux+bridge
http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=linux+bridge
http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=wireless+bridge
Establish the blog.
