Contributed by Sean Comeau on from the use-openbsd-everywhere dept.
At the recent PacSec conference in Tokyo, I demonstrated how we can easily secure wireless networks with OpenBSD. This solution uses IPsec to protect the traffic between the wireless clients and the Access Points. Users authenticate using OpenSSH (authpf) before they are allowed access to network resources. All of this is automated, making it user-friendly and very secure. These slides may be of interest to undeadly readers. They are also available in PDF.
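To make the two layers in the summary concrete (IPsec on the wireless hop, authpf for per-user access after an SSH login), here is a pf.conf and authpf.rules pair written for this thread as an added example; it is not from the slides. The interface names, the wireless address range, and the choice to admit only IKE, ESP and SSH-to-the-gateway before a user has authenticated are assumptions of the example.

```conf
# ---- /etc/pf.conf on the access point (added example, assumptions marked) ----
wlan     = "ath0"          # wireless interface (assumption)
lan      = "fxp0"          # wired side toward the protected network (assumption)
wlan_net = "10.0.0.0/24"   # addresses handed to wireless clients (assumption)

set skip on lo0
block all

# Before IPsec is up, a wireless client may only talk IKE (UDP 500, and 4500
# for NAT-T) and ESP to the access point itself. Nothing else crosses $wlan.
pass in on $wlan proto udp from $wlan_net to ($wlan) port { 500, 4500 }
pass in on $wlan proto esp from $wlan_net to ($wlan)

# Decapsulated traffic arrives on enc0. Until the user has logged in with
# authpf, the only thing allowed out of the tunnel is SSH to the gateway.
pass in on enc0 proto tcp from $wlan_net to ($wlan) port 22 flags S/SA keep state

# authpf loads each authenticated user's rule set into this anchor and
# removes it again when the SSH session ends.
anchor "authpf/*"

pass out on $lan keep state

# ---- /etc/authpf/authpf.rules (loaded per user by authpf) -------------------
# $user_ip is expanded by authpf to the address the user's SSH session came
# from; traffic still has to arrive through the IPsec tunnel (enc0), so a
# client that skipped IPsec never matches here.
pass in on enc0 from $user_ip to ! $wlan_net keep state
```

The point of the ordering is that each layer only unlocks the next: the wireless interface exposes nothing but the IPsec negotiation, the tunnel exposes nothing but the SSH login, and only the authpf anchor opens the protected network, scoped to the address the authenticated session came from.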
By Anonymous Coward (205.233.28.32) on
It speaks of Dual Factor Encryption and IPSEC as strong authentication.
By Sean Comeau (24.81.14.122) on
By Anonymous Coward (205.233.28.32) on
By Sean Comeau (24.81.14.122) on
OpenSSH & authpf are used with keys (what you have) & passphrase (what you know) to apply your user specific pf rules.
Thanks for pointing it out.
By Michael Pounov (82.103.114.3) misho@openbsd-bg.org on
By Anonymous Coward (66.11.66.41) on
By Michael Pounov (80.72.90.196) misho@openbsd-bg.org on
Wistron CM9 is crappy hardware??? :):):):) heh
or D-Link or maybe ... ??
Which hardware with Atheros works fine with the free HAL at 5GHz as AP, client or ad-hoc? Where is ACKTIMEOUT? Where are the TIMESLOTS? :):):):):)
Sorry, but the binary HAL WORKS fine! not the free HAL :)
By Anonymous Coward (66.11.66.41) on
By Anonymous Coward (81.57.42.108) on
By the way, what's the licence of the .vbs and .bat files? Could we reuse them?
If yes, may I ask if it would be possible to provide the complete vbs (I mean, with the error checks)?
Visual Basic isn't trivial for me, as a Unix sysadmin ...
Whatever your position on the vbs & bat files, thanks for this great demo.
Oh, and a side question: how many tunnels / how much throughput can an emb-564 stand?
AFAIK, Windows can only do 3DES for IPsec, and 3DES is not accelerated by the cool crypto functions of the Via Eden (as opposed to AES). So how far can we go with those boxes?
Does anyone else have a good tip about hardware for good 3DES performance? (Yes, there are crypto cards, but none are really well supported - apparently hifn is quite buggy ...)
By Chad Loder (69.228.48.73) on
By Anonymous Coward (66.11.66.41) on
By Anonymous Coward (81.57.42.108) on
Sadly, MS Windows can only do DES and 3DES for IPsec. That's why the slides from the story show the use of 3DES rather than a faster algorithm. And hence my question about 3DES throughput.
On my OpenBSD IPsec gateway (Intel P4 2.8GHz), I can't do better than 20Mo/s. Would a recent Opteron (with better memory bandwidth than this old Intel) give really better performance?
By sthen (81.168.66.229) on
PCI crypto cards are often not much help on slower machines for encrypting network traffic, since they introduce a lot of overhead. On-chip instructions like on the newer c5p-cored VIA chips help a lot more.
By Anonymous Coward (211.30.160.26) on
I'm hitting 80Mbps+ (AES256) on my VIA PD10000 (VIA C3 "Nehemiah" with Padlock). (It falls to 60Mbps+ if you use SHA-256 and AES256, as SHA is done in software only. The C3 can't do hardware SHA, but the newer C7 can!)
It does 80 to 90Mbps with just normal NAT/pf, which is similar to a typical PIII 500MHz.
In comparison, software AES is 25% to 50% slower.
If you think about it, EPIAs with Padlock are more efficient in this VPN role. Power consumption-wise, it's much better than either a P4 or an AMD solution. At most, these EPIA mobos hit 24W under full load.
(Under full load, a P4 or Opteron CPU does 4 to 6 times more ... and that's just the CPU alone!)
I think what's holding the EPIA back is the chipset. I suspect the C3 with Padlock won't have trouble handling Gigabit speeds. (Of course, the VIA chipset isn't efficient and currently no VIA C3 powered board is designed with Gigabit Ethernet connections.) But if your requirements are for 80Mbps or less, they are sufficient for the role.
Hopefully, the newer C7 and accompanying chipset do better.
(The newer chipset does support Gigabit, but time will tell how efficient VIA's implementation is.)
By Anonymous Coward (211.30.160.26) on
You can buy two regular EPIAs (Padlock capable ones) and a pair of quad-port NICs for the same price!
By Uwe Brechlin (81.245.62.9) on
It supports 3-DES and is said to be fully supported by OpenBSD and FreeBSD.