NAC Phase 1 was deployed using EAPoUDP (EAP over UDP). It used routers to quarantine devices. It is a layer 3 solution. Other devices could still infect layer 2 connected devices.
NAC Phase 2 (just announced) is deployed using EAPo802.1x (EAP over 802.1x). It uses switches to quarantine devices. It is a layer 2 solution. Thus an infected device cannot infect other layer 2 devices.
http://www.acuitive.com/musings/hmv7-12.htm
http://newsroom.cisco.com/dlls/2005/prod_101805.html
The hardware link in the main article has gotten bad reviews. Check around.
Mod this parent up, as they are correct. However, you can do as one post said, which is to have a colo box; you can follow this example: http://lartc.org/howto/lartc.loadshare.html
If you don't have access to a colo box, you can spread the load of different logical connections.
I've done this under Linux. You will use Advanced IP Routing (iproute2). Here is the URL of the howto: http://lartc.org/howto/lartc.rpdb.multiple-links.html
Note the last portion about load balancing. It basically associates a destination IP address with a connection, so you get some packets going out one interface and some going out another interface. Not the best solution, but cable modem and DSL providers aren't offering full BGP peering.
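For anyone who wants to try the two-uplink setup from the LARTC howto the post points at, here is the shape of it as an added script (mine, not the poster's, and not taken from the howto verbatim). Interface names, addresses and table numbers are constructed placeholders. It prints the iproute2 commands it would run and only executes them when APPLY=1, so you can review the plan first:

```sh
#!/bin/sh
# Two uplinks, one Linux box: per-provider routing tables selected by source
# address (the RPDB part of the howto) plus a multipath default route for the
# per-destination load balancing the post describes.
# All values below are constructed placeholders (assumption, not from the page).
IF1=eth1; IP1=203.0.113.10;  P1=203.0.113.1;  P1_NET=203.0.113.0/24   # uplink A (cable)
IF2=eth2; IP2=198.51.100.20; P2=198.51.100.1; P2_NET=198.51.100.0/24  # uplink B (DSL)
T1=100; T2=200   # numeric table ids, so /etc/iproute2/rt_tables needs no edit

# Print each iproute2 command; run it only when APPLY=1 (needs root).
run() {
  echo "ip $*"
  if [ "${APPLY:-0}" = 1 ]; then ip "$@"; fi
}

multilink_routes() {
  # Per-provider tables: anything sourced from a link's address leaves by that link,
  # so replies to traffic that arrived on the DSL line do not go out over cable with
  # the DSL address as source (providers that filter on source address drop those).
  run route replace "$P1_NET" dev "$IF1" src "$IP1" table "$T1"
  run route replace default via "$P1" table "$T1"
  run route replace "$P2_NET" dev "$IF2" src "$IP2" table "$T2"
  run route replace default via "$P2" table "$T2"
  # Main table still needs both link networks so the box can talk to either gateway.
  run route replace "$P1_NET" dev "$IF1" src "$IP1"
  run route replace "$P2_NET" dev "$IF2" src "$IP2"
  # The rules that pick a provider table by source address.
  run rule add from "$IP1" table "$T1"
  run rule add from "$IP2" table "$T2"
  # Load balancing: a multipath default route; the kernel picks one nexthop per
  # destination, which is exactly the "some packets out one interface, some out the
  # other" behaviour the post mentions. Adjust the weights for unequal links.
  run route replace default scope global \
      nexthop via "$P1" dev "$IF1" weight 1 \
      nexthop via "$P2" dev "$IF2" weight 1
  run route flush cache
}

multilink_routes
```

The `ip rule add` lines are not idempotent; re-running the script adds duplicate rules, so clear them with `ip rule del` (or `ip rule flush` plus re-adding the default rules) before a second run. If inbound connections on the second link hang, check reverse-path filtering: strict `rp_filter=1` on the uplink interfaces can discard packets arriving on the "wrong" link for this asymmetric setup, and loose mode (`net.ipv4.conf.<if>.rp_filter=2`) is the usual fix.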
I've mainly been dealing with the effect of the HIPAA regulations on email. The organization I work for primarily communicates with other health care organizations, not patients directly. We will probably implement a mix of solutions and let the other organization choose which one they want to use. You only need to worry about encrypting email that contains PHI (patient health information).
1. STARTTLS - Implement it in your mail server or border mail gateway, and your email gets encrypted on the fly without requiring any user intervention. Works great; there are only a couple of things you need to look out for, and an informal agreement with the other organization will help iron these out. (a) You need to ensure that the other mail server (the one in the MX record) is the last hop across public networks. You don't want that server forwarding the message on unencrypted after you sent it encrypted. (b) You need to enforce the use of TLS for some domains. Postfix allows this and I'm sure others do. (c) SSL certificates signed by a proper CA (not self-signed) help prevent man-in-the-middle style attacks.
2. S/MIME - Works, but you have to train the users on both ends. Put your S/MIME public keys up on your website so that users can download them.
3. PGP - Works, but same as S/MIME: you have to train the users on both ends. Put your PGP public keys up on your website so that users can download them.
4. A secure web mail contact form - Good only for one-way communication (them sending messages to you), but it works a lot more easily than trying to train an AOL user/patient how to use S/MIME. Prevents them from broadcasting their SSN and health problems to the Internet in clear text.
5. An S/MIME gateway - Most mail servers can act as STARTTLS servers, but most don't have the option of being an S/MIME gateway, so you have to add an additional commercial piece of software, and so do all the other organizations that you are communicating with. Also, it only helps at the organization-to-organization level, since AOL isn't running an S/MIME gateway, and neither is Hotmail.
Personally I would like to see the HIPAA regulations jumpstart the use of STARTTLS-enabled SMTP servers. S/MIME and PGP are difficult for users, and will probably not end up being used if it isn't easy.
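Points (b) and (c) of option 1 map onto a per-destination TLS policy in Postfix. The script below is an added example (not the poster's configuration and not Postfix documentation) that stages the relevant settings: opportunistic STARTTLS for everyone, mandatory and certificate-verified TLS for the partner domains that carry PHI. Partner domains, MX hostnames, certificate paths and the staging directory are constructed placeholders; on a real box run it with PREFIX=/etc/postfix.

```sh
#!/bin/sh
# Postfix settings for the STARTTLS option: "may" (opportunistic) by default,
# "secure" (required + chain verified + hostname pinned) for named partners.
# Domains, hostnames and paths are constructed placeholders.
PREFIX="${PREFIX:-/tmp/postfix-tls-staging}"   # PREFIX=/etc/postfix on the real server

# "<partner-domain> <mx-hostname>" per line. The hostname is what the partner's
# certificate must match; pinning it here matters because the MX lookup itself
# is not authenticated, so "verify against whatever MX DNS returned" is weaker.
PARTNERS='
partner-hospital.example mail.partner-hospital.example
clinic.example mx1.clinic.example
'

# Build the smtp_tls_policy_maps table. "secure" is the level that actually
# defeats the man-in-the-middle case from point (c); "encrypt" would only force
# TLS without checking the certificate.
write_tls_policy() {
  mkdir -p "$PREFIX"
  out="$PREFIX/tls_policy"
  printf '%s\n' "$PARTNERS" | awk 'NF == 2 { printf "%s\tsecure match=%s\n", $1, $2 }' > "$out"
  echo "$out"
}

# Stage the main.cf lines for review; apply_to_postfix feeds them to postconf -e.
write_main_cf_tls() {
  mkdir -p "$PREFIX"
  out="$PREFIX/main.cf.tls"
  cat > "$out" <<EOF
# outbound: try TLS everywhere, require and verify it for partners in tls_policy
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:$PREFIX/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
# inbound: offer STARTTLS with a CA-signed certificate so partners can require it of us
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/certs/mail.example.org.crt
smtpd_tls_key_file = /etc/postfix/certs/mail.example.org.key
# record the TLS protocol/cipher in Received: headers so hops can be audited
smtpd_tls_received_header = yes
EOF
  echo "$out"
}

# Load the staged settings into a live Postfix. Refuses to touch anything unless
# PREFIX really is /etc/postfix and the Postfix tools are present.
apply_to_postfix() {
  [ "$PREFIX" = /etc/postfix ] || return 0
  command -v postconf >/dev/null 2>&1 && command -v postmap >/dev/null 2>&1 || return 0
  postmap "hash:$PREFIX/tls_policy"
  grep -v '^#' "$PREFIX/main.cf.tls" | while IFS= read -r setting; do
    postconf -e "$setting"
  done
  postfix reload
}

write_tls_policy
write_main_cf_tls
apply_to_postfix
```

Point (a), the partner's MX being the last public hop, cannot be enforced from your side, but `smtpd_tls_received_header = yes` on both ends gives you a cheap check: send a test message and read the Received: headers; every hop after the partner's MX should show a TLS cipher, and a hop with none is the forwarding-in-the-clear case the post warns about.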
Get a Toughbook from Panasonic. By far the best laptop I've ever had, and it changes the way you interact with your laptop. No longer do you coddle it and worry about it getting damaged at all times. Now you can use it as a coaster, or to stop subway doors from closing. Battle your friends that have Toughbooks also, in hand-to-hand Toughbook battles. I have the CF-17, which you can pick up used on eBay for about $400, but they have tons of other models also, new and used.
Oh, please. Doing port forwarding and SSH is not the answer I'm going to offer my mother to use. It may work for the geeks, but not for the general populace.
Geeks end up setting up their own servers to offer this, or just use SSH. There needs to be a provider for the rest of the users.
Yahoo! are you listening: Here is what I want from a for-pay email provider
As I and other people start using more and more wireless networks (specifically public wireless networks), I have realized that there is no email provider that offers the proper services:
IMAP via TLS & SSL
SMTP via TLS & SSL with Auth - Allowing you to send mail from any return address after you have already authenticated
POP via SSL
WebMail via Full SSL (not just the login)
Allow you to forward your other email accounts to it
Allow you to send from a return email address of your other account (i.e. yourname@yourcompanyemail.com).
Fetchmail functions for automatic downloading of your other email accounts.
A reasonable amount of disk storage
The option to download your email for offline archiving
If other email providers are listening or someone wants a quick business idea, start providing secure email services, and no, Hushmail doesn't count because they don't offer POP, IMAP or SMTP. And no, I don't want to host this email on my home server like I already do. It needs to be something that the mass populace can be referred to.
Sidenote to the Yahoo, AOL, Earthlink and other top email providers. Please start requiring secure login protocols (no cleartext passwords). The average user is never going to click on that extra link for an SSL login page.
The IBM T-23 is great under Linux. I'm running Debian Woody (3.0) on it, and it works perfectly.
1.2GHz Mobile Intel Pentium III - also works great as a lap warmer when compiling the kernel.
Upgraded to 1 GB RAM - Enable 4GB RAM mode in the Linux kernel
up to 60GB 5400RPM drives (mine has 48GB)
CD-RW/DVD Combo
integrated 802.11b Ethernet (mini-PCI, use the linux-wlan-ng drivers to support this) The built in antennas make it feel like a 100mW pcmcia card (though it's only 30mW)
integrated Intel 10/100 - Supported in Kernel
integrated 56k WinModem - Supported under Linux
14.1" 1400x1050 TFT screen with SuperSavage chipset (supported by XFree86 4.1, download the latest driver from www.s3graphics.com)
Audio supported under linux - install modules i810_audio soundcore ac97_codec
Use the UltraBay battery and get over 6 hours of battery life (with all the conservation options turned on).
Earthlink's SMTP server allows you to send out messages with a return address for all domains, not just @earthlink.net etc. Just set your mail software to use Earthlink's mail server instead.
If you run the mail server (POP, SMTP, IMAP, etc.), or you know the person who does run the mail server, tell them to put the services on an additional port that MSN won't be blocking.
If you're using an ISP for your mail services, ask them to put the mail server on an additional port. www.mailbank.com does this.
If MSN is blocking low-numbered ports, use high-numbered ports.
If you are a company, business, organization or individual who has been disconnected (primarily internet access, but VoIP is a possible solution) by the WTC attacks and would like assistance from NYCwireless, send the following information:
Name
Company Name
Address & Cross Streets
email address and phone number if working or other forms of contact
# of floors in building
# of floor you are on
How many users / computers are disconnected
Bandwidth needs if known
What your "line of sight" is like; include a link to a web page with digital pictures of your line of sight if possible.
Email requests for assistance to wtcreliefrequest@nycwireless.net
Please only send direct requests from the affected organizations and individuals.
If you have resources and would like to contribute, the following would be useful:
Wireless Building to Building LAN bridges
802.11 Access Points & Cards
Antennas (Yagi, Sector, and Omni) and mounting hardware
Cables, Connectors and Arrestors
Locations in NYC area with available internet bandwidth
Locations in NYC area for antenna placements with good line of sight
Individuals that can install wireless hardware
Individuals that can install antennas
Individuals that can provide networking support
Individuals who can provide VoIP solutions
VoIP hardware
Email offers to wtcreliefoffer@nycwireless.net
NYCwireless has been very busy working with the affected businesses and organizations in New York. We apologize if we do not respond to every email offering support.
Everyone is welcome to use the latest public NYCwireless access point at Tompkins Square Park or other NYCwireless locations, especially those affected by the WTC attacks.
Thanks,
--Terry Schmidt
NYCwireless
Mirror available at http://www.azaleainternet.com/wtc_mirror/
#1467 - 1472 were taken before the second tower collapsed.
#1473 - 1474 is the National Guard deployed on Lexington Ave.
#1775 - 1746 are people trying to get out of Manhattan waiting at a bus stop.
#1477 - 1490 is lower Manhattan at 3pm.
#1491 - 1496 is two blocks from the World Trade Center at 3pm.
#1497 is a fire boat on the Hudson River.
#1499 - 1503 is the World Trade Center and surrounding buildings.
#1505 is a fire truck damaged by the collapse 2 blocks away from the WTC.
#1507 - 1510 is the WTC.
#1511 - 1512 is a neighboring building.
#1513 - 1515 is the surrounding area to the WTC.
Everyone is free to forward these pictures, and use them without permission. Mirrors are welcome.
--Terry
Ok, so this must have been a typo. It must have been a 36kbytes/sec download not a 36kbits/sec download.
I have used the Washington Square Park connection many times, and depending on the site I can get up to a 400kbytes/sec download. Better than most DSL and cable modems.
Node Owner of NYCwireless Node #1 www.nycwireless.net
More modern OSes have less of a problem releasing and getting DHCP addresses.
Windows 2000 even has a nice feature that it monitors the link connection; when the link drops and is reestablished (even if only briefly) it sends out a DHCP address again. Works great for walking past a bunch of access points on multiple subnets.
Mac OS X handles roaming between base stations relatively well (sometimes you have to turn Airport on and off).
This feature could probably be implemented in Linux/FreeBSD pretty easily but AFAIK doesn't currently exist. Instead you just tell your dhcp client to get another address. No rebooting.
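The link-monitor behaviour described above is a short script on Linux. This is an added example (mine, not the poster's): it reads `ip monitor link` events and re-requests a lease only on a DOWN to UP transition for the wireless interface, so a burst of repeated UP notifications does not cause repeated renewals. The interface name and the sample event lines are constructed; with APPLY=1 it actually calls dhclient.

```sh
#!/bin/sh
# Re-DHCP when the wireless link drops and comes back, driven by iproute2's
# link monitor. Interface name and the sample lines below are constructed.
IF="${IF:-wlan0}"

# Classify one "ip monitor link" line: print UP or DOWN if it concerns $IF, else nothing.
link_state_of() {
  line="$1"
  case "$line" in
    *" $IF: "*" state UP "*|*" $IF: "*" state UP")     echo UP ;;
    *" $IF: "*" state DOWN "*|*" $IF: "*" state DOWN") echo DOWN ;;
  esac
}

# Read link events on stdin; emit "renew" (and renew, when APPLY=1) only on DOWN -> UP.
renew_on_reconnect() {
  prev=UP
  while IFS= read -r line; do
    st=$(link_state_of "$line")
    [ -n "$st" ] || continue
    if [ "$st" = UP ] && [ "$prev" = DOWN ]; then
      echo "renew"
      if [ "${APPLY:-0}" = 1 ]; then
        dhclient -r "$IF"   # release the lease from the old access point's subnet
        dhclient "$IF"      # and ask the new one for an address
      fi
    fi
    prev=$st
  done
}

# Constructed replay of what "ip monitor link" prints while walking between APs.
SAMPLE='4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default
4: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default'

# Stand-alone demo on the sample. Live use:  ip monitor link | renew_on_reconnect
printf '%s\n' "$SAMPLE" | renew_on_reconnect
```

Worth remembering on open networks: every renewal also accepts a new default gateway and DNS server from whoever runs that access point, which is convenient for roaming and exactly why you want the IMAP/SMTP-over-TLS setup from the wishlist post rather than cleartext logins.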
I love slashdot. The amount of people talking out of their ass is amazing.
The Xircom Handspring module may not be "WiFi compliant", but IT DOES WORK WITH AIRPORT.
I have personally seen people use the Xircom Handspring modules with the Apple AirPort base station, the Lucent/Orinoco RG-1000, and the Lucent AP-1000. You don't have to buy their access point.
About the Xircom being throttled to serial speed: if we are talking 115200, then you're not hurting much. How much data can the Handspring handle?
I put up the first NYCwireless node 3 1/2 months ago (after seeing the article about Seattle Wireless here), so I thought I would respond to some of the valid comments.
* As far as violating the terms of service: for most of the internet connections we are using, we are OK, since we are not reselling the service, only sharing it with our immediate friends and neighbors. Providers may choose to change their terms of service though. We are paying for this service, and choosing to let people use bandwidth we have already bought.
* As far as the network getting used by too many users and becoming useless: most of the access points have Linux or FreeBSD machines as gateways. If this becomes an issue we will just install traffic shaping software on the gateway. The goal is not to provide you with a superfast connection that will make you give up your home cable modem and DSL line to sit in the park (though that would be nice). The goal is to provide a public, free, open wireless network for anyone to use. Even if the network gets saturated and we are only providing each person with 10kBytes/sec, that is still double the speed of dialup and adequate for web browsing and email. I watch the bandwidth usage very carefully, and people have been very good about using the free network.
* Wireless is not a replacement for a wired network, and free networks are not a replacement for commercial networks. That being said, we are never going to replace commercial wired networks. We can provide an alternative for you to use though.
If you're interested in starting a project in your area, do it.
1. Put up a simple web page on GeoCities or something.
2. Start a mailing list on Yahoo Groups.
3. Post links to your website on the Seattle Wireless and Personal Telco web pages.
-That is how NYCwireless (originally RooftopsNYC) got started.
-Maybe there is a group in your area; check: Personal Telco Wireless Communities List
If you're in New York City, you're welcome to use my node at 84th Street and Lexington Ave. Relax at the corner, or have a coffee at the coffee shop.
www.nycwireless.net
Possible Simple Large ISP solution (on Code Redux)
Can someone please tell me why the big ISPs just don't take this simple approach to handling the increased traffic from Code Red I & II.
1. Run IDS at the backbone level.
2. When you see a packet come across that is a Code Red I or II web server probe (it is really simple to detect), mark down the IP address.
3. Transfer the IP address to your routers and drop all packets coming from that machine for a period of time (say 2 days).
Ta da... Suddenly you've stopped all the excess traffic that is happening from these infected machines probing your network.
Better yet, why aren't they turning off the connections of machines that are infected and thus generate the majority of the traffic on their network???
Road Runner in NYC is getting a ton of traffic (mainly ARP requests from the machines looking for hosts) because of Code Red. No packet loss though.
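The three steps above, written out as an added example (my sketch, not the poster's code, and not a real ISP's tooling): match the probe on its request line, record the source with a two-day expiry, and render the still-active sources as drop rules for the edge. The IDS records are constructed; a real sensor would hand over the same "epoch, source IP, request line" tuples.

```sh
#!/bin/sh
# Backbone-side Code Red handling: detect, record with expiry, push drops.
# The IDS records below are constructed samples, not captured traffic.
BLOCK_SECONDS=$((2 * 24 * 3600))   # the post's "say 2 days"

# "<epoch> <src-ip> <request-line>" per record (constructed).
SAMPLE='
997000000 192.0.2.10 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0
997000001 192.0.2.11 GET /index.html HTTP/1.0
997000050 198.51.100.7 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0
997000300 192.0.2.10 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0
997100000 203.0.113.4 GET /scripts/root.exe?/c+dir HTTP/1.0
'

# Step 1/2, the signature: a GET for /default.ida? followed by the worm's filler,
# N for Code Red I and X for Code Red II. Prints "<epoch> <ip> <variant>".
codered_hits() {
  printf '%s\n' "$SAMPLE" | awk '
    NF >= 4 && $3 == "GET" && index($4, "/default.ida?N") == 1 { print $1, $2, "I" }
    NF >= 4 && $3 == "GET" && index($4, "/default.ida?X") == 1 { print $1, $2, "II" }'
}

# Step 2, the list: one entry per source keyed on its latest sighting, as
# "<ip> <expires-at-epoch>", so a machine that keeps probing stays blocked.
blocklist() {
  codered_hits | awk -v ttl="$BLOCK_SECONDS" '
    !($2 in last) || $1 + 0 > last[$2] + 0 { last[$2] = $1 + 0 }
    END { for (ip in last) print ip, last[ip] + ttl }' | sort
}

# Sources still inside their window at time "now" (passed in, for testability).
active_blocks() {
  blocklist | awk -v now="$1" '$2 + 0 > now + 0 { print $1 }'
}

# Step 3, what goes to the edge: iptables form here; a router ACL is the same list.
drop_rules() {
  active_blocks "$1" | awk '{ printf "iptables -I FORWARD -s %s -j DROP\n", $1 }'
}

# Stand-alone demo with a constructed "now" shortly after the last probe.
drop_rules 997000500
```

Two details make source-based blocking sound here where it would not be for a flood: the worm completes a TCP handshake before sending the GET, so the source address in the probe is genuine rather than spoofed, and the expiry bounds the damage when a dynamic address is later handed to an innocent customer. Re-running the detector over the ISP's own address space is also the cheap way to find the infected customers the post wants disconnected.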
Then switch to a VoIP provider with that pricing model, like VoicePulse Connect http://connect.voicepulse.com/
US per-minute rate: 2.95 / minute
If you want an incoming phone number tied to your VoIP line:
Incoming phone numbers: $7.99 / month (each)
Incoming rate: 0 / minute
If you don't have an incoming phone number, there are no monthly fees, only usage fees.
There are others that offer this also, like:
TerraCall http://www.terracall.com/
NikoTel http://www.nikotel.com/
Maybe you should subscribe to the Debian security mailing list: http://lists.debian.org/debian-security-announce/
They posted an alert this morning: http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00213.html
Since the update servers were offline due to the recent security hacks, they gave you a direct link to update.
All swissmail.org offers is POP, SMTP, and web via SSL. No TLS or any of the other things I outlined.
Sure a monitor can run off batteries. It's called a laptop.
The article says nothing about this being a wireless monitor. That would be quite a task though; I bet that doesn't run across 802.11b or Bluetooth.
Does this Chicago group have a web page??
The softroads group (the former group doing this in Chicago) has been dead for some time now.
Your email address probably doesn't go to you, and your web page is just dead, so maybe you're just blowing smoke.
If you are serious though, put a link to your group in the Personal Telco Wireless Communities web page.
---NYCwireless
A complete list: Wireless LAN resources for Linux