mirror of https://github.com/tLDP/LDP
remove; name change
This commit is contained in:
parent ed0c72320c
commit 6bde9678f5
@ -1,738 +0,0 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V3.1//EN">

<article>

<!-- Header -->

<artheader>

<title>Wireless Authentication Gateway HOWTO</title>

<author>
<firstname>Nathan</firstname>
<surname>Zorn</surname>
<affiliation>
<address>
<email>zornnh@musc.edu</email>
</address>
</affiliation>
</author>

<revhistory>
<revision>
<revnumber>0.02</revnumber>
<date>2001-09-28</date>
<authorinitials>KET</authorinitials>
</revision>

<revision>
<revnumber>0.01</revnumber>
<date>2001-09-06</date>
<authorinitials>nhz</authorinitials>
</revision>




<!-- Additional (*earlier*) revision histories go here -->
</revhistory>

<abstract>
<indexterm>
<primary></primary>
</indexterm>

<para>
There are many concerns with the security of wireless networks. These
concerns are not met with current security implementations. A work around
has been proposed by using an authentication gateway. This gateway
addresses the security concerns by forcing the user to authenticate
in order to use the wireless network.
</para>
</abstract>

</artheader>


<!-- Section1: intro -->

<sect1 id="intro">
<title>Introduction</title>

<indexterm>
<primary>security!introduction</primary>
</indexterm>


<para>
With wireless networks it is very easy for an unauthorized user to
gain access. Unauthorized users can look for a signal and
grab connection information from the signal. Security has been
put in place such as WEP, but this security can be subverted with tools like
AirSnort. One approach to solving these problems is to not rely on
the wireless security features , and instead to place
an authentication gateway in front of the wireless network and force
users to authenticate against it before using the network. This HOWTO
describes how to set up this gateway with Linux.
</para>

<!-- Section2: copyright -->

<sect2 id="copyright">
<title>Copyright Information</title>

<para>
This document is copyrighted (c) 2001 Nathan Zorn and is
distributed under the terms of the Linux Documentation Project
(LDP) license, stated below.
</para>

<para>
Unless otherwise stated, Linux HOWTO documents are
copyrighted by their respective authors. Linux HOWTO documents may
be reproduced and distributed in whole or in part, in any medium
physical or electronic, as long as this copyright notice is
retained on all copies. Commercial redistribution is allowed and
encouraged; however, the author would like to be notified of any
such distributions.
</para>

<para>
All translations, derivative works, or aggregate works
incorporating any Linux HOWTO documents must be covered under this
copyright notice. That is, you may not produce a derivative work
from a HOWTO and impose additional restrictions on its
distribution. Exceptions to these rules may be granted under
certain conditions; please contact the Linux HOWTO coordinator at
the address given below.
</para>

<para>
In short, we wish to promote dissemination of this
information through as many channels as possible. However, we do
wish to retain copyright on the HOWTO documents, and would like to
be notified of any plans to redistribute the HOWTOs.
</para>

<para>
If you have any questions, please contact
<email>zornnh@musc.edu</email>
</para>
</sect2>

<!-- Section2: disclaimer -->

<sect2 id="disclaimer">
<title>Disclaimer</title>

<para>
No liability for the contents of this documents can be accepted.
Use the concepts, examples and other content at your own risk.
As this is a new edition of this document, there may be errors
and inaccuracies, that may of course be damaging to your system.
Proceed with caution, and although this is highly unlikely,
the author(s) do not take any responsibility for that.
</para>

<para>
All copyrights are held by their by their respective owners, unless
specifically noted otherwise. Use of a term in this document
should not be regarded as affecting the validity of any trademark
or service mark.
</para>

<para>
Naming of particular products or brands should not be seen
as endorsements.
</para>

<para>
You are strongly recommended to take a backup of your system
before major installation and backups at regular intervals.
</para>
</sect2>

<!-- Section2: newversions-->

<sect2 id="newversions">
<title>New Versions</title>

<indexterm>
<primary>(your index root)!news on</primary>
</indexterm>

<para>
This is the initial release.
</para>

<para>
The newest release of this document can be found at <ulink url="http://www.itlab.musc.edu/~nathan/wireless_gateway/">http://www.itlab.musc.edu/~nathan/wireless_gateway/</ulink>.
Related HOWTOs can be found at the
<ulink url="http://www.linuxdoc.org/">Linux Documentation
Project</ulink> homepage.
</para>
</sect2>

<!-- Section2: credits -->

<sect2 id="credits">
<title>Credits</title>
<para>Jamin W. Collins</para>
</sect2>


<!-- Section2: feedback -->

<sect2 id="feedback">
<title>Feedback</title>

<para>
Feedback is most certainly welcome for this document. Without
your submissions and input, this document wouldn't exist. Please
send your additions, comments and criticisms to the following
email address : <email>zornnh@musc.edu</email>.
</para>
</sect2>

</sect1>

<!-- Section1: intro: END -->


<!-- Section1: services -->

<sect1 id="services">
<title>What is needed</title>

<para>
This section describes what is needed for the authentication gateway.
</para>



<sect2 id="netfilter">
<title>Netfilter</title>


<para>
The authentication gateway uses Netfilter and iptables to manage the
firewall. Please see the
<ulink url="http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html">Netfilter HOWTO</ulink>.
</para>


</sect2>



<sect2 id="pamiptables">
<title>PAM for Netfilter rules.</title>

<para>
This is a pluggable authentication module (PAM) written by Nathan Zorn that can be found
at <ulink url="http://www.itlab.musc.edu/~nathan/pam_iptables/">http://www.itlab.musc.edu/~nathan/pam_iptables</ulink>.
</para>


</sect2>


<sect2 id="dhcpd">
<title>DHCP Server</title>

<para>
The authentication gateway will act as the dynamic host
configuration protocol (DHCP) server for the wireless network. It
only serves those requesting DHCP services on the wireless
network. I used the <ulink url="http://www.isc.org/products/DHCP/">ISC DHCP Server
</ulink>.
</para>


</sect2>

<sect2 id="authentication">
<title>Authentication mechanism</title>

<para>The gateway can use any means of PAM authentication.
The authentication mechanism the Medical University of South
Carolina uses is LDAP. Since LDAP was used for authentication,
the pam modules on the gateway box were set up to use
LDAP. More information can be found at <ulink
url="http://www.padl.com/pam_ldap.html">http://www.padl.com/pam_ldap.html</ulink>.
PAM allows you to use many means of authentication. Please see
the documentation for the PAM module you would like to use. For
more information on other methods, see <ulink url="http://www.kernel.org/pub/linux/libs/pam/modules.html">pam modules</ulink>.
</para>
</sect2>

<sect2 id="dnsserver">
<title>DNS Server</title>

<para>
The gateway box also serves as a DNS server for the wireless
network. I installed <ulink
url="http://www.isc.org/products/BIND/">Bind</ulink>, and set it
up as a caching nameserver. The rpm package
caching-namserver was also used. This package came with Red Hat.
</para>
</sect2>
</sect1>




<sect1 id="setup">
<title>Setting up the Gateway Services</title>

<para>
This section describes how to setup each piece of
the authentication gateway. The examples used are for a private
wireless network in the 10.0.1.0 subnet. eth0 is the interface on
the box that is connected to the internal network. eth1 is the
interface connected to the wireless network. The IP address used
for this interface is 10.0.1.1. These settings can be
changed to fit the network you are using. Red Hat 7.1 was used for
the gateway box, so a lot of the examples are specific to Red Hat.
</para>



<sect2 id="netfiltersetup">
<title>Netfilter Setup</title>


<para>
To setup netfilter the kernel must be recompiled to include netfilter
support. Please see the <ulink url="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">Kernel-HOWTO</ulink>
for more information on configuring and compiling your kernel.
</para>
<para>
This is what my kernel configuration looked like.
<screen>
#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set


# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_UNCLEAN=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_MIRROR=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
</screen>
</para>
<para>
iptables needs to be installed. To install iptables either use
a package from your distribution or install from source.
Once the above options were compiled in the new kernel and iptables
was installed, I set the following default firewall rules.
</para>

<screen>
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -m state --state NEW, INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW, INVALID -j DROP
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT
</screen>

<para>
The above commands can also be put in an initscript to start up when
the server restarts.
To make sure the rules have been added issue the following
commands:
</para>

<screen>
iptables -v -t nat -L
iptables -v -t filter -L
</screen>

<para>
To save these rules I used Red Hat's init scripts.
</para>

<screen>
/etc/init.d/iptables save
/etc/init.d/iptables restart
</screen>

<para>
Once the rules are in place turn on IP forwarding by
executing this command.
</para>

<screen>
echo 1 > /proc/sys/net/ipv4/ip_forward
</screen>

<para>
To make sure ip forwarding is enabled when the machine restarts
add the following line to <filename>/etc/sysctl.conf</filename>.
</para>

<screen>
net.ipv4.ip_forward = 1
</screen>

<para>
Now the gateway box will be able to do network address translation
(NAT), but it will drop all forwarding packets except those
coming from within the wireless network and bound for the gateway.
</para>

</sect2>

<sect2 id="pamiptablessetup">
<title>PAM iptables Module</title>

<para>
This module is a PAM session module that inserts the firewall rule
needed to allow forwarding for the authenticated client. To set it
up simply get the <ulink
url="ftp://ftp.itlab.musc.edu/pub/pam_iptables.tar.gz">source</ulink>
and compile it by running the following commands.
</para>

<screen>
gcc -fPIC -c pam_iptables.c
ld -x --shared -o pam_iptables.so pam_iptables.o
</screen>

<para>
You should now have two binaries called
<filename>pam_iptables.so</filename> and <filename>pam_iptables.o</filename>.
Copy <filename>pam_iptables.so</filename> to
<filename>/lib/security/pam_iptables.so</filename>.
</para>

<screen>
cp pam_iptables.so /lib/security/pam_iptables.so
</screen>

<para>
The chosen authentication client for the gateway was ssh so we added the
following line to <filename>/etc/pam.d/sshd</filename>.
</para>

<screen>
session required /lib/security/pam_iptables.so
</screen>

<para>
Now, when a user logs in with ssh, the firewall rule will be added.
</para>

<para>
The default interface for pam_iptables is eth0. This default can be
changed by adding the interface parameter.
</para>

<screen>
session required /lib/security/pam_iptables.so interface=eth1
</screen>

<para>
This is only needed if the interface name that connects to the external
network is not eth0.
</para>

<para>
To test if the pam_iptables module is working perform the following
steps:
</para>

<orderedlist>
<listitem>
<para>Log into the box with ssh.</para>
</listitem>
<listitem>
<para>Check to see if the rule was added with the command
<command>iptables -L</command>.</para>
</listitem>
<listitem>
<para>Log out of the box to make sure the rule is removed.</para>
</listitem>
</orderedlist>

</sect2>


<sect2 id="dhcpdsetup">
<title>DHCP Server Setup</title>

<para>I installed DHCP using the following
<filename>dhcpd.conf</filename> file.
</para>

<screen>
subnet 10.0.1.0 netmask 255.255.255.0 {
# --- default gateway
option routers 10.0.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.1.255;

option domain-name-servers 10.0.1.1;
range 10.0.1.3 10.0.1.254;
option time-offset -5; # Eastern Standard Time

default-lease-time 21600;
max-lease-time 43200;

}
</screen>

<para>The server was then run using eth1 , the interface to the
wireless net.
</para>

<screen>
/usr/sbin/dhcpd eth1
</screen>

</sect2>

<sect2 id="authenticationsetup">
<title>Authentication Method Setup</title>

<para>
As indicated in previous sections, I've set this gateway up to use
LDAP for authenticating. However, you can use any
means that PAM allows for authentication. See <xref linkend="authentication"> for
more information.
</para>

<para>
In order to get PAM LDAP to authenticate, I installed <ulink
url="http://www.openldap.org">OpenLDAP</ulink> and configured it
with the following in <filename>/etc/ldap.conf</filename>.
</para>

<screen>
# Your LDAP server. Must be resolvable without using LDAP.
host itc.musc.edu

# The distinguished name of the search base.
base dc=musc,dc=edu
ssl no
</screen>

<para>
The following files were used to configure PAM to do the LDAP authentication.
These files were generated by Red Hat's configuration utility.
</para>

<variablelist>
<varlistentry><term><filename>/etc/pam.d/system-auth</filename> was created and looked
like this.</term>
<listitem>
<para><screen>
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
account [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
</screen>
</para>
</listitem>
</varlistentry>
<varlistentry><term>Then the following
<filename>/etc/pam.d/sshd</filename> file was created.</term>
<listitem><para>
<screen>
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
#this line is added for firewall rule insertion upon login
session required /lib/security/pam_iptables.so debug
session optional /lib/security/pam_console.so
</screen>
</para>
</listitem>
</varlistentry>
</variablelist>
</sect2>

<sect2 id="dnssetup">
<title>DNS Setup</title>

<para>
I installed the default version of Bind that comes with Red Hat
7.1, and the caching-nameserver RPM. The DHCP server tells
the machines on the wireless net to use the gateway box as their nameserver.
</para>

</sect2>
</sect1>

<sect1 id="usage">
<title>Using the authentication gateway</title>
<para>
To use the authentication gateway, configure your client machine to use
DHCP. Install a ssh client on the box and ssh into the gateway.
Once you are logged in, you will have access to the internal network.
The following is an example session from a unix based client:
</para>

<screen>
bash>ssh zornnh@10.0.1.1
zornnh's Password:

gateway>
</screen>

<para>
As long as you stayed logged in, you will have access. Once you log out,
access will be taken away.
</para>

</sect1>

<!-- Section1: resources: END -->

<sect1 id="remarks">
<title>Concluding Remarks</title>

<indexterm>
<primary>(your index root)!conclusion</primary>
</indexterm>

<itemizedlist>
<listitem><para>
This method of security does not rely on the security provided by the
wireless network community. It assumes that the entire wireless network
is insecure and outside of your network.
</para>
</listitem>
<listitem><para>
The gateway does not encrypt traffic. It only allows you access
to the network behind it. If encryption and authentication are desired,
a VPN should be used.
</para>
</listitem>
</itemizedlist>

</sect1>

<!-- Section1: remarks: END -->


<!-- Section1: resources -->

<sect1 id="resource">
<title>Additional Resources</title>
<itemizedlist>
<listitem>
<para>A <ulink
url="http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html">document</ulink>
describing the NASA implementation of the authentication gateway.
</para>
</listitem>
<listitem>
<para>
A <ulink url="http://www.ualberta.ca/~beck/authgw.html">white
paper</ulink> describing how the University of Alberta created an authentication gateway.
</para>
</listitem>
</itemizedlist>
</sect1>

<!-- Section1: faq -->

<sect1 id="faq">
<title>Questions and Answers</title>

<indexterm>
<primary>(your index root)!FAQ</primary>
</indexterm>
<indexterm>
<primary>(your index root)!frequently asked questions</primary>
</indexterm>

<para>
This is just a collection of what I believe are the most common
questions people might have. Give me more feedback and I will turn
this section into a proper FAQ.
</para>

</sect1>

<!-- Section1: faq: END -->

</article>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-namecase-general:t
sgml-general-insert-case:lower
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:nil
sgml-parent-document:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->

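Review bot: the commit message says "name change", but this hunk is a pure deletion (-1,738 +0,0) with no matching addition shown, so the rename cannot be verified from this diff; a single move commit, or at least the new file name in the message, would keep the document's history intact. If the content is re-added under the new name, two defects in the deleted text are worth fixing on the way: the two default rules in the Netfilter Setup screen use `--state NEW, INVALID` with a space after the comma, which the shell splits into two arguments and iptables then rejects as a bad state list, so they should read `--state NEW,INVALID`; and the DNS Server section spells the RPM `caching-namserver` where the DNS Setup section later correctly names it `caching-nameserver`.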