adminguy
/
Teardowns_2020
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
269 MiB
Tree: d51dccb225
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd51dccb225'
${ noResults }
Teardowns_2020/soekris_engineering_net4801-60/resources/soekris.html

193 lines
7.6 KiB
Raw Normal View History

u
4 years ago
 
  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
  3.                       "http://www.w3.org/TR/xhtml111/DTD/xhtml111.dtd">
  4. 

  5. <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
  6.   <head>
  7.     <title>Soekris Router Project</title>
  8.     <link rel="stylesheet" href="style.css"/>
  9.   </head>
  10. 

  11.   <body>
  12.     <p>
  13.       This document no longer reflects my configuration, but rather
  14.       than delete possibly useful information, I've made notes of my
  15.       changes on a new <a href="errata.html">errata</a> page.
  16.     </p>
  17.     
  18.     <h1>Introduction</h1>
  19.     <p>
  20.       Typically there are two choices when setting up a small network:
  21.       buy consumer grade commercial hardware, or find an old machine
  22.       and install unix.  A small wireless router and firewall from <a href="https://www.netgear.com"> NetGear</a> or <a href="https://www.linksys.com">Linksys</a> could hardly be easier
  23.       to install and has many pretty <a
  24.       href="http://www.brabandt.de/html/blinken_lights.html">blinken
  25.       lights</a>.  It isn't very flexible though, often two or more
  26.       different boxes are needed, upgrading means buying another one,
  27.       and some "enterprise" features are plain not available at the
  28.       low end.  On the other hand, a full fledged computer makes a lot
  29.       of noise and has many moving parts to fail.
  30.     </p>
  31. 

  32.     <p>
  33.       The solution: create a custom network device running on silent
  34.       hardware designed for embedded systems.  Select the best
  35.       hardware and software available to create a device
  36.       unparalleled by anything in the commercial marketplace.
  37.     </p>
  38. 

  39.     <ol>
  40.       <li>Stateful packet filtering with NAT</li>
  41.       <li>High power 802.11b wireless access point</li>
  42.       <li>Routing</li>
  43.       <li>Network services (DHCP, NTP, SSH, caching DNS)</li>
  44.       <li>IPsec endpoint</li>
  45.       <li>Upgradable (802.11g, IPv6, etc)</li>
  46.     </ol>
  47. 

  48.     <p>
  49.       The real selling point however is that this network device will
  50.       be running a full unix operating system, which provides nearly
  51.       infinite flexibility.  All aspects of operation can be fine
  52.       tuned, comprehensive monitoring is possible, and arbitrary
  53.       programs may be installed.
  54.     </p>
  55. 

  56.     <h1>The Platform</h1>
  57.     <p>
  58.       <a href="https://www.soekris.com">Soekris Engineering</a>
  59.       produces an excellent line of tiny, x86 compatible,
  60.       embedded computers complete with cases.  So first on the list, one <a href="https://www.soekris.com/net4521.htm">net4521</a> which has
  61.       the following key specifications:
  62.     </p>
  63.     
  64.     <ul>
  65.       <li>AMD <a href="https://www.amd.com/epd/processors/4.32bitcont/14.lan5xxfam/24.lansc520/">Elan SC520</a> 486 class 133mhz CPU, 64 megs of RAM</li>
  66.       <li>Two 10/100 megabit ethernet ports</li>
  67.       <li>Two PCMCIA/PCCard/CardBus slots</li>
  68.       <li>One Mini-PCI slot, filled with a 
  69.       <a href="https://www.soekris.com/vpn1201.htm">vpn1211</a> hardware crypto board</li>
  70.       <li>A CompactFlash card slot for permanent storage of the system software</li>
  71.     </ul>
  72. 

  73.     <p>
  74.       The Soekris boards support all the free *BSD variants, Linux,
  75.       and probably anything else that runs on standard PC compatible
  76.       hardware.  Soekris has quite a following amongst the wireless
  77.       networking community, and so has a lively <a
  78.       href="http://lists.soekris.com/mailman/listinfo/soekris-tech">mailing
  79.       list</a> with volumes of information about how to get everything
  80.       working.
  81.     </p>
  82. 

  83.     <h1>The Wireless Card</h1>
  84.     <p>
  85.       Next is an 802.11b wireless card.  Many aren't capable of acting
  86.       as an access point, and some aren't even supported under open
  87.       source operating systems.  Fortunately there is a wonderful
  88.       chipset called Prism from <a
  89.       href="http://www.intersil.com">Intersil</a> that is very well
  90.       supported under *BSD and Linux, and it supports an access point
  91.       mode.
  92.     </p>
  93. 

  94.     <p>
  95.       One of the people on the Soekris mailing list happens to have a
  96.       company named <a href="https://www.netgate.com">NetGate</a>, and
  97.       this company just happens to ship a <a href="https://www.netgate.com/EL2511.html"> 802.11b PC-Card</a>
  98.       based on the Prism 2.5 chipset which puts out 200mw with
  99.       excellent sensitivity ratings. Not only that but they sell <a href="https://www.netgate.com/kits.html">kits</a> which include:
  100.     </p>
  101. 

  102.     <ul>
  103.       <li>The card itself</li>
  104.       <li>A "pigtail" which connects the card to a connector on the outside of
  105.       the Soekris case</li>
  106.       <li>An antenna which greatly increases the range</li>
  107.     </ul>
  108. 

  109.     <p>Great stuff!</p>
  110. 

  111.     <h1>The Operating System</h1>
  112.     <p>
  113.       Choosing the right network operating system may be the toughest
  114.       task.  Linux and the *BSDs (FreeBSD, NetBSD, OpenBSD) will all
  115.       run on this hardware, as will other non-free operating systems
  116.       which I gave no thought to.  The <a
  117.       href="http://hostap.epitest.fi">HostAP</a> driver and software
  118.       are what allow a Prism based 802.11b card to act as an access
  119.       point.  Apparently this was written for Linux but it is
  120.       available on BSD too.
  121.     </p>
  122. 

  123.     <p>
  124.       <a href="https://www.openbsd.org">OpenBSD</a> has a hard won
  125.       reputation for security, stability, and everything else I am
  126.       looking for.  It was the natural choice, and many other people
  127.       on the Soekris mailing list have discovered the same thing.
  128.       There is even a project called <a
  129.       href="http://opensoekris.sourceforge.net">OpenSoekris</a> which
  130.       will help set up a Soekris based system from an existing OpenBSD
  131.       install.
  132.     </p>
  133. 

  134.     <p>Some of the key features of OpenBSD are:</p>
  135.     
  136.     <ul>
  137.       <li>A great <a href="https://www.openbsd.org/faq/faq6.html#PF">packet filter</a>
  138.       with which to make a firewall and NAT engine</li>
  139.       <li>An <a href="https://www.openbsd.org/faq/faq13.html">IPsec</a> engine</li>
  140.       <li>Plus hardened services like a DNS server</li>
  141.     </ul>
  142.     
  143.     <h1>Security</h1>
  144. 

  145.     <p>
  146.       Sure WEP can be cracked, so can a copper cable network, it just
  147.       requires more intrusive physical access.  Even more intrusive is
  148.       tapping into fiberoptic cables, but that too is possible.  Real
  149.       security requires top strength crypto and a great solution
  150.       is <a href="https://www.ietf.org/html.charters/ipsec-charter.html">IPsec</a>.
  151.     </p> 
  152. 

  153.     <p>
  154.       IPsec, via the ISAKMP protocol, can handle client authentication
  155.       via passphrases or x.509 certificates.  No need to worry about
  156.       802.1x or proprietary enhancements to WEP.  IPsec is extremely
  157.       strong and isn't tied to wireless networks.  So, the security
  158.       portion of the plan is:
  159.     </p>
  160. 

  161.     <ol>
  162.       <li>Deny all access from the internet interface</li> 
  163.       <li>Allow all local clients access to DHCP and ISAKMP</li>
  164.       <li>Deny all other unencrypted communications to wireless clients</li>
  165.       <li>Allow IPsec traffic from authenticated wireless clients</li>
  166.       <li>Allow local administration via SSH</li>
  167.     </ol>
  168. 

  169.     <h1>Sections</h1>
  170.     <p>The project is divided into the following sections:</p>
  171. 

  172.     <ol>
  173.       <li>Introduction</li>
  174.       <li><a href="openbsd.html">OpenBSD Configuration</a></li>
  175.       <li><a href="diskless.html">Diskless Booting</a></li>
  176.       <li><a href="cf-install.html">CompactFlash Installation</a></li>
  177.     </ol>
  178. 

  179.     <p>There are also client configuration how-tos:</p>
  180. 

  181.     <ol>
  182.       <li><a href="macosx-ipsec.html">Mac OS X IPSec</a></li>
  183.     </ol>
  184. 

  185.     <p>
  186.       <a class="section" href="openbsd.html">
  187.       Next: OpenBSD Configuration &gt;&gt;</a>
  188.     </p>
  189. 

  190.     <p><img alt="email address" src="contact.png"/></p>
  191.   </body>
  192. </html>
  193.