Some sort of "In the air" security.


David L. Vrablic
11-21-2002, 07:07 AM
The problem is we have many customers with legacy systems with 2M WL2400 cards and such.

If a new customer needs to share the sector these folks are on and needs over the air crypt. then I have to rebuild the existing customers.
I don't like to disrupt working / happy customers.

This dang security issue keeps popping up.
It points out that it is most likely best to use a real computer as the customer CPE so we can control both ends. Then make the Crypt. totally non standard so an off the shelf device cannot attach.

lonnie
11-29-2002, 12:59 PM
We are not able to provide any more security than WEP, and we don't even like that. Your customers should be using their own VPN if they are concerned. Anything else will only serve to give them a false sense of security and they will simply blame you later because you accepted the responsibility.

I would put this right back at the customer because you have no idea on your financial exposure if you accept the responsibility for their security. At the very least they should have to sign off releasing you of any risk if you have used your best efforts.

matthewa
12-12-2002, 06:46 PM
What about IPSEC and X.509 signed 'node' certificates?

lonnie
12-13-2002, 12:02 AM
We can do that if we have our software at each end, but many of you guys want to use the standard Windows driver and that means no IPSEC. Is there something we don't know about and that we can do?

matthewa
12-13-2002, 12:12 AM
True, it won't support Windows 95-ME users nor NT 4.0; however, Windows 2000 and XP do support IPSEC along with X.509 identification. It's also supported in most of the open source unices.

lonnie
12-13-2002, 12:21 AM
In our community most people still have Windows 95, then comes Windows 98SE, very few Win2K and WinME, and as they upgrade they are now showing up with WinXP Home. 95 still rules.

ibholst
12-13-2002, 05:41 PM
MultiTech (the old MultiModem Manager company) makes a dandy RouteFinder 550 VPN box that retails for $179. Dealer about 30% off. You can put one on each end (up to five tunnels, so you could have six locations all networked together) and it is a piece of cake to set up. Supports all the Windows networking stuff. (Network Neighborhood shows all the shared computers or file structure at all sites.) Has "keep alive" for remote locations to stay connected to home site.

They also have an IPSEC license for $79 for a remote PC to connect without the hardware box.

One included feature on the RouteFinder is a "fallback" serial port on which you can put a dialup modem for WDSL failure and dial up your modem bank for connectivity (without VPN.) Gives you a service to sell along with a registered IP in a package to a client. I get $50/mo. for the "add on" package. (100% profit after set up.) (smile) Although I do have to butcher up a Registered Class C in /30s to give them one IP for the VPN box and one for a gateway on my StarOS or PICO BSD CPEs.

Free toll-free telephone support forever. They will still give me free support on modems purchased 7 years ago! And they treat ISPs as first class citizens, not second.

Ira

georgew
01-02-2003, 07:55 AM
re: multitech
I don't know why they treat you so good and us like we are asking support for something built in the stone age... we threw away our EXPENSIVE multitech modem racks because the power supplies were failing, and replacements were no longer available from multitech. We purchased some used modem chassis to rob for power supplies, and those started failing right away...

Re: security
I have read whitepapers that imply the 802.11b standard supports per-user wep keys. Combined with wep plus, this would make a nice low-end no-extra-cost secure network that runs at the full speed of the radios.


George

tony
01-02-2003, 10:48 AM
Our documentation, and whitepapers on 802.11b, and the technical specs for Intersil and Agere wireless cards have no mention of per-user WEP authentication. It would be interesting to implement, but the current generation 802.11b cards do not natively support this via firmware.