Re: Netbooting (PXE) Wireless and Diskless Clients?

From: jpd
Date: 10/08/05

Date: 8 Oct 2005 14:46:48 GMT

On 2005-10-08, pachl wrote:
[netbooting over wireless]
> Yes, I understand that the implemented security mechanisms are botched.
> It just seems like this should be feasible.

Well, in theory, yes, but in practice, you'd need to implement some
sort of 11x or WPA2 client in your bootrom. ISTR PXE not being powerful
enough to do this. So at least on Wintel you can basically forget it.
Other platforms might have powerful enough remote boot mechanisms, but in
this world as it is today there is no cheap option to do it securely.

> Would setting up a diskless client with a wired NIC connected directly
> to a wireless access point, which is functionally equivalent, be just
> as insecure? Would restricting communications between the LAN and the
> client's external WAP using MACs suffice?

Yes, unless the boot image resides on the AP and thus doesn't travel
through the air. No, they can be spoofed.

> What I'm trying to do is set up thin clients with only sound, video, and
> a wireless keyboard to place near each TV around the house.

I'd probably opt for booting from flash (CF/disk-on-flash/whatever)
and then, if it isn't enough, have it download additional stuff from
your application server.

> These clients will then stream video and music from a central server. I
> thought, if I ever wanted to update the software I would only have to
> do it at the server. My other problem is I can't run network cable to
> most of the clients.

The problem is that you can't securely boot over wireless, but if you
have a way of booting and establishing secure communications, you can do
whatever you want after that. Whether you d/l applications every time or
rather have the thing store them locally and only casually update them
is up to you. This just leaves you with the minor problem of updating
the system itself in the face of security problems, but even there you
have multiple options. The simplest would be bringing all affected boxes
in for fixing over a wire, on the premise that it won't be necessary
very often.

> I guess I'm dreaming. I have several CF and CF-to-IDE adapters lying
> around. So I guess I could put a minimal amount of software on CF to
> get the system wireless. Any suggestions?

You're asking in cubfm? Well...

  j p d (at) d s b (dot) t u d e l f t (dot) n l .
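The step jpd sketches above (boot from local flash, then fetch or refresh the application from the server and check it before running it) is easy to get wrong, so here is an added example of the client-side check. It is not code from the post or its author. It assumes a per-client secret key provisioned onto the CF card over a wire, a server that publishes a small JSON manifest (version, size, SHA-256) MACed with that key, and a version counter kept on the client; all three are assumptions, and the sample key and image are constructed. Python standard library only, so nothing beyond what a minimal flash image would carry.

```python
import hashlib
import hmac
import json

# Constructed sample key. In the scenario this would be written onto the
# client's CF card over a wire once, one distinct key per client (assumption),
# so that losing one card does not let an attacker feed updates to the others.
CLIENT_KEY = bytes.fromhex(
    "1f8e2b7c4d5a69c0e3b4a5d6f7081920aabbccddeeff00112233445566778899"
)


def sign_manifest(key: bytes, version: int, image: bytes):
    """Server side: describe an image and MAC the description with the client's key.

    Returns (manifest_bytes, tag_hex). The MAC covers version, size and hash,
    so the image itself can travel over any channel (wireless included) and
    be verified after download.
    """
    manifest = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_update(key: bytes, body: bytes, tag: str, image: bytes, installed_version: int):
    """Client side: accept the image only if MAC, version and hash all check out.

    Returns (accepted, reason). Order matters: authenticate the manifest
    before trusting any field in it, refuse rollback to an older (possibly
    vulnerable) version, and only then spend time hashing the image.
    """
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "manifest MAC mismatch"
    manifest = json.loads(body)
    if manifest["version"] <= installed_version:
        return False, "rollback to version %d refused" % manifest["version"]
    if len(image) != manifest["size"]:
        return False, "image size mismatch"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "image hash mismatch"
    return True, "ok"


def demo():
    """Run the good path and three failure modes on constructed data."""
    image = b"#!/bin/sh\nexec /usr/local/bin/mediaplayer\n"  # constructed stand-in
    body, tag = sign_manifest(CLIENT_KEY, 3, image)
    return {
        "genuine": verify_update(CLIENT_KEY, body, tag, image, installed_version=2),
        # bytes appended in transit: size no longer matches the manifest
        "tampered_image": verify_update(CLIENT_KEY, body, tag, image + b"\n", installed_version=2),
        # manifest edited without the key: MAC no longer matches
        "forged_manifest": verify_update(
            CLIENT_KEY, body.replace(b'"version":3', b'"version":4'), tag, image, installed_version=2
        ),
        # same valid manifest replayed to a client already on version 3
        "rollback": verify_update(CLIENT_KEY, body, tag, image, installed_version=3),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-16s %s (%s)" % (name, "ACCEPT" if ok else "REJECT", reason))
```

The caveat with a symmetric key is the one jpd's "bring the box in over a wire" remark hints at: whoever holds a client's CF card holds its key and can forge updates for that client, which is why the key is per-client and why the manifest MAC is no substitute for a wired re-provisioning when a card goes missing. A public-key signature on the manifest removes that forgery path but needs a crypto library beyond the standard library on the client.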
