At 09:35 AM 2/11/03 -0800, Danny Carter wrote:
[old stuff deleted] Since security is a major concern when attached to the Internet, why not make use of the three-interface firewall solution within Bearing/Shorewall and place the wireless access point on that third interface of the firewall within the DMZ? Maybe I'm overlooking a "barn-door" security breach, but it just seems logical to use your wireless devices on "that" interface, and routing traffic accordingly. Anyone else have any thoughts on this?
Whether this works or not depends on (a) what you want the wireless LAN to do and (b) what you want to protect from it.
Normally, hosts on a DMZ cannot initiate connections either to the Internet or to the (wireline, in this case) LAN. The ruleset covering the DMZ interface may open particular holes ... to allow DNS inquiries, for example ... but the basic role of a DMZ is to respond to traffic from the Internet or the LAN. So putting a WAP on the DMZ will not allow the WAP hosts to have normal access to the Internet.
But what if you use a separate, "normal" LAN interface for the WAP, rather than an interface configured as a DMZ? Again, it depends. If someone breaks the security on the WAP LAN, he or she will be able to do whatever legitimate users there can do (use it to send SPAM? access hosts on the wireline LAN? download porn? it depends on how much you trust your legit users not to use the connection in disapproved ways).
The basic problem remains -- you need to make the wireless LAN itself secure. To do that, you have the following options (that I can think of - can someone suggest others?):
1. WEP encryption. The consensus of opinion seems to be that this works against casual break-ins, but not against determined ones. (Peter provided a link to one WEP cracker; another is airsnort.)
2. MAC address control, implemented either in the WAP itself (however it does this) or in the LEAF router (as DHCP restrictions). Works as long as a break-in attempt does not manage to spoof an allowed MAC address.
3. Some other authentication mechanism for hosts. Possibilities are requiring use of an ssh tunnel or some form of IPSec. This slows down the wireless LAN but probably provides good security (though the mechanisms for doing this may not be available off the shelf).
4. Service-level restrictions. The options available to you here (e.g., proxy servers, user-side certificates, pop-before-smtp checks on outgoing mail, SSL and ssh connections to LAN hosts) depend on how much you are willing to limit what legit users of the WAP LAN can do.
I haven't yet implemented a "real" WAP LAN here; I have just started experimenting with an isolated lab-bench one. So I offer these thoughts more as a first pass at the problem than as anything definitive, more designed to clarify the issues than to settle anything. I am quite interested in any better ideas that others can offer.
--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
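Option 2 above (MAC address control done in the LEAF router as DHCP restrictions) leaves the question of how you would notice that the restriction is being probed or that an allowed MAC is being spoofed. The script below is an added example, not code from this thread or from the LEAF/Shorewall project: it audits DHCP server log lines for the wireless interface, reporting unknown MACs that asked for a lease, unknown MACs that actually got one (the DHCP restriction failing), and allowed MACs that show up under more than one client hostname, which is the crude signature of a second machine borrowing a permitted address. The log lines, the MAC addresses and the interface name `wlan0` are constructed; the line format is an assumption modelled on dnsmasq's DHCP logging, so the regular expression will need adjusting for a different DHCP server.

```python
import re
from collections import defaultdict

# Allowed wireless client MACs (constructed example values).
ALLOWED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Constructed log lines. Assumption: the router logs DHCP events in
# dnsmasq's format "DHCPxxx(iface) [ip] mac [hostname]"; the interface
# name wlan0 is also an assumption.
SAMPLE_LOG = """\
Feb 11 09:40:01 router dnsmasq-dhcp[412]: DHCPDISCOVER(wlan0) 00:11:22:33:44:55
Feb 11 09:40:01 router dnsmasq-dhcp[412]: DHCPOFFER(wlan0) 192.168.2.10 00:11:22:33:44:55
Feb 11 09:40:02 router dnsmasq-dhcp[412]: DHCPACK(wlan0) 192.168.2.10 00:11:22:33:44:55 laptop
Feb 11 09:41:13 router dnsmasq-dhcp[412]: DHCPDISCOVER(wlan0) 00:de:ad:be:ef:01
Feb 11 09:41:13 router dnsmasq-dhcp[412]: DHCPDISCOVER(wlan0) 00:de:ad:be:ef:01 no address available
Feb 11 09:55:40 router dnsmasq-dhcp[412]: DHCPACK(wlan0) 192.168.2.11 00:11:22:33:44:66 phone
Feb 11 10:02:05 router dnsmasq-dhcp[412]: DHCPACK(wlan0) 192.168.2.12 00:11:22:33:44:66 unknown-pc
"""

# Message type, interface, optional IP, MAC, optional trailing hostname.
LINE_RE = re.compile(
    r"(?P<msg>DHCP[A-Z]+)\((?P<iface>\w+)\)\s+"
    r"(?:(?P<ip>\d+\.\d+\.\d+\.\d+)\s+)?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)


def parse_dhcp_events(log_text, iface="wlan0"):
    """Extract DHCP events seen on the wireless interface only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("iface") != iface:
            continue
        msg = m.group("msg").upper()
        events.append({
            "msg": msg,
            "ip": m.group("ip"),
            "mac": m.group("mac").lower(),
            # Only a DHCPACK line carries the client's hostname; the trailing
            # words on other lines (e.g. "no address available") are not one.
            "host": m.group("host") if msg == "DHCPACK" else None,
        })
    return events


def audit_wireless_dhcp(log_text, allowed_macs, iface="wlan0"):
    """Return unknown MACs, unknown MACs that obtained a lease, and allowed
    MACs that appeared under more than one hostname (possible spoofing)."""
    allowed = {m.lower() for m in allowed_macs}
    unknown, leased_unknown = set(), set()
    hosts_by_mac = defaultdict(set)
    for ev in parse_dhcp_events(log_text, iface):
        if ev["mac"] not in allowed:
            unknown.add(ev["mac"])
            if ev["msg"] == "DHCPACK":      # the DHCP restriction did not hold
                leased_unknown.add(ev["mac"])
        elif ev["host"]:
            hosts_by_mac[ev["mac"]].add(ev["host"])
    multi_host = {mac: sorted(h) for mac, h in hosts_by_mac.items() if len(h) > 1}
    return {
        "unknown_macs": sorted(unknown),
        "leased_unknown": sorted(leased_unknown),
        "multi_host_macs": multi_host,
    }


if __name__ == "__main__":
    report = audit_wireless_dhcp(SAMPLE_LOG, ALLOWED_MACS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample log this reports one unknown MAC that was refused a lease, no unknown MAC that got one, and the allowed MAC ending in `:66` seen as both "phone" and "unknown-pc". A spoofing host that also copies the hostname defeats this check, which is the same limitation Ray notes for MAC control generally; the audit tells you the restriction is being tested, it does not make the restriction stronger.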
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
