The more secure way would be to put it outside the firewall, use LEAP or
EAP/TLS for authentication and VPN back into the corp. net. Static WEP alone
is easily cracked, but you will still have a secondary auth to get past to
get to the corp. net. But the problem is that if someone gets associated to
your wireless segment then any systems on that segment and the AP are
vulnerable and will be compromised and then they get past your F/W.

-d

-----Original Message-----
From: Lile Elam [mailto:lile@;art.net] 
Sent: Monday, October 28, 2002 2:53 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [BAWUG] AP placement on network ?



Hi folks,

So I have a client who had an AP on their internal business network which
was completely open... no password or WEP was enabled. Needless to say,
anyone could connect to any machine on their network from the street.

I suggested that we put the AP on the outside of their firewall 
and leave it open. We tried this but it turns out that access to inside
machines was still available.

So we turned on WEP and set a password on the AP for the network. 

Now I was talking with a few network geeks in a hot tub about this and we
were discussing what the best configuration would be... 
the majority of response was that I should move the AP back into the
internal network and leave WEP on. 

This was a surprise... I would have thought that you would want to keep the
AP in the DMZ zone... and not on the internal network. Also, I am wondering
why people could see the internal network 
machines from the DMZ... was the router not really protecting the internal
network?

Ideally I would like to set up such clients with AP's in the DMZ zones that
are completely open so that there will be more public access points. 

Would love to hear folks' comments on the above... and ideas on 
what the best config would be. 

thanks,

-lile

hacker artist
GeekMaids.Com - Creating Order out of Chaos... Cleaning and Beyond!

--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless