On Mon, 28 Oct 2002 14:53:25 -0800 (PST) Lile Elam <[EMAIL PROTECTED]> wrote:
>
> Hi folks,
>
> So I have a client who had an AP on their internal business network
> which was completely open... no password or WEP was enabled. Needless
> to say, anyone could connect to any machine on their network from
> the street.
>
> I suggested that we put the AP on the outside of their firewall
> and leave it open. We tried this but it turns out that access to
> inside machines was still available.

I would first try and figure out why Wireless clients could access machines behind the firewall from outside. If that's correct the firewall isn't stopping anything and you have bigger problems than figuring out where to put an AP.

> Now I was talking with a few network geeks in a hot tub about this
> and we were discussing what the best configuration would be...
> the majority of response was that I should move the AP back into
> the internal network and leave WEP on.

Bad idea...WEP is too easy to hack through. Even with a MAC ACL you are still too exposed to risk. APs should always be in a secure DMZ w/ VPN.

>
> This was a surprise... I would have thought that you would want
> to keep the AP in the DMZ zone... and not on the internal network.
> Also, I am wondering why people could see the internal network
> machines from the DMZ... was the router not really protecting the
> internal network?

Is it a router or a firewall...a firewall shouldn't allow any unchecked traffic from the internet to the inside.

>
> Ideally I would like to set up such clients with AP's in the DMZ
> zones that are completely open so that there will be more public
> access points.
>

If the Access Point is intended for general, on the street passers-by then your idea is perfectly fine, though a disclaimer would probably be a good thing releasing them from any liability a cracker targeting other people could generate. If the Access Point is intended to be primarily for company use, it should be in a DMZ (that restricts outbound traffic) and use VPN to access the internal network.

--
Tom

Don't throw your computer out the window,
throw the Windows out of your computer!
--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
