This was a surprise... I would have thought that you would want to keep the AP in the DMZ zone... and not on the internal network.
Exactly.
Also, I am wondering why people could see the internal network machines from the DMZ... was the router not really protecting the internal network?
Firewall config problems - the rulebase needs a good look through (and if, for example, they're NATting on the firewall itself, they probably need to have someone look at possible interactions between NAT and firewall). Might just be that sometime someone added a temporary rule to copy files to/from a DMZ machine and forgot to remove it, or could be a deeper problem.
Would love to hear folks' comments on the above... and ideas on what the best config would be.
Dan Seoane pointed out that any wireless clients have access to that network segment; perhaps it would be better to place wireless clients on a separate interface on the firewall to protect any DMZ machines.

That still leaves the problem of wireless clients being vulnerable from other wireless clients (which is of course a problem whether or not the AP is intentionally left open). It can be made more secure by being careful about what software is run on the client machines (though judging by the popularity of Klez et al, many companies don't seem to be unduly concerned by security anyway!). One thing that could help on a Windows machine would be to unbind network clients and services from the wireless interface (leaving them only bound to the VPN interface).

I have a feeling that some commercial VPN client software is able to block non-encrypted traffic that isn't related to the VPN session setup - this would be helpful, and would give a good level of protection from other wireless clients, though I'm not sure about specific software supporting it. I think I remember seeing it in an old version of SecuRemote, but Checkpoint's public website is pretty short on details, so I can't check if it's still there...seems like a pretty useful feature for a VPN client to have, so perhaps somebody else here knows of software that might be suitable. Failing that, something could probably be done with HostAP, but it might not be all that easy (:

--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
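As an added illustration of the two points raised in this thread (the rulebase that "needs a good look through" for a forgotten temporary rule, and the suggestion to put wireless clients on their own firewall interface where only VPN session traffic is allowed through to the gateway), here is a small rulebase audit in Python. It is not code from the list or from any product mentioned; the zone addresses, the VPN gateway address, the rule names and the rulebase itself are all constructed for the example, and the firewall is modelled as a first-match rule list.

```python
"""Audit a first-match firewall rulebase for paths that let the wireless or
DMZ segment reach the internal network other than VPN setup traffic to the
VPN gateway.  All addresses, zones and rules below are constructed examples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR of permitted sources
    dst: str            # CIDR of permitted destinations
    proto: str          # "tcp", "udp", "esp" or "any"
    port: Optional[int]  # destination port; None means any port
    action: str         # "allow" or "deny"


# Hypothetical zone layout: wireless clients on their own firewall interface,
# a DMZ, and the internal network.
ZONES = {
    "wireless": ip_network("10.10.0.0/24"),
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/16"),
}
# Hypothetical VPN gateway sitting inside the internal zone.
VPN_GATEWAY = ip_network("10.0.0.5/32")
# Traffic that a VPN session needs before the tunnel is up (IPsec: IKE on
# udp/500, NAT-T on udp/4500, then ESP itself).
VPN_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None)}

# Constructed rulebase.  "tmp-file-copy" is the kind of temporary rule the
# thread describes: added to copy files to a DMZ host and never removed.
RULEBASE = [
    Rule("vpn-ike", "10.10.0.0/24", "10.0.0.5/32", "udp", 500, "allow"),
    Rule("vpn-natt", "10.10.0.0/24", "10.0.0.5/32", "udp", 4500, "allow"),
    Rule("vpn-esp", "10.10.0.0/24", "10.0.0.5/32", "esp", None, "allow"),
    Rule("tmp-file-copy", "192.0.2.0/24", "10.0.0.0/16", "tcp", 445, "allow"),
    Rule("web-to-dmz", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80, "allow"),
    Rule("cleanup", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]


def rule_matches(rule: Rule, src: str, dst: str, proto: str, port: Optional[int]) -> bool:
    """True if a single packet description falls within the rule's match fields."""
    return (
        ip_address(src) in ip_network(rule.src)
        and ip_address(dst) in ip_network(rule.dst)
        and (rule.proto == "any" or rule.proto == proto)
        and (rule.port is None or rule.port == port)
    )


def first_match(rules: List[Rule], src: str, dst: str, proto: str, port: Optional[int]) -> Optional[Rule]:
    """Walk the rulebase top to bottom and return the first rule that applies."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, port):
            return rule
    return None


def audit(rules: List[Rule]) -> List[str]:
    """Return names of allow rules that let wireless or DMZ sources reach the
    internal zone by anything other than VPN session traffic to the gateway."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src_net, dst_net = ip_network(rule.src), ip_network(rule.dst)
        from_untrusted = any(src_net.overlaps(ZONES[z]) for z in ("wireless", "dmz"))
        to_internal = dst_net.overlaps(ZONES["internal"])
        if not (from_untrusted and to_internal):
            continue
        is_vpn_setup = dst_net.subnet_of(VPN_GATEWAY) and (rule.proto, rule.port) in VPN_SERVICES
        if not is_vpn_setup:
            findings.append(rule.name)
    return findings


if __name__ == "__main__":
    print("rules to review:", audit(RULEBASE))
    hit = first_match(RULEBASE, "192.0.2.5", "10.0.1.20", "tcp", 445)
    print("DMZ host to internal file share hits:", hit.name if hit else None)
```

The static audit finds the forgotten `tmp-file-copy` rule, while the first-match simulation shows why it matters: a DMZ host reaching an internal SMB port is allowed by that rule, whereas the same attempt from the wireless segment falls through to the `cleanup` deny. Removing every rule the audit names leaves a rulebase where the only path from wireless or DMZ into the internal zone is VPN setup traffic to the gateway, which is the configuration the reply above argues for.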
