Re: [fw-wiz] Securing a wireless network

From: Claudiu Dragalina-Paraipan (dr.clau_at_gmail.com)
Date: 10/29/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 29 Oct 2004 09:41:51 +0200
    
    

    Hi,

    you could use VPNs. What I would do is this:
    - set up a VPN server, my choice would be FreeBSD or OpenBSD, for what I
    think are obvious reasons;
    - on the client side, which I assume uses Windows, you can use the VPN
    client that comes with Windows (2000, XP), or get one for older
    versions from the Internet;
    - back to the server, you should NAT/pass only IPs that come through
    the VPNs, while the other http traffic can be redirected to an
    instruction page.

    This way you have almost what you want. You can still use DHCP to give
    IPs to new clients, but allow only connections to the Internet from IPs
    used for VPNs. If you put your network's servers behind this "vpn
    server", you can filter connections to them also.

    This is not exactly what you want, but it is far more secure than what
    you have already.
    Probably you can make a general user for VPNs, so you don't have to
    provide everyone with a user and password.

    I hope this helps you.

    Best regards,
           Claudiu.

    On Thu, 28 Oct 2004 20:14:05 -0400, chris@compucounts.com
    <chris@compucounts.com> wrote:
    > At my so-called place of business, there exists a completely insecure public wireless network that I wish to lock down (ignoring WEP, Radius, and other wireless security methods).
    >
    > I am looking for a means of forcing 'unverified' clients (by MAC address?; not at all worried about spoofing) to run a script or program of some sort before being able to interface with other network devices (to scan for viruses, check software configuration, and whatever else). The best bet at the moment seems to include VLANs and some sort of destination NAT to a generic web server that says "hey, run this!", but I'm having trouble finding literature on the subject. Partly because I'm not entirely sure what I'm looking for.
    >
    > The general idea:
    > - unknown client connects to network and obtains IP from DHCP
    > - client opens web browser, and is redirected to some generic page with instructions
    > - client follows instructions, runs script
    > - <slightly hazy with a chance of rain>
    > - client is assigned new [IP|VLAN|something else] and is able to connect to the rest of the network
    >
    > Currently, the network (entirely Cisco) is set up as follows:
    >
    > - Backbone: Cisco Catalyst 6509 multilayer switch
    > - Closets: various models of managed Catalyst switches running an enterprise IOS version
    > - Access Points: Cisco Aironet AP350's and 1120's
    >
    > Can anyone point me in some direction or offer a different solution? My idea is not to authenticate clients and reject unknown users; the idea is to force users to have semi-secured computers while maintaining an otherwise open network.
    >
    > I would prefer a solution that requires the least amount of changes to the backbone switch (because all requests regarding it have to be forwarded to dept. A, which sends it to B, then C, and yadda yadda yadda; 5 years later, it *might* get done), but I'm open to any possibilities.
    >
    > Thanks in advance,
    >
    > - Chris Carlson
    >
    > * "First they ignore you, then they laugh at you, then they
    > fight you, then you win." ~Mahatma Gandhi
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    -- 
    Claudiu Dragalina-Paraipan
    e-mail: dr.clau@gmail.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
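    As an added illustration of the filtering policy Claudiu describes (this is not from the original post, and not a configuration anyone on the thread supplied), here is a pf.conf in the 2004-era OpenBSD/FreeBSD pf syntax that does the three things his reply lists: hands out nothing but DHCP, DNS, the instruction page and the VPN setup ports to the open wireless range, redirects any other web request from that range to the instruction page, and NATs to the Internet only addresses that arrive inside the tunnel. Interface names, address ranges, and the choice of PPTP (TCP 1723 plus GRE, which is what the built-in Windows 2000/XP client speaks) served by a PPTP daemon on the same box are all assumptions; adjust them to the real site.

```pf
# Added example pf.conf for the "VPN gate" described in the thread.
# All interface names, networks and the use of PPTP are assumptions.
ext_if   = "fxp0"            # assumed: towards the Internet
wifi_if  = "fxp1"            # assumed: open wireless segment served by DHCP
vpn_if   = "tun0"            # assumed: tunnel interface of one PPTP session
wifi_net = "192.168.10.0/24" # assumed: range DHCP hands to unverified clients
vpn_net  = "10.8.0.0/24"     # assumed: range the VPN server assigns to clients
portal   = "192.168.10.1"    # assumed: the server's own wireless-side address,
                             # also running the instruction page on port 80

set skip on lo0

# Translation rules come before filter rules in this pf version.
# Any web request from the unverified wireless range lands on the
# instruction page; the filter rules below see the rewritten destination.
rdr on $wifi_if proto tcp from $wifi_net to any port 80 -> $portal port 80

# Only addresses that came out of the tunnel are NATed to the Internet,
# so a plain DHCP lease never reaches past this box.
nat on $ext_if from $vpn_net to any -> ($ext_if)

block all
antispoof quick for { $wifi_if, $vpn_if }

# Unverified wireless clients: DHCP (source may still be 0.0.0.0),
# DNS to this box, the instruction page, and the VPN setup ports.
pass in on $wifi_if proto udp from any port 68 to any port 67
pass in on $wifi_if proto udp from $wifi_net to $portal port 53 keep state
pass in on $wifi_if proto tcp from $wifi_net to $portal port 80 keep state
pass in on $wifi_if proto tcp from $wifi_net to $portal port 1723 keep state
pass in on $wifi_if proto gre from $wifi_net to $portal

# Traffic that arrives inside the tunnel may go anywhere.
pass in on $vpn_if from $vpn_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

    Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. Because the server assigns VPN addresses from $vpn_net and NAT only matches that range, a client that skips the instruction page keeps its DHCP lease but gets nowhere; there is no need for the VLAN or backbone-switch changes the original question was trying to avoid. With several concurrent PPTP sessions there is one tunN interface per session, so the `pass in on $vpn_if` rule needs one line per interface (or a later pf release with interface groups).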
    
