Re: firewall for isolating wireless network?
From: David (davidwnh_at_adelphia.net)
Date: Wed, 22 Oct 2003 21:09:30 GMT
Definitely not the most efficient way of doing things but it is cost
effective and adds minimal administrative overhead. Otherwise the
alternative is to use an AP that has a built-in VPN or deploy one of
your spare machines as a VPN server.
> The router would only allow wireless users to access one machine-- the
> existing VPN server-- on a specific range of ports.
> All wireless traffic would be encrypted using the VPN clients already
> installed on the laptops and usually used for connections from home.
> The problem with this scheme is that the VPN server is remotely
> located. When connecting from home, users connect through the
> internet to the Southern California corporate internet connection, to
> the VPN server, then through a T1 to our Northern California facility.
> The T1 would slow things down, but the home connections are generally
> slower than that.
Once someone gets access to an AP all machines whether they are wired or
wireless are potential targets. You can apply restrictions if you are
using vpn connections, however the other wireless machines are actually
easier targets because they are on the same switch(the AP). So you need
to restrict all anonymous access on the wireless machines, put personal
firewalls on them to block non VPN access from other wireless machines,
or get an AP that has a built-in VPN. An AP with a built in VPN is
theoretically the most secure way of doing things. The wireless clients
need specific vpn client software to connect to the AP in the first
place and you don't have to deal with the problems associated with
personal firewalls and LAN traffic, WEP insecurities, etc. You have to
look at compatibility issues closely to be sure they support the
specific OS's/versions you use and also your wireless adapters. This is
a good solution except for the fact that you are locked into using the
specific technologies that the device provides. Look for a manufacturer
that is known to be good about firmware updates. I'm currently watching
to see which outfits are actively upgrading their firmware to WPA
standards as opposed to those who will end up forcing users to buy new
hardware if they want WPA compatibility.
> Digressing-- I've never heard of anyone attacking a wireless node
> directly. Attacks are usually sniffing the WAP <-> node traffic or
> attacking machines on the wired network behind the WAP. For nets
> using RADIUS (I'm thinking Starbucks/T-mobile) or a VPN that arent'
> using WEP, the WAP/wired net are pretty secure, but what about the
When there is a will there is a way. You can set up machine using a
wireless adapter to act as an AP, so someone would need to do this, use
the same ESSID,etc. and know how to effectively hijack connections.
>Does "infrastructure mode" (vs. ad-hoc) prevent connections
> from anywhere but through the WAP?