Re: I want to have my cake and eat it too



On Tue, Apr 01, 2003 at 07:50:39PM +1200, Nick 'Zaf' Clifford wrote:
> On Mon, 31 Mar 2003 22:10, Ian Johnstone wrote:
> > Hi
> >
> > At my work we have the need to allow visitors to connect to the Internet
> > from around our building.
> >
> > We do not use DHCP internally.  However, I'd like to configure DHCP for
> > visitors and assign them addresses in the 192.168.0.xxx space with a
> > gateway address of a Linux Server 192.168.0.10.  I don't want visitors to
> > know of our internal network
> 
> Since the visitors will be plugging into the same physical network as
> your internal machines, then there is very little way to really make
> sure they can't access internal machines. If you truly want visitors
> to be able to jack in at various points around the building and not be
> able to access internal machines, then you will need to run two
> physical networks (or a VLAN). However do note that if they plugged
> into an "internal" jack, they'd have access. The only real way to stop
> that would be to run a secure VPN over the top of the normal LAN for
> internal machines (rather like is done with Wireless LANs).

Please note that if you give someone access to your internal LAN, they
will be able to intercept (sniff) traffic.  No IP address required.  I
demonstrated this at a LUG once with a laptop and tcpdump :-)

-- 
Nathan Norman - Incanus Networking mailto:nnorman@incanus.net
  This message cannot be considered spam, even though it is.  Some
  law that never was enacted says so.
          -- Arkadiy Belousov


