Re: Wireless Security
On Fri, 25 Apr 2003, R. Wayne McCorkle wrote:
> The network address for each of the interfaces is shown above. Connections
> to the access point are exclusively MS Windows machines running XP. A file
> server in the LAN runs Samba and a DHCP server (I plan to serve DHCP
> address from the LAN, not the access point ... if possible).
You might be able to do DHCP on the firewall, but from within the LAN is
likely to get sticky.
> I understand that WEP is not optimal. My research indicates that IPSec
> would be better. Any suggestions or pointers on setting up IPSec on
> the new firewall? Or, is there something preferable to IPSec?
Most places I've seen use the WEPed 802.11 traffic as nothing more than a
transport layer. The actual traffic is all carried in IPSec tunnels between
the mobile client and the VPN server (the firewall in your case).
I think what I'd do in this situation (not having come up against it so far,
but I will be soon, ironically enough) is to not route 192.168.2.0/24
anywhere except to the firewall. Enforce that with a rule which says that
'-s 192.168.2.0/24 -d ! $FWAPIP -j REJECT', rather than just assuming it
won't go anywhere anyway. Then, anyone who wants to get anywhere from their
mobile machine must set up an IPSec tunnel into the firewall, which will be
assigned different source addresses (192.168.3.0/24, say) which can be
routed according to your security policy.
> What can I use to authenticate the Windows services from Samba? It seems
> to me that I am going to have a two-step authentication process. First
> step is authenticate access to the Access Point. Second step is granting
> permission to utilize services shared by machines on the LAN (i.e.
If anything from 192.168.2.0/24 isn't allowed past the firewall, unauthed
clients won't get anywhere. If you route 192.168.3.0/24 into the LAN, then
I think that you should be naturally fine with your Windows shares (although
browsing *might* not work; I get the unpleasant feeling you'd need to put a
LMB in 192.168.3.0/24 somehow, or allocate your VPN addresses in a sub-block
of 192.168.1.0/24 and do some transparent bridging).
> Will I be able to access Samba services across the network boundary
> from 192.168.1.x to 191.168.2.x?
Not unless you've got a LMB in 192.168.2.0/24 which knows to talk to your
DMB in 192.168.1.0/24. Whether you want anything from 192.168.2.0/24 to get
anywhere near your internal network is another question entirely.
> I realize these are not all Debian related questions. But I will be
> running Debian on the firewall and this seemed like a good place to start.
> Ideas and pointers to documentation/HowTos would be much appreciated.
Well, for setting up IPSec I think there's a FreeS/WAN HOWTO around. Samba
stuff is pretty well covered in the Samba HOWTO collection (on www.samba.org
or your local mirror). Basic firewalling issues are in Rusty's Unreliable
Guides (at www.netfilter.org) and more advanced routing stuff is in the
Advanced Linux Routing and Traffic Control HOWTO (or some name like that).
Matthew Palmer, Geek In Residence
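The firewall policy Matthew sketches (reject everything from the wireless subnet except traffic to the firewall itself, then route the IPsec clients' 192.168.3.0/24 into the LAN), written out as an added example that is not part of the original mail. The IKE/ESP ports, the 192.168.3.0/24 pool and the firewall's AP-side address 192.168.2.1 are assumptions, and the rules use current iptables syntax ('! -d' rather than the older '-d !' spelling in the mail).

```shell
#!/bin/sh
# Added example, not code from the thread: the netfilter policy sketched
# above, as a script that prints the rules for review (or applies them when
# run with APPLY=1). Subnets come from the thread; FWAPIP and the VPN pool
# are assumed values.
WLAN_NET="192.168.2.0/24"   # wireless clients behind the access point
VPN_NET="192.168.3.0/24"    # pool handed to IPsec clients (Matthew's "say")
LAN_NET="192.168.1.0/24"    # internal LAN with the Samba/DHCP server
FWAPIP="192.168.2.1"        # firewall's address on the AP side (assumed)

# Emit the rules as text. Only IKE (UDP 500/4500) and ESP from the wireless
# subnet may reach the firewall's AP-side address; everything else from that
# subnet is refused locally (INPUT) and is never forwarded (FORWARD), so an
# unauthenticated client cannot reach the LAN or another firewall address.
# Decrypted tunnel traffic carries VPN_NET sources and is routed into the LAN.
gen_rules() {
    cat <<EOF
iptables -A INPUT -s $WLAN_NET -d $FWAPIP -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s $WLAN_NET -d $FWAPIP -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -s $WLAN_NET -d $FWAPIP -p esp -j ACCEPT
iptables -A INPUT -s $WLAN_NET -j REJECT
iptables -A FORWARD -s $WLAN_NET -j REJECT
iptables -A FORWARD -s $VPN_NET -d $LAN_NET -j ACCEPT
iptables -A FORWARD -s $LAN_NET -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity check before applying: no ACCEPT rule for the wireless subnet may
# name a destination other than the firewall's AP-side address. Returns 0
# when the generated policy passes, 1 otherwise.
check_policy() {
    if gen_rules | grep -- "-s $WLAN_NET" | grep ACCEPT | grep -qv -- "-d $FWAPIP"; then
        return 1
    fi
    return 0
}

if [ "${APPLY:-0}" = 1 ]; then
    check_policy && gen_rules | sh
else
    gen_rules
fi
```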