
Re: Wireless Security

On Fri, 25 Apr 2003, R. Wayne McCorkle wrote:

> The network address for each of the interfaces is shown above. Connections
> to the access point are exclusively MS Windows machines running XP. A file
> server in the LAN runs Samba and a DHCP server (I plan to serve DHCP
> address from the LAN, not the access point ... if possible).

You might be able to do DHCP on the firewall, but from within the LAN is
likely to get sticky.

>   I understand that WEP is not optimal. My research indicates that IPSec
>   would be better. Any suggestions or pointers on setting up IPSec on
>   the new firewall? Or, is there something preferable to IPSec?

Most places I've seen use the WEPed 802.11 traffic as nothing more than a
transport layer.  The actual traffic is all carried in IPSec tunnels between
the mobile client and the VPN server (the firewall in your case).

I think what I'd do in this situation (not having come up against it so far,
but I will be soon, ironically enough) is to not route
anywhere except to the firewall.  Enforce that with a rule which says that
'-s -d ! $FWAPIP -j REJECT', rather than just assuming it
won't go anywhere anyway.  Then, anyone who wants to get anywhere from their
mobile machine must set up an IPSec tunnel into the firewall, which will be
assigned different source addresses (, say) which can be
routed according to your security policy.

>   What can I use to authenticate the Windows services from Samba. It seems
>   to me that I am going to have a two step authentication process. First
>   step is authenticate access to the Access Point. Second step is granting
>   permission to utilize services shared by machines on the LAN (i.e.
>   Samba)

If anything from isn't allowed past the firewall, unauthed
clients won't get anywhere.  If you route into the LAN, then
I think that you should be naturally fine with your Windows shares (although
browsing *might* not work; I get the unpleasant feeling you'd need to put a
LMB in somehow, or allocate your VPN addresses in a sub-block
of and do some transparent bridging).

>   Will I be able to access Samba services across the network boundary
>   from 192.168.1.x to 191.168.2.x?

Not unless you've got a LMB in which knows to talk to your
DMB in  Whether you want anything from to get
anywhere near your internal network is another question entirely.

> I realize these are not all Debian related questions. But I will be
> running Debian on the firewall and this seemed like a good place to start.
> Ideas and pointers to documentation/HowTos would be much appreciated.

Well, for setting up IPSec I think there's a FreeS/WAN HOWTO around.  Samba
stuff is pretty well covered in the Samba HOWTO collection (on www.samba.org
or your local mirror).  Basic firewalling issues are in Rusty's Unreliable
Guides (at www.netfilter.org) and more advanced routing stuff is in the
Advanced Linux Routing and Traffic Control HOWTO (or some name like that).

#include <disclaimer.h>
Matthew Palmer, Geek In Residence
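Added example (not part of Matthew Palmer's reply, and not taken from any project): a small shell script that emits the netfilter rules for the policy described above, i.e. the wireless segment may talk to nothing but the firewall's own access-point-side address, and only for IPsec, while forwarding into the LAN is granted solely to the source addresses the VPN hands out. The interface name, the 192.168.2.0/24 wireless segment, the firewall address 192.168.2.1 and the 10.99.0.0/24 VPN pool are placeholders chosen for the example; edit them before use.

```shell
#!/bin/sh
# Placeholder addressing for the example (assumed, not from the original mail).
WLAN_IF=eth1                 # firewall interface facing the access point
WLAN_NET=192.168.2.0/24      # the WEPed 802.11 segment (transport only)
FWAPIP=192.168.2.1           # firewall's address on that segment
VPN_POOL=10.99.0.0/24        # addresses assigned to IPsec clients
LAN_NET=192.168.1.0/24       # the wired LAN with the Samba server

# Print the rules instead of applying them, so they can be reviewed or diffed
# against a running configuration before anything changes.
gen_wlan_rules() {
    cat <<EOF
# Wireless hosts may reach the firewall itself only to bring up IPsec:
# IKE on UDP/500 and ESP. Everything else aimed at the firewall is rejected.
iptables -A INPUT -i $WLAN_IF -s $WLAN_NET -d $FWAPIP -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WLAN_IF -s $WLAN_NET -d $FWAPIP -p esp -j ACCEPT
iptables -A INPUT -i $WLAN_IF -j REJECT
# Nothing from the raw wireless segment is forwarded anywhere; the REJECT
# makes the policy explicit rather than relying on routing to drop it.
iptables -A FORWARD -i $WLAN_IF -s $WLAN_NET ! -d $FWAPIP -j REJECT
# Decrypted tunnel traffic carries VPN-pool source addresses and is routed
# according to policy; here it is allowed into the LAN. Which interface it
# appears on depends on the IPsec stack (e.g. ipsec0 with FreeS/WAN KLIPS),
# so the rule matches on source address only.
iptables -A FORWARD -s $VPN_POOL -d $LAN_NET -j ACCEPT
EOF
}

# Count the rules that would be installed (useful as a sanity check in tests).
count_wlan_rules() {
    gen_wlan_rules | grep -c '^iptables'
}

# Apply the generated rules. Only run this on the firewall, as root.
apply_wlan_rules() {
    gen_wlan_rules | grep -v '^#' | sh
}

# Usage: review first, then apply.
#   ./wlan-rules.sh           -> prints the rules
#   APPLY=1 ./wlan-rules.sh   -> installs them
if [ "${APPLY:-0}" = "1" ]; then
    apply_wlan_rules
else
    gen_wlan_rules
fi
```

The order matters: the two ACCEPT rules for IKE and ESP sit before the blanket INPUT REJECT, and the FORWARD REJECT for the raw wireless segment is independent of the VPN-pool ACCEPT because the two match on different source ranges. Running the script without APPLY prints the rules so they can be checked before they touch the firewall.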
