
Re: Firewall Planning



I'd have to say his views are hardly paranoid and most definitely not
radical. The "security" features included with most 802.11a/b/g are
secure only in name, not in function. WEP keys are static and easily
crackable (look at airsnort); as well, MAC addresses have to be among the
easiest things to spoof.
In a home environment that all might be acceptable, but in a business
environment having such gaping security holes is irresponsible.

I would suggest the only way to deploy wireless tech is with some sort
of VPN technology, or at least some research into 802.11x (I believe
that is the standard that specifies a *secure* method for changing WEP
keys). IPSec being the best overall solution, but even PPTP would be
better than an open system.

I set up another interface in the firewall specifically for the wireless
AP that I have plugged into it. It allows only DHCP and PPTP on that
interface. Therefore you can get an IP, and then you must connect via
PPTP (which means you've been authenticated) in order to access any
network resource.

Just my $0.02 (cdn)


-Sean


On Tue, 2003-10-21 at 19:41, daniel wrote:
> Your point of view is extremely radical and paranoid, wireless does not 
> mean open to anyone...
> 
> Ken Gilmour wrote:
> > No point in having an external firewall if you have an internal wireless (open) network for anyone who wants to use it. You might as well hang a network cable out your window for anyone to use.
> > 
> > On Tue, 21 Oct 2003 11:04:12 -0500, red Sent a mail to Ken Gilmour stating the following:
> > 
> >>All, This may have come up a billion times in the past but, I am
> >>setting up a FW  and I have some basic questions:
> >>
> >>Setup 1:(idea at least)
> >>
> >> Public ip 64.1.1.x                                          DMZ HOST (ports80,993,143,53)
> >>upstream 64.1.1.                           / (internet)---DSLmodem-
> >>---(64.x)FW(2.x)--HUB/                                         \            1.1.1.0/24
> >>\Linksys(Wireless router)                                           \         \                                                        \              \
> >>  workstation, workstation
> >>
> >>
> >>I have 5 static IPs. I'm using a p400 with two NICs (deb woody)
> >>
> >>Goals: I want to do Packet Filtering and logging for the DMZ and the
> >>workstations:
> >>
> >>Questions: 1) Do I need three NICs on the firewall, one for the
> >>DMZ?
> >>2) In the drawing above I am running DHCP on the LAN with the
> >>Linksys Wireless router. Should I run DHCP on the LAN interface on
> >>the FW instead? What would be the benefits/drawbacks?
> >>3) If the WAN interface in the router is a 64.1.1.x and the LAN
> >>interface is a 2.x.x.x/24 will I be able to route the 1.1.1.x/24 and
> >>DMZ host through the FW?
> >>4) I want to use iptables because I heard they are more advanced
> >>than ipchains, is this true?
> >>5) I am somewhat familiar with the command line iptables commands,
> >>but was curious as to what other (non-GUI) tools I could use to
> >>write rules?
> >>
> >>
> >>
> >>Thanks In advance -red
> >>
> >>
> >>
> >>
> > 
> > 
> > 
> > 
> 
> 
> -- 
> -daniel
> http://www.debian-gnu.com
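
An added example, not part of the original thread: one way to express the "DHCP and PPTP only" policy on a dedicated wireless interface as an iptables-restore fragment. It assumes the PPTP server runs on the firewall itself; the interface name `eth2`, the chain names `WLAN_IN`/`WLAN_FWD` and the log prefixes are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore fragment that
# limits a dedicated wireless interface to DHCP and PPTP.
# Assumption: the PPTP server runs on the firewall itself, so the rules sit on INPUT.
gen_wlan_rules() {
    ifc=$1
    # Refuse empty or unusual names so nothing unexpected lands in the rules file.
    case $ifc in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 2 ;;
    esac
    [ "${#ifc}" -le 15 ] || { echo "interface name too long" >&2; return 2; }
    cat <<EOF
*filter
:WLAN_IN - [0:0]
:WLAN_FWD - [0:0]
-A INPUT -i $ifc -j WLAN_IN
-A FORWARD -i $ifc -j WLAN_FWD
# DHCP requests: client port 68 to server port 67
-A WLAN_IN -p udp --sport 68 --dport 67 -j ACCEPT
# PPTP control channel
-A WLAN_IN -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
# PPTP data channel (GRE, IP protocol 47)
-A WLAN_IN -p 47 -j ACCEPT
# Everything else from the wireless segment is logged and dropped
-A WLAN_IN -j LOG --log-prefix "WLAN-IN-DROP: "
-A WLAN_IN -j DROP
# Nothing is routed straight from the AP; tunnelled traffic arrives on ppp+ instead
-A WLAN_FWD -j LOG --log-prefix "WLAN-FWD-DROP: "
-A WLAN_FWD -j DROP
COMMIT
EOF
}

# Placeholder interface name; pass the real one as the first argument.
gen_wlan_rules "${1:-eth2}"
```

The output can be loaded with `iptables-restore --noflush` so existing rules are kept; the two jump rules need to sit ahead of any broader ACCEPT rule in INPUT and FORWARD to take effect.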


