Re: How to secure access to WLAN?
On Tuesday 07 October 2003 19:57, Mariano Kamp wrote:
> a couple of words about my boxes set up at home. I have one box,
> rock, connected to a dsl-router on one interface, outside interface,
> and the remaining boxes on another interface, inside interface. On
> rock I use shorewall/iptables for NAT and blocking all incoming tcp/ip
> connections. So far so safe, I believe.
>
> (Un)fortunately I also have a wlan access point plugged on to the
> inside interface.
Well, I haven't done this, but it has been on my mind, so I'm just
taking the opportunity to air my ideas.
> Would I need a third network card to put into rock in order to
> separate the wlan clients "physically" and ease setting up things
> with the vpn and the firewall?
This was exactly my idea: Get a third NIC for the router/firewall (I
have one lying around already), and have the WLAN Access Point on that
NIC. The Access Point itself, I would configure to be very open.
Anybody can connect, I don't mind. It is firewalled off from the
internal network, just like the Internet, with the exception that a
CUPS server is accessible. It's in a not-very-densely populated area,
so if any of the neighbours would need some bandwidth..., I'll just
monitor it to see if it gets out of hand (it's like going over and
asking "can I borrow a cup of bandwidth, please?" :-) Neighbours should
do that for each other). Another exception I have thought about is to
limit the outward bandwidth on port 25 so that pumping large amounts
of e-mail is infeasible, just in case anybody who is connecting has a
virus.
One concern is that if somebody has a router with a connection to the
Internet and my Access Point (which isn't bad in itself, as long as my
packets can go either way), then my CUPS server would be accessible to
the world, which is not what I desired; I wanted it only to be accessible
to the machines connecting directly to the Access Point. Is there a
simple solution to this?
How does this sound?
Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net webmaster@skepsis.no editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC
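Added example, not code from the original thread or its authors: the three-NIC layout sketched above written out as plain iptables rules instead of shorewall zones. It assumes eth0 is the outside interface, eth1 the inside one and eth2 the NIC the access point hangs on, with constructed subnets 192.168.1.0/24 (inside) and 192.168.2.0/24 (WLAN) and an assumed print server at 192.168.1.10; all of those are placeholders to adjust. WLAN clients may reach the Internet and the CUPS port on the print server, nothing else on the inside network; new SMTP connections are rate-limited rather than bandwidth-shaped; and the CUPS exception is narrowed to hosts whose packets still carry a stock initial TTL, which is a heuristic for "directly attached to the access point" that addresses the routed-neighbour concern.

```shell
#!/bin/sh
# Added example, not from the original thread. Firewall rules for a router
# with three NICs: outside, inside, and a separate NIC for an open access
# point. Interface names, subnets and the CUPS host address are assumptions
# made for this example; adjust them to the real network.
OUT_IF="${OUT_IF:-eth0}"        # towards the DSL router
LAN_IF="${LAN_IF:-eth1}"        # inside interface
WLAN_IF="${WLAN_IF:-eth2}"      # third NIC, the access point plugs in here
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed inside subnet
WLAN_NET="${WLAN_NET:-192.168.2.0/24}"   # assumed WLAN subnet
CUPS_HOST="${CUPS_HOST:-192.168.1.10}"   # assumed print server on the LAN
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of applying

wlan_rules() {
    # Dedicated chain, so the rest of the ruleset (e.g. shorewall's) is untouched
    "$IPT" -N wlan 2>/dev/null || "$IPT" -F wlan
    "$IPT" -C FORWARD -i "$WLAN_IF" -j wlan 2>/dev/null ||
        "$IPT" -A FORWARD -i "$WLAN_IF" -j wlan

    # Anti-spoofing: only the WLAN subnet may enter through the WLAN NIC
    "$IPT" -A wlan ! -s "$WLAN_NET" -j DROP
    # Replies to connections the inside network or the router itself opened
    "$IPT" -A wlan -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The one exception: IPP to the print server. The TTL match is a heuristic
    # for "directly attached": a host behind a router has had its TTL
    # decremented at least once, so it no longer shows a stock initial TTL
    # (64 for Linux/BSD, 128 for Windows, 255 for some others).
    for ttl in 64 128 255; do
        "$IPT" -A wlan -d "$CUPS_HOST" -p tcp --dport 631 -m state --state NEW \
            -m ttl --ttl-eq "$ttl" -j ACCEPT
    done
    # Everything else on the inside network is off limits to WLAN clients
    "$IPT" -A wlan -d "$LAN_NET" -j DROP

    # Outbound mail: a connection-rate cap rather than a bandwidth cap. A
    # worm-infected laptop gets a few SMTP connections a minute, not thousands.
    "$IPT" -A wlan -p tcp --dport 25 -m state --state NEW \
        -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
    "$IPT" -A wlan -p tcp --dport 25 -j DROP

    # Anything else may leave towards the Internet, and nowhere else
    "$IPT" -A wlan -o "$OUT_IF" -j ACCEPT
    "$IPT" -A wlan -j DROP

    # NAT the WLAN clients behind the outside address, as the LAN already is
    "$IPT" -t nat -C POSTROUTING -s "$WLAN_NET" -o "$OUT_IF" -j MASQUERADE 2>/dev/null ||
        "$IPT" -t nat -A POSTROUTING -s "$WLAN_NET" -o "$OUT_IF" -j MASQUERADE
}

# Run as root with "apply"; with IPT=echo the rules are only printed, e.g.
#   IPT=echo sh wlan-fw.sh apply
case "${1:-}" in
    apply) wlan_rules ;;
esac
```

Two caveats on the design. The TTL match only tells a directly attached host from one behind a conventional router; a router that rewrites TTL, or a client that sets its own, defeats it, so it narrows the exposure but is not authentication, and a CUPS access list or a VPN for the WLAN segment would be the real fix. The INPUT chain (traffic to the router itself from the WLAN) is deliberately left to the existing shorewall policy that already blocks incoming connections; if DHCP or DNS for the WLAN clients is served from the router, those two ports need explicit INPUT exceptions on the WLAN NIC.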