
Re: How to secure access to WLAN?

On Tuesday 07 October 2003 19:57, Mariano Kamp wrote:
>   a couple of words about my boxes set up at home. I have one box,
> rock, connected to a dsl-router on one interface, outside interface,
> and the remaining
> boxes on another interface, inside interface. On rock I use
> shorewall/iptables for NAT and blocking all incoming tcp/ip
> connections. So far so safe, I
> believe.
>   (Un)fortunately I also have a wlan access point plugged on to the
> inside interface. 

Well, I haven't done this, but it has been on my mind, so I'm just 
taking the opportunity to air my ideas.

>   Would I need a third network card to put into rock in order to
> separate the wlan clients "physically" and ease setting up things
> with the vpn and the firewall?

This was exactly my idea: Get a third NIC for the router/firewall (I 
have one lying around already), and have the WLAN Access Point on that 
NIC. The Access Point itself, I would configure to be very open. 
Anybody can connect, I don't mind. It is firewalled off from the 
internal network, just like the Internet, with the exception that a 
CUPS server is accessible. It's in a not-very-densely populated area, 
so if any of the neighbours would need some bandwidth..., I'll just 
monitor it to see if it gets out of hand (it's like going over and 
asking "can I borrow a cup of bandwidth, please?" :-) Neighbours should do 
that for each other). Another exception I have thought about is to 
limit the outwards bandwidth on port 25 so that pumping large amounts 
of e-mail is infeasible, just in case anybody who is connecting has a 

One concern is that if somebody has a router with a connection to the 
Internet and my Access Point (which isn't bad in itself, as long as my 
packets can go either way), then my CUPS server would be accessible to 
the world, not what I desired, I wanted it only to be accessible to the 
machines connecting directly to the Access Point. Is there a simple 
solution to this?

How does this sound?


Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC
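
The three-interface layout described in this message, written out as an iptables-restore ruleset. This is an added example, not part of the original post or thread. Interface names, subnets, the CUPS server address and the SMTP limit are assumptions, and the `limit` match caps new SMTP connections per minute rather than bandwidth.

```shell
#!/bin/sh
# Added example. Every value below is an assumption, not taken from the thread.
OUT_IF=eth0                # outside interface (DSL router)
LAN_IF=eth1                # inside interface (trusted boxes)
WLAN_IF=eth2               # third NIC, open access point only
WLAN_NET=192.168.2.0/24    # constructed subnet handed out on the WLAN segment
CUPS_HOST=192.168.1.10     # constructed address of the CUPS server on the LAN

# Print the ruleset in iptables-restore format.
wlan_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SMTP_LIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -j ACCEPT
# Drop anything arriving on the WLAN NIC with a non-WLAN source address.
# A neighbour's router that NATs onto the WLAN still looks like a local client.
-A FORWARD -i $WLAN_IF ! -s $WLAN_NET -j DROP
# The single exception into the LAN: IPP to the CUPS server.
-A FORWARD -i $WLAN_IF -o $LAN_IF -s $WLAN_NET -d $CUPS_HOST -p tcp --dport 631 -j ACCEPT
-A FORWARD -i $WLAN_IF -o $LAN_IF -j DROP
# WLAN to Internet is allowed, with new SMTP connections rate-limited.
-A FORWARD -i $WLAN_IF -o $OUT_IF -p tcp --dport 25 -m conntrack --ctstate NEW -j SMTP_LIMIT
-A FORWARD -i $WLAN_IF -o $OUT_IF -j ACCEPT
-A SMTP_LIMIT -m limit --limit 6/minute --limit-burst 6 -j ACCEPT
-A SMTP_LIMIT -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $OUT_IF -j MASQUERADE
COMMIT
EOF
}

wlan_rules
```

Piping the output through `iptables-restore --test` parses the ruleset without committing it. The INPUT chain gives WLAN clients nothing from the firewall itself, so addressing on that segment is assumed to be handled by the access point.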
