Re: firewall package for laptop wi-fi client
On Fri, 7 Jan 2011 19:51:59 +0000 (UTC)
Camaleón <firstname.lastname@example.org> wrote:
> On Fri, 07 Jan 2011 20:53:44 +0200, Andrei Popescu wrote:
> > On Vi, 07 ian 11, 16:23:16, Eduardo M KALINOWSKI wrote:
> >> On Sex, 07 Jan 2011, Andrei Popescu wrote:
> >> >If you consider an open wireless to be more dangerous, what additional
> >> >protective measures do you suggest?
> >> Enable encryption of the wireless traffic (but not WEP, which is too
> >> weak).
> > I might not have control over that (hotel or pub wireless).
> >> SSL is always nice, but there isn't much you can do if the remote site
> >> does not use it.
> >> A VPN (or a ssh tunnel) will provide more security, but you'll need a
> >> remote host.
> > No, I'm not going to set up a VPN just to browse public sites from a
> > public wireless. Of course, I would not access sensitive stuff unless
> > properly protected (SSH, SSL, ...), but this is not different than what
> > I'm doing anyway when using my home connection (wired or not).
> > What *other* protection do you think is necessary, something that you
> > would not do anyway if the same computer was connected *directly* to the
> > internet (no NAT and/or external firewall)?
> Open wifi hot-spots (or open networks) are dangerous because all your
> "neighbors" can represent a potential security risk (they have "physical"
> access to your machine), meaning that you should enforce your computer
> firewall rules to treat all of the LAN computers as "untrusted" hosts
> which BTW is not the normal behavior of a firewall (in a LAN environment,
> internal hosts are the "good" guys and rules are relaxed for the whole
> LAN machines).
> For precisely that purpose there are firewall "profiles", to harden
> policies when going through open networks (aka: close all ports, do not
> allow traffic from any machine to my host and monitor all the traffic
> going in/out... alias: heads-up!).
From your last paragraph, it sounds like you're talking about a
'personal' firewall - i.e., one running on your laptop. But if so, it
can actually get pretty tricky to distinguish between traffic from the
LAN and from the big, bad WWW, since your gateway router is probably
doing NAT on incoming traffic. IOW, how do you tell the firewall
"accept ssh connections from the LAN but not from the 'net", when the
'net connections have been NATed to look like they're originating from
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
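As an added illustration (not part of the thread) of the "public network" profile Camaleón describes: an nftables ruleset for a Debian laptop that closes every port, accepts only replies to connections the laptop itself opened plus DHCP and IPv6 neighbour discovery, and logs what is dropped and what goes out. It sidesteps the LAN-versus-Internet problem raised in the reply by not trusting any source address at all; the table name and log prefixes are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: an nftables "public wifi" profile that
# treats every peer, LAN neighbour or Internet host alike, as untrusted.
# Assumes nftables (nft) is installed; table name and log prefixes are constructed.

public_profile_ruleset() {
    cat <<'EOF'
flush ruleset
table inet public_profile {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, and replies to connections this laptop started.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # DHCP lease renewal: the only unsolicited UDP the laptop must accept.
        udp sport 67 udp dport 68 accept

        # IPv6 neighbour discovery, needed for the link to work at all.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Everything else, including ssh from "neighbours", is logged and dropped.
        limit rate 10/minute log prefix "public-profile drop: "
        counter
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # Record every new outbound connection so unexpected traffic shows up in syslog.
        ct state new limit rate 30/minute log prefix "public-profile out: "
    }
}
EOF
}

# Load the profile (replaces the currently loaded ruleset); needs root.
apply_public_profile() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root to load the public profile" >&2
        return 1
    fi
    public_profile_ruleset | nft -f -
}
```

Switching back to a "home" profile is just loading a different ruleset the same way; `journalctl -k` (or the kernel log) then shows the prefixed drop and outbound entries.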