[TriLUG] wireless security

Michael Thompson thompson at easternrad.com
Fri Aug 20 12:00:14 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree the 3-NIC setup would be optimal.  If you use an OpenBSD
firewall, you could use authpf on your wireless network to require that
users log in with an ssh session before the firewall will open the
outgoing ports for *that* IP only.  I currently use that setup at home;
now an attacker would have to crack my OpenBSD box to get out to the
net.  Even if the WEP is cracked, the wardriver will be trapped in the
wireless 'DMZ'.  Of course, they can still sniff your wireless traffic,
so this is still not a replacement for standard wireless security
policies...

I've been trying to document my setup for a while now, but haven't had
the time.  I hope to upgrade my OBSD firewall to v3.5 this weekend; if I
do, I'll try to document as I go and build a small 'how-to' and post to
the list.

Just $.02  :)

- --mike

Andrew Perrin wrote:
| Welcome! My own thought is that I would use a plain WAP for the wireless
| itself -- makes life easier to separate that out -- and then an iptables
| box to route in and out.  If you will also have wired connections to the
| server, I would recommend using three ethernet cards in the routing box:
| one to the outside world, one to the WAP, and one to wired clients. That
| way anything coming in on the wired card can be issued an address, while
| requests coming in from the WAP can be treated with more suspicion.
|
| ap
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBJiANuxlRkoWKZoMRAv0TAJ9cNbw4WeyuwLdocvKdmBYIM8v9xgCgnz87
Pa4WtQohnSKr3eso6si84UI=
=fnbK
-----END PGP SIGNATURE-----
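The authpf arrangement described in the message above, written out as an added configuration example; it is not part of the original post and not taken from the poster's setup or from OpenBSD's own documentation. Interface names (fxp0, fxp1, wi0), the address layout and the anchor syntax are assumptions; the anchor syntax changed around OpenBSD 3.5, so check pf.conf(5) and authpf(8) for the installed release. The mechanism: a wireless client can reach nothing except the firewall's ssh port until it authenticates; a successful login as a user whose shell is /usr/sbin/authpf loads the per-user rules with $user_ip set to that client's address, and those rules are removed again when the ssh session ends.

```pf
# /etc/pf.conf  (added example; interface names are assumed)
ext_if   = "fxp0"               # to the outside world
lan_if   = "fxp1"               # wired clients
wifi_if  = "wi0"                # to the WAP
lan_net  = $lan_if:network
wifi_net = $wifi_if:network

set skip on lo0
scrub in all

# Translation: both inside networks leave through the external address.
# nat-anchor lets an authenticated user's rules add translation if needed.
nat-anchor "authpf/*"
nat on $ext_if from { $lan_net, $wifi_net } to any -> ($ext_if)

# Default deny, and refuse spoofed source addresses on every interface.
block all
antispoof quick for { $ext_if, $lan_if, $wifi_if }

# Wired clients are trusted enough to be passed out directly.
pass in on $lan_if from $lan_net to any keep state
pass out on $ext_if keep state

# Wireless 'DMZ': before authentication the only thing a wireless client
# may talk to is the firewall's own ssh port (plus DHCP to get an address).
pass in on $wifi_if proto tcp from $wifi_net to $wifi_if port ssh \
    flags S/SA keep state
pass in on $wifi_if proto udp from any port bootpc to any port bootps

# Per-user rules are loaded into this anchor by authpf(8) on login and
# flushed when the ssh session ends.
anchor "authpf/*"


# /etc/authpf/authpf.rules  (loaded by authpf for each authenticated user)
# Macros from pf.conf are not visible here, so the interface is named again.
# $user_ip and $user_id are supplied by authpf at load time.
wifi_if = "wi0"
pass in on $wifi_if from $user_ip to any keep state


# Remaining pieces, outside pf.conf:
#   - /etc/authpf/authpf.conf must exist (an empty file is fine).
#   - Wireless users get /usr/sbin/authpf as their login shell and are
#     listed in /etc/authpf/authpf.allow (or authpf.allow contains
#     the wildcard "*" to allow every local account).
#   - Load with:  pfctl -f /etc/pf.conf
#   - See what is open right now:  pfctl -a 'authpf/*' -sr
```

When the session drops, authpf removes the anchor rules for that user, so a wardriver who cracks WEP and steals an address only gains the firewall's ssh prompt; the sniffing caveat from the message still applies, since nothing here encrypts the wireless link itself.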