I'd have to say his views are hardly paranoid and most definitely not radical. The "security" features included with most 802.11a/b/g are secure only in name, not in function. WEP keys are static and easily crackable (look at airsnort); as well, MAC addresses have to be among the easiest things to spoof. In a home environment that all might be acceptable, but in a business environment having such gaping security holes is irresponsible.
I would suggest the only way to deploy wireless tech is with some sort of VPN technology, or at least some research into 802.11x (I believe that is the standard that specifies a *secure* method for changing WEP keys). IPSec being the best overall solution, but even PPTP would be better than an open system. I set up another interface in the firewall specifically for the wireless AP that I have plugged into it. It allows only DHCP and PPTP on that interface. Therefore you can get an IP, and then you must connect via PPTP (which means you've been authenticated) in order to access any network resource.

Just my $0.02 (cdn)

-Sean

On Tue, 2003-10-21 at 19:41, daniel wrote:
> Your point of view is extremely radical and paranoid, wireless does not
> mean open to anyone...
>
> Ken Gilmour wrote:
> > No point in having an external firewall if you have an internal wireless
> > (open) network for anyone who wants to use it. You might as well hang a
> > network cable out your window for anyone to use.
> >
> > On Tue, 21 Oct 2003 11:04:12 -0500, red Sent a mail to Ken Gilmour stating
> > the following:
> >
> >>All, This may have come up a billion times in the past but, I am
> >>setting up a FW and I have some basic questions:
> >>
> >>Setup 1:(idea at least)
> >>
> >> Public ip 64.1.1.x DMZ HOST
> >> (ports80,993,143,53)
> >>upstream 64.1.1. / (internet)---DSLmodem-
> >>---(64.x)FW(2.x)--HUB/ \
> >>1.1.1.0/24
> >>\Linksys(Wireless router) \
> >> \ \ \
> >> workstation, workstation
> >>
> >>
> >>I have 5 static ips I'm using a p400 with two nics (deb woody)
> >>
> >>Goals: I want to do Packet Filtering and logging for the DMZ and the
> >>workstations:
> >>
> >>Questions: 1) Do I need three Nics on the Firewall , one for the
> >>DMZ?
> >>2) In the drawing above I am running DHCP on the LAN with the
> >>Linksys Wireless router. Should I run DHCP on the LAN interface on
> >>the FW instead? What would be the benefits/drawbacks?
> >>3) If the WAN interface in the router is a 64.1.1.x and the LAN
> >>interface is a 2.x.x.x/24 will I be able to route the 1.1.1.x/24 and
> >>DMZ host through the FW?
> >>4) I want to use Iptables because I heard they are more advanced
> >>than ipchains is this true?
> >>5) I am somewhat familiar with the command line IPtables commands,
> >>but was curious as to what other (non gui) tools I could use to
> >>write rules.?
> >>
> >>
> >>Thanks In advance -red
> >>
> >
>
> --
> -daniel
> http://www.debian-gnu.com
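The wireless-interface policy described in the reply above (DHCP and PPTP only, everything else reachable only through the tunnel), sketched as iptables rules. This is an added example, not part of the thread: the interface names `eth2` and `eth1`, PPTP terminating on the firewall itself, an OUTPUT policy of ACCEPT, and chains holding no earlier ACCEPT rules for these interfaces are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names are assumed.
WLAN_IF=${WLAN_IF:-eth2}    # NIC the wireless AP is plugged into (assumed name)
LAN_IF=${LAN_IF:-eth1}      # internal LAN NIC (assumed name)
IPT=${IPT:-echo iptables}   # dry run by default; run with IPT=iptables as root to apply

wlan_policy() {
    # DHCP: client (udp/68) to the DHCP server on the firewall (udp/67)
    $IPT -A INPUT -i "$WLAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    # PPTP control channel
    $IPT -A INPUT -i "$WLAN_IF" -p tcp --dport 1723 -j ACCEPT
    # PPTP data channel: GRE, IP protocol 47
    $IPT -A INPUT -i "$WLAN_IF" -p 47 -j ACCEPT
    # Anything else aimed at the firewall from the wireless segment: log, then drop
    $IPT -A INPUT -i "$WLAN_IF" -j LOG --log-prefix wlan-in-drop:
    $IPT -A INPUT -i "$WLAN_IF" -j DROP
    # Nothing is routed straight off the wireless segment, authenticated or not
    $IPT -A FORWARD -i "$WLAN_IF" -j LOG --log-prefix wlan-fwd-drop:
    $IPT -A FORWARD -i "$WLAN_IF" -j DROP
    # Authenticated clients show up on ppp interfaces; only those reach the LAN
    $IPT -A FORWARD -i ppp+ -o "$LAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
}

wlan_policy
```

With the default `IPT` the script only prints the commands for review; rule order matters because the first matching rule wins, so the DROP lines must stay after the three ACCEPT lines.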

