Date:      Sun, 15 Jul 2001 11:33:19 -0700 (PDT)
From:      kjerste soderberg <kjerstes@yahoo.com>
To:        mobile@freebsd.org
Cc:        pir@pir.net, bobj@ufl.edu
Subject:   Re: Driver for D-Link DWL-650 card? [encryption now working]
Message-ID:  <20010715183319.48320.qmail@web9707.mail.yahoo.com>
In-Reply-To: <20010715134530.A17077@pir.net>

My worries are the same. We'd also use the same AP's
and same cards (D-LINK DWL-650's) w/ FBSD4.3 but
regardless of the H/W, I've been thinking about the
SAME statement U make "xtra layer of security".
Yep! worried about the "parking lot" lurkers with a
promisc. mode wireless card .. sniffin away ..

Here is what I'm contemplating; Pls if ANYONE has a
better mousetrap Pls advise;

PLAN A;
The AP IS NOT directly plugged into the ethernet hub.
Instead in-between the AP and the hub sits a P133
(yesterday's "trash") w/ FBSD4.3 running as a firewall
BUT on the same 192.168.x.x segment for the purpose of
servicing the few laptops.
No inetd and just ssh allowed solely.
ssh would also forward X traffic
The only way the laptops would access the LAN is via
ssh.

Of course this leaves me with much to be desired,
sacrificed for security's sake; 
like NO EASY WAYS to:
POP3 & SMTP
general surfing on port80
(remember everything's denied save ssh)
also propagating past just 1 AP to multiple APs
scattered about for "infrastructure type coverage".
A firewall per AP is a headache.

So I was thinking of PLAN B;
running an extra hub plugged into our router.
This 16 port hub would be used for all the AP's
solely.
Our "real" wired network would sit behind our present
firewall.
So the AP's and ALL the associated wireless users
would be part of the "great unprotected", if they
wanna get into our regular network they gotta ssh in
thru our firewall just as if they're comin in from the
"outside".

Better suggestions welcomed please.

--- Peter Radcliffe <pir@pir.net> wrote:
> Bob Johnson <bobj@ufl.edu> probably said:
> > Keep in mind that if you aren't using WEP, anyone with a null network
> > name in their NIC can probably connect to (and use) your AP if they
> > can get within range.  That is what my real worry is - I've been
> > turning off the AP when I wasn't using it.
>
> Well, you can use a closed network so they at least have to sniff the
> network name from raw packets (possible but not trivial for j.random
> person on the street) or you can limit by MAC address with some base
> stations so they'd have to sniff a valid MAC address and use it
> (possible but nontrivial) ... even if you use WEP then they can break
> the key (shown to be possible but very nontrivial, I haven't seen any
> tools to do this yet). All of these things can slow people down,
> though.
>
> If you're worried about your network you need an extra layer of
> security between the wireless and anything else.
>
> P.
>
> --
> pir                  pir@pir.net                   pir@net.tufts.edu
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-mobile" in the body of the message



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-mobile" in the body of the message
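
Added example (not part of the original message or the thread): PLAN B written out as ipfw rules for the existing firewall, printed for review rather than applied. The interface name, addresses and rule numbers are constructed assumptions, and the rules are meant to be loaded ahead of the firewall's existing ruleset.

```shell
#!/bin/sh
# Added example: print (do not apply) ipfw rules for "PLAN B", where the
# AP hub is treated as outside and only ssh to the firewall is allowed.
# Interface names, addresses and rule numbers are assumptions.

# planb_rules OUT_IF WIFI_NET LAN_NET FW_ADDR
#   OUT_IF    firewall interface facing the router / AP hub
#   WIFI_NET  segment the APs and wireless clients live on
#   LAN_NET   the "real" wired network behind the firewall
#   FW_ADDR   firewall address the wireless users ssh to
planb_rules() {
    [ "$#" -eq 4 ] || {
        echo "usage: planb_rules OUT_IF WIFI_NET LAN_NET FW_ADDR" >&2
        return 2
    }
    out_if=$1 wifi=$2 lan=$3 fw=$4

    # Filtering on source address is meaningless if wireless and wired
    # hosts share one prefix, so refuse that layout.
    if [ "$wifi" = "$lan" ]; then
        echo "wireless and wired networks must be different segments" >&2
        return 1
    fi

    cat <<EOF
ipfw -q add 100 deny log ip from $lan to any in via $out_if
ipfw -q add 200 allow tcp from $wifi to $fw 22 in via $out_if
ipfw -q add 300 allow tcp from $fw 22 to $wifi out via $out_if established
ipfw -q add 400 deny log ip from $wifi to any in via $out_if
EOF
}
# 100: drop packets arriving from outside that claim a wired-LAN source
# 200/300: ssh to the firewall and its replies, nothing else
# 400: log and drop every other packet from the wireless segment

# Dry run with constructed addresses; review the output, then run the
# printed commands as root on the firewall.
planb_rules fxp0 192.168.50.0/24 192.168.1.0/24 192.168.50.1
```

Rule 400 logs as well as drops, so probes from the wireless side show up in the firewall's log.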




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010715183319.48320.qmail>