Wireless 'firewall' needed

Jim Carter jimc at math.ucla.edu
Fri Jan 31 10:48:07 EST 2003


On Thu, 30 Jan 2003, Daniel Curry wrote:
> ... Does anyone
> have any suggestions on an easy to implement 'server' to log users
> (would like to require at least a valid e-mail address), that either
> authenticates to a remote server (maybe a community authentication
> server?) or locally,  and has the ability to restrict bandwidth usage?

My setup:

    laptop ----> access point ----> Linux server ----> DSL egress
                Other hosts ---------^

I can configure the desktop server any way I want, and I have to have it
anyway for printing, backup, nameserver (for my own little intranet), etc.
I have DHCP configured to recognize my family's machines per MAC address
(though a competent hacker can just set IP manually), and to route to the
Internet only if the MAC address is known (or simulated by the hacker).
Plus the routing firewall rules are pretty restrictive.  On the wireless I
use WEP (yes, AirSnort).  The Linux machines have firewalls and can defend
themselves (particularly when they're not at home and are directly on the
Internet);  the one running WinXP ... well, of course Bill has all the
security holes plugged :-)  And we know how to run Windows Update.  And the
server does NAT, so only a careful targeted attack on the Windows machine
would succeed.  At least it's not Win98.

I'm balancing effective protection against ease of use and system
administration.  There is no effective authentication for people to use my
wireless net (I'm thinking of X.509 certificates and the like).  I've never
seen any wireless probes, though my logs are full of crap from the Internet
side -- 1 hack packet a minute, on bad days.  Maybe I live in a good
neighborhood.  Someone who just wanted to download MP3's using my DSL would
find it very frustrating due to the routing restrictions; someone who was
assigned to snoop on my SSL datastreams would have no trouble doing so, not
that it would do him any good.

But if you're thinking of setting up community wireless, this doesn't
address many important issues.  Check your service agreement with your ISP.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA  90095-1555
Email: jimc at math.ucla.edu    http://www.math.ucla.edu/~jimc (q.v. for PGP key)
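The MAC-gated forwarding, default-deny and NAT arrangement Jim describes above, written out as an iptables script. This is an added example, not code from the post or from Jim's server; the interface names, LAN subnet and MAC addresses are made up for illustration. By default it only prints the rules (dry run); set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: a Linux router between the access point/LAN and a DSL link
# that forwards to the Internet only for known MAC addresses, NATs what it
# forwards, and logs then drops everything else. Names below are assumptions.

LAN_IF=eth0              # assumption: interface facing the access point / LAN
WAN_IF=ppp0              # assumption: DSL egress
LAN_NET=192.168.1.0/24   # assumption: home subnet handed out by DHCP
# Constructed allow-list: MAC addresses of the family's machines.
KNOWN_MACS="00:0c:29:aa:bb:01 00:0c:29:aa:bb:02"

IPT="${IPT:-echo iptables}"   # dry run unless IPT=iptables is exported

gen_rules() {
    # Start clean and default-deny forwarding; INPUT to the box itself is
    # policed by its own host firewall and is not shown here.
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -P FORWARD DROP

    # Replies to flows that were allowed out come back regardless of MAC
    # (packets arriving on the WAN side carry no LAN MAC to match on).
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: only from the LAN subnet AND only from a known MAC address.
    # A manually set IP alone does not get through; a cloned MAC does, which
    # is exactly the weakness the post points out.
    for mac in $KNOWN_MACS; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
             -m mac --mac-source "$mac" -j ACCEPT
    done

    # Anything else from the LAN is logged (rate-limited so a scan cannot
    # flood syslog) and dropped, so unknown wireless clients show up in logs.
    $IPT -A FORWARD -i "$LAN_IF" -m limit --limit 6/min \
         -j LOG --log-prefix "FWD-UNKNOWN: "
    $IPT -A FORWARD -i "$LAN_IF" -j DROP

    # NAT only the traffic that was accepted above.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

gen_rules
```

The MAC match is a convenience, not authentication: any client that has sniffed a valid station's MAC (trivial on an open or WEP network) can clone it, so this only keeps out casual freeloaders, which is the trade-off the post makes explicitly. The LOG rule is what turns "I've never seen any wireless probes" into something you can actually check in syslog.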
