Re: Messages in log with SNAT target

Sietse van Zanen wrote:
> That, or put your WiFi in a DMZ behind a firewall, and have the firewall protect your private network.
>  
> Making WiFi DMZs is sort of standard practice.
>  
> -sietse

I don't really get it.

As far as I can see, there are currently two weak points in my network:
1. Someone could compromise one of the hosts remotely.
2. Someone could crack the WLAN encryption.

No matter what kind of firewalls or network schemes I deploy, neither of
those points goes away.


> ________________________________
> 
> From: Anssi Hannula [mailto:anssi.hannula@xxxxxxxxx]
> Sent: Wed 26-Jul-06 10:16
> To: R. DuFresne
> Cc: Sietse van Zanen; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Messages in log with SNAT target
> 
> 
> 
> R. DuFresne wrote:
> 
>>On Mon, 24 Jul 2006, Anssi Hannula wrote:
>>
>>
>>>>Sietse van Zanen wrote:
>>>>
>>>>
>>>>>The security risk is, and it is a MAJOR one, especially with WiFi
>>>>>networks is that any PC on the network could just be set up with a
>>>>>private IP on your private network, start sniffing for passwords etc.
>>>>>
>>>>>It's a very, very bad idea to put your public and private WiFi
>>>>>infrastructure on the same physical network.
>>>>>I would say, there's even no point in firewalling this. Firewalling
>>>>>is separating, you are combining.
>>>>>
>>>>>-Sietse
>>>>
>>>>
>>>>In this case the private network is only a very small home network. I
>>>>don't see there being too big a risk of anyone setting up a box with
>>>>private IP on the network with harm on their mind. If that would be
>>>>possible, wouldn't the security of the whole system be compromised so
>>>>much that the private/public separation doesn't matter anymore?
>>>>
>>>>The main purpose of the private IPs here is the ease of use and having
>>>>no public IP for a system if so wanted.
>>
>>
>>
>>Hopefully, for yer sake, you are the only home for miles and miles
>>around....Yet, I doubt such is the case, so you are a risk to all sadly.
>>
> 
> 
> So, what do you suggest, then?
> 
> That I have 2 separate wireless networks, one for the internet and one
> for the private network?
> 
> (the WLAN is of course WPA encrypted)
> 
> --
> Anssi Hannula
> 
> 


-- 
Anssi Hannula


