RE: Messages in log with SNAT target

The important issue you have is not WHAT somebody can hack. It's what somebody can DO and ACCESS, WHEN you've been hacked.
 
If somebody does manage to take over one of your systems, he most certainly gains access to ALL systems on the same physical (sub)network. As ALL your systems are on the same net, draw the conclusion.
 
Combine that conclusion with the innate vulnerability of WiFi networks and do the math. It's unwise to use your setup. Period. It's not for nothing that recommendations always talk about shielding your WiFi with a firewall. Now for personal use, it might be acceptable to do otherwise, but that's up to you, as always the choice is between security and convenience.
 
-Sietse

________________________________

From: Anssi Hannula [mailto:anssi.hannula@xxxxxxxxx]
Sent: Wed 26-Jul-06 13:21
To: Sietse van Zanen
Cc: R. DuFresne; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Messages in log with SNAT target



Sietse van Zanen wrote:
> That, or put your WiFi in a DMZ behind a firewall, and have the firewall protect your private network.
> 
> Making WiFi DMZs is sort of standard practice.
> 
> -sietse

I don't really get it.

As far as I can see, there are currently two weak points in my network:
1. Someone could compromise one of the hosts remotely.
2. Someone could crack the WLAN encryption.

No matter what kind of firewalls or network schemes I deploy, neither of
those points goes away.


> ________________________________
>
> From: Anssi Hannula [mailto:anssi.hannula@xxxxxxxxx]
> Sent: Wed 26-Jul-06 10:16
> To: R. DuFresne
> Cc: Sietse van Zanen; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Messages in log with SNAT target
>
>
>
> R. DuFresne wrote:
>
>>On Mon, 24 Jul 2006, Anssi Hannula wrote:
>>
>>
>>>>Sietse van Zanen wrote:
>>>>
>>>>
>>>>>The security risk is, and it is a MAJOR one, especially with WiFi
>>>>>networks is that any PC on the network could just be set up with a
>>>>>private IP on your private network, start sniffing for passwords etc.
>>>>>
>>>>>It's a very, very bad idea to put your public and private WiFi
>>>>>infrastructure on the same physical network.
>>>>>I would say, there's even no point in firewalling this. Firewalling
>>>>>is separating, you are combining.
>>>>>
>>>>>-Sietse
>>>>
>>>>
>>>>In this case the private network is only a very small home network. I
>>>>don't see there being too big a risk of anyone setting up a box with
>>>>private IP on the network with harm on their mind. If that would be
>>>>possible, wouldn't the security of the whole system be compromised so
>>>>much that the private/public separation doesn't matter anymore?
>>>>
>>>>The main purpose of the private IPs here is the ease of use and having
>>>>no public IP for a system if so wanted.
>>
>>
>>
>>Hopefully, for yer sake, you are the only home for miles and miles
>>around....Yet, I doubt such is the case, so you are a risk to all sadly.
>>
>
>
> So, what do you suggest, then?
>
> That I have 2 separate wireless networks, one for the internet and one
> for the private network?
>
> (the WLAN is of course WPA encrypted)
>
> --
> Anssi Hannula
>
>


--
Anssi Hannula





