LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 08-27-2004, 03:08 PM   #1
MatthewSabin
LQ Newbie
 
Registered: Mar 2003
Location: Middletown, CT, USA
Distribution: Mandrake, Xandros and Undead
Posts: 10

Rep: Reputation: 0
bridging, routing and tunnels -- oh my!


I've got a LAN/WAN for employees in all three of our offices and a LAN for contractors and visitors in one of our offices -- they don't presently touch.

The employee LAN/WAN routes to our parent company for firewalled access to/from the internet and each other.

The guest LAN (in building 2) has a DSL router for internet access, and I "trust" visitors not to hack/spy on each other.

I want to put in a wireless access point for users in building 1

Visitors and employees could connect to the AP, and I'd sort them out -- bridging employees to the LAN/WAN as if they were wired, and routing visitors to a tunnel interface in building 1 which would carry them to building 2 for routing over the DSL.

My plan is to build a box with two NIC's and a tunnel with bridging and routing running.

My DHCP server for that subnet is set to issue "employee net" IP addresses to known MAC addresses and "visitor net" IP addresses to unknown MAC addresses.

Right now a machine with a MAC address matching my DHCP table will get an "employee" address and bridges fine.

I'm not entirely sure how to go about setting up the tunnel (encryption not required) and routing.

Any advice? or better suggestions?

The bridge/router/tunnel PC is a PIII running Debian/sarge

--Matthew
 
Old 08-27-2004, 04:07 PM   #2
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 374Reputation: 374Reputation: 374Reputation: 374
Here's a different solution (though I have not tried it myself). Rather than go through the complication of setting up a machine to do all that, just buy two wireless access points. Connect one to your employee network, and enable WEP. Connect the other to the visitor network, and either disable WEP or use a different key/channel/ssid.

Using the different WEPs ought to force the wireless NICs to use the appropriate network. It also provides a minimal amount of security. Your visitors won't be able to set up a wireless packet sniffer and monitor your employee wireless traffic. You didn't explicitly state it, but it sounds like you were relying on the Debian box to do encryption for you. In my opinion, that's overlooking the immediate threat of visitor eavesdropping.

Since you are "trusting" the visitors not to spy on each other, then WEP for their network could be disabled. However, one of your employees could turn around and disable WEP on their NIC, and they could packet sniff on your visitors. I'd make sure your visitors understand they should not be transferring sensitive data without encrypting it on their own. WEP for the visitor network would be weak at best (because every visitor and your employees know the key and could packet sniff), but it would provide some minimal protection for your visitors from random, third-party eavesdroppers.

Cycling the WEP keys for your employee network is also a decent security measure. It would prevent visitors from gaining access to the employee network for an extended period of time, although you risk annoying your employees if you change them too often.

Adding a firewall immediately after the employee access point would be a nice complement. It could be programmed to drop packets from unrecognized MACs similar to what you mentioned before, but without the complication of routing. This way, even if a visitor does get the WEP, they can't access the employee network directly. They could still packet sniff, but that's it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Mindterm tunnels treotan Linux - Software 0 04-26-2005 03:06 AM
NAT over tunnels sqn Linux - Networking 2 03-18-2005 01:08 AM
SSH tunnels and VNC, yet again. Edaph Linux - Security 7 05-23-2004 09:55 AM
Automatic SSH Tunnels fearofcarpet Linux - Software 1 12-04-2003 11:36 PM
gre ip tunnels and their security antken Linux - Networking 5 09-22-2003 04:08 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:23 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration