LinuxQuestions.org


mpapet 05-13-2005 01:46 PM

Multi-home Box Security Questions
 
Hi,

I've got a box inside our LAN doing logging and Snort. Management wants wireless Internet access for guests.

I'm considering putting in a couple more NICs into the Debian box to make it a more robust, firewalled and accountable access point. The Access Point NICs would be in a totally different subnet.

Question:
Do I run a substantial risk of a compromise such that a cracker can get into my wired LAN from the wireless IP addresses?

Any feedback, even if it's obvious, would help.

Michael

jamuz 05-17-2005 07:21 PM

This probably qualifies as obvious:
 
The fundamental assumption of most firewall design is that the upstream environment is hostile and the downstream environment is benign, so it's safe to let anything through from downstream. This assumption is especially dangerous when the downstream environment is wireless because of the difficulty of controlling access to a wireless node. But IMHO there is nothing inherent in the design of e.g. ipchains (the only implementation I know much about) to _require_ it to be asymmetric.

As usual, you need to begin your design by deciding:
a. what goals you need to accomplish with the AP;
b. what costs and risks those goals are worth;
c. whom you will allow to connect to this AP;
d. how you will identify them, both before and after they connect;
e. what you will let them do once they are connected;
f. and how you will respond when they try to do something else.

And depending on items b. and f. you may have the further task of trying to persuade management that this AP is really not a good idea.

Good luck!
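
As an added illustration that is not part of either post: a shell function that prints a ruleset treating the guest wireless side as hostile, the symmetric design the reply describes, written for iptables rather than the ipchains it mentions. The interface names, guest subnet, separate uplink interface, web-only guest policy and the DHCP/DNS/SSH services are all assumptions.

```shell
#!/bin/sh
# Added example. Prints an iptables-restore ruleset in which the guest
# wireless segment is treated as hostile, not as trusted "downstream".
# Assumed: interface names, guest subnet, a separate uplink, web-only guest
# policy, DHCP/DNS served by this box, SSH admin from the wired LAN.
guest_ruleset() {
    [ $# -eq 4 ] || { echo "usage: guest_ruleset LAN_IF GUEST_IF WAN_IF GUEST_NET" >&2; return 2; }
    lan_if=$1 guest_if=$2 wan_if=$3 guest_net=$4
    # The guest NIC must be dedicated, or the separation below means nothing.
    if [ "$guest_if" = "$lan_if" ] || [ "$guest_if" = "$wan_if" ]; then
        echo "guest interface must differ from LAN and uplink" >&2; return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GUEST_DENY - [0:0]
# Item f: every refused guest packet is logged (rate-limited), then dropped.
-A GUEST_DENY -m limit --limit 10/min -j LOG --log-prefix "guest-deny: "
-A GUEST_DENY -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Admin access from the wired side only; add the box's existing LAN services here.
-A INPUT -i $lan_if -p tcp --dport 22 -j ACCEPT
# Guests may reach this box for DHCP and DNS, nothing else.
-A INPUT -i $guest_if -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $guest_if -s $guest_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $guest_if -s $guest_net -p tcp --dport 53 -j ACCEPT
-A INPUT -i $guest_if -j GUEST_DENY
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Spoofed sources from the guest side are refused before any allow rule.
-A FORWARD -i $guest_if ! -s $guest_net -j GUEST_DENY
# Item e: guests get web traffic to the uplink only.
-A FORWARD -i $guest_if -o $wan_if -p tcp -m multiport --dports 80,443 -j ACCEPT
# No rule ever names the wired LAN as an output for guest traffic.
-A FORWARD -i $guest_if -j GUEST_DENY
COMMIT
EOF
}
# Run stand-alone: ./guest-rules.sh eth0 eth2 eth1 192.168.50.0/24
[ $# -eq 0 ] || guest_ruleset "$@"
```

Pipe the output to `iptables-restore --test` to confirm it parses before loading it.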

