Could you put the WiFi subnet on a separate network? E.g. LAN is 192.168.1.0/24 and the WiFi is on 192.168.2.0/24. Then set up PPTP and have the WiFi people you want authenticate via 128b PPTP to the LAN, and thus get to the Internet, LAN etc. This not only secures who is using your WiFi, it also keeps those who have managed to spoof a MAC and the WEP key from watching what your users are doing, as each person's traffic is inside its own encrypted tunnel. Granted you can only have 16 PPTP tunnels, but then again you should keep 10-20 people per WiFi AP at a max, so that is kind of moot.

This is how most corporations are now doing it. Some still mix in MAC and even WEP as deterrence, but you need to establish a VPN connection to the real network from the WiFi network to do anything.

This is how I do it at home, but my WiFi is on a separate device and physical network so it was easier to set up to do this with. I don't have WiFi in my Soekris so I haven't tried it all in one box.

You can still point the PPTP to a radius server if you want for challenged authentication. Depending on the ACE you are using you can lock down to the MAC address there... or use a separate WiFi AP that has 802.1x or a built in MAC filter.

Kamil Wencel wrote:

> So it became quite an active thread ;) I didn't want to play big
> security guy, all I wanted to point out was the best solution in
> my opinion. Security Deployment is always a balance between costs,
> effort to maintain and the security level.
>
> What was not mentioned at all:
>
> Being paranoid about that (and I am still far away from it)
> is a matter of law. Times where the internet was a free place
> where everyone could behave as pleased are gone. I just don't wanna
> be prosecuted because some nerd used my line to do his stuff.
> It would all be pointed on me.
>
> I admit it is rather unlikely but I don't want to take a chance.
>
> All WE want to do is have fun with m0n0 and experiment a little
> to gain our knowledge. But that's for us.
>
> Always try to think like the dark side of the force ;)
>
> Kamil
>
> Referring to Fred Weston:
>
>> Hi Mitch,
>>
>> I've played with NoCat, but it requires you to set up your own
>> AuthService on a separate box if you want to have tight control over
>> your hotspot users. That also means there has to be connectivity from
>> the AP back to the auth box, and if that were somehow broken nobody
>> could login. My users are more or less stationary and always connected,
>> so I think something like NoCat would be cumbersome to them. It does
>> offer the ease of centralized user management, but I just don't think
>> it's right for me.
>>
>> Cheers
>>
>> -----Original Message-----
>> From: Mitch (WebCob) [mailto:mitch at webcob dot com]
>> Sent: Saturday, December 06, 2003 2:48 PM
>> To: Magne Andreassen; 'John Voigt'; m0n0wall at lists dot m0n0 dot ch
>> Cc: fred at daytonawan dot com
>> Subject: RE: [m0n0wall] FW: MAC filtering on wireless interfaces
>>
>> Hey Magne - I agree with you in principle - but there are different
>> realities - one like Fred seems to be talking about - WAP hotspots...
>> would put an unrealistic burden on the users to connect if we expect
>> them to configure IPSEC or PPTP on their windows boxes so they can surf
>> in my coffee shop.
>>
>> Found the link I was thinking of Fred: http://nocat.net/
>>
>> There is always a balance of security and usability - if the "cost" of
>> security sacrifices too much usability, then it's pointless - the system
>> won't be used at all...
>>
>> my 2 pennies.
>> m/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
> RADION
> Digital Research & Innovation
>
> Kamil Wencel
> Swakopmunder Str. 1
> 81827 München
>
> voice 3.1kHz : + 49 89 43746158
> fax-machine : + 49 89 43746159
>
> email : wencel at radion dot org
> browser : www.radion.org
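The segmented design proposed at the top of the thread (WiFi on its own subnet, nothing but PPTP allowed from it to the firewall, tunnel clients getting the real network, and the 16-tunnel cap) can be modelled as a first-match packet filter plus a small tunnel address pool. The block below is an added example written for this page; it is not code from the thread, from m0n0wall or from any of the posters. The tunnel pool 192.168.3.0/24, the firewall address 192.168.2.1 and all sample packets are constructed for the example; only the two subnets and the 16-tunnel limit come from the post.

```python
"""Model of a WiFi segment that may only reach the firewall's PPTP service.

Constructed example: the two subnets and the 16-tunnel limit are from the
post; the tunnel pool, firewall address and sample packets are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

WIFI = ip_network("192.168.2.0/24")        # open wireless segment (from the post)
LAN = ip_network("192.168.1.0/24")         # trusted wired LAN (from the post)
PPTP_POOL = ip_network("192.168.3.0/24")   # assumed pool handed to authenticated tunnel clients
FW_WIFI_IP = ip_network("192.168.2.1/32")  # assumed firewall address on the WiFi interface
ANY = ip_network("0.0.0.0/0")
MAX_TUNNELS = 16                           # tunnel limit quoted in the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp" or "gre"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]       # None matches any protocol
    dport: Optional[int]       # None matches any destination port
    note: str

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# First match wins. Only the PPTP control channel (TCP/1723) and its GRE
# data channel may leave the WiFi segment unauthenticated; anything else
# sourced from WiFi is dropped, including traffic toward the LAN, the
# Internet and other WiFi clients routed via the firewall. Addresses that
# exist only inside an established tunnel get the real network.
RULESET: List[Rule] = [
    Rule("pass",  WIFI,      FW_WIFI_IP, "tcp", 1723, "PPTP control channel to the firewall"),
    Rule("pass",  WIFI,      FW_WIFI_IP, "gre", None, "PPTP data channel (GRE) to the firewall"),
    Rule("block", WIFI,      ANY,        None,  None, "unauthenticated WiFi gets nothing else"),
    Rule("pass",  PPTP_POOL, ANY,        None,  None, "authenticated tunnel clients reach LAN/Internet"),
    Rule("block", ANY,       ANY,        None,  None, "default deny"),
]


def decide(p: Packet, rules: List[Rule] = RULESET) -> Tuple[str, str]:
    """Return (action, note) of the first rule that matches the packet."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "block", "no rule matched"


class TunnelPool:
    """Hands out one tunnel address per user and refuses the 17th tunnel."""

    def __init__(self, pool: IPv4Network = PPTP_POOL, limit: int = MAX_TUNNELS):
        self._free: List[IPv4Address] = list(pool.hosts())[:limit]
        self.active: Dict[str, IPv4Address] = {}

    def connect(self, user: str) -> Optional[IPv4Address]:
        if user in self.active:
            return self.active[user]
        if not self._free:
            return None            # tunnel limit reached: caller must wait or use another AP
        addr = self._free.pop(0)
        self.active[user] = addr
        return addr

    def disconnect(self, user: str) -> None:
        addr = self.active.pop(user, None)
        if addr is not None:
            self._free.append(addr)


if __name__ == "__main__":
    # Constructed sample traffic: an unauthenticated WiFi client and a tunnel client.
    samples = [
        Packet("192.168.2.50", "192.168.2.1", "tcp", 1723),   # PPTP setup: pass
        Packet("192.168.2.50", "192.168.2.1", "gre"),         # PPTP data: pass
        Packet("192.168.2.50", "192.168.1.10", "tcp", 445),   # WiFi -> LAN share: block
        Packet("192.168.2.50", "203.0.113.5", "tcp", 80),     # WiFi -> Internet: block
        Packet("192.168.3.7", "192.168.1.10", "tcp", 445),    # tunnel -> LAN: pass
        Packet("192.168.3.7", "203.0.113.5", "tcp", 80),      # tunnel -> Internet: pass
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, "=>", decide(pkt))
```

The rule order is the whole point: the two narrow `pass` rules for the firewall's PPTP endpoint come before the blanket `block` on the WiFi source range, so a client that has the WEP key or a spoofed MAC still sees nothing beyond the VPN concentrator until it authenticates. The pool class makes the post's capacity caveat visible: the 17th `connect` returns `None` rather than silently sharing an address.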