On 6/29/05, Thomas Sprinzing <thomas at sprinzing dot org> wrote:

> After trying hard with different setups I can't see the wood for the trees.
>
> I want to have a LAN 192.168.1 / 24 with DHCP enabled (guest dirt laptops)
>
> another LAN 172.17 / 16 with static IPs (goodnet - my cool PCs)
>
> on the same interface (sis1)
>
>
> I want to have a DMZ LAN set up on sis2 192.168.35/24
>
>
> both sis1 nets must have NAT to the world (which is done via WAN - sis0
> interface).
> both sis1 nets must have DNS service forwarded by gateway.
> both sis1 nets must not be bridged. they shall be isolated.

Isolating the traffic on a single LAN with different subnets is not very easy. It is especially difficult when you have no control over the clients. If they turn off DHCP and assign themselves a static 172 address then they become goodguys.

Using {some freely and publicly available tools} they could quite trivially take over the m0n0 gateway's MAC address and direct all LAN traffic via their laptop man-in-the-middle style - taking over the gateway with sufficient physical and logical access takes about 10 seconds... After which you can sniff all traffic and brute force/db lookup all the password hashes collected, etc etc.

VLANs are not the answer. They reduce the collision domain and provide the ability to significantly increase port density in large networks. Anyone can use packet rewriting software to insert the appropriate VLAN tags/sniff from the wire.

What you want is access from your good machines both to your DMZ and the 'net, whilst at the same time limiting visiting laptops to just 'net access.

I think the best you can do short of adding another m0n0 somewhere internally is to:

- run DHCP as planned for your visiting laptops
- use firewall rules to allow only the 172.x/16 to the DMZ and statically map (arp -s) these on m0n0
- statically map m0n0's MAC addr on all the 172.x/16 machines also if poss.
- use more countermeasures against those you cannot trust - see here for more examples: http://safariexamples.informit.com/0201719568/Misc/dsniff/faq.htm#Countermeasures

It's probably easier to install another interface into your existing/a new m0n0, then all this goes away and becomes a simple interface-based firewall rule :)

--cheers gm
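The static ARP pinning and the gateway-impersonation risk described in the reply above, as an added example that is not part of the original thread: a small POSIX shell check that compares the entries an `arp -an` table reports for the gateway IP against the MAC you pinned with `arp -s`. The gateway address, the MACs and the FreeBSD-style `arp -an` output are all constructed for illustration.

```sh
#!/bin/sh
# Constructed sample output in the style of FreeBSD "arp -an" on a 172.17/16 host.
# The first line is the pinned (permanent) gateway entry; the last line is a
# constructed second entry for the same IP with a different MAC, which is what a
# spoofed gateway would leave behind in the neighbour table.
SAMPLE_ARP='? (172.17.0.1) at 00:11:22:33:44:55 on sis1 permanent [ethernet]
? (172.17.0.2) at 00:11:22:33:44:66 on sis1 [ethernet]
? (172.17.0.1) at de:ad:be:ef:00:01 on sis1 [ethernet]'

# pin_arp_commands IP=MAC [IP=MAC ...]
# Emits the "arp -s" lines that pin each host statically, as the reply suggests;
# it prints them instead of running them so the output can be reviewed first.
pin_arp_commands() {
    for pair in "$@"; do
        ip=${pair%%=*}
        mac=${pair#*=}
        printf 'arp -s %s %s\n' "$ip" "$mac"
    done
}

# check_gateway_mac GATEWAY_IP EXPECTED_MAC ARP_TABLE_TEXT
# Prints every MAC seen for the gateway IP that differs from the pinned MAC.
# Exit status 0 when every entry matches, 1 when any mismatch is found.
check_gateway_mac() {
    gw="$1"; expected="$2"; table="$3"
    printf '%s\n' "$table" | awk -v gw="($gw)" -v want="$expected" '
        $2 == gw && tolower($4) != tolower(want) { print $4; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone run: show the pin commands, then audit the constructed table.
pin_arp_commands 172.17.0.1=00:11:22:33:44:55 172.17.0.2=00:11:22:33:44:66
if check_gateway_mac 172.17.0.1 00:11:22:33:44:55 "$SAMPLE_ARP"; then
    echo "gateway MAC consistent"
else
    echo "WARNING: unexpected MAC(s) seen for gateway 172.17.0.1 (listed above)"
fi
```

On a live host you would feed `"$(arp -an)"` to `check_gateway_mac` from cron and alert on a non-zero exit.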