 From:  "John Voigt" <1geek at jvoigt dot com>
 To:  "David Rodgers" <david dot rodgers at kdsi dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Hotspot Access Pages
 Date:  Wed, 17 Mar 2004 16:39:07 -0500
----- Original Message ----- 
From: "David Rodgers" <david dot rodgers at kdsi dot net>

> > Well, for you it's a firewall.  A lot of people are using it with the
> > Soekris box as a wireless router in their SOHO environment
>
> Yes but this is still not a server it's an access device that traffic
> goes THROUGH... see also below

Perhaps you don't understand what a hotspot is.  There is no "server" just a
static web page where the user agrees with some acceptable use policy
protecting the operator.  Agreeing simply adds a rule to the firewall
allowing limited access to the user who just agreed.
>
> >
> > > All of you people that want it to do samba and nfs and .....the list
> > > goes on and on need to just get another box to do this stuff OR YOU ARE
> > > CREATING A SECURITY PROBLEM FOR YOURSELVES
> >
> > Running a hotspot is a far cry from samba or nfs.  No one will ever run
> > samba or nfs on an embedded PC.
> Many people are running this on regular PC hardware not embedded.

That is irrelevant.  They are the ones that want samba, nfs, print servers
and other crap which I agree with you about.
>
>
> > >
> > > Is it really that hard to setup a second device to be your server in
> > > these instances????
> >
> > Actually, yes.  It involves more power and physical space in locations where
> > they are at a premium.

> There are several storage servers out there that are designed for this
> purpose that are smaller than a soekris box that could live behind your
> firewall ... see also tigerdirect.com and the snap server line.

Most hotspots are in coffee shops and other retail environments.  Space is
very limited and it is very desirable to package the entire system in 1
box - as small as possible.  I'm also not sure I agree with your statement
above.  Have you ever seen a Soekris box?  It's smaller than most disk
drives (1x6x8) and a complete hotspot including radios and antennas fits
inside.  It can be fed power over its ethernet cable.
>
>
> > >
> > > It's very handy but even the dhcp and vpn server running on the firewall
> > > makes me paranoid. Fortunately this amazing product was designed with
> > > people like me in mind and can be easily disabled.
> >
> > If you trust disabling dhcp and vpn why wouldn't you trust disabling the
> > hotspot code?
>
> I don't TRUST anything I can beat up the box and make sure that OFF
> MEANS OFF and also have access to the lower layer AND the source if I
> still don't quite trust it.

Agreed.
>
> I could disable the hotspot code but I still maintain that allowing the
> general public access to ANY SERVICE running on a firewall IS bad. This
> includes the management interface to m0n0wall itself.

Agreed - for a firewall.
>
> If you are using this as ONLY an access point and don't care about
> anything that is behind it .... hey go ahead .... it's up to you

Again, a hotspot is neither a firewall NOR an access point.  It's an
integrated package for giving limited access to wireless users.  Most ports
are blocked to prevent spam and virus leakage and each user is rate limited
to prevent hogging bandwidth.  Monowall and Soekris make an excellent
combination platform to do just this.
>
>
> > >
> > > A FIREWALL SHOULD NEVER UNDER ANY CIRCUMSTANCES BE RUNNING A SERVICE
> > > THAT IS OPEN TO THE OUTSIDE WORLD IN GENERAL .... and even running a
> > > service like nfs or samba on the internal network on your firewall
> > > device isn't safe if you have ANY users other than yourself using the
> > > network.
> >
> > Agreed - see above - not everyone sees this as only a firewall.
>
> Agreed ... but if you read the "mission statement" for why it was
> created it clearly is meant to me. It doesn't say "I set out to build an
> all in one server appliance/access authentication device"
>
> >
> > If you check the history of this project you'll find that it started out
> > life as a cool way to use a Soekris embedded PC.  Many of us continue to use
> > it that way and don't share your paranoia as our networks have very little
> > of value on them.  We don't need a $12,000.00 safe to protect our $300.00
> > worth of jewels.
>
> I am not talking about protecting my "jewels" I am talking about
> protecting the health of my network and the machines in it as well as
> protecting the internet infrastructure from problems that could occur in
> my network.

My "jewels" are the health of my network, hotspots generally have nothing
else to protect.  In the case of a hotspot, the machines behind it are on
their own which is why you need the disclaimer.
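The access model John describes above (agreeing to the AUP adds a per-client allow rule, most ports stay blocked, and each user is rate limited) as a toy policy engine. This is an added illustration for readers of the thread, not m0n0wall's captive-portal code and not anything posted by either participant: state lives in a dict rather than real firewall rules, and the portal port, the port lists, the rate, and the session lifetime are constructed values chosen for the example.

```python
"""Toy model of a hotspot captive portal's per-client access control.

Added example, not m0n0wall code. Policy values below are constructed
assumptions, not the project's defaults.
"""
from __future__ import annotations
from dataclasses import dataclass

PORTAL_PORT = 8000                      # hypothetical port the AUP page is served on
OPEN_BEFORE_LOGIN = {53, PORTAL_PORT}   # DNS and the portal itself are reachable before agreeing
ALLOWED_AFTER_LOGIN = {53, 80, 443, 993, 995}  # web + encrypted mail; everything else stays blocked
SESSION_SECONDS = 3600                  # how long one acceptance stays valid


@dataclass
class Session:
    """A client that accepted the AUP, plus its token bucket for rate limiting."""
    client_ip: str
    expires_at: float
    tokens: float        # bytes the client may still send right now
    last_refill: float


class HotspotPolicy:
    def __init__(self, rate_bytes_per_sec: float, burst_bytes: float, now):
        self.rate = rate_bytes_per_sec
        self.burst = burst_bytes
        self.now = now                       # injectable clock: callable returning seconds
        self.sessions: dict[str, Session] = {}

    def accept_aup(self, client_ip: str) -> None:
        """The 'I agree' click: add a per-client allow rule with a fresh rate-limit bucket."""
        t = self.now()
        self.sessions[client_ip] = Session(client_ip, t + SESSION_SECONDS, self.burst, t)

    def revoke(self, client_ip: str) -> None:
        """Remove the client's rule (logout, admin action, abuse)."""
        self.sessions.pop(client_ip, None)

    def _session(self, client_ip: str) -> Session | None:
        s = self.sessions.get(client_ip)
        if s is None:
            return None
        if self.now() >= s.expires_at:
            del self.sessions[client_ip]     # expired: client falls back to the portal page
            return None
        return s

    def decide(self, client_ip: str, dst_port: int, nbytes: int) -> str:
        """Verdict for one outbound packet: allow / redirect / deny / ratelimit."""
        s = self._session(client_ip)
        if s is None:
            # Not logged in: DNS and the portal pass, web traffic is sent to the AUP
            # page, and anything else is dropped.
            if dst_port in OPEN_BEFORE_LOGIN:
                return "allow"
            if dst_port in (80, 443):
                return "redirect"
            return "deny"
        if dst_port not in ALLOWED_AFTER_LOGIN:
            return "deny"                    # e.g. port 25 stays closed: no spam from the hotspot
        # Token bucket: refill at the configured rate, capped at the burst size.
        t = self.now()
        s.tokens = min(self.burst, s.tokens + (t - s.last_refill) * self.rate)
        s.last_refill = t
        if nbytes > s.tokens:
            return "ratelimit"               # over budget: dropped (or queued by a traffic shaper)
        s.tokens -= nbytes
        return "allow"


def demo() -> list[str]:
    """Walk one client through the life cycle with a fake clock; returns the verdicts."""
    clock = [0.0]
    pol = HotspotPolicy(rate_bytes_per_sec=32_000, burst_bytes=64_000, now=lambda: clock[0])
    out = [pol.decide("10.0.0.5", 443, 1500)]     # before agreeing: redirect to portal
    pol.accept_aup("10.0.0.5")
    out.append(pol.decide("10.0.0.5", 443, 1500))  # allow, 62500 bytes of burst left
    out.append(pol.decide("10.0.0.5", 25, 200))    # SMTP stays blocked
    out.append(pol.decide("10.0.0.5", 443, 64_000))  # exceeds remaining bucket: ratelimit
    clock[0] = 1.0                                 # one second of refill at 32 kB/s
    out.append(pol.decide("10.0.0.5", 443, 64_000))  # bucket back at 64000: allow
    clock[0] = SESSION_SECONDS + 1.0
    out.append(pol.decide("10.0.0.5", 443, 1500))  # session expired: redirect again
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one John is arguing: the only "service" involved is a static page, and the security-relevant work is a narrow per-client rule (a short port allow-list plus a byte budget) that is created on acceptance and disappears on expiry or revocation.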