 From:  Chet Harvey <chet at pittech dot com>
 To:  Mikael Bohlin <Mikael dot Bohlin at se dot flextronics dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Odd kind of setup?
 Date:  Thu, 8 Jul 2004 09:21:29 -0400
Actually putting them in a DMZ is a great idea. For several reasons:

1 - no access to your corporate systems

2 - if they have a virus it will not pound your systems or networks

3 - with captive portal you control access


I would also limit their bandwidth usage. Don't want them bogging down your T1 
using BitTorrent or WinMX.

Another suggestion for a setup like this, if you are concerned, is to put in 
another firewall in bridged mode running Snort. A bit advanced (beyond m0n0) 
but for corporate networks that have a lot of "guests", i.e. vendors, etc., it is 
also a good step to prevent "bad" behavior.

Quoting Mikael Bohlin <Mikael dot Bohlin at se dot flextronics dot com>:

>  
> Good thought, and that is what I will do.
> But I also want the guest to log on from a web page, so they do not get full
> Internet access at once...
> So I'll use MonoWall for the Captive Portal and the logon page there...
> Or could I do that in any other way?
> 
> 
> //
> Mikael 
> 
> 
> -----Original Message-----
> From: Bryan Kohlstedt [mailto:bk at aventuremail dot com] 
> Sent: 8 July 2004 14:41
> To: m0n0wall at lists dot m0n0 dot ch; Mikael dot Bohlin at se dot flextronics dot com
> Subject: Re: [m0n0wall] Odd kind of setup?
> 
> 
> 
> Is there a reason you're not putting the visitors in a dmz? I'm doing
> something similar to you except all my visitors are going to go in the dmz
> so they have unfiltered access to the internet (wan interface) but no access
> to our machines on our network (lan interface).
> 
> Bryan
> ----- Original Message -----
> From: "Mikael Bohlin" <Mikael dot Bohlin at se dot flextronics dot com>
> To: m0n0wall at lists dot m0n0 dot ch
> Sent: Thursday, July 08, 2004 02:55 AM
> Subject: [m0n0wall] Odd kind of setup?
> 
>  Everyone,
>  
>  I'm about to test the Monowall in a slightly different scenario than what I
> guess most of you guys do.
>  
>  I am about to build a separate network for our visitors and guests. From
> this Visitor network our guests should get Internet access but no access to
> our company resources.
>  On this network I connect the Monowall LAN interface, enable DHCP and DNS
> forwarding. I will also use the Captive portal function, forcing them to log
> on first.
>  On my company network I connect the Monowall WAN interface.
>  
>  With this setup a couple of questions pop up:
>  
>   - Can I disable the Management on the LAN interface??? I do not want any
> clever visitor trying to log on to the Monowall and changing stuff.
>   - When a user logs on to the Captive portal page, it performs an HTTP POST
> sending the user ID and password in clear text. Any user with a network
> sniffer will easily find the others' credentials... Can this be changed into
> an HTTPS POST??? It would add a lot of security into it.
>  
>  
>  Thanks,
>  
>  Mikael
>  
>  
>  ____________________________________________
>  
>  Mikael Bohlin
>  IT Security Coordinator
>  Flextronics Network Services
> 


-- 
Chet Harvey
Pitbull Technologies <http://www.pittech.com/> 
Protecting your Digital Assets
703.407.7311