Paul on Fri, 19 Sep 2003 11:44:18 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] cable modem and MAC

So far the wired part of the network has been easy to secure, although I'm not sure exactly how secure it is right now. (modem-->firewall -->IP_masq-->trusted_net) All I did was use RedHat's overly simple utility to configure the firewall to block traffic coming from the Internet and to trust the LAN. Then, I added port forwarding with IP masquerading to allow the LAN to reach the Internet.

I'm anticipating that securing the wireless segment, the way I want it to work, will not be as simple. Right now there is hole the size of Lincoln Tunnel in my network. (laptop-->adhoc_wireless-->IP_masq-->modem) I want the laptop to be able to access the LAN and the Internet through an encryted tunnel. Nothing but the tunneled connection should be allowed. I'm thinking VPN.

So, the questions become... How can I establish an encypted tunnel between a Windows laptop and a GNU/Linux PC? How can I make sure the laptop will not be compromised, allowing an attack to use that encryted tunnel for its own purposes? Should I not use adhoc mode?

LeRoy Cressy wrote:

Also, if you have public access like a mail server or web server running, you should have a minimum of 3 ethernet cards in your firewall.
Internet eth0
DMZ eth1
Lan eth2

For the paranoid it should be virtually impossible to get from the DMZ network or the Internet to the Lan, but allow the Lan access to both the Internet and the DMZ. This makes it a little hard, but and impossible for remote administration / access.

Art Clemons wrote:

Since you are going to go this route, could you over the course of a few weeks detail what you're doing for a router. For example are you going to try something like Coyote Linux or are you just going to run a script on an already working box? I personally am intrigued by the concept of a one floppy setup system and have played with them but the NAT routers are fun. Of course tcpdumping the IP address was fun, and let me know that at least someone in my cable subnet was scanning ports.

Philadelphia Linux Users Group        --
Announcements -
General Discussion  --