Michael C. Toren on 9 Apr 2004 04:57:02 -0000



Re: [PLUG] wireless networks, web browsing, and forced pages


On Thu, Apr 08, 2004 at 10:45:02PM -0400, sean finney wrote:
> if there are more controls in place, like router acl's for
> unauthenticated clients, it's a little more difficult to get around, but
> some patience and packet/frame sniffing (à la ettercap) can still get
> you the mac addresses of other machines on the network, and you win if
> any of them aren't subject to the restrictions.

This may work on a wireless network implementing MAC and IP address
filtering (so long as the real, authenticated machine doesn't send RST
packets to kill your TCP sessions it receives ACKs for but knows nothing
about), but it's possible to implement a wired solution which is immune to
such attacks.

Imagine a situation in a hotel, where each room has a wired network jack
which is connected to a VLAN-capable (Virtual LAN; 802.1q) switch.  If
each room is placed in a separate VLAN, and the uplink to the Linux
gateway box is trunked, the Linux box can enable and disable access to a
room based on the VLAN rather than based on MAC and IP address filtering.
Even better, customers won't be able to sniff traffic other than their
own, authenticated or not.

This situation allows for other neat possibilities as well: in addition to
running DHCP for customers requesting dynamically assigned IP addresses,
if the Linux box is configured to proxy arp for the world and SNAT any
inbound packets from customers, customers who try to use the service with
even a misconfigured static IP address would be able to get online.  If
the Linux box also hijacks packets destined to port 53 using iptables
DNAT, it wouldn't matter what nameserver the customer is configured to
use, either.

-mct
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
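
The per-room VLAN gateway described in the message above, sketched as a dry-run command generator. This is an added example, not part of the original post: the interface names (eth1 trunk, eth0 uplink), the 192.0.2.1 gateway address, the 10.x.y.0/24 per-room addressing and the function names are all assumptions.

```shell
#!/bin/sh
# Added example, dry run: each function PRINTS commands; review, then pipe to `sh` as root.
# Assumed names (not from the post): eth1 trunk, eth0 uplink, 192.0.2.1 gateway address.
TRUNK=${TRUNK:-eth1}
UPLINK=${UPLINK:-eth0}
GW_IP=${GW_IP:-192.0.2.1}   # constructed: SNAT source and local resolver

# 802.1q VLAN IDs are 1-4094; reject empty, non-numeric and zero-padded input.
valid_vlan() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 4 ] && [ "$1" -le 4094 ]
}

# Rules shared by all rooms: nothing is forwarded unless a room is enabled.
gateway_base() {
    echo "iptables -P FORWARD DROP"
    # Replies are accepted only from the uplink side, so removing a room's
    # ACCEPT rule cuts off its outbound packets immediately.
    echo "iptables -A FORWARD -i $UPLINK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $UPLINK -j SNAT --to-source $GW_IP"
}

# One sub-interface per room VLAN, with proxy ARP and DNS capture.
room_setup() {
    valid_vlan "$1" || { echo "bad VLAN id: $1" >&2; return 1; }
    dev="$TRUNK.$1"
    echo "ip link add link $TRUNK name $dev type vlan id $1"
    echo "ip addr add 10.$(($1 / 256)).$(($1 % 256)).1/24 dev $dev"
    echo "ip link set $dev up"
    echo "echo 1 > /proc/sys/net/ipv4/conf/$dev/proxy_arp"
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $dev -p $proto --dport 53 -j DNAT --to-destination $GW_IP"
    done
}

# Access is keyed on the ingress interface (the VLAN), never on MAC or IP.
room_access() {
    valid_vlan "$1" || { echo "bad VLAN id: $1" >&2; return 1; }
    case "$2" in
        on)  op=-A ;;
        off) op=-D ;;
        *)   echo "usage: room_access VLAN on|off" >&2; return 1 ;;
    esac
    echo "iptables $op FORWARD -i $TRUNK.$1 -o $UPLINK -j ACCEPT"
}

# Constructed sample: plan for room VLAN 101.
gateway_base && room_setup 101 && room_access 101 on
```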