DMZ for wireless internet connection
DMZ for wireless internet connection - 30.Oct.2006 4:22:48 PM   
jrink

 

Posts: 51
Joined: 22.Jul.2002
From: Wisconsin
Status: offline
I currently have an ISA 2004 server with 3 NICs: internal, external, and a DMZ.   I'm considering adding a fourth NIC to the server and connecting it to an internal VLAN that is set up for our wireless Cisco APs.  I'm figuring I can then allow laptops to communicate with the ISA server to get internet access over the VLAN and set my specific access rules for that fourth interface to limit what exactly users can do (mainly 80/443 only).

Any reason why I shouldn't do this?  Sure seems simple to me.

JR


Post #: 1
RE: DMZ for wireless internet connection - 30.Oct.2006 5:18:58 PM   
elmajdal

 

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:


Any reason why I shouldn't do this?  Sure seems simple to me.

on the contrary, http://www.isaserver.org/tutorials/2004wirelessdmzpart1.html

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to jrink)
Post #: 2
RE: DMZ for wireless internet connection - 31.Oct.2006 9:34:35 AM   
jrink

 

Posts: 51
Joined: 22.Jul.2002
From: Wisconsin
Status: offline
quote:

on the contrary, http://www.isaserver.org/tutorials/2004wirelessdmzpart1.html


????

What do you mean, "on the contrary"?  This is basic ISA configuration stuff, nothing complex here.  There is probably less than 30 minutes involved in doing this, most of which will be adding a 4th NIC to my server.

I guess that's why I asked originally if I'm missing something here because this seems extremely easy.

(in reply to elmajdal)
Post #: 3
RE: DMZ for wireless internet connection - 1.Nov.2006 8:09:06 PM   
elmajdal

 

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
You asked
quote:

Any reason why I shouldn't do this? 


and I answered:
quote:

on the contrary, http://www.isaserver.org/tutorials/2004wirelessdmzpart1.html


which means that it's better to put your wireless users on a different network than your internal network.

Meaning: go ahead, you are on the right track.

Any more misunderstanding?

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to jrink)
Post #: 4
RE: DMZ for wireless internet connection - 1.Nov.2006 9:21:01 PM   
jrink

 

Posts: 51
Joined: 22.Jul.2002
From: Wisconsin
Status: offline
Ah.   I had thought your "to the contrary" statement was in reference to my "sure seems simple to me" statement.  Heh.  I thought you were trying to tell me it's NOT easy, which is why I was confused, because it seemed like a very easy setup.

I've gone ahead with this option utilizing the 4th NIC interface for a wireless network that is open for public use and VLAN'd off our regular network.  I'm also trying out the WebTOS service that I've seen mentioned here a few times.  So far so good.  It's really a painless configuration. 

JR

(in reply to elmajdal)
Post #: 5
RE: DMZ for wireless internet connection - 2.Nov.2006 4:06:06 AM   
Guest
quote:

Means Go ahead, you are on the right track.

That's rubbish.
What exactly does public mean to you?
If public really means public (everybody), that's not the way to do it!

< Message edited by adrian_dimcev -- 2.Nov.2006 4:08:42 AM >

(in reply to jrink)
  Post #: 6
RE: DMZ for wireless internet connection - 2.Nov.2006 9:08:30 AM   
jrink

 

Posts: 51
Joined: 22.Jul.2002
From: Wisconsin
Status: offline
quote:

ORIGINAL: adrian_dimcev
if public really means public(everybody) that's not the way to do it!

Why do you say that?  If the interface is completely isolated from the Internal interface and DMZ interface, and only has internet access to the External interface, while running on a separate VLAN, what would you say the problem is or the 'right' way to do it?

(in reply to Guest)
Post #: 7
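The design described in the opening post and in the reply above (a fourth ISA interface for the wireless VLAN, allowed to reach only the External network on 80/443, and nothing on Internal or the DMZ) is simple to state but easy to break through rule ordering, because ISA applies the first access rule that matches. The following is an added example written for this page, not code from the thread or from ISA Server's own API: it models first-match access rules in plain Python with a constructed address plan, and runs an audit that reports every destination a wireless client can still reach beyond External 80/443. The rule names, network addresses and probe ports are all assumed; "localhost" stands for the firewall's own address on the wireless interface, which is reachable from that VLAN unless a rule denies it.

```python
"""Policy model for the four-interface ISA design discussed in this thread.

Added example, not code from the thread or from ISA Server. ISA evaluates
access rules in order and applies the first one that matches, which is what
evaluate() reproduces for TCP flows. Addresses, rule names and ports are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Sequence, Tuple

# Constructed address plan for the ISA networks (the thread names none).
# "localhost" stands for ISA's own address on the wireless interface,
# which a wireless client can reach unless a rule denies it.
NETWORKS = {
    "internal": ip_network("10.0.0.0/16"),
    "dmz": ip_network("192.168.100.0/24"),
    "wireless": ip_network("172.16.50.0/24"),
    "localhost": ip_network("172.16.50.1/32"),
}


def classify(addr: str) -> str:
    """Map an address to an ISA network name; anything unknown is External."""
    ip = ip_address(addr)
    # Longest prefix wins, so 172.16.50.1 is "localhost", not "wireless".
    for name, net in sorted(NETWORKS.items(), key=lambda kv: -kv[1].prefixlen):
        if ip in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    src: FrozenSet[str]               # source network names
    dst: FrozenSet[str]               # destination network names
    ports: Optional[FrozenSet[int]]   # None means any TCP port


def rule(name, action, src, dst, ports=None) -> Rule:
    return Rule(name, action, frozenset(src), frozenset(dst),
                None if ports is None else frozenset(ports))


ALL = ("internal", "dmz", "wireless", "localhost", "external")

# First-match policy for the proposed design: the wireless network may reach
# only External on 80/443, and an explicit deny for everything else from it
# sits directly underneath so that no broader rule lower down can apply.
POLICY = [
    rule("Wireless web only", "allow", ["wireless"], ["external"], [80, 443]),
    rule("Wireless deny all", "deny", ["wireless"], ALL),
    rule("Internal to Internet", "allow", ["internal"], ["external"]),
    rule("Internal to DMZ web", "allow", ["internal"], ["dmz"], [80, 443]),
    rule("Anyone to DMZ web server", "allow", ALL, ["dmz"], [80]),
]

# The same rules with the broad DMZ rule moved above the wireless deny.
MISORDERED = [POLICY[0], POLICY[4], POLICY[1], POLICY[2], POLICY[3]]


def evaluate(policy: Sequence[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """Return (action, rule name) for a TCP flow; unmatched flows are denied."""
    src, dst = classify(src_ip), classify(dst_ip)
    for r in policy:
        if src in r.src and dst in r.dst and (r.ports is None or port in r.ports):
            return r.action, r.name
    return "deny", "default deny"


# One constructed probe address per network, used by the audit below.
PROBES = {
    "internal": "10.0.1.10",
    "dmz": "192.168.100.10",
    "wireless": "172.16.50.20",
    "localhost": "172.16.50.1",
    "external": "203.0.113.10",
}
PROBE_PORTS = (22, 25, 53, 80, 135, 139, 443, 445, 3389, 8080)


def audit_wireless(policy: Sequence[Rule]) -> List[Tuple[str, int, str]]:
    """List every (destination, port, rule) a wireless client is allowed to
    reach other than External on 80/443, i.e. every hole in the isolation."""
    findings = []
    for dst_name, dst_ip in PROBES.items():
        for port in PROBE_PORTS:
            action, name = evaluate(policy, "172.16.50.77", dst_ip, port)
            if action == "allow" and not (dst_name == "external" and port in (80, 443)):
                findings.append((dst_name, port, name))
    return findings


if __name__ == "__main__":
    print(audit_wireless(POLICY))      # []
    print(audit_wireless(MISORDERED))  # [('dmz', 80, 'Anyone to DMZ web server')]
```

The audit on POLICY comes back empty because the "Wireless deny all" rule directly follows the one allow for that network. MISORDERED keeps exactly the same rules but places a broad "anyone to the DMZ web server" rule above that deny, and the audit reports that wireless clients can now reach the DMZ on port 80. The practical check is the same on a real ISA policy: after adding any rule whose source is "All Networks" or "Anywhere", confirm it sits below the per-network deny, or the isolation the fourth interface was meant to provide quietly disappears.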
RE: DMZ for wireless internet connection - 2.Nov.2006 9:48:21 AM   
Guest
You still didn't answer my question.
There is a difference between guest access and public access.
You don't put all the eggs in the same basket.
For me public means:
OK, I can come, nobody asks me who I am, and I have Internet access for free.
In this case you should have two Internet lines for every connection.
How do you plan to restrict me from consuming all your Internet bandwidth?
You think you can monitor me?
Block me?
Just think again.
http://www.stealthsurfer.biz/

(in reply to jrink)
  Post #: 8
RE: DMZ for wireless internet connection - 2.Nov.2006 9:48:31 AM   
elmajdal

 

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

ORIGINAL: adrian_dimcev
that's rubbish.
what exactly means public to you?
if public really means public(everybody) that's not the way to do it!


Hi Adrian,
you can contact Tom and tell him that his article is rubbish!!

Have you read the article I referred to above? Have you read that the subject is: Configuring an Untrusted Wireless DMZ on the ISA Firewall?
 


_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to Guest)
Post #: 9
RE: DMZ for wireless internet connection - 2.Nov.2006 10:02:23 AM   
Guest
Yep, I've read that article. I'm not saying that.
But again I need to say that there is a difference between guest access (you have some people coming to your company, I don't know, maybe partners, speakers at a conference... and you want to allow them access to the Internet from their laptops) and public access: everybody is invited.
By the way, both are untrusted.
IMHO: it is impossible to use the same Internet connection for your Internal network, DMZ... and for public access for everybody and put them all together just like that.
You have to make a distinction.

< Message edited by adrian_dimcev -- 2.Nov.2006 10:43:15 AM >

(in reply to jrink)
  Post #: 10
RE: DMZ for wireless internet connection - 2.Nov.2006 12:27:45 PM   
jrink

 

Posts: 51
Joined: 22.Jul.2002
From: Wisconsin
Status: offline
quote:

ORIGINAL: adrian_dimcev

Yep, I've read that article. I'm not saying that.
But again I need to say that there is a difference between guest access (you have some people coming to your company, I don't know, maybe partners, speakers at a conference... and you want to allow them access to the Internet from their laptops) and public access: everybody is invited.
By the way, both are untrusted.
IMHO: it is impossible to use the same Internet connection for your Internal network, DMZ... and for public access for everybody and put them all together just like that.
You have to make a distinction.


It will be used for people coming to our company and also limited public use.  Regardless, I don't see why this is problematic.  A simple bandwidth manager such as Bandwidth Controller Enterprise for $189 assures you a committed rate of bandwidth and scheduling those rates for a particular interface or types of traffic/ports and would guarantee a specified level of performance.

And yes, obviously they're untrusted; that's where VLANs come in and the separate interface on ISA, so I'm not sure how that really matters if the infrastructure doesn't give up any security/performance to allow this functionality.

Not every company out there has the means to provide a completely separate internet connection for wireless users.  I personally believe it can be a foolish expenditure if you can accomplish the same result using an existing internet connection without compromising security or performance.

Glad to see you added IMHO to your last message because it's not impossible at all.



(in reply to Guest)
Post #: 11
RE: DMZ for wireless internet connection - 3.Nov.2006 4:48:44 AM   
Guest
quote:

Glad to see you added IMHO to your last message because it's not impossible at all.

My friend, if that little word makes you feel comfortable I'll delete it. But I assure you it has a good meaning.
The network infrastructure is crucial!
Yesterday I was in a hurry and maybe I wasn't so specific.
It's not all about the Internet connection.
This is only one aspect of the problem.
Again: there is a difference between guest and public.
The network design you are doing when you say public is very, very poor.
quote:

If the interface is completely isolated from the Internal interface and DMZ interface, and only has internet access to the External interface

I saw on this site, and not only here, articles that start with some words like this:
Most people feel bulletproof because now they have a firewall in place and everything is secure. We have a big weapon here that can take down all the enemies.
Let's make something clear: this firewall has a clear mission:
to protect your company networks (internal, web servers...) and to achieve maximum performance with it for the company.
You don't need to route garbage traffic with it.
You think that it can take any load and do just fine?
Your firewall already has a door to your networks: the external interface.
And now you are adding another door which gives direct connection to your network for everybody. More important, you are providing free and direct access to ISA.
quote:

Not every company out there has the means to provide a completely separate internet connection for wireless users.
A simple bandwidth manager such as Bandwidth Controller Enterprise for $189 assures you a committed rate of bandwidth and scheduling those rates for a particular interface or types of traffic/ports and would guarantee a specified level of performance.

Let me see if I understand this:
It is a common procedure for companies to make sure they have a second Internet connection for redundancy so they will always have Internet connectivity, and maybe for load balancing in some cases.
It seems that you have the money to permit a huge bandwidth for the Internet connection and just use a part of it. And you are eager to share the rest of it with others for free. Why don't you buy a cheaper connection with less bandwidth?
Your company should have a dedicated connection, not a shared one. A shared connection might not work as well as a dedicated one.
Also you are talking about guest access and public access:
how are you going to differentiate between them?
Your guests might be business partners and you will have to give them a decent Internet connection. But if the "public users" are consuming your bandwidth they will get only frustration.
A good administrator must ensure first that his company is well served; if not he should be fired.
For security reasons it is better to deploy a front-end firewall to protect your corporate firewall. And you, what are you doing?
That's rubbish.
quote:

And yes, obviously they're untrusted, that's where VLANs come in and the separate interface on ISA,

The purpose of VLANs is not security; this can be easily surpassed.
Do you want me to continue with other reasons?
I have a lot of them right now coming to my mind.
quote:

it's not impossible at all.

It is a free world. You can do everything you want. But don't try to teach me.
Trust me: it is easier to prevent than to cure.
And I can assure you, you will not get the chance to cure anything 'cause it will be too late for you.
Let me put this how I'm seeing it:
the secret of a weapon does not lie within, it lies within the arm that holds it, but the spirit will always rise above the arm and weapon.
By the way, do you know that ISA 2004 has limited flooding capability?

< Message edited by adrian_dimcev -- 3.Nov.2006 7:40:06 AM >

(in reply to jrink)
  Post #: 12
RE: DMZ for wireless internet connection - 3.Nov.2006 10:44:32 AM   
jrink

 

Posts: 51
Joined: 22.Jul.2002
From: Wisconsin
Status: offline
quote:

ORIGINAL: adrian_dimcev
the network design you are doing when you are saying public it is very very poor.


You seem to have all the answers for my environment which you know very little about... You state a lot of facts and "must-do" practices in your posts which are not really facts or must-do practices, but merely opinions. And you state all this without knowing very much about my (or anyone's) individual environment. The blanket statements you make may have validity in some networks, but not necessarily mine. You also make many assumptions about my network that I find to be quite humorous.

quote:

I saw on this site and not only here articles that start with some words like this...


Your paragraph that begins with "I saw on this site..." reads like a conspiracy theorist's. Uh, true I suppose, but with that mindset, I'd be better off going back to stand-alone PCs instead of taking such a risk.  If anyone takes that to heart, no one would even have a network, let alone an internet connection, because somehow, some way, someone has the means to hack it.
quote:

it is a common procedure for companies to make sure they have a second Internet connection for redundancy so they will always have Internet connectivity and maybe for load balancing in some cases.


It is?  "Common", meaning "widespread", "general", or "ordinary" by its dictionary meaning?  You would have me believe that it's common for companies to have two internet connections, one for failover or load balancing?  In my many years as a consultant and network engineer, I would not say that having two internet connections for a single company is at all common, but in fact is rare.

quote:

It seems that you are having money to permit a huge bandwitdh for the Internet connection and just use a part of it. .


Yet another assumption that is just wrong.  Our internet bandwidth is continually monitored and we are sized appropriately based on traffic reports.  Somehow of course you know better than me, without ever having seen anything on my network. 

quote:

And you are eager to share the rest it with others for free. why don't you buy a cheaper connection with less bandwidth ?


Why would we buy a cheaper internet connection when we are sized appropriately as-is?  Why are we willing to share it?  Because, as is likely at most places, our internet traffic is near absolutely zero during off-business hours on weeknights and weekends.  Providing internet access for certain community members (our stakeholders) during these time periods will not have any effect on our ability to maintain performance during regular business hours.

quote:

Also you are talking about guest access and public access:
how are you going to differentiate between them?  Your guests might be business partners and you will have to give them a decent Internet connection. But if the "public users" are consuming your bandwidth they will get only frustration.


To be blunt.  I'm not differentiating.  There isn't a need.  Guest access will occur during the normal course of business hours, public access will occur during off-business hours.  It's not like they will be competing for available bandwidth.  Somehow I think you're getting this idea that we will be providing public and guest  access for hundreds of people.  Did you even consider that maybe we're just talking about a handful of people here?  Just because a company has wireless APs on their network doesn't necessarily mean that just anyone can hop on the network from anywhere.  There are means of controlling this that I'm sure you're aware of that I won't bore you with.

quote:

a good administrator must ensure first that his company is well served, if not he should be fired.


Finally something I can agree with.

quote:

for security reasons it is better to deploy a front-end firewall to protect your corporate firewall. and you, what are you doing?


Again, blanket statements like this really bother me.  As somehow once again you know what's best for our environment based on a few online messages.  Is it true that companies would be able to provide better security with a front-end firewall to protect the corporate firewall?  Okay, sure.  Is it a must-do for every network environment, cost effective solution, and absolutely necessary however?  Absolutely not. 


quote:

the purpose of VLANs is not security; this can be easily surpassed.
do you want me to continue with other reasons?
I have a lot of them right now coming to my mind.


Actually, no, I'd rather you not continue.  You're making my head hurt the way it is.  We're using VLANs to logically separate traffic for the wireless APs from the rest of the internal network traffic.  This is common (yes, I'll use that word) practice by many in the industry.  However, if you're against doing such a thing because perhaps you read on some website somewhere... By all means, don't use them.

quote:

it is a free world. you can do everything you want. but don't try to teach me.


Who's trying to teach whom here?  All I see is someone making broad statements which do have validity in some environments, but not in others.  Nor do you take the time in your posts to add verbiage such as, "in some conditions it may be better to..." or "under certain circumstances, I would recommend...".  Instead, it seems as if one-size-fits-all in regards to how you analyze networks and what others NEED to do.

quote:


trust me: it is easier to prevent than to cure.
And I can assure you, you will not get the chance to cure anything 'cause will be too late for you.
let me put this how I'm seeing it:
the secret of a weapon does not lie within, it lies within the arm that holds it, but the spirit will always rise above the arm and weapon.


Umm.  Okay....  anyways.

My problem with your comments has absolutely nothing to do with the ideas you present.  It has to do only with how you present them.  If you wish to opine, by all means, but realize that not every environment out there needs to conform to what you believe is a "must" in regards to network security.

I think Shinder's article, for most network environments, provides a safe solution that most companies can get away with without compromising their internal infrastructure.  IMHO, our environment falls into that category.

Regards
JR

(in reply to Guest)
Post #: 13
RE: DMZ for wireless internet connection - 3.Nov.2006 12:11:21 PM   
Guest
My friend, if you seem to have an answer for everything, why have you posted here if you know them all?
First let's make something clear:
OK. I don't know your network infrastructure.
But it is all about common sense.
You are saying that I've made some guesses.
You are right. So when guessing sometimes you are wrong.
But it is a common thing on a forum to make some guesses.
By the way, my comments did not refer particularly to your network, because when you are addressing a particular network design you are probably not doing this on a forum; you will do this with a consultant.
My comments were all made around the word public. So all of my statements remain untouched.
quote:

You would have me believe that it's common for companies to have two internet connections, one for failover or load balancing?  In my many years as a consultant and network engineer, I would not say that having two internet connections for a single company is at all common, but in fact is rare.

OK, maybe I did not write that very clearly. I meant to say that it is common to have two Internet connections to provide failover and load balancing.
Are you sure you know what you are talking about?
Just give it a search on this site and you'll find how rare that is.
Why do people here complain all the time that ISA does not support that feature?
quote:

Your paragaph that begins with "I saw on this site..." reads like conspiracy theorists.

You are funny.
From Tom's article:
quote:

Just about every firewall administrator has heard the old joke where the guy's boss asks him "is our network secure?" and the response is "of course, we have a firewall!"

http://www.isaserver.org/articles/2004tales.html
quote:

just because a company has wireless APs on their network doesn't necessarily mean that just anyone can hop on the network from anywhere.

For me this is what the word public means.
quote:

We're using VLANs to logically seperate traffic for the wireless APs from the rest of the internal network traffic.

This is unclear to me (correct me if I'm wrong): if you put the AP in the DMZ it would already be separated from the Internal network; it would have nothing to do with the internal network.
Indeed with VLANs you are separating traffic and enhancing security, but VLANs were created to logically group devices or users, not to provide security.
quote:

This is common (yes, I'll use that word) practice by many in the industry.  However, if you're against doing such a thing because perhaps you read on some website somewhere... By all means, don't use them.

What are you talking about?
If the SANS Institute means just some site to you, I can give you a link:
http://www.sans.org/resources/idfaq/vlan.php
quote:

Try not to use VLANs as a mechanism for enforcing security policy. They are great for segmenting networks, reducing broadcasts and collisions and so forth, but not as a security tool.

I'll tell you who says it is secure: Cisco does, but Cisco says that using access lists provides security (OK, they can be used but they don't mean too much)....
One more thing remains unclear to me:
quote:

Guest access will occur during the normal course of business hours, public access will occur during off-business hours.

How can you do this?
I'm not going to make any supposition here.
One more thing.
I don't have anything personal against you, so if I offended you in any way please accept my apologies.

< Message edited by adrian_dimcev -- 3.Nov.2006 1:08:00 PM >

(in reply to jrink)
  Post #: 14
RE: DMZ for wireless internet connection - 3.Nov.2006 1:20:02 PM   
jrink

 

Posts: 51
Joined: 22.Jul.2002
From: Wisconsin
Status: offline
quote:

ORIGINAL: adrian_dimcev
From Tom article:
Just about every firewall administrator has heard the old joke where the guy's boss asks him "is our network secure?" and the response is "of course, we have a firewall!"

I'm familiar with that joke, but I don't see a correlation between it and your previous statements about someone who doesn't see the necessity to run multiple firewalls in their organization.  If no one should run a single ISA firewall because it's not safe enough, MS should stop selling individual licenses and instead require a minimum of two from now on.

I'm happy for the larger sized organizations who need a front end firewall to protect their corporate firewall, but this isn't necessarily true for everyone.

quote:

quote:

just because a company has wireless APs on their network doesn't necessarily mean that just anyone can hop on the network from anywhere.

for me this is what the word public means.


Alright.  Imagine for a moment that a company or organization has an AP, or several APs within their large building.  Now imagine that those APs were set up so that their respective signals only reached a specific area of the building, or room, in which they were located.  In other words, just having those APs doesn't necessarily mean access to them is a free-for-all when a person is on premises, and definitely not accessible from outside the building either.  Now imagine that people who are trying to access those APs "publicly" were only allowed into those specific areas of the building during certain times of the day, and/or certain days of the week. 

So now what you have is a designated area of the building which provides free access to the AP during certain times of the day only, and the traffic on that wireless network is isolated on a completely separate VLAN, and is set up on its own interface on ISA which under no circumstances provides access to the Internal network, but only explicit access to web traffic on the External network.  Now imagine the company has an ample sized internet pipe able to support over 1000 computers but where internet bandwidth during non-business hours is hardly utilized, and the number of people who are accessing this "public" network during these non-business hours over wireless isn't in the hundreds, but likely less than 50 people, and more likely, much fewer than that during a given weeknight or weekend.

Now imagine this company or organization, who has the means to provide such access to the public without exposing themselves to a big security risk, does so in part to satisfy the stakeholders in the community who have helped to pay for the technology infrastructure as a whole. 

In certain cases... a single internet pipe and single ISA server may well be "enough" for some organizations.

quote:

Guest access will occur during the normal course of business hours, public access will occur during off-business hours.


As alluded to above, not everything has to be solved by technological means.  Maybe an organization or company allows "guest" access during business hours but does not allow the "public" in, and vice versa during off-business hours. 

quote:

I don't have nothing personal with you, so if I offended you in any way please accept my appologies.


No offense taken.  I just don't want someone who is considering doing something like this to suddenly discard the idea because of a statement like, "if public really means public(everybody) that's not the way to do it!" when in certain cases, it will be more than an adequate solution and you're doing them a disservice by saying it's not the way to do it.  On the other hand, I certainly hope that people strongly consider the potential pitfalls of a setup like this if it's not thoroughly planned out for the many different variables involved... which, I believe is what your good intention was (is).

JR


(in reply to Guest)
Post #: 15
RE: DMZ for wireless internet connection - 6.Nov.2006 4:55:07 AM   
Guest
First, about the original question:
No one can answer this question because you have already done it:
you have a particular network with particular needs, and so only a person that knows exactly what you need can answer it.
This is a good one:
quote:

not everything has to be solved by technological means

Oh no my friend, it is all about technology.
These words from me may sound weird because I've used a more poetic approach:
quote:

the secret of a weapon does not lie within, it lies within the arm that holds it, but the spirit will alway rise above the arm and weapon.

I will put the translation for them in just two words:
progress and evolution.
It is all about technology, progress and evolution. But when you have the right technology but not the right skills, it is useless. Even so, what comes up must come down.
I love these words from one of the links below:
quote:

Technology always gets better; it never gets worse.

And this is true no matter on which side of the barricade you are.
That's why today you have a state-of-the-art firewall like ISA.
That's why today you have chosen ISA over a simple traditional PIX.
quote:

Now imagine the company has an ample sized internet pipe able to support over 1000 computers. In certain cases... a single internet pipe and single ISA server may well be "enough" for some organizations.

Of course there are many scenarios; I did not say that. But again maybe it is my mistake, so I will try to be more specific:
the second Internet connection sometimes has little to do with bandwidth. It is becoming popular for companies that have recorded some success in their businesses, and definitely need to change their network infrastructure to support their growth, to host their own web servers, mail servers and other services. Because some of these services are vital they need to have a permanent Internet connection (you cannot achieve 100% but you must try to get as close as possible to that), so that's the purpose of the second Internet connection. Also at some moments (for some reasons) it is possible that one of the Internet lines does not provide adequate bandwidth, so the second line (even if at the beginning you needed it only for failover) comes into action. Today most firewalls support this type of scenario (even cheap ones do). It is a shame that ISA doesn't, but fortunately there are a couple of solutions available.

About the front-end firewall. Many scenarios are possible.
It is always a matter of cost. But when it comes to security nothing seems to be enough. One good reason to do that is to take away the anonymous traffic from the corporate firewall and to move within just "authenticated" traffic, the traffic that serves only the internal network and its dependencies. The anonymous web server and other stuff like this don't belong to that category. You have so many HTTP restrictions on ISA just to make sure you are allowing exactly what is needed. Even internal users aren't allowed to surf the Internet freely and are allowed just to browse only certain sites and are closely monitored. With anonymous traffic you can't do that.
The need for such a high level of security was the reason for the appearance of a firewall like ISA.
It is very common to have "something" in front of ISA for some reasons (a Cisco 1841 has some limited firewall capability, but for example can stop certain DoS from reaching your corporate firewall). Every little detail counts. It is all about details.
back to the "hot topic":
quote:

not everything has to be solved by technological means

quote:

Now imagine that those APs were setup so that their respective signals only reached a specific area of the building, or room, in which they were located.  In other words, just having those APs doesn't necessarily mean access to them is a free-for-all when a person is on premesis, and definitely not accessible from outside the building either.

WOW!!!
Is this a bad joke or what? Are you coming from the stone age?
Well, first, I'm just an ordinary guy who instead of going to have a beer took his time to answer some dumb questions.
Since I'm just an ordinary guy with enough common sense I've learnt a small thing:
Google is the best friend.
I've learnt that if I have a problem it is very likely that someone else is experiencing it. If I have something to resolve it is probable that someone else has the same problem to deal with and maybe it already has an answer.
So I'm used to hitting Google to find some answers. If I don't find them no matter how hard I'm trying, I have two big possibilities: I'm trying to do such a dumb thing that it is inconceivable, or I'm talking real business.
Just imagine that limiting the signal strength can be a security solution.
For every security solution that comes on the market you can bet that someone is "working" on it. And maybe he has an answer to it. It is all a matter of time and technology.
And guess what:
if someone smart finds a solution all the "dumb" people can benefit from it. Few people can explain how mobile phones work, or how computers work, but they do know how to use them.
From my tiny experience (I'm quite young actually) I have learnt one thing about wireless: if you want it secure and not open for public use you have just one option: lock it down with strong encryption and authentication, like 802.1x with a RADIUS server.
For your solution some people have already answered it a long time ago:
http://www.schneier.com/blog/archives/2005/08/wireless_interc.html
http://www.windowsecurity.com/articles/Wireless-Network-Security-Home.html
Otherwise, if you don't have a room completely sealed for radio waves there is no way you can do what you are saying. Read every good book, every article that takes a look at wireless security and you will not find anywhere the solution you have described above.
I can go and buy for just $60 an antenna with a 24 dBi gain. And they will give me a book with instructions also. With some quick searches on "some web sites" I will be ready to party in no time.
But if you lock down your WLAN you will have to solve the problem of how to allow guest access for roaming users. You can achieve this with the right hardware or the right software. If you are using the right hardware you will be notified of the risks and how to limit it to only a certain period..... (stuff like this) by the manufacturer.
You are saying that I'm using too general statements that do not apply to a particular environment.
When designing a particular environment, the starting points are the basic cautions to be taken, the basic questions why not to do this and that. Although this is a complex topic most of them start from a general approach which will be customised (if not, that is another story, but this story is way beyond your question). One thing that will probably be taken into consideration soon will be: to make a compromise for certain reasons. You can feel the rain like an English summer, but no matter what, it is still raining though. On wireless the basic cautions that are to be taken are very straight.
For me one thing is clear: you have no clue about modern wireless security and the risks of having a wireless LAN.
In my country we have a proverb; here is the appropriate translation:
"Not everything that flies can be eaten".
They say you can have ISA on SBS because, that's right, "it is secure". Is it so? Then why don't we have that option with ISA 2006?
Don't trust them my friend.
Why would you trust somebody you don't know?
Why would you trust me, or trust Tom, or Tarek, or Cisco, or MS?
We all have our reasons, good or bad, it is hard to know.
This recent article makes it very clear (if it is still necessary):
quote:

Don't belive it, prove it.

http://www.isaserver.org/tutorials/ISA-Server-2006-Kitchen-Utensil-Part1.html
That's right, there is only one way to answer this: test it yourself.
In the meantime, if you find the answer to your problem, write a book about it. Something like this:
"How to securely deploy an untrusted, non-encrypted, public WLAN through the corporate firewall for certain users".
It will be a best-seller.
For me there is only one answer: this is not the way to do it.
Bye!


< Message edited by adrian_dimcev -- 6.Nov.2006 7:28:24 AM >

(in reply to jrink)
  Post #: 16
RE: DMZ for wireless internet connection - 6.Nov.2006 9:19:35 AM   
jrink

 

Posts: 51
Joined: 22.Jul.2002
From: Wisconsin
Status: offline
You sure have a way of making me smile.  Your posts are some of the strangest I think I've ever read on a message board.

Continuing this is pointless... there comes a point of diminishing returns.

Regards
JR

(in reply to Guest)
Post #: 17
