I have a question regarding the network setup with
smallbiz. I'm in the process of setting up the network now
and I came across this site
( http://www.smallbizserver.net/sbs2000/network.aspx ). Is
this the way that I should be setting up my network? I
will have a cable modem, next in line will be the Linksys
Wireless Router/Firewall and then out from there into a
switch where all the computers including the server will
be attached. Should I have it set up this way or should I
have the SmallBiz Server set up with 2 NICs and have it
before the switch?

If anyone can help me and let me know what your thoughts
are setting this up with the above hardware, it would be
greatly appreciated.

Thanks, Mike

Re: network question?? by Mike

Mike
Tue Jul 22 12:03:10 CDT 2003

Jeff,

You just made a lot of things more clear for me. Thank you
very much. I just have one question. When you mean to have
the WAP on a dead-end subnet, do you mean to set up a DMZ
and put it there??

I also have another question. This WAP is going to be used
for wireless printing to a print server also. Obviously,
this WAP WILL need to be inside the LAN in order for that
to happen. If setting up a DMZ (like I think you're
talking about), will this still work??

>-----Original Message-----
>I think the real problem is that a firewall with a Wireless Access Point
>(WAP) built in just doesn't make sense if the WAP connects "inside the
>firewall" given that conventional thinking is that Wireless invites
>connections you don't trust, if not only indirectly.
>
>The general theory on firewall design in a LAN is that you want to have a
>firewall between your trusted LAN and any segments, entries or connections
>you don't fully trust. Therefore, you want a firewall between you and the
>Internet. Next, you look at the wireless connection, and you probably don't
>want to trust it, someone can be outside your building looking into your LAN
>over the wireless link. Therefore, you really don't want to put the WAP
>inside your LAN, you want it outside of a firewall. Now you look at the combo
>device you have here (Linksys) and it probably has the firewall only on the
>external WAN port, and the WAP is connected into the hub/switch
>side.....therefore you have the firewall on the wrong side of the WAP to
>protect you.
>
>What if you did have the WAP outside your LAN firewall, between your ISA
>server and the gateway to the Internet? What do you have there? Cool, you
>just created a hotspot WAP for the general public to use your Internet
>connection for free! Hmm. Not the intended result there. What you really
>want is to have the WAP on a dead-end subnet that isn't trusted by your LAN,
>and doesn't have access to the web without authenticating first to get
>there.
>
>What makes more sense is to have a separate device for the WAP and the
>firewall. Assume that you have ISA on your SBS as your primary firewall to
>the Internet. If you do that, then you now simply connect the hardware
>firewall as another device on your LAN (not going to the web itself), then
>connect the WAP on the WAN port of the firewall, and now you have the
>problem solved. This little dead-end segment has the WAP trapped on a subnet
>outside the LAN, and the hardware firewall traps the traffic from entering
>without authenticating first, assuming that you can configure the hardware
>firewall to support a remote authentication.
>
>The alternative is to do the same logic by using another connection to the
>SBS, the so-called 3-NIC solution where the ISA server authenticates the
>users on the WAP.
>
>Turns out that wireless connections make a mess of security planning, and
>it's not just for an SBS, it's the entire concept of a private link you don't
>trust that you want to connect to your LAN anyway.
>
>"Javier Gomez" <javier_gomez@remove-this-bit.engineer.com> wrote in message
>news:euQLh6$TDHA.1552@TK2MSFTNGP10.phx.gbl...
>> I definitely wouldn't change ISA for a Linksys firewall... I recommend
>> you to read a lot of SBS before you start installing it for real (do some
>> test installs first)
>>
>> The way I see it you have two options:
>>
>> a) Put the Linksys box in front of the SBS box (as a second firewall) and
>> VPN your wireless users onto the network (this could be very secure...
>> since even your wireless portion is not inside your LAN). The downside is
>> that you need to configure another thing in your network (which can be
>> easy) and you need to set up VPN for your wireless users.
>>
>> b) Put the Linksys box in the network side of SBS... turn off DHCP and
>> don't use its firewall. The good thing is that it may be easier to
>> configure... the downside is that you will have wireless portion of your
>> network inside your LAN and that may not be a good thing.
>>
>> I think either way is okay... it depends on how much you want to work.
>>
>> HIH,
>>
>> Javier
>>
>> "Mike" <spyder@comcast.net> wrote in message
>> news:04cc01c34ff2$b2f5d0c0$a601280a@phx.gbl...
>> > Thanks for the reply. How do I incorporate the wireless
>> > router/firewall into that? Do I leave it where it is, or
>> > do I put it behind the server and then just let the server
>> > act as the firewall? I originally planned on using the
>> > Linksys as the firewall along with the wireless services
>> > that it will be handling.
>> > This SBS is new to me, and from what I'm reading, there
>> > seems to be a lot of features that I'm not aware of yet.
>> > In about two weeks, is when I plan on deploying this
>> > network, so I need to get all my questions in now.
>> >
>> > Thanks for the help....
>> >
>> > >-----Original Message-----
>> > >You really need two NICs for a variety of reasons, mainly security from the
>> > >Internet side. ISA will not function properly without two - having the LAN
>> > >on one NIC and the Internet on the other is how ISA prevents THEM from
>> > >getting at YOU : )
>> > >
>> > >See KB article 306802 "How to Configure Small Business Server for Full Time
>> > >Internet Access with Two Network Adapters"

Re: network question?? by Jeff

Jeff
Tue Jul 22 12:39:10 CDT 2003

It's about now that I wish that OE supported a sketch mode! :)


            web
             |   public subnet
      SBS/ISA firewall
             |   private LAN
         Your LAN
             |
     Hardware Firewall
             |   DMZ/private address space
            WAP

Essentially, this is creating DMZ by treating the world beyond the hardware
firewall in the same manner you would the web, it's just that you only have
the private WAP subnet out there.

Now, if you use this for wireless printing, the thing you probably want to
do is configure the standard WiFi security and authentication, and if
possible (meaning if the WiFi product you use supports it), try to use an
additional, stronger form of security to limit the access. Maybe the WiFi
print server supports IPsec tunneling, but that's not likely. You could use
MAC address security on the firewall, if it supports that. Probably about
the best you can do is to configure all the ports blocked except for what is
required to do the printing... but you have to be careful on this because
it's the same ports here that are your risk of attack inside the LAN on
NetBIOS ports. Therefore, you could consider using one of various IPP
(internet protocol printing) services, or just tighten down whatever
features you can to limit the scope of what can be used on this. For one
thing, you could limit the ability of the firewall to forward to any gateway
in the LAN, therefore it couldn't provide web access to an intruder. You
could configure the router to only publish connections to the server hosting
the printer.

The way you approach this will vary based upon your perception of risk and
control needs, and mostly what you are trying to do is simply make this WAP
a lower value target to hack, with less functionality extended to anyone
trying to break into it.

Obviously, if you had computers on this WAP, you would look into using VPN
to authenticate into the LAN via a VPN passthrough or VPN host feature on
the firewall. The printing becomes a tricky problem because authenticating
it is more difficult, not a common feature.

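
Added example (not part of the thread and not any poster's configuration): a small Python model of the hardware firewall between the dead-end WAP segment and the LAN, auditing a permissive ruleset and a tightened one against the goals Jeff lists (no NetBIOS ports, no path to the LAN gateway, only the print host published). All addresses, the rule format and the use of IPP on TCP 631 for the print path are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration; none of it comes from the thread.
WAP_NET = ip_network("192.168.50.0/24")    # dead-end wireless segment
LAN_NET = ip_network("192.168.16.0/24")    # trusted LAN behind SBS/ISA
PRINT_HOST = ip_address("192.168.16.20")   # LAN server hosting the printer
LAN_GATEWAY = ip_address("192.168.16.2")   # SBS/ISA inside address
NETBIOS_PORTS = {137, 138, 139, 445}       # Windows file/print sharing
IPP_PORT = 631                             # Internet Printing Protocol

# Rule: (action, source net, destination net, protocol, port or None for any)
WEAK = [
    ("allow", WAP_NET, LAN_NET, "tcp", 139),   # NetBIOS printing to whole LAN
    ("allow", WAP_NET, LAN_NET, "tcp", 80),    # web proxy reachable
]
TIGHT = [
    ("allow", WAP_NET, ip_network("192.168.16.20/32"), "tcp", IPP_PORT),
]

def verdict(rules, src, dst, proto, port):
    """First matching rule wins; anything unmatched is dropped."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s_net, d_net, r_proto, r_port in rules:
        if (src in s_net and dst in d_net and proto == r_proto
                and r_port in (None, port)):
            return action
    return "deny"

def audit(rules):
    """List the ways a ruleset departs from the dead-end segment design."""
    findings = []
    for action, s_net, d_net, proto, port in rules:
        if action != "allow" or not s_net.overlaps(WAP_NET):
            continue
        if port is None or port in NETBIOS_PORTS:
            findings.append(f"NetBIOS/SMB exposure: {proto}/{port} to {d_net}")
        if LAN_GATEWAY in d_net:
            findings.append(f"gateway reachable: {proto}/{port} to {d_net}")
        if d_net.num_addresses > 1 or PRINT_HOST not in d_net:
            findings.append(f"destination wider than print host: {d_net}")
    return findings

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("TIGHT", TIGHT)):
        print(name, audit(rules) or "no findings")
```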