Re: [SLUG] Wireless Routers and Bridges

From: steve szmidt (steve@szmidt.org)
Date: Sat Jan 08 2005 - 12:17:51 EST


On Saturday 08 January 2005 11:18 am, perthie wrote:
> <snip>
>
> > Now I am more confused than I was. The issue to me is not clear. So let me
> > explain what we have and what I need and then maybe someone can advise me.
> >
> > There are 3 existing computers in our second office. Two can communicate
> > with each other and with the outside world by wireless. One, mine, can not
> > communicate with the other two computers as that is not desirable from an
> > employment perspective. I can communicate with the outside world. If I
> > added a fourth computer with a fourth wireless router/bridge it would need
> > to be set so that it could not communicate with any other computer by
> > wireless, only communicating with the outside world. A firewall is not
> > desirable in this router/bridge, as the system to be connected would be a
> > SuSE 9.2 which, as you are aware, has internal firewall capabilities, nor
> > would normal routing action be required, only straight in, straight out.
> >
> > Under these circumstances can a wireless router [normally used to connect
> > to the line side] be used as a wireless bridge [normally connected to the
> > computer side]?
> >
> > Thanks
> >
> > Frank

Yes, people have been giving misleading information here. You ask the wrong
question. It probably should be: how do I connect these so they work the way I
want them to?

You have different ways to flog that network. And each way is very simple to
do.

You can have a three-way firewall where each NIC connects to A. the internet,
B. your PC subnet and C. the subnet with the two PCs. Now you can specify where
each packet can go. You can add that 3rd NIC to your SuSE machine.

I prefer this one as I have full control of what it does. Commercial firewalls
are not as reliable as the ones you make yourself if you know how. What
happens all the time with commercial solutions is that they are first and
foremost controlled by financial interest, not technological. Whereas, for
example, an OpenBSD box is entirely driven by technology (and has the best
firewall technology of all the OSes).

You can create two different subnets and not include the gateway to find the
other subnet. This is weaker from a security viewpoint as someone who rooted a
machine can add the route themselves on the hacked machine.

As far as your 4th computer, add one more subnet for it.

Another note. A firewall should be dedicated to being a firewall. The
problem with your SuSE box is that it runs all sorts of programs. Each one is
a potential door for a hacker.

With a dedicated box it ONLY runs as a firewall and thus has a much smaller,
and more manageable, number of programs running, since they are always the
same.

You should ALSO have each box configured with its OWN firewall. The reason
for this is that security is NOT solved by simply putting up a firewall. It's
a multi-pronged solution, where more is better.

Today a script kiddie (one who does not know how things work and just executes
scripts) can gain various kinds of access which are simply not solved with a
firewall. Security is a multilevel approach. I bet none of the PCs you have
really needs to allow anyone into them, except for a function or two. So you
lock everything else down.

I use an old PI 266MHz PC as my firewall. It has all of 48MB RAM and is able
to handle any network load you could throw at it.

Remember a firewall has to have holes in it to let any traffic through, like
web browsing and email, which is what most viruses use to spread. So your
firewall is quite useless at stopping spyware and viruses.

I like locking down firewalls for both inbound and outbound traffic so only
the specific ports I need are open. This makes it less likely for a request
from malware (running on one of my PCs) to connect back out to its master,
which in turn could let him back into my computer.

A final note. It does NOT matter what you have on your computer as far as
being a deciding factor for a hacker to attack you. He does not even know
before he hacks you. Nor is he likely to care.

What he looks for is typically a machine other than his that he can use to
attack someone else from, and a place to hide his tools. You could, for
example, become part of a spammer's spam network without you ever knowing.

Then there's the not very likely but potential situation that the FBI, chasing
down the path to a hacker who's using your PC, gets the idea you are involved.
At which point they will grab ALL the computer equipment they can. You may see
it six months later when they finish their investigation.

The law is usually not very good at the technical end and is prone to making
errors. Which is why they often try to convert a hacker to work for them when
possible.

-- 

Steve Szmidt

"They that would give up essential liberty for temporary safety deserve neither liberty nor safety." Benjamin Franklin

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.
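The three-way OpenBSD firewall Steve describes, written out as an added example of a pf.conf that is not part of the original post or of any list member's setup: one NIC per subnet (internet, Frank's PC, the two shared PCs, and a fourth subnet for the new machine), default deny in both directions, each inside subnet allowed out to the internet on a short list of ports and never forwarded to another inside subnet. The interface names, the private address ranges and the port lists are assumptions chosen for illustration; adjust them to the real office network. The pattern follows the OpenBSD PF FAQ router layout (a `match ... nat-to` rule plus `pass in` on the inside interfaces and `pass out` on the external one).

```pf
# Added example, not from the original mailing-list post. All interface
# names, addresses and port lists below are assumptions.
ext_if    = "em0"   # A. the internet
mine_if   = "em1"   # B. Frank's PC, on its own subnet
shared_if = "em2"   # C. the two PCs that may talk to each other
new_if    = "em3"   # the 4th computer, also isolated on its own subnet

mine_net   = "192.168.1.0/24"
shared_net = "192.168.2.0/24"
new_net    = "192.168.3.0/24"

# Every inside subnet, so a rule can say "anywhere except inside".
table <internal> const { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 }

# Outbound services the office actually needs; nothing else gets out.
tcp_out = "{ 80, 443, 25, 110, 143, 993, 995 }"
udp_out = "{ 53, 123 }"

set skip on lo0
set block-policy drop

# Hide the inside subnets behind the external address.
match out on $ext_if inet from <internal> to any nat-to ($ext_if)

# Default deny, both directions, logged so you can see what tried to leave.
block log all

# The firewall itself may resolve names, set its clock and fetch patches.
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_out
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_out

# Each inside subnet may reach the internet only. "to ! <internal>" means a
# packet bound for another inside subnet is never forwarded, even if a rooted
# host adds its own route; the firewall, not the host, decides.
pass in on $mine_if   inet proto tcp from $mine_net   to ! <internal> port $tcp_out
pass in on $mine_if   inet proto udp from $mine_net   to ! <internal> port $udp_out
pass in on $shared_if inet proto tcp from $shared_net to ! <internal> port $tcp_out
pass in on $shared_if inet proto udp from $shared_net to ! <internal> port $udp_out
pass in on $new_if    inet proto tcp from $new_net    to ! <internal> port $tcp_out
pass in on $new_if    inet proto udp from $new_net    to ! <internal> port $udp_out

# Let the forwarded, now translated, traffic leave on the external interface.
pass out on $ext_if inet proto { tcp udp } from <internal> to any

# Deliberately no "pass in on $ext_if" rule: nothing from the internet is
# allowed to initiate a connection to any machine behind this box.
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. Because the only rule that could pass traffic between inside subnets is absent, a host on 192.168.1.0/24 cannot reach 192.168.2.0/24 no matter what routes it adds; that is the difference from the "two subnets with no route" setup, where the isolation depends on the hosts themselves. The outbound port lists are where the "firewall has to have holes" point bites: if web and mail are open, malware that speaks HTTP still gets out, so the per-host firewalls and the short list of services are what limit that.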



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:07:29 EDT