Need for a firewall

  #1  
Old 05-27-2005, 04:37 PM



When reading about the best practices in deploying Wi-Fi into corporate
environment, it says that a firewall must be placed between the access
point and a switch in order to control traffic between the two.

If we use port-based authentication 802.1X, the access point acts as a
proxy server and will not allow external users to access the internal
wired network unless authentication succeeds.

Plus, the access point already features a firewall.

Do we need another firewall on top of that? If so, why?

Thanks.

Paul



paul_silverman@mail.com
  #2  
Old 05-27-2005, 04:45 PM
f/fgeorge
Re: Need for a firewall

On 27 May 2005 08:37:08 -0700, (E-Mail Removed) wrote:

>When reading about the best practices in deploying Wi-Fi into corporate
>environment, it says that a firewall must be placed between the access
>point and a switch in order to control traffic between the two.
>
>If we use port-based authentication 802.1X, the access point acts as a
>proxy server and will not allow external users to access the internal
>wired network unless authentication succeeds.
>
>Plus, the access point already features a firewall.
>
>Do we need another firewall on top of that? If so, why?
>
>Thanks.
>
>Paul

The AP firewall is NOT good enough to prevent anything but the script
kiddie attacks. A software or even better a dedicated hardware
firewall will stop the rest. A LOT of people put a Linux machine "on
the net" and then make all others go thru it. Never did it myself but
those that do say it is MUCH more secure than ANY Windows firewall.

  #3  
Old 05-27-2005, 05:48 PM
Duane Arnold
Re: Need for a firewall

(E-Mail Removed) wrote in
news:1117208228.689893.267740@g49g2000cwa.googlegroups.com:

> When reading about the best practices in deploying Wi-Fi into corporate
> environment, it says that a firewall must be placed between the access
> point and a switch in order to control traffic between the two.
>
> If we use port-based authentication 802.1X, the access point acts as a
> proxy server and will not allow external users to access the internal
> wired network unless authentication succeeds.
>
> Plus, the access point already features a firewall.


Yeah, what FW is that? Is that AP running true FW software or is that
some kind of marketing hype?

> Do we need another firewall on top of that? If so, why?
>
>


You should learn more about FW(s).

http://www.more.net/technical/netserv/tcpip/firewalls/

You should ask your questions at comp.security.firewalls too. I am sure one
of the Top Guns will help you there.

BTW, keep the wireless out of the trusted LAN zone.

Duane
  #4  
Old 05-27-2005, 05:48 PM
Jeff Liebermann
Re: Need for a firewall

On 27 May 2005 08:37:08 -0700, (E-Mail Removed) wrote:

>When reading about the best practices in deploying Wi-Fi into corporate
>environment, it says that a firewall must be placed between the access
>point and a switch in order to control traffic between the two.
>
>If we use port-based authentication 802.1X, the access point acts as a
>proxy server and will not allow external users to access the internal
>wired network unless authentication succeeds.
>
>Plus, the access point already features a firewall.
>
>Do we need another firewall on top of that? If so, why?


No. One firewall is sufficient. It's the firewall that supports the
802.1x authentication. The way it works is that a random wireless
user does not have access to the LAN without authentication except for
EAPOL packets destined to the RADIUS authentication server. Once an
accept frame is received, and the user is properly authenticated, then
the packets can go anywhere. This is quite sufficient for controlling
access to the network.

However, that's only one of many threats that involve corporate
security. Lately, my customers are more interested in detecting and
preventing leakage of internal sensitive data and documents, than in
intrusion issues. Machines leaking customer lists and business plans
are the issue. Same with security issues presented by Trojan Horse
infected desktops, laptops, and PDA's. As soon as we started sniffing
outgoing SMTP email traffic, for company key words, binaries, and
signs of Trojan Horse infections, we started finding security problems
and leaks. One company has officially banned and blocked all outgoing
binaries due to the security issues we found. I suggest you look at
corporate security from the standpoint of what are you trying to
protect, and detecting intrusions and leaks.

Also, back to 802.1x. The default re-authentication timeout is
usually 3600 seconds (1 hr), which methinks is too long for transient
wireless users, but just fine for desktops. I suggest a much shorter
re-authentication timeout.

You might wanna read:
"802.1X Port Access Control for WLANs"
http://www.wi-fiplanet.com/tutorials...le.php/3073201
"EAP Types"
http://www.wi-fiplanet.com/tutorials...le.php/3075481
Linux 802.1X Port-Based Authentication HOWTO
http://www.ibiblio.org/pub/Linux/docs/HOWTO/8021X-HOWTO


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
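The port behaviour described in post #4, as an added sketch that is not part of the original thread: a toy 802.1X authenticator port that passes only EAPOL (EtherType 0x888E) until the RADIUS accept arrives, then forwards any frame until the re-authentication timer runs out. The class and function names, the sample frames and the 300-second comparison value used when calling it are constructed for illustration.

```python
# Added illustration: toy model of an 802.1X authenticator port, not real AP code.
from dataclasses import dataclass

ETHERTYPE_EAPOL = 0x888E  # EAP over LAN: the only traffic passed before auth
ETHERTYPE_IPV4 = 0x0800

@dataclass
class Frame:
    ethertype: int
    note: str  # label for the constructed sample frames below

class AuthenticatorPort:
    def __init__(self, reauth_period=3600):  # 3600 s default, per the post
        self.reauth_period = reauth_period
        self.authorized_at = None  # None means the port is unauthorized

    def radius_result(self, accepted, now):
        # An accept opens the port; a reject closes it.
        self.authorized_at = now if accepted else None

    def is_authorized(self, now):
        # Simplification: expiry closes the port until the next accept. A real
        # authenticator starts re-authentication and closes only on failure.
        if self.authorized_at is None:
            return False
        if now - self.authorized_at >= self.reauth_period:
            self.authorized_at = None
            return False
        return True

    def forward(self, frame, now):
        # EAPOL always passes so the client can authenticate. Anything else
        # depends only on port state: no per-protocol or per-host filtering.
        return frame.ethertype == ETHERTYPE_EAPOL or self.is_authorized(now)

def run_timeline(reauth_period):
    """Replay constructed events; return (seconds, note, forwarded) tuples."""
    port, log = AuthenticatorPort(reauth_period), []
    events = [(0, Frame(ETHERTYPE_IPV4, "HTTP before auth")),
              (1, Frame(ETHERTYPE_EAPOL, "EAPOL-Start")),
              (2, "accept"),  # stands in for the RADIUS accept
              (3, Frame(ETHERTYPE_IPV4, "SMB to file server")),
              (1800, Frame(ETHERTYPE_IPV4, "telnet at 30 min"))]
    for now, event in events:
        if isinstance(event, Frame):
            log.append((now, event.note, port.forward(event, now)))
        else:
            port.radius_result(True, now)
    return log
```

Calling `run_timeline(3600)` and `run_timeline(300)` differs only in the last frame: at 30 minutes it is still forwarded under the one-hour default and dropped under the shorter period.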
  #5  
Old 05-27-2005, 08:26 PM
paul_silverman@mail.com
Re: Need for a firewall

Jeff,

Thanks a bunch, your post is the answer that I was looking for.

Paul.

All times are GMT.