[ale] kimset

Chris Ricker kaboom at gatech.edu
Wed Feb 12 11:51:43 EST 2003


On Wed, 12 Feb 2003, James P. Kinney III wrote:

> If a certificate based VPN is used to gain access to the network, then
> only those who are authorized gain any access at all. The war-driver
> will see a wireless signal and can get an IP address, but that's as far
> as it goes. Of course, this does require a dedicated PC to serve as the
> head end for the VPN. A spare old pentium box to allow connections from
> 3-4 wireless connections should be no problem.
> 
> wireless client<-->AP<-->VPN box<-->LAN<-->Firewall/gateway<-->Internet

You can also get a little more fancy. We did our office so that there are
two different wireless networks in the air. One is locked down as much
as wireless can be (require WEP, etc.). If you attach to that one, you're
put in a VLAN which terminates at an IPSec router which requires certs.
The other wireless network is wide-open. If you attach to it, you're put
in a separate VLAN which is completely firewalled off from the rest of the
network, and then we're doing QoS to bandwidth-limit that VLAN.

With a configuration like that, visitors to your office can still get on the
net to have Internet access w/o sucking your bandwidth (too much) or having
access to your corporate net (our visitors need access -- if yours don't,
this is way overkill ;-), and you can use the certificate-based VPN for
"full" access....

later,
chris
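
The two-VLAN layout described above, sketched as an nftables ruleset. This is an added example, not configuration from the original post. It assumes a single Linux router sits between both wireless VLANs, the wired LAN and the uplink; every interface name, address and rate in it is a made-up placeholder.

```nftables
#!/usr/sbin/nft -f
# Added example. All interface names, addresses and rates are assumptions.
flush ruleset

define guest_if  = "vlan20"        # wide-open SSID
define secure_if = "vlan10"        # locked-down (WEP) SSID
define lan_if    = "lan0"          # wired corporate LAN
define wan_if    = "wan0"          # uplink to the Internet
define ipsec_gw  = 192.168.10.1    # IPsec router that requires certs

table inet wireless {
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    # Guests get DHCP and DNS from this box, nothing else.
    iifname $guest_if udp dport { 53, 67 } accept
    iifname $guest_if drop
  }

  chain forward {
    type filter hook forward priority 0; policy drop;

    # Police the guest VLAN as a whole, both directions, before any accept.
    # This drops excess packets; true shaping would be done with tc.
    iifname $guest_if limit rate over 256 kbytes/second drop
    oifname $guest_if limit rate over 256 kbytes/second drop

    ct state invalid drop
    ct state established,related accept

    # Guest VLAN: Internet only.
    iifname $guest_if oifname $wan_if accept

    # Secure VLAN: only IKE, NAT-T and ESP to the IPsec router.
    iifname $secure_if ip daddr $ipsec_gw udp dport { 500, 4500 } accept
    iifname $secure_if ip daddr $ipsec_gw meta l4proto esp accept

    # Wired LAN keeps its normal outbound access.
    iifname $lan_if oifname $wan_if accept

    # Everything else (guest-to-LAN, secure-to-LAN, inbound to either
    # wireless VLAN) falls through to the drop policy.
  }
}
```

`nft -c -f <file>` parses the ruleset without applying it. How decrypted VPN traffic reaches the LAN depends on where the IPsec router's inside interface is attached and is not modelled here.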