Ashley M. Kirchner wrote:
> Craig White wrote:
>> generally the preferred method is to require a VPN to connect the LAN
>> through a wireless system given the security implications of wireless.
>>
> I can't enforce that on all of our clients. Some of them barely know
> how to properly turn off their computers...
>
>> that notwithstanding though, if you use a dhcp server OTHER than the
>> Linksys device, you can assign a useless gateway address to specific
>> clients which in effect would not allow them to get to any network other
>> than the network which they can directly access
> Of course, I didn't think of DHCP. Yes, the Linux server would be
> running DHCP and the WAP would get its IP from that. I just need to
> figure out how to tell it to have connecting clients fetch an IP from
> the linux server once I turn off its internal DHCP.
>
With most access points, this is not a problem. They just pass on the
DHCP requests to the rest of the network, and the DHCP server responds.

> This whole thing is probably more convoluted than it really needs to
> be but the gist of it is, when someone walks in with their laptop, we
> want them to be able to connect to the WAP and only able to see one
> single network drive (which is on the same Linux server) so they can
> drop files for us. The server itself is also connected to our internal
> network so our internal machines can get to it as well, however the WAP
> can't go "through" the server and see our internal network.
>
> However, if one of our employees were to bring in their laptop, they
> can connect to the same WAP and would be able to see everything
> "through" that server and access everything on the network (and
> internet.) So there's some configuration that I need to figure out on
> the linux server to start with. On the one hand, if an unknown client
> connects, issue a dummy IP that won't have any network routing, but that
> would still allow a local drive to be "seen" on that dummy network, and
> if a known client connects, issue a valid (internal) IP so they can
> work. Hrm. I wonder if the server itself also needs to have a dummy IP
> so it can communicate with whatever dummy IP gets issued...
>
It is not hard to have 2 IP addresses on one NIC. It is also fairly easy
to set up the DHCP server with 2 pools of addresses. One pool for
customers, and one for employees. You can use the MAC address to assign
IP addresses for company and employee machines that you know about. The
hard part is from people spoofing MAC addresses, or using their own
address.

For limiting Internet access, you could set up a proxy server. Limiting
access to the rest of the network is hard. Someone that knows what they
are doing can ignore the settings from the DHCP server.

What you may want to do is to have 2 NICs on the server, and the access
point connected to one of them. That way, all wireless connections have
to go through the server, and its firewall rules. You can then have a
program on the server that will change the IP tables rules to let a
specific machine access the rest of the network.

But having employees set up a VPN connection would be a lot more secure.

Mikkel

-- 
Do not meddle in the affairs of dragons, for thou art crunchy and taste
good with Ketchup!
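The following is an added example, not code posted by anyone in this thread. It sketches the layout Mikkel describes: the access point on its own NIC of the Linux server, an ISC dhcpd configuration with two pools chosen by MAC address (employees get the server as their router, everyone else gets no router at all), and iptables rules that let the wireless side reach only DHCP and the drop-off share on the server, with a helper that opens forwarding for one known machine. Interface names (eth0/eth1), the 192.168.50.0/24 subnet, the Samba ports and the employee MACs are constructed assumptions. The firewall helpers print the iptables commands by default so the script can be inspected without root; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: dhcpd pools + iptables rules for a server
# with two NICs, where all wireless clients must pass through the server.
# Every interface, subnet, port and MAC below is a constructed assumption.

LAN_IF=eth0                    # internal network side (assumed)
WIFI_IF=eth1                   # access point plugged into this NIC (assumed)
SERVER_WIFI_IP=192.168.50.1    # server's address on the wireless segment
SHARE_PORTS="139 445"          # assumes the drop-off drive is a Samba share
EMPLOYEE_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"   # constructed sample MACs
IPT="${IPT:-echo iptables}"    # dry run by default; IPT=iptables to apply

# Print a dhcpd.conf fragment: one subnet, two pools selected by a MAC class.
gen_dhcpd_conf() {
  printf 'class "employees" {\n  match hardware;\n}\n'
  for mac in $EMPLOYEE_MACS; do
    # "1:" is the ethernet hardware type prefix dhcpd expects
    printf 'subclass "employees" 1:%s;\n' "$mac"
  done
  cat <<EOF
subnet 192.168.50.0 netmask 255.255.255.0 {
  pool {
    allow members of "employees";
    range 192.168.50.10 192.168.50.99;
    option routers $SERVER_WIFI_IP;
    option domain-name-servers $SERVER_WIFI_IP;
  }
  pool {
    deny members of "employees";
    range 192.168.50.100 192.168.50.199;
    # no router option handed out: guests stay on the wireless segment
  }
}
EOF
}

# Base policy: the wireless NIC may reach only DHCP and the share on the
# server itself; nothing is forwarded to the LAN unless allow_employee adds
# a rule for that machine.
gen_firewall_rules() {
  $IPT -P FORWARD DROP
  $IPT -A INPUT -i "$WIFI_IF" -p udp --dport 67 -j ACCEPT
  for p in $SHARE_PORTS; do
    $IPT -A INPUT -i "$WIFI_IF" -d "$SERVER_WIFI_IP" -p tcp --dport "$p" -j ACCEPT
  done
  $IPT -A INPUT -i "$WIFI_IF" -j DROP
  $IPT -A FORWARD -i "$LAN_IF" -o "$WIFI_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Open forwarding for one employee machine, keyed on both its MAC and the IP
# it was leased. This narrows, but does not defeat, the MAC spoofing Mikkel
# warns about; a VPN remains the stronger control.
allow_employee() {
  mac=$1; ip=$2
  $IPT -I FORWARD -i "$WIFI_IF" -o "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
}

# Remove the rule again when the machine leaves (same match as above).
revoke_employee() {
  mac=$1; ip=$2
  $IPT -D FORWARD -i "$WIFI_IF" -o "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
}
```

Note that only the `allow_employee` rule mentions the LAN interface as an output, so a guest whose lease omits a router option and whose packets never match a forwarding rule can see the share and nothing else, even if they assign themselves an address by hand.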