Re: question on
Hi Clarence.

Where is the VPN in the diagram? If you run a VPN on your internal
network then you are in good shape: simply require all access to obsd-gw
to use the VPN. This is pretty good.

You can also require WEP to make it a bit more difficult to connect to
your wireless network. This is not very good, but it helps a bit.

You can also configure your wireless access point to deny clients which
have unknown MAC addresses.

You can also configure your obsd-gw to deny internal packets from
unknown IP addresses [then you should use static IP addresses on your
network].

Note that your weakest machine is your weakest link, so if you run an
unpatched Windows machine with "share C$ to all with no password" then
your IPSEC / VPN would be useless against a "copy and paste" attack of
your private key.

If you don't use a VPN internally you can still use the rest of the
suggestions.

Hope this helps,
ram

-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf
Of Clarence
Sent: Tuesday, March 05, 2002 05:54
To: misc@openbsd.org
Subject: question on
Hello,

For the couple of days, I spent most of the time studying the setup of
VPN, X509... for the infrastructure (LAN). However, I have one question
in my mind that confuses me very much. Let me present it with the
diagram listed below.

internet <--> openbsd-gw <--> internal LAN (wireless / wired)

The question is this: how can the sys admin guard against an illegal user
on the internal LAN using the facilities of the openbsd-gw? He may
know the IP of the openbsd-gw, DNS server. For example, he/she may use
a laptop with a wireless LAN and set up all necessary settings to use the
facilities of the GW. How can the sys admin control it? If it is stupid
question, please forget me. Thanks.

Clarence
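
The two gateway-side controls suggested in the reply above (require the VPN for all access to obsd-gw, or deny internal packets from unknown IP addresses), sketched as a pf.conf fragment. This is an added example, not part of the original thread; the interface name, the addresses and the table name are constructed assumptions.

```conf
# pf.conf fragment for obsd-gw (added example; all values are constructed)
int_if = "fxp1"            # assumed name of the internal LAN interface
gw_int = "192.168.1.1"     # assumed address of obsd-gw on the internal LAN

# Statically addressed machines that are allowed to talk to the gateway.
table <known_hosts> const { 192.168.1.10, 192.168.1.11, 192.168.1.12 }

# Default for the internal side: drop and log everything that is not
# explicitly passed below, so unknown hosts show up in pflog.
block in log on $int_if all

# With an internal VPN: the only cleartext traffic accepted from the LAN
# is IKE key exchange and ESP, addressed to the gateway itself.
pass in on $int_if proto udp from <known_hosts> to $gw_int port 500
pass in on $int_if proto esp from <known_hosts> to $gw_int

# Decapsulated IPsec traffic appears on enc0; pass it from there.
pass on enc0 all

# Without an internal VPN: replace the three pass rules above with the
# single rule below, which admits any traffic from the static addresses.
# pass in on $int_if from <known_hosts> to any
```

A client chooses its own source IP address, so the table-only variant raises the bar in the same limited way as the MAC filter; the VPN variant is the one that ties access to a key. Blocked packets from unknown hosts can be reviewed with `tcpdump -n -e -ttt -i pflog0`.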