[isf-wifidog] FirewallRuleSets & User Classes
Scott Tully
scott.tully at gmail.com
Wed 2 Mar 15:17:00 EST 2005
> I don't see any implementation problem with your approach. The following isn't
> at all meant to stop you from doing it this way.
Don't worry - it won't :-)
>
> If you gate access to your private network with wifidog, there are two
> reasonably easy ways to attack it.
>
> The easiest and most obvious one is to simply spoof the MAC address of someone
> currently using the protected subnet. That requires someone to be using the
> connection at the time of the attack.
True, but that doesn't mean we should not try... After all, locks on
doors only keep out honest people. A thief will always find a way in.
Still, I sleep better with my door locked at night..
>
> The second is that using wifidog to gate a private subnet breaks one of the
> assumptions of our security architecture: We assume that the worst that can
> happen if you trick the gateway is for someone to access the internet without
> control. So to keep wifidog simple and really small the connection with the
> server isn't encrypted. This wasn't a problem, since if you are in a
> position to do a man-in-the-middle attack you ALREADY have internet access.
> Now if you use it to gate a private subnet, that assumption is no longer
> true. It's not a terminal flaw since all wireless traffic is in the clear
> anyway, but it's something to keep in mind.
Thank you, I will. That's the nice thing about the way you have the
FirewallRuleSet defined. You can really customize each class very
easily... An individual can block or allow anything... I suppose the
"global rules" could be used to create a walled garden as well...
>
> > BTW- Sorry if I am being too enthusiastic about your project. I don't
> > want to seem like a bully, or too aggressive... I just want to use the
>
> Don't worry about that: overenthusiasm is good, constructive criticism even
> better!
I will have more constructive criticism after a week or two. Most of
the feedback will probably be on the authserver ui, but I'll get to
that later when I start living in that code...
Overall I am very impressed! Great job!!
Scott
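The per-class FirewallRuleSets and the "global rules" walled garden discussed above, as an added example that is not part of this thread and not the WiFiDog project's own shipped wifidog.conf. The rule-set names (global, unknown-users, validating-users, known-users, locked-users) are the ones wifidog defines; the addresses (10.0.0.0/8 as the private subnet, 192.0.2.10 as the auth server, 192.0.2.20 as a portal host) are placeholders. The defensive point it makes: the private subnet is opened only to known-users, so an unauthenticated or still-validating client, and anyone who tricks the gateway into treating them as one, gets no further than the walled garden.

```conf
# Added example wifidog.conf fragment (not from the thread or the project).
# Addresses are placeholders; rule-set names are the ones wifidog uses.

# Applied to every class except locked-users: the "walled garden".
# Before login a client can reach only the auth server and a portal host.
FirewallRuleSet global {
    # auth server (placeholder address)
    FirewallRule allow tcp port 80 to 192.0.2.10
    FirewallRule allow tcp port 443 to 192.0.2.10
    # local portal host (placeholder address)
    FirewallRule allow tcp port 80 to 192.0.2.20
}

# Unauthenticated clients: DHCP and DNS only; wifidog redirects the rest
# to the portal.
FirewallRuleSet unknown-users {
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
    FirewallRule allow tcp port 67
}

# Accounts still being validated get the internet but never the private
# subnet: the block line must come before the catch-all allow.
FirewallRuleSet validating-users {
    FirewallRule block to 10.0.0.0/8
    FirewallRule allow to 0.0.0.0/0
}

# Authenticated users: the private subnet plus the internet. This is the
# only class for which the private subnet is opened.
FirewallRuleSet known-users {
    FirewallRule allow to 10.0.0.0/8
    FirewallRule allow to 0.0.0.0/0
}

# Locked accounts: nothing at all (global rules do not apply here).
FirewallRuleSet locked-users {
    FirewallRule block to 0.0.0.0/0
}
```

Rules are appended to the gateway's iptables chain in the order written, so within a set the first matching line wins; that is why the block for the private subnet precedes the 0.0.0.0/0 allow in validating-users.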
More information about the WiFiDog mailing list