Wednesday, January 27, 2010

firewall-wizards Digest, Vol 45, Issue 12

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Is it possible to control access between clients on same
LAN with a firewall? (William Fitzgerald)
2. Re: Is it possible to control access between clients on same
LAN with a firewall? (Paul D. Robertson)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Jan 2010 17:03:02 +0000
From: William Fitzgerald <wfitzgerald@4c.ucc.ie>
Subject: Re: [fw-wiz] Is it possible to control access between clients
on same LAN with a firewall?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <4B5F2046.6090702@4c.ucc.ie>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi everyone,

Thanks for the constructive feedback.

I'll read into the proposed areas such as private vlans and the possible
configurations of vlans within dd-wrt.

I now know what some of the terminology used is (private vlan etc) in
order to hone in on the correct types of documentation to read.

kind regards,
Will.

PS: This reply may not get to you for some time, as I seem to need
moderator approval to post to the list.


Pete.LeMay wrote:
> To accomplish the isolation, you should take a look at features of the switch.
>
> I found a few articles showing dd-wrt supports multiple vlans that would effectively isolate users on the wireless side. I didn't read anything more than the short description on google though. In the enterprise, I suggest you read up on private vlans.
>
> You could also look at ipsec policies in windows to limit the machines that can talk to each machine.
>
> Hope this points you in the right direction,
>
> Pete
> -----Original Message-----
> From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of William Fitzgerald
> Sent: Monday, January 25, 2010 11:22 AM
> To: firewall-wizards@listserv.cybertrust.com
> Subject: [fw-wiz] Is it possible to control access between clients on same LAN with a firewall?
>
> Dear all,
>
> I was just wondering how people control access amongst machines on the same subnet (LAN) that are protected by the same firewall.
>
> In my case, the firewall is a home router (WRT54G) running DD-WRT, so iptables is the firewall there.
>
> Presumably as with all firewalls, once a packet is not being sent to the firewall itself or forwarded through the firewall towards another network, the firewall will not protect machines behind the firewall from each other. Perhaps as a result of the built-in switch, packets don't get up to layer 3 and so the firewall is oblivious to inter-LAN packet traffic.
>
> It would be nice to be able to restrict some LAN clients from talking to each other, perhaps by layer 3 filtering. For example, it may make sense to prohibit the network printer from talking to a web server and vice versa.
>
> Is there a way to force/make it easier for the firewall to inspect inter-LAN packets? Perhaps examining packets at layer 2 could capture this.
>
> I understand that one solution would be to install a local firewall on each machine.
>
> This is just a general question, so that I might better understand the area of "inter-LAN" protection.
>
> While it may be possible to have a firewall to not just protect traffic from Internet to LAN and LAN to Internet but also LAN to LAN, it may not be a practical thing to do.
>
> Any comments or insights are welcomed.
>
> regards,
> Will.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

--
________________________________________
William M. Fitzgerald (MSc, BSc)
PhD Student,
Cork Constraint Computation Centre,
Computer Science Dept.,
University College Cork,
Cork,
Ireland.
----------------------------------------
www.williamfitzgerald.net
www.linkedin.com/in/williamfitzgerald
http://4c.ucc.ie/web/people.jsp?id=143
________________________________________

------------------------------

Message: 2
Date: Wed, 27 Jan 2010 10:57:21 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Is it possible to control access between clients
on same LAN with a firewall?
To: wfitzgerald@4c.ucc.ie, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.1001271043570.3959-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 25 Jan 2010, William Fitzgerald wrote:

> Dear all,
>
> I was just wondering how people control access amongst machines on the
> same subnet (LAN) that are protected by the same firewall.
>
> In my case, the firewall is a home router (WRT54G) running DD-WRT, so
> iptables is the firewall there.

I'm going to give you the non-firewall, imperfect but quick and easy
solution because with my quick reading of the postings I've approved, I
didn't see anyone suggest it yet- and it works no matter what you're using
as a router, assuming that it operates normally, and someone hasn't been
too clever in making it work...

Supernet the router, so use something like say 10.10.0.0/255.255.0.0 as
the "internal" network on the router. From here, you'll either need
relatively smart devices where you can assign routes, or virtual addresses on
the internal router interface if you've got more than one "dumb" device.
Let's say we're going to assign the router 10.10.3.1.

Now, let's assume 2 computers, a printer and a Wii...

Give the desktop 10.10.1.0/255.255.255.0 as its subnet and assign it an
address, say 10.10.1.111. Add a static route to the netbook if you need
to share files/printers just putting its address in your routing table as
an interface route. Now add a static interface route to the router's
10.10.3.1 address (something like 'route add host 10.10.3.1 netmask
255.255.255.255 gw en0')

Give the printer 10.10.1.0/255.255.255.0 as well, as you'll be printing to
it from the desktop. It doesn't need to reach the Internet, so it doesn't
get to route there.

Give your Netbook 10.10.2.0/255.255.255.0 as its subnet and assign it an
address, say 10.10.2.20. Print through a queue on the desktop if
necessary.

Give your Wii 10.10.3.0/255.255.255.0 as its network and give it an
address in that range. The Wii probably can't add host routes, so it
needs to be on the same subnet as the router.

That's it. It won't stop an attacker who can add routes, but it'll stop
anything automatic, anyone who's dumb and 90% of the network
administrators on the planet from getting from any single device to any
other that's not a "normal" communication.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
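
The addressing scheme Paul describes, worked through as an added example (this is not code from the post, from the list, or from DD-WRT): each device carries its own routing table, and a longest-prefix-match lookup decides whether a packet can be sent at all, directly over the switch, or only by handing it to the router. The router, desktop and netbook addresses and the host routes are taken from the post. The printer and Wii addresses, and the re-addressed attacker, are constructed for the example. The router's hairpin_allowed flag is an assumption standing in for whether its FORWARD chain lets a packet go back out the LAN interface it arrived on; that is the one thing a real DD-WRT box would have to be checked for before trusting the result.

```python
from ipaddress import ip_address, ip_network


class Host:
    """One device on the shared switch, with its own routing table."""

    def __init__(self, name, addr, prefixlen, default_gw=None):
        self.name = name
        self.addr = ip_address(addr)
        self.routes = []                       # (network, gateway); gateway None = on-link
        self.add_route(f"{addr}/{prefixlen}")  # the interface route
        if default_gw is not None:
            self.add_route("0.0.0.0/0", via=default_gw)

    def add_route(self, cidr, via=None):
        gw = None if via is None else ip_address(via)
        self.routes.append((ip_network(cidr, strict=False), gw))

    def on_link(self, addr):
        return any(gw is None and addr in net for net, gw in self.routes)

    def next_hop(self, dst):
        """Longest-prefix match. Returns the address the frame is sent to,
        or None when nothing usable matches (a gateway must itself be on-link)."""
        matches = [(net, gw) for net, gw in self.routes if dst in net]
        if not matches:
            return None
        _, gw = max(matches, key=lambda m: m[0].prefixlen)
        if gw is None:
            return dst
        return gw if self.on_link(gw) else None


class Router(Host):
    """The DD-WRT box with a /16 on its LAN side. hairpin_allowed is an
    assumption: does its FORWARD chain pass a packet back out the interface
    it came in on? Check the real box with 'iptables -L FORWARD -v'."""

    def __init__(self, addr, prefixlen, hairpin_allowed):
        super().__init__("router", addr, prefixlen)
        self.hairpin_allowed = hairpin_allowed


def can_deliver(src, dst, router):
    """One way: does a packet from src reach dst's address?"""
    hop = src.next_hop(dst.addr)
    if hop is None:
        return False
    if hop == dst.addr:
        return True                      # delivered directly across the switch
    if hop == router.addr:               # handed to the router to forward
        return router.hairpin_allowed and router.next_hop(dst.addr) == dst.addr
    return False                         # any other gateway is out of scope here


def can_talk(a, b, router):
    """Two way: the request and the reply both need a path."""
    return can_deliver(a, b, router) and can_deliver(b, a, router)


def build_lan(hairpin_allowed):
    """The topology from the post: router 10.10.3.1/16; desktop 10.10.1.111/24
    and netbook 10.10.2.20/24, each with a /32 host route to the router and a
    default route through it; printer in 10.10.1.0/24 with no gateway; Wii in
    10.10.3.0/24. Printer and Wii addresses are constructed for the example."""
    router = Router("10.10.3.1", 16, hairpin_allowed)
    desktop = Host("desktop", "10.10.1.111", 24, default_gw="10.10.3.1")
    desktop.add_route("10.10.3.1/32")      # the host route Paul sketches
    printer = Host("printer", "10.10.1.50", 24)
    netbook = Host("netbook", "10.10.2.20", 24, default_gw="10.10.3.1")
    netbook.add_route("10.10.3.1/32")
    wii = Host("wii", "10.10.3.40", 24, default_gw="10.10.3.1")
    hosts = {h.name: h for h in (router, desktop, printer, netbook, wii)}
    return router, hosts


def reach_matrix(hairpin_allowed):
    """Unordered pairs of devices that can exchange packets, as (a, b) names."""
    router, hosts = build_lan(hairpin_allowed)
    names = list(hosts)
    return {(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if can_talk(hosts[a], hosts[b], router)}


def rehomed_attacker(hairpin_allowed):
    """Paul's caveat, generalised: a device whose owner controls its own IP
    settings can simply move into the target's /24 and talk to it directly.
    Returns (reaches printer, reaches desktop)."""
    router, hosts = build_lan(hairpin_allowed)
    attacker = Host("netbook", "10.10.1.200", 24)   # netbook re-addressed by hand
    return (can_talk(attacker, hosts["printer"], router),
            can_talk(attacker, hosts["desktop"], router))


if __name__ == "__main__":
    for hairpin in (False, True):
        print(f"router forwards LAN->LAN: {hairpin}")
        for pair in sorted(reach_matrix(hairpin)):
            print("  ", " <-> ".join(pair))
    print("re-addressed netbook reaches (printer, desktop):", rehomed_attacker(False))
```

Two things the model makes visible. A device that never gets a default route (the printer) cannot reach anything outside its own /24 whatever the router does. Devices that do have a default route only stay apart if the router refuses to forward a packet back out its LAN interface; if it does forward, desktop and netbook can still reach each other, but that traffic now crosses the router's FORWARD chain, which is exactly where iptables can see and filter it, so for those pairs Will's original question gets a yes. And as Paul says, none of it binds a device whose owner controls its IP settings: re-addressing the netbook into 10.10.1.0/24 puts it straight back beside the printer and the desktop. On a Linux desktop the host route Paul sketches is `ip route add 10.10.3.1/32 dev eth0` (interface name assumed).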

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 45, Issue 12
************************************************