Member Avatar for mikeliketrike

I'm going through the process of setting up a "hot spot" for the public for the company I work for.

We had an extra Netgear FVS318 kicking around the office so I set that up to be it's own DHCP to give 10.10.10.x ip addresses and a subnet of 255.255.0.0 (internally we have 192.168.x.x and 255.255.255.0) and blocked all ports except 80 and 443 through the router's built in firewall. From that I have a DLink DWL-G700 access point giving an unsecured wireless signal.

I can catch the wireless and browse the Internet fine. I am (un)successfully denied access to the internal network, so far everything looks good.

I'd like some feedback about how secure this setup is. I know any ICMP traffic can be used/captured, but I'm not too worried about that.

  • 3 Contributors
  • 2 Replies
  • 137 Views
  • 8 Hours Discussion Span
  • Latest Post Latest Post by sknake
Member Avatar for Josh Connerty

From what I can think of, you will need to block the access of the base ip. For instance mine is 192.168.2.1 now if I were to type this into the address bar of my browser whilst connected to it I would receive a log in screen (not sure about net gears) this is deffinetly a security floor for reasons you may expect.

You may have already done this but other than that theres not much more you can do to secure an unsecure wireless network.

Like the guidelines for PHP goes, "Treat it as thogh everyone is trying to harm you". A little paranoya but it's true.

Member Avatar for sknake

It sounds OK but don't block ICMP. So many people know that a ping/pong is related to ICMP so they block the entire protocolol...which leads to a very interesting entry in the iptables manual page:

TCPMSS
This target allows to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40). Of course, it can only be used in conjunction
with -p tcp. It is only valid in the mangle table.
This target is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines
behind it can never exchange large packets:
1) Web browsers connect, then hang with no data received.
2) Small mail works fine, but large emails hang.
3) ssh works fine, but scp hangs after initial handshaking.
Workaround: activate this option and add a rule to your firewall configuration like:
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.