Re: [fw-wiz] Locking down public wireless access

Chris,
From what I gather, you're looking for accountability. Bearing in mind
MAC addresses can be spoofed (and IP addresses are likely to be dynamic),
how do you intend to identify the users for accounting purposes? They log
in, sure, but then what? I think the problem is that once in there is no
real difference between any of the users.

I would suggest that you need a different crypto key for each user. Then
only if the keys are compromised are you going to end up not knowing who
did what. I would suggest IPSec as a suitable multi-user multi-key
technology. Users would need to register in person (you don't want those
keys transmitted in clear over the air do you?) and be issued with a
strong PSK or a certificate, depending on the config.

I would certainly recommend you read the NTA-Monitor paper on ISAKMP if
you do go this way.

> At my university, the computer science department would like to offer
> wireless access to computer science students, but would like the
> access to not be anonymous. Current problems with unrestricted access
> to the internet are obvious: anonymous kids downloading porn, movies,
> mp3s, etc, and as the university allowed this to happen, they could be
> held liable.
> Enforcing a logon policy would help limit the university's liability
> in said situations.
> Ideally, we would like to implement a system in which the user will
> connect to un-encrypted wireless, but any attempts to get out will be
> redirected to the authentication page. Once the user logs in, they
> will be given the WEP key of the day, and then they will have
> unrestricted access.
> I'm investigating the usage of Linksys WRT45G routers, with a modified
> firmware, but I have no actual experience with this. I would like to
> look into other methods of doing this, as well, such as Perfigo (which
> has now been acquired by Cisco)...
> If you have any suggestions for hardware, or existing documentation
> floating on the net about how to achieve this sort of setup, please
> let me know.
> firewall-wizards mailing list
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd
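
An added example, not part of the original message: a small audit of the accountability gap raised in the reply, where a gateway can only tie traffic to a portal login through the client MAC. The log layouts, `SESSION_TTL`, the function names and every sample value are constructed assumptions.

```python
SESSION_TTL = 3600  # assumed portal session lifetime, in seconds

# Constructed sample data: (epoch seconds, user, client MAC) portal logins
LOGINS = [
    (1000, "alice", "00:11:22:33:44:55"),
    (1200, "bob",   "66:77:88:99:aa:bb"),
    (1500, "carol", "00:11:22:33:44:55"),  # same MAC as alice: cloned or shared
]
# Constructed sample data: (epoch seconds, source MAC, destination) gateway flows
FLOWS = [
    (1100, "00:11:22:33:44:55", "198.51.100.7:80"),
    (1300, "66:77:88:99:aa:bb", "198.51.100.9:443"),
    (1600, "00:11:22:33:44:55", "203.0.113.5:6881"),
    (1700, "de:ad:be:ef:00:01", "203.0.113.8:80"),
]

def candidates(flow_time, mac, logins, ttl=SESSION_TTL):
    """Users holding a live portal session on this MAC at flow_time."""
    return sorted({user for t, user, m in logins
                   if m == mac and t <= flow_time < t + ttl})

def attribute(flows, logins, ttl=SESSION_TTL):
    """Classify each flow as attributed, ambiguous or unauthenticated."""
    report = []
    for t, mac, dest in flows:
        users = candidates(t, mac, logins, ttl)
        if len(users) == 1:
            # Only as trustworthy as the MAC: the log cannot tell the
            # registered device from another one presenting the same address.
            verdict = "attributed"
        elif users:
            verdict = "ambiguous"        # one MAC, several logged-in users
        else:
            verdict = "unauthenticated"  # traffic with no matching login
        report.append((t, dest, verdict, users))
    return report

if __name__ == "__main__":
    for row in attribute(FLOWS, LOGINS):
        print(row)
```

With a per-user key or certificate, as the reply suggests, each flow would instead carry an identity authenticated by that key, and attribution would not depend on the MAC at all.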