When you start providing networking services for your neighbors it’s a little like inviting them into your house for a visit. You can let them and their children run around your house all hours of the day and night, pillaging and plundering as they go as if they are Peter Pan.
Or you can chaperone their visit making sure that they only go where you want and when you want. Any network that allows outside connections must install security features meant to limit the client if it hopes to maintain any security at all and protect its resources. Sometimes it’s not possible to be as secure as you might ideally like to be.
If you and your family members are sitting around the dining room table with an ad hoc wireless network and their firewalls prevent file transfers, then most people will turn off their personal firewalls for the short time that they are doing that kind of work.
Any secure networking system must have a barrier to entry in the form of a firewall or authentication server. If you are setting up a network neighborhood and have a choice of devices, don’t simply set up an access point and allow users to connect. Choose instead wireless devices that have the management features of a firewall.
Those features include, but are not limited to the following:
- Authenticates users in some manner.
- Controls who gets a network address and for how long (DHCP).
- Limits the type of traffic that a user can communicate with; for example HTTP yes, AIM (AOL Instant Messenger) no.
- Controls time of access.
- Limits bandwidth so that the network isn’t saturated and you can stop spamming and DOS (Denial of Service) attacks.
- Shields the identities of your internal LAN systems from outside view. That is, plays the role of a proxy server and offers NAT or Network Address Translation.
The two most important things you can do in terms of securing your LAN while providing wireless access are to make sure that your LAN is protected by a firewall and that your firewall is placed between your LAN and the publicly available access point, and that you use a mechanism such as a firewall (the same one or an additional one) to authenticate and manage users.
A firewall can be as complicated as a specialized router/VPN setup, or as simple as a dual-homed computer serving as a router. It has been our experience that software firewalls are not enough protection.
It’s too easy to turn your firewall off (such as when you are installing some remote software package) and forget to turn it back on. A combination of hardware and software provides a stronger, more effective barrier to entry.