Firewall Wizards mailing list archives
RE: DMZ Ideas
From: "Luke Butcher" <Luke.Butcher () alphawest com au>
Date: Fri, 1 Oct 2004 08:55:28 +1000
MAC authentication/filtering immediately screams 802.1x, so I'd suggest something that supports that, but this would be implemented at the access points, so it won't change how your DMZ is set up. I don't know how the network is set up, but VLANs would be a minimum if you can't have physically separate switches. Then just pump this LAN/VLAN into a separate interface on your firewall.

There's also a family of products made by Bluesocket that may fit the situation as well. Check out their website, www.bluesocket.com. It works quite well, but I'm not sure if it'll support the RF tagging gear you're using; it's more aimed at the laptop/PDA market.

Disclaimer: The company I work for are resellers of Bluesocket gear, but all opinions contained herein are my own.

Luke Butcher
Network/Security Consultant
Alphawest Services Pty Ltd
www.alphawest.com.au

-----Original Message-----
From: firewalladmin () bellsouth net [mailto:firewalladmin () bellsouth net]
Sent: Friday, 1 October 2004 5:59 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] DMZ Ideas

Hi All:

I am looking for some unique suggestions for a situation developing here at my place of employment. A contractor is being hired to set up some wireless stuff for RF tagging (bar code tracking stuff for shipping/receiving). They will be placing readers that send data to wireless access points, which then need to terminate in a DMZ of some sort before it enters the LAN. We will require them to use encryption and MAC filtering along with the appropriate measures to secure the distance/range of the wireless signal to within the confines of the compound.

My question is this: what would make a good DMZ for this setup? We have a few suggestions up in the air and it's all preliminary stuff right now. Some ideas are VLANs (in my opinion too much management overhead, room for error and not necessarily very secure), a separate subnet on a router, etc. The tough part is: what do we filter the traffic by? There is no "user" to authenticate, only unmanaged readers/devices. The site is the size of a big college campus, so separating the devices onto a separate backbone/subnet will be physically difficult and expensive as well.

All suggestions are appreciated.

Thanks,
Mark

Mark F. MCP, CCNA
"You can spend your life any way you want... But you can only spend it once."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
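Added example, not part of either poster's message: the original question asks what to filter reader traffic by when there is no user to authenticate, and the reply proposes landing the reader VLAN on its own firewall interface. The script below models the default-deny policy a defender would put on that interface and runs it over constructed flow records: only an inventoried reader MAC, seen from the IP it was assigned, talking to the one collector service on the LAN is allowed; everything else is dropped with a reason that can be reviewed or alerted on. The inventory, VLAN (10.50.1.0/24), collector address/port and log format are all hypothetical. Because a MAC is trivially forgeable, the check pairs it with the expected IP so a known MAC appearing from another address is flagged rather than waved through.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed inventory of reader devices: MAC -> the IP each reader was assigned
# (assumes DHCP reservations or static addressing on the reader VLAN).
READER_INVENTORY = {
    "00:11:22:33:44:01": "10.50.1.11",
    "00:11:22:33:44:02": "10.50.1.12",
}
READER_VLAN = ipaddress.ip_network("10.50.1.0/24")  # hypothetical reader VLAN
COLLECTOR_IP = "10.10.5.20"                         # hypothetical tag-data collector on the LAN
COLLECTOR_PORT = 8080
COLLECTOR_PROTO = "tcp"


@dataclass
class Flow:
    ts: str
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'ts src_mac src_ip dst_ip dst_port proto'."""
    ts, src_mac, src_ip, dst_ip, dst_port, proto = line.split()
    return Flow(ts, src_mac.lower(), src_ip, dst_ip, int(dst_port), proto.lower())


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ('allow' | 'drop', reason).

    Default deny: only an inventoried reader, using the address it was assigned,
    talking to the collector service, is allowed through the DMZ interface.
    """
    if ipaddress.ip_address(flow.src_ip) not in READER_VLAN:
        return "drop", "source not on reader VLAN"
    expected_ip = READER_INVENTORY.get(flow.src_mac)
    if expected_ip is None:
        return "drop", "unknown MAC"
    if flow.src_ip != expected_ip:
        # A known MAC from an unexpected IP: possible cloned MAC or misconfigured device.
        return "drop", "MAC/IP mismatch (possible spoofed reader)"
    if (flow.dst_ip, flow.dst_port, flow.proto) != (COLLECTOR_IP, COLLECTOR_PORT, COLLECTOR_PROTO):
        return "drop", "destination is not the collector service"
    return "allow", "inventoried reader to collector"


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Evaluate each record; return (ts, verdict, reason) so drops can be reviewed or alerted on."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        results.append((flow.ts, verdict, reason))
    return results


# Constructed sample flow records from the reader VLAN's firewall interface.
SAMPLE_FLOWS = [
    "2004-10-01T09:00:01 00:11:22:33:44:01 10.50.1.11 10.10.5.20 8080 tcp",  # legitimate reader
    "2004-10-01T09:00:02 00:11:22:33:44:02 10.50.1.12 10.10.5.50 445 tcp",   # reader reaching a file server
    "2004-10-01T09:00:03 00:11:22:33:44:99 10.50.1.77 10.10.5.20 8080 tcp",  # device not in inventory
    "2004-10-01T09:00:04 00:11:22:33:44:01 10.50.1.40 10.10.5.20 8080 tcp",  # known MAC, wrong IP
    "2004-10-01T09:00:05 00:11:22:33:44:01 10.50.2.11 10.10.5.20 8080 tcp",  # outside the reader VLAN
]

if __name__ == "__main__":
    for ts, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{ts} {verdict:5} {reason}")
```

The same allowlist is what the real firewall rules on the DMZ interface would express (source VLAN, source address, destination host/port, default drop); running the logic over exported flow logs is a cheap way to confirm the deployed ruleset matches the inventory and to spot a reader that has moved or been cloned.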