Firewall Wizards mailing list archives

RE: DMZ Ideas


From: "Luke Butcher" <Luke.Butcher () alphawest com au>
Date: Fri, 1 Oct 2004 08:55:28 +1000

MAC authentication/filtering immediately screams 802.1X, so I'd suggest
something that supports that, but this would be implemented at the
access points, so it won't change how your DMZ is set up.
I don't know how the network is set up, but VLANs would be a minimum if
you can't have physically separate switches. Then just pump this
LAN/VLAN into a separate interface on your firewall.

There's also a family of products made by Bluesocket that may fit the
situation as well. Check out their website, www.bluesocket.com. It works
quite well, but I'm not sure if it'll support the RF tagging gear you're
using; it's aimed more at the laptop/PDA market.
Disclaimer: the company I work for is a reseller of Bluesocket gear, but
all opinions contained herein are my own.


Luke Butcher
Network/Security Consultant
Alphawest Services Pty Ltd
www.alphawest.com.au



-----Original Message-----
From: firewalladmin () bellsouth net [mailto:firewalladmin () bellsouth net] 
Sent: Friday, 1 October 2004 5:59 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] DMZ Ideas

Hi All:

I am looking for some unique suggestions for a situation developing here
at my place of employment. A contractor is being hired to set up some
wireless stuff for RF tagging (bar code tracking stuff for
shipping/receiving). They will be placing readers that send data to
wireless access points, which then need to terminate in a DMZ of some
sort before it enters the LAN. We will require them to use encryption
and MAC filtering along with the appropriate measures to secure the
distance/range of the wireless signal to within the confines of the
compound. My question is this: what would make a good DMZ for this
setup? We have a few suggestions up in the air and it's all preliminary
stuff right now. Some ideas are VLANs (in my opinion too much
management overhead, room for error and not necessarily very secure),
a separate subnet on a router, etc. The tough part is what do we filter
the traffic by? There is no "user" to authenticate, only unmanaged
readers/devices. The site is the size of a big college campus, so
separating the devices onto a separate backbone/subnet will be physically
difficult and expensive as well. All suggestions are appreciated. Thanks,

Mark

Mark F.
MCP, CCNA
"You can spend your life any way you want... But you can only spend it
once."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
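The question in this thread is what to filter on when the reader VLAN lands on its own firewall interface and there is no user to authenticate. The following is an added example, not code from either poster, that models the usual answer as a firewall policy: a default-deny rule set on the DMZ interface that accepts traffic only from a known per-reader MAC/IP binding and only towards the single collector host and port. The interface name, subnet, reader inventory, collector address and port are all constructed for the example.

```python
"""Added example: model of a default-deny policy for a wireless RFID reader
VLAN terminated on a dedicated firewall interface.  Nothing here is from the
original thread; all names, addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed reader inventory: "name  MAC  assigned IP" per line.
INVENTORY = """\
# name           MAC                IP
dock-reader-01   00:1B:4F:10:00:01  10.20.0.11
dock-reader-02   00:1B:4F:10:00:02  10.20.0.12
yard-reader-07   00-1B-4F-10-00-07  10.20.0.17
"""


def norm_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC so lookups are exact."""
    return mac.strip().lower().replace("-", ":")


def parse_inventory(text: str) -> dict:
    """Return {normalised MAC: assigned IP}, skipping blank and '#' lines."""
    bindings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _name, mac, ip = line.split()
        ip_address(ip)  # fail fast on a typo in the inventory
        bindings[norm_mac(mac)] = ip
    return bindings


@dataclass(frozen=True)
class Frame:
    """What the firewall sees arriving on the reader-VLAN interface."""
    iface: str
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass
class ReaderDmzPolicy:
    iface: str            # firewall interface the reader VLAN is pumped into
    reader_subnet: str    # address range assigned to the readers
    bindings: dict        # normalised MAC -> assigned IP
    collector_ip: str     # the only host readers may reach
    collector_port: int   # the only service on it
    proto: str = "tcp"

    def decide(self, f: Frame) -> tuple:
        """Return (verdict, reason).  Checks are ordered like a rule set:
        one specific accept path, everything else falls to the default drop."""
        if f.iface != self.iface:
            return "drop", "not the reader DMZ interface"
        mac = norm_mac(f.src_mac)
        if mac not in self.bindings:
            return "drop", "unknown MAC"
        if ip_address(f.src_ip) not in ip_network(self.reader_subnet):
            return "drop", "source outside reader subnet"
        if f.src_ip != self.bindings[mac]:
            # Either a misconfigured reader or someone cloning a reader's MAC.
            return "drop", "MAC/IP binding mismatch (misconfigured or spoofed reader)"
        if (f.dst_ip, f.proto, f.dst_port) != (self.collector_ip, self.proto, self.collector_port):
            return "drop", "destination is not the collector service"
        return "accept", "known reader to collector"


# Constructed policy: readers on vlan20 may only reach the collector on tcp/5000.
POLICY = ReaderDmzPolicy(
    iface="vlan20",
    reader_subnet="10.20.0.0/24",
    bindings=parse_inventory(INVENTORY),
    collector_ip="10.1.5.10",
    collector_port=5000,
)

# Constructed sample frames covering the cases a practitioner would test.
SAMPLES = {
    "legit":            Frame("vlan20", "00:1B:4F:10:00:01", "10.20.0.11", "10.1.5.10", "tcp", 5000),
    "unknown_mac":      Frame("vlan20", "00:1B:4F:10:00:99", "10.20.0.99", "10.1.5.10", "tcp", 5000),
    "lan_pivot":        Frame("vlan20", "00:1B:4F:10:00:02", "10.20.0.12", "10.1.5.20", "tcp", 445),
    "binding_mismatch": Frame("vlan20", "00:1b:4f:10:00:07", "10.20.0.18", "10.1.5.10", "tcp", 5000),
    "wrong_iface":      Frame("eth0",   "00:1B:4F:10:00:01", "10.20.0.11", "10.1.5.10", "tcp", 5000),
}


def decide_samples(policy: ReaderDmzPolicy = POLICY) -> dict:
    """Verdict for every sample frame, keyed by sample name."""
    return {name: policy.decide(frame)[0] for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        verdict, reason = POLICY.decide(frame)
        print(f"{name:18} {verdict:7} {reason}")
```

The point of the binding check and the single-destination rule is that a MAC allow-list on its own only stops accidental connections: anyone within radio range who learns a reader's MAC and IP can clone both. Pinning each MAC to one address and letting the VLAN reach nothing but the collector port limits what a cloned reader can do, which is why the link encryption and range control the original post requires, or the 802.1X at the access point suggested in the reply, still matter.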
