Security Basics mailing list archives
RE: Suggestions for a secure home network
From: Erin Carroll <amoeba () amoebazone com>
Date: Mon, 17 Apr 2006 16:57:47 -0400 (EDT)
Edmond,

A couple of thoughts inline...
> I'm somewhat confused over the options I have and would appreciate your comments on the solutions below. My main question is whether or not I will have the same level of security by deploying an all-in-one wireless router (such as the Cisco 871W) versus a separate firewall and wireless access point as you suggest. Cost is certainly something that I have to keep in mind!
The only security advantages I can think of off the top of my head for going with a dedicated FW and separate WAP would be the ability to double NAT and to minimize being exposed due to device-specific bugs or exploits. FW gets static (or DHCP depending on service provider) IP which NATs to a 192.168.* non-routable to your WAP, which in turn NATs to a 10.0.* network for your servers. If an exploit or bug comes out for your all-in-one, you're stuck. But with dedicated devices you have a greater chance of being able to mitigate those scenarios with the unaffected device. Plus, I'm preferential to dedicated devices. Few all-in-one solutions will have every capability you may need in the future and even then, there will be weak spots outside of the main core-focus capabilities the vendor concentrates on.
> 1. Linksys WRT54G family of all-in-one wireless routers (inexpensive!)
> 2. Cisco 871W all-in-one wireless router - has similar functionality to Linksys WRT54G but costs a lot more (2nd least expensive!)
> 3. Cisco 806 router plus Cisco 1231 wireless access points (expensive!)
> 4. Your solution - Cisco PIX 501 plus Apple Airport Express (2nd most expensive!)
There are other dedicated firewall solutions which aren't as expensive you can look into. I've got an old Netscreen-10 that has served me well for many years and can be picked up fairly cheap secondhand. Depending on your bandwidth or VPN needs you could get away with a Sonicwall or other FW appliance on the cheap.
> Another question I had pertains to the possibility of having more than one wireless access point because of the size and number of floors in my client's home. I'll be visiting his home this afternoon for a site visit so I'll soon have a better idea of the coverage area. Can two Airport Express units work in the same network and support handoff from one access point to another?
You'd get better bang for the buck with a Wi-Fi bridge or network expander.

--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
"Any significantly advanced incompetence is indistinguishable from malice"
