For a home installation I think that a Wireless Access Point or a Wireless Router on the LAN segment will work perfectly well.
But if someone manage to log into your wireless network due to weak or incorrect encryption they will be inside your green security zone.
By the way to use Wep encryption allone is near up to the same as using nothing and to have an open public network. I dont know how safe the WPA encryption is considered to be just totay. One other problem with wireless access point is that they could be left open by accident or by missconfiguration.
If you use a third network card you can have an aditional layer of security.
One other situation is if you want to have an open wireless network for "guests". Then they can be left into a secure 3'rd zone.
One other possible use for the 3'rd network adapter is if you run some sort of aditional server function and if you do not want that server function to run on the same security zone as your LAN wokstations.
I believe from a theoretical point of view it should be possible to make a kind of "virtual dmz" in a LAN zone by configuring the 2 port firewall for that. (I wonder if I saw something about that it exist such a contrib or mod for the SME server ??)
My opinion: To run a 3'rd DMZ or WLAN network card in a private home is normally really not neccessary for the purpose of secuity (Unless you use an old WEP based access points or if it suddenly gets usual to crack WPA encryption.)
My personal meaning is that it would be more important to have an more fine grained and more easy controll over the existing 2 port firewall and that should be a lot more easy (and usable) project, at least for the home user (but the 3 port variant is more difficult and because of this, I think, more fun to make
.
If I'm not wrong: Lets say you want to test out a new web server in your LAN zone. I think it will not possible to forward port 80 or port 443 via the existing sme firewall tools, to your alternate LAN web server. (If it was not only fingertrouble that made it not to work for me.)
I think that a firewall configuration tool that gave the user the full control and the full overview at any time would be an nice alternative (and for the home user more important than the 3'rd NIC.)
"Practical security" will, as I would sse it, allways be a trade off between "fuctionality" and "theoretical security".
My opinion is that if you haven't got hacked the last year, the security was good enough for that last year.
7 Replies
1698 Views