February 26th, 2006, 03:45 PM
Wireless adds a wrinkle. I've seen DMZs that weren't worth a plugged nickel (Belkin routers), but you should be ok with OpenBSD. I'd test the DMZ anyway from your roommate's wireless network to see if you can get back in on the rest of your network.
Port monitoring programs like Active Ports and TCP View (or for that matter, F-Port and Netstat) will tell you where your Windows machines are connecting if need be. I run Ettercap and Etherape from a Linux unit to get a quick fix on any rogue IPs that may be camping out on my networks. And I run Ethereal every now and then on my webserver (W2K) to see what's happening there. Snort's built-in to my FTP server (RH7) and it picks some things up, but I'm not as up on it as I'd like to be.
Either way, the best network defense you will have going for you is paying attention. Know all the devices on your network and their ip addresses. You're in for a learning experience.
Just my two bits.
“Everybody is ignorant, only on different subjects.” — Will Rogers
March 6th, 2006, 11:53 PM
Outside of defining what exactly you want your security level to be (what gets on the internet, what's denied explicitly, etc.), I'd recommend not having your roomie's laptop as a DMZ. It's very much akin to having a firewall and just allowing any program to talk to the internet. By not having a DMZ (and in my opinion, there's really no reason good enough to have a machine outside the protection of your router/gateway), you can reduce the amount of security you'd have to layer on said wireless laptop. And it keeps prying eyes out on a lot of levels.
My network consists of the following:
My PC connected to the router via cat-5, static IP.
My server connected to the router via cat-5, static IP.
Fiancé's laptop connected to the router, static IP wireless with WPA + password.
Router is a D-Link Gaming router + wireless with everything turned off and MAC filtering enabled. Port forwarding exists only for the server utilities, which are restricted to ports 80, 15234, and 22. All FTP is done over SFTP on port 22. Server has services like telnet turned off.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
March 8th, 2006, 04:40 AM
Keeping the laptop out of the network is beneficial for two reasons. One is that my roommate is always using Limewire to download music and other software. He doesn't believe that anything will happen to his system, despite my advice. As such, keeping him out of the DMZ is actually protecting my network.
My second reason is that I don't trust the wireless router. What if someone gets to the router (via port 80 for instance, which allows you to change its settings), or if one of my neighbors is able to crack the wireless password? This is also another mechanism for protecting my network.
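An added example, not posted by anyone in this thread: an OpenBSD pf ruleset that does what the original poster wants, putting the roommate's wireless segment in its own DMZ that can reach the internet but not the wired LAN or the firewall's management ports. Interface names, address ranges and the management port list are assumptions; on OpenBSD releases before 4.7 the `match ... nat-to` line is written `nat on $ext_if from { $lan_net $dmz_net } to any -> ($ext_if)` instead.

```pf
# /etc/pf.conf -- added example, assumed interfaces and addressing
# Syntax check:  pfctl -nf /etc/pf.conf      Load:  pfctl -f /etc/pf.conf
ext_if  = "em0"               # uplink to the ISP
lan_if  = "em1"               # wired LAN: PCs and servers (trusted)
dmz_if  = "em2"               # wireless router and roommate's laptop (untrusted)
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
admin_ports = "{ 22 80 }"     # firewall management: ssh, web UI if one is enabled

set skip on lo
match out on $ext_if inet from { $lan_net $dmz_net } nat-to ($ext_if)

# Default deny in both directions; log the drops so the "paying attention"
# part is possible:  tcpdump -n -e -ttt -i pflog0
block log all
# Drop DMZ packets forged with LAN source addresses (and vice versa)
antispoof log quick for { $lan_if $dmz_if }

# Firewall's own outbound traffic (DNS, ntp, package fetches)
pass out on $ext_if from ($ext_if)

# Wired LAN: may reach the internet and the DMZ; replies come back via state
pass in  on $lan_if from $lan_net
pass out on $ext_if from $lan_net
pass out on $dmz_if from $lan_net to $dmz_net

# Wireless DMZ: internet only. The two quick blocks win before the pass rule,
# so nothing from the DMZ reaches the LAN or the firewall's management ports.
block in log quick on $dmz_if from $dmz_net to $lan_net
block in log quick on $dmz_if proto tcp from $dmz_net to ($dmz_if) port $admin_ports
pass in  on $dmz_if from $dmz_net
pass out on $ext_if from $dmz_net
```

After loading it, repeat the test suggested earlier in the thread: from the wireless side, try to reach a host on $lan_net and confirm the attempt shows up on pflog0 as a block rather than getting an answer.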