Until now we have been talking about the wireless network as if it were the only network that existed. Many wireless administrators will have a node connected to other networks as well, such as the internal company or home network, or perhaps a connection to the Internet. Bearing this in mind, the information which moves from one network to another may need protection for a variety of reasons. Perhaps the administrator doesn't want anyone to enter his own private network, but doesn't mind offering wireless facilities to others, or links to other nodes.
To solve this problem the only reasonable solution is to install and configure a firewall, a technique clearly documented in various places on the Internet. Its objective is simply to filter the IP traffic which passes between the different networks within a node, blocking traffic or allowing it to pass without hindrance as required.
Starting with the premise that we want to setup a firewall, we need to take into account several things. There are various possible solutions, some are operating system dependent and there are also commercial solutions which work on a variety of operating systems.
In Linux there are various options which depend on the version of the kernel being used: the main ones are IPCHAINS and the newer IPTABLES. FreeBSD and other BSD versions use ipfw. The advantage of using the facilities provided by the kernel is that they come with the operating system, although the options to use these facilities may not be compiled into the kernel which is being used. See the relevant manuals for how to include this functionality in your operating system.
A tutorial on how to configure a firewall with IPTABLES in Linux can be found at http://www.boingworld.com/workshops/linux/iptables-tutorial/iptables-tutorial/iptables-tutorial.html. There are also various HOWTO documents for Linux which explain how to configure a firewall, and there is ample documentation for BSD too.
To configure a firewall correctly several standards should be followed, starting with the design of the node. Some of the factors which should be taken into account are:
The different interfaces to which the firewall is connected
The different networks, and their associated IP addresses, connected to the firewall
Whether traffic should be allowed to pass from one network to another over each specific interface
The different IP services which should be allowed or disallowed (http, smtp, dns, ping) using tcp, udp, icmp, etc.
Whether it is necessary to translate the IP addresses (NAT) as traffic leaves an interface and enters a specific network
A firewall will normally have the following connections and networks attached to it:
IP addresses of the node's network
IP addresses of the wireless group's network
IP addresses of the network(s) to other node(s)
IP addresses of the internal network
A link to the Internet (which uses the remaining IP addresses)
Only when we look at the matrix of possible connections between one network and another, and take into account that IP traffic has to be treated in both directions, do we begin to see the complexity involved in configuring this type of firewall.
Most firewall configurations let us decide whether to allow or deny traffic through the firewall, but we can normally also define whether traffic which attempts to pass through the firewall (whether or not it succeeds) is logged to a file.
The policy which should be followed with the logs generated by a firewall should be to maintain them for a certain period of time, perhaps 3 months, so that if some incident occurs we will have a record of the event.
We should also note that a node should NOT filter traffic whose source and destination addresses belong to the group's network, because this will obstruct the correct functioning of the network.
If a group decides to connect to another group then the traffic to the other wireless group should not be filtered either. If several nodes have implemented a firewall, they should be given enough time to change their firewall configuration before connectivity to the other group is confirmed.
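As an added example (not part of the original guide), the following shell script puts the design factors above into an IPTABLES ruleset for a node with three interfaces: the wireless group's network, the internal network and an Internet uplink. It applies the rule that group traffic is never filtered, logs and drops everything else from the wireless side, and adds the NAT rule for the Internet link. The interface names, address ranges and allowed ports are assumptions chosen for illustration; by default the commands are only printed (IPT defaults to `echo iptables`) so the policy can be reviewed before being applied as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example: dry-run generator for an iptables ruleset on a wireless node.
# Everything below the comment header is an assumption for illustration.
IPT="${IPT:-echo iptables}"   # set IPT=iptables (as root) to apply for real

WLAN_IF="wlan0"          # assumed: interface on the wireless group's network
LAN_IF="eth0"            # assumed: interface on the internal (private) network
INET_IF="ppp0"           # assumed: interface carrying the public Internet address
WLAN_NET="10.0.0.0/8"    # assumed: the wireless group's address range
LAN_NET="192.168.1.0/24" # assumed: the internal network's address range

firewall_rules() {
    # Start from a clean slate and refuse any forwarded traffic not
    # explicitly allowed below.
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -P FORWARD DROP

    # Replies to connections that were already allowed may flow back.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Group traffic is never filtered: wireless to wireless passes untouched.
    $IPT -A FORWARD -i "$WLAN_IF" -o "$WLAN_IF" -s "$WLAN_NET" -d "$WLAN_NET" -j ACCEPT

    # The internal network may reach both the wireless group and the Internet.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WLAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$INET_IF" -j ACCEPT

    # Wireless users get the Internet, but only for a few named services.
    for port in 53 80 443; do
        $IPT -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -o "$INET_IF" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -o "$INET_IF" -p udp --dport 53 -j ACCEPT

    # Anything else arriving from the wireless side (towards the internal
    # network or the Internet) is logged, rate-limited so the log cannot be
    # flooded, and then dropped.
    $IPT -A FORWARD -i "$WLAN_IF" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A FORWARD -i "$WLAN_IF" -j DROP

    # NAT: private source addresses leaving on the Internet link are rewritten
    # to that link's public address (masquerading).
    $IPT -t nat -A POSTROUTING -o "$INET_IF" -j MASQUERADE
}

# Stand-alone run: print the rules for review.
firewall_rules
```

Note that the wireless-to-wireless ACCEPT rule is placed before the logging and DROP rules; iptables evaluates rules in order, so moving it lower would silently filter group traffic.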
One recommendation is to use an IDS (Intrusion Detection System), which allows us to detect intruders who try to break into our network from any of the networks connected to the firewall.
There are various IDS, amongst them snort (http://www.snort.org). The policy regarding the period of time for which log files are kept should be the same as for the firewall.
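The log policy above is only useful if someone actually reads the logs and the files survive for the retention period. As an added example (not from the original guide), this shell script summarises the lines written by an iptables LOG rule per source address and removes rotated firewall logs older than the retention period. The log lines are constructed samples in the format the kernel writes for a LOG rule; the "FW-DROP:" prefix, the 90-day retention (roughly the 3 months suggested above) and the file naming are assumptions.

```shell
#!/bin/sh
# Added example: summarise firewall drop logs and enforce a retention period.
RETENTION_DAYS=90   # assumed: roughly the 3 months the guide suggests

# Constructed sample log lines (not real captures). The last line is a
# non-firewall message that must be ignored by the summary.
SAMPLE_LOG='Mar  3 10:12:01 node kernel: FW-DROP: IN=wlan0 OUT=eth0 SRC=10.0.5.7 DST=192.168.1.10 PROTO=TCP SPT=4321 DPT=139
Mar  3 10:12:03 node kernel: FW-DROP: IN=wlan0 OUT=eth0 SRC=10.0.5.7 DST=192.168.1.10 PROTO=TCP SPT=4322 DPT=445
Mar  3 10:13:40 node kernel: FW-DROP: IN=wlan0 OUT=ppp0 SRC=10.0.9.2 DST=203.0.113.5 PROTO=TCP SPT=5000 DPT=25
Mar  3 10:14:02 node kernel: FW-DROP: IN=wlan0 OUT=eth0 SRC=10.0.5.7 DST=192.168.1.10 PROTO=UDP SPT=1234 DPT=137
Mar  3 10:15:00 node dhcpd: DHCPACK on 10.0.5.7 to 00:11:22:33:44:55 via wlan0'

# Read log text on stdin; print "count source" for each source address that
# hit the drop rule, most frequent first.
drop_summary() {
    grep 'FW-DROP:' |
    awk '{
        src = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) src = substr($i, 5)
        if (src != "") count[src] += 1
    } END {
        for (s in count) print count[s], s
    }' | sort -rn
}

# Number of distinct source addresses that were dropped (stdin).
offending_sources() {
    drop_summary | wc -l | tr -d ' '
}

# Source address with the most dropped packets (stdin).
top_source() {
    drop_summary | head -n 1 | awk '{print $2}'
}

# Delete rotated firewall logs in directory $1 older than the retention period.
prune_old_logs() {
    find "$1" -type f -name 'firewall*' -mtime +"$RETENTION_DAYS" -exec rm -f {} +
}

# Stand-alone run: summarise the sample lines.
printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

Run against a real log with `grep FW-DROP /var/log/messages | drop_summary`, substituting whatever prefix and log file the firewall actually uses; a host that repeatedly probes the internal network's file-sharing ports, as 10.0.5.7 does in the sample, is the kind of entry worth following up.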
A lot of people are interested in wireless networks as a cheap way to access the Internet using someone else's connection.
In principle a connection to the Internet can be offered by a node, but we ought to bear in mind that connections of this type require the originating IP address to be changed to the real address connected to the Internet, using a technique called NAT. This is the case at least when the wireless IP addresses are private.
In these cases it will not be possible to connect from the Internet "inwards" for the same reason: the wireless network's IP addresses are not public and therefore cannot be routed from the public Internet.
Nevertheless the connection to the Internet, even when using NAT, does allow the use of a large number of services such as DNS, email, web and ftp access, amongst others.
We ought to point out that the maximum speed of a wireless network using the 802.11b protocol is 11Mb/s, significantly faster than the typical speed at which most people connect to the Internet from home, even when using ADSL, whose download speed doesn't normally exceed 256kb/s.
Therefore those who offer Internet access to others may easily see their Internet connection saturated if they don't take appropriate steps.
Finally it is worth mentioning that Internet access may not be offered from only one place in the network: it may be a service offered by several wireless nodes. Managing these multiple routes to the "default route" within the network can be quite complicated, as most routing software doesn't handle this very well, and it may well be worth studying the best way to manage these "special" routes.
Quality of Service goes here