Re: [fw-wiz] Wireless

From: R. DuFresne (dufresne@sysinfo.com)
Date: 08/09/02


From: "R. DuFresne" <dufresne@sysinfo.com>
To: John McDermott <jjm@jkintl.com>
Date: Fri Aug  9 19:39:32 2002

On Fri, 9 Aug 2002, John McDermott wrote:

> ejb3@cornell.edu wrote:
> > Spoofing MAC addresses is easy, even on 802.11b cards. Managing
> > permitted MAC addresses is a good idea for home users with few cards and
> > only a single base station. It's a management nightmare for large
> > installations.
>
> So what is the Best Practice approach to securing a wireless subnet?
> Given a WAP and n known cards, what is the best way to deal with MAC
> spoofing, wandering unauthorized users, etc. to prevent access to all
> lan resources for unauthorized users?
>

Best recommends at present speak of wrapping all transmissions within an
encrypted tunnel. SSH or some IPsec tool. Still one should localise the
range of their transmissions as much as possible, as information leakage
is still present due to the management packets between and through any
device talking to the AP. This gains one the ability to encrypt
the data portions of their connections, but there remains much
information leakage. Basically, no matter how well one tries
to 'secure' their wireless transmissions, they have exposed an ethernet
subnet<s?> to outside sniffing. The range of the sniffing capabilities
lies in how much one wishes to invest time or monies into an antenna for
their sniffing/attack vectors into this realm. There are claims that
homebuilt antennas can sniff from 1-10 miles out, so sitting in a parking
lot is not a requirement.

Thanks,

Ron DuFresne

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!

