Re: [fw-wiz] Wireless

From: Dave Piscitello (dave@corecom.com)
Date: 08/19/02


From: Dave Piscitello <dave@corecom.com>
To: firewall-wizards@honor.icsalabs.com
Date: Mon Aug 19 14:13:01 2002

Moving off topic from "identifying rogue APs" but...

Like every other security "problem", best practice is layered defenses.

1) Strong authentication - companies like NetMotion, Columbitech, Funk have
solutions in this space
2) Higher-level encryption (than WEP) - NetMotion and Columbitech use
application stream proxies (SSL, for example)
3) Access controls - Bluesocket and Vernier et al. have wireless
firewalls, with various MAC and IP level ACLs. These also support IPsec.

But you need desktop/laptop security measures as well.

You've talked only about APs (infrastructure mode); if you're really
worried, you have to think about Bob, your power user who runs wireless in
a peer-to-peer mode at home for "Internet sharing" then comes to the
office, and connects with his 10BaseT PC card to your network, and is just
smart enough to have enabled forwarding on Win2K or whatever he runs.

I just completed a white paper on the "best practices" subject for a
client; when they release it for public consumption I'll post the URL.

At 03:31 PM 8/9/2002 -0400, Paul Robertson wrote:
>On Fri, 9 Aug 2002, John McDermott wrote:
>
> > So what is the Best Practice approach to securing a wireless subnet?
> > Given a WAP and n known cards, what is the best way to deal with MAC
> > spoofing, wandering unauthorized users, etc. to prevent access to all
> > lan resources for unauthorized users?
>
>Treat it like the Internet and a VPN- encrypt everything going to any
>node, put a layer 3 device between the WAP and the wireline/fiber network,
>put PC firewalls on the PC nodes, and have the layer 3 device do
>strong authentication and decryption for allowed users to
>selected internal resources.
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson "My statements in this message are personal opinions
>proberts@patriot.net which may have no basis whatsoever in fact."
>probertson@trusecure.com Director of Risk Assessment TruSecure Corporation

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave@corecom.com
843.689.5595
www.corecom.com
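
Added example, not part of the original message: a sketch of the desktop/laptop check that the "Bob" scenario above calls for, flagging hosts that are wired to the LAN while an ad hoc wireless interface is up and IP forwarding is enabled. The record format, finding names and sample inventory are constructed for illustration; how the state is collected from each host is left as an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Interface:
    name: str
    kind: str            # "ethernet" or "wireless"
    mode: str = ""       # wireless only: "infrastructure" or "adhoc"
    up: bool = False

@dataclass
class Host:
    name: str
    ip_forwarding: bool  # e.g. the host's IP routing setting, as reported by an agent
    interfaces: list = field(default_factory=list)

def audit(host):
    """Return the findings for one host record, least to most severe."""
    active = [i for i in host.interfaces if i.up]
    wired = [i for i in active if i.kind == "ethernet"]
    wireless = [i for i in active if i.kind == "wireless"]
    adhoc = [i for i in wireless if i.mode == "adhoc"]
    findings = []
    if adhoc:
        findings.append("adhoc-wireless-active")
    if wired and wireless:
        findings.append("dual-homed-wired-and-wireless")
    if host.ip_forwarding and len(active) > 1:
        findings.append("forwarding-between-interfaces")
    if host.ip_forwarding and wired and adhoc:
        # The case from the message: peer-to-peer clients routed onto the LAN.
        findings.append("critical-adhoc-routed-to-lan")
    return findings

def report(inventory):
    """Map host name -> findings, listing only hosts that have findings."""
    return {h.name: f for h in inventory if (f := audit(h))}

# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    Host("bob-laptop", True, [Interface("eth0", "ethernet", up=True),
                              Interface("wlan0", "wireless", "adhoc", up=True)]),
    Host("alice-desktop", False, [Interface("eth0", "ethernet", up=True)]),
    Host("carol-laptop", False, [Interface("eth0", "ethernet", up=True),
                                 Interface("wlan0", "wireless", "infrastructure", up=True)]),
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY).items():
        print(name, findings)
```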


