Re: [fw-wiz] (In)security of wireless LANs and the Cisco Wireless Security Suite

From: R. DuFresne (dufresne_at_sysinfo.com)
Date: 11/04/03

  • Next message: Ben Nagy: "RE: [fw-wiz] (In)security of wireless LANs and the Cisco Wireless Security Suite"
    To: "Stewart, John" <johns@artesyncp.com>
    Date: Tue, 4 Nov 2003 10:22:27 -0500 (EST)
    
    

    John,

    As mentioned in previous threads recently on the Cisco offering, it
    depends upon LEAP, which is susceptible to a dictionary attack. If you
    can live with that, then shoot, if not, then you may wish to look at some
    other radius server based method of auth and such. Of course, being this
    is sounding like an inside only wireless deployment, such that folks have
    to be on premises to use, if the APs are properly tuned so as to not
    broadcast outside the building perimeters <and this means walking the
    grounds with a wireless sniffer to ensure> then your risks are again
    reduced. There was a good set of articles if I recall in either the
    information security mag recently, or network mag. You can find links to
    all the wireless related work from the two I have published at:

    http://sysinfo.com/wire1.html and http://sysinfo.com/wired2.html

    Thanks,

    Ron DuFresne

    On Mon, 3 Nov 2003, Stewart, John wrote:

    >
    > I've been getting a lot of heat from management at one of our sites to
    > implement wireless networking. I've been adamant in the past that it would
    > not be feasible due to the inherent insecurities with WEP under 802.11.
    >
    > My opinion has been that if they want to use wireless LANs, we can set up a
    > separate leg on the firewall, treat it like a completely untrusted network,
    > and they can VPN in to get access to internal networks.
    >
    > However, of course the pointy-hairs in that office want to be able to walk
    > around with their laptops as if they were wired. I don't know why it would
    > be so hard to plug the laptop into the wall in the conference room, but I do
    > understand that it would be "nice to have". I use a WAP at home, and like
    > it.
    >
    > Anyhow, the Cisco offering in this area does look to be somewhat promising
    > at ameliorating the risks involved with wireless. Here is their white paper
    > on their Wireless Security Suite offering:
    >
    > http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml
    >
    > It does sound like they're doing some good things, and I'm wondering what
    > the opinion is from you wizards on it. Anyone used it? Is it Good Enough?
    >
    > While I understand that adding wireless access points, even when done
    > properly, is inherently adding security risk that I did not have before, my
    > job (of course) is to balance business need versus security.
    >
    > I guess the question is, with this product, am I taking a larger risk than I
    > am with, say, some of these other issues which would not be necessary in an
    > ideal, secured, world:
    >
    > - Allowing VPNs from users' PCs (a software firewall is required in that
    > case, but certainly this is riskier than not allowing it)
    > - HTTP access to everywhere from the internal (Windows) desktops
    > - Email on Outlook/Exchange. While we disallow executable attachments, and
    > run virus/trojan scanners on the server and desktop, this is certainly
    > another worrisome vector of attack.
    >
    > So, with this "Wireless Security Suite" on some Aironet access points, is a
    > wireless LAN (connected to our internal network) really a bigger risk than
    > these other risks, necessitated by our business requirements?
    >
    > thanks!
    >
    > johnS
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
