[fw-wiz] Securing a wireless network

chris_at_compucounts.com
Date: 10/29/04

    To: <firewall-wizards@honor.icsalabs.com>, on@der-keiler.de, dbi.compucounts.com@der-keiler.de
    Date: Thu, 28 Oct 2004 20:14:05 -0400
    
    

    At my so-called place of business, there exists a completely insecure public wireless network that I wish to lock down (ignoring WEP, Radius, and other wireless security methods).

    I am looking for a means of forcing 'unverified' clients (by MAC address?; not at all worried about spoofing) to run a script or program of some sort before being able to interface with other network devices (to scan for viruses, check software configuration, and whatever else). The best bet at the moment seems to include VLANs and some sort of destination NAT to a generic web server that says "hey, run this!", but I'm having trouble finding literature on the subject. Partly because I'm not entirely sure what I'm looking for.

    The general idea:
    - unknown client connects to network and obtains IP from DHCP
    - client opens web browser, and is redirected to some generic page with instructions
    - client follows instructions, runs script
    - <slightly hazy with a chance of rain>
    - client is assigned new [IP|VLAN|something else] and is able to connect to the rest of the network

    Currently, the network (entirely Cisco) is set up as follows:

    - Backbone: Cisco Catalyst 6509 multilayer switch
    - Closets: various models of managed Catalyst switches running an enterprise IOS version
    - Access Points: Cisco Aironet AP350's and 1120's

    Can anyone point me in some direction or offer a different solution? My idea is not to authenticate clients and reject unknown users; the idea is to force users to have semi-secured computers while maintaining an otherwise open network.

    I would prefer a solution that requires the least amount of changes to the backbone switch (because all requests regarding it have to be forwarded to dept. A, which sends it to B, then C, and yadda yadda yadda; 5 years later, it *might* get done), but I'm open to any possibilities.

    Thanks in advance,

    - Chris Carlson
     
    --------------------------------
    * "First they ignore you, then they laugh at you, then they
      fight you, then you win." ~Mahatma Gandhi

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
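The flow sketched in the post (quarantine unknown MACs, redirect their browser to a generic "run this" page, move them to the production VLAN once the check passes, re-check after a while) as an added Python model; this is example code, not part of the original message or any Cisco feature. The VLAN numbers, portal host, TTL and posture-check names are all assumptions.

```python
import time
from dataclasses import dataclass, field

# All values below are assumptions chosen for the example, not from the post.
QUARANTINE_VLAN = 100          # unverified clients land here (DHCP + portal only)
PRODUCTION_VLAN = 10           # verified clients are moved here
PORTAL_HOST = "portal.example.internal"   # placeholder "hey, run this!" server
PORTAL_URL = f"http://{PORTAL_HOST}/run-this"
VERIFY_TTL = 8 * 3600          # seconds before a client must re-run the check
REQUIRED_CHECKS = {"av_signatures_fresh", "patches_current", "firewall_enabled"}


def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form so 00-11-22-AA-BB-CC and 0011.22aa.bbcc match."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Portal:
    verified: dict = field(default_factory=dict)   # mac -> time the check passed

    def vlan_for(self, mac: str, now: float = None) -> int:
        """VLAN the switch should assign; an expired verification drops back."""
        now = time.time() if now is None else now
        mac = norm_mac(mac)
        passed = self.verified.get(mac)
        if passed is not None and now - passed < VERIFY_TTL:
            return PRODUCTION_VLAN
        self.verified.pop(mac, None)             # forget stale entries
        return QUARANTINE_VLAN

    def handle_http(self, mac: str, host: str, now: float = None):
        """Stand-in for the DNAT rule: quarantined clients only reach the portal."""
        if self.vlan_for(mac, now) == PRODUCTION_VLAN or host == PORTAL_HOST:
            return 200, None                     # pass through / serve portal page
        return 302, PORTAL_URL                   # redirect everything else

    def report_posture(self, mac: str, report: dict, now: float = None) -> int:
        """Called by the script the user ran; promote only if every check passed."""
        now = time.time() if now is None else now
        passed = {name for name, ok in report.items() if ok}
        if REQUIRED_CHECKS <= passed:
            self.verified[norm_mac(mac)] = now
            return PRODUCTION_VLAN
        return QUARANTINE_VLAN
```

Wiring this to real gear would mean the DHCP/VLAN assignment coming from the switch and the DNAT rule on the quarantine VLAN's gateway; the model only shows the decision logic those pieces need to agree on.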

