Re: [fw-wiz] Securing a wireless network
From: Mark Teicher (mht3_at_earthlink.net)
Date: 10/28/04
- Previous message: Paul Foster: "[fw-wiz] Re: Ethics, morality and the industry"
- In reply to: Claudiu Dragalina-Paraipan: "Re: [fw-wiz] Securing a wireless network"
- Next in thread: Smith, Aaron: "RE: [fw-wiz] Securing a wireless network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Claudiu Dragalina-Paraipan <dr.clau@gmail.com> Date: Thu, 28 Oct 2004 07:24:39 -0600
There are a couple of vendors that offer solutions to prevent unwanted wireless
users from connecting to your network.
www.sygate.com
www.airdefense.com
www.rovingplanet.com
There are several others also.
Each one of their solutions offers a different approach to your stated
network architecture; how one goes about adjusting your network to include
security measures without disrupting availability is another topic by
itself.
At 01:41 AM 10/29/2004, Claudiu Dragalina-Paraipan wrote:
>Hi,
>
>you could use VPNs. What I would do is this:
>- set up a VPN server, my choice would be FreeBSD or OpenBSD, for what I
>think are obvious reasons;
>- on the client side, which I assume uses Windows, you can use the VPN
>client that comes with Windows (2000, XP), or get one for older
>versions from the Internet;
>- back to the server, you should NAT/pass only IPs that come through
>the VPNs, while the other http traffic can be redirected to an
>instruction page.
>
>This way you have almost what you want. You still can use DHCP to give
>IPs to new clients, but allow only connections to Internet from IPs
>used for VPNs. If you put your network's servers behind this "vpn
>server", you can filter connections to them also.
>
>This is not exactly what you want, but is far more secure than what
>you have already.
>Probably you can make a general user for VPNs, thus you don't have to
>provide everyone with a user and password.
>
>I hope this helps you.
>
>Best regards,
> Claudiu.
>
>
>On Thu, 28 Oct 2004 20:14:05 -0400, chris@compucounts.com
><chris@compucounts.com> wrote:
> > At my so-called place of business, there exists a completely insecure
> public wireless network that I wish to lock down (ignoring WEP, Radius,
> and other wireless security methods).
> >
> > I am looking for a means of forcing 'unverified' clients (by MAC
> address?; not at all worried about spoofing) to run a script or program
> of some sort before being able to interface with other network devices
> (to scan for viruses, check software configuration, and whatever
> else). The best bet at the moment seems to include VLAN's and some sort
> of destination NAT to a generic web server that says "hey, run this!",
> but I'm having trouble finding literature on the subject. Partly because
> I'm not entirely sure what I'm looking for.
> >
> > The general idea:
> > - unknown client connects to network and obtains IP from DHCP
> > - client opens web browser, and is redirected to some generic page with
> instructions
> > - client follows instructions, runs script
> > - <slightly hazy with a chance of rain>
> > - client is assigned new [IP|VLAN|something else] and is able to
> connect to the rest of the network
> >
> > Currently, the network (entirely Cisco) is setup as follows:
> >
> > - Backbone: Cisco Catalyst 6509 multilayer switch
> > - Closets: various models of managed Catalyst switches running an
> enterprise IOS version
> > - Access Points: Cisco Aironet AP350's and 1120's
> >
> > Can anyone point me in some direction or offer a different
> solution? My idea is not to authenticate clients and reject unknown
> users; the idea is to force users to have semi-secured computers while
> maintaining an otherwise open network.
> >
> > I would prefer a solution that requires the least amount of changes to
> the backbone switch (because all requests regarding it have to be
> forwarded to dept. A, which sends it to B, then C, and yadda yadda yadda;
> 5 years later, it *might* get done), but I'm open to any possibilities.
> >
> > Thanks in advance,
> >
> > - Chris Carlson
> >
> > * "First they ignore you, then they laugh at you, then they
> > fight you, then you win." ~Mahatma Gandhi
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@honor.icsalabs.com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> >
>
>
>--
>Claudiu Dragalina-Paraipan
>e-mail: dr.clau@gmail.com
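Claudiu's design above (VPN server on BSD, NAT only for traffic that arrived through the tunnel, everything else's HTTP redirected to an instruction page) written out as an OpenBSD pf ruleset. This is an added example, not code from the thread or from any of its participants. It assumes OpenBSD pf syntax from release 4.7 onward (match rules with nat-to/rdr-to, which post-dates the 2004 thread), the constructed interface names em0/em1/tun0, the constructed address ranges 10.20.0.0/24 (wireless clients) and 10.30.0.0/24 (addresses handed to VPN clients), a firewall that also hosts the instruction page and a DNS forwarder at 10.20.0.1, and PPTP as the VPN the Windows 2000/XP built-in client speaks.

```pf
# Added example (not from the thread): OpenBSD pf ruleset for a VPN-gated open
# wireless segment. All interface names and addresses below are constructed.
ext_if   = "em0"           # upstream / Internet side (assumed name)
wifi_if  = "em1"           # open wireless segment (assumed name)
vpn_if   = "tun0"          # VPN tunnel interface (assumed name)
wifi_net = "10.20.0.0/24"  # constructed: DHCP hands wireless clients addresses here
wifi_gw  = "10.20.0.1"     # constructed: firewall address on the wireless side; it
                           # also serves the "run this first" instruction page
table <vpn_only> { 10.30.0.0/24 }  # constructed: addresses given to VPN clients

set skip on lo

# Only traffic that came in through the VPN tunnel is NATed out to the Internet.
match out on $ext_if from <vpn_only> nat-to ($ext_if)

# Any other HTTP request from the wireless segment lands on the instruction page.
match in on $wifi_if inet proto tcp from $wifi_net to ! $wifi_gw port 80 \
    rdr-to $wifi_gw port 80

# Default deny; everything below is an explicit, stateful exception.
block log all

# Wireless clients may obtain an address and resolve names (needed to reach
# the page at all; the firewall is assumed to run a DNS forwarder).
pass in on $wifi_if inet proto udp from port bootpc to port bootps
pass in on $wifi_if inet proto udp from $wifi_net to $wifi_gw port domain

# They may reach the instruction page, directly or via the redirect above ...
pass in on $wifi_if inet proto tcp from $wifi_net to $wifi_gw port 80
# ... and build a PPTP tunnel to this box (TCP 1723 control channel plus GRE).
pass in on $wifi_if inet proto tcp from $wifi_net to $wifi_gw port 1723
pass in on $wifi_if inet proto gre from $wifi_net to $wifi_gw

# Decapsulated tunnel traffic is the only client traffic that goes onward.
# Nothing else from the wireless side survives the inbound rules, so the
# outbound rule on the upstream interface needs no source restriction.
pass in  on $vpn_if from <vpn_only>
pass out on $ext_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because the pass rules keep state, replies to DHCP, DNS, HTTP and the tunnel flow back without explicit outbound rules on the wireless interface; an unverified client that tries anything other than those four things hits the `block log all` line and shows up in pflog, which is also where you would look to confirm the redirect is catching browsers rather than letting them out.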