Re: [fw-wiz] Securing a wireless network

From: Jim Seymour (jseymour_at_linxnet.com)
Date: 10/29/04

  • Next message: Mark Teicher: "Re: [fw-wiz] Re: Ethics, morality and the industry"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 29 Oct 2004 13:52:36 -0400 (EDT)
    
    

    <chris@compucounts.com> wrote:
    >
    > At my so-called place of business, there exists a completely insecure
    > public wireless network that I wish to lock down (ignoring WEP, Radius,
    > and other wireless security methods).

    Well, WEP is basically worthless, so I can understand that. But why
    ignore WPA + RADIUS? You do understand that WEP or WPA is more than
    just identification/authentication, right? They also provide wireless
    encryption, without which you might as well be sending a traffic feed
    to the local radio broadcast station.

    Even WPA-PSK might be "acceptable" (with a suitably-long PSK), *if* you
    can tolerate the labour involved when a client has to be eliminated
    from WLAN access.

    >
    > I am looking for a means of forcing 'unverified' clients (by MAC
    > address?; not at all worried about spoofing) to run a script or program
    > of some sort before being able to interface with other network devices
    > (to scan for viruses, check software configuration, and whatever
    > else).
    [snip]

    Okay, quarantining mobile devices freshly-arrived on the $corp network
    is a good idea. But you're going to grant network access based on the
    MAC address, and you aren't concerned about MAC address spoofing? And
    on a WLAN w/o encryption?

    >
    > The general idea:
    > - unknown client connects to network and obtains IP from DHCP
    > - client opens web browser, and is redirected to some generic page with
    > instructions
    > - client follows instructions, runs script
    > - <slightly hazy with a chance of rain>
    > - client is assigned new [IP|VLAN|something else] and is able to
    > connect to the rest of the network

    - Bad guy sniffing WLAN logs all this, waits for auth'd client to go
    away, becomes auth'd client with spoofed MAC.

    >
    [snip]
    >
    > Can anyone point me in some direction or offer a different solution?
    [snip]

    WPA + FreeRADIUS, for starters. Haven't really come up with a good
    idea for semi-automatically handling client decontamination, yet.

    Jim
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
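As an added illustration of the "WPA + FreeRADIUS, for starters" advice above (this is not part of Jim's message or the original thread), here is a hostapd configuration showing the weak setup the original poster describes (open WLAN, access keyed on a MAC allow-list) next to the corrected one (WPA2 with 802.1X/EAP, authenticating against a RADIUS server such as FreeRADIUS). Interface name, SSID, channel, the 192.0.2.x addresses, and the shared-secret placeholder are assumptions chosen for the example; the option names are standard hostapd.conf keys.

```ini
# --- WEAK: open network, "security" is a MAC allow-list ---------------------
# Anyone within radio range sees every frame in the clear, and any MAC that
# appears in the allow-list can be copied by an observer; this is the setup
# the thread is warning against.
interface=wlan0            # assumed interface name
driver=nl80211             # assumed driver for a modern Linux AP
ssid=CorpWLAN              # assumed SSID
hw_mode=g
channel=6
macaddr_acl=1              # 1 = only MACs in accept_mac_file may associate
accept_mac_file=/etc/hostapd/hostapd.accept

# --- CORRECTED: WPA2 + 802.1X (EAP) against a RADIUS server -----------------
# Each client authenticates with its own credential (user/password or a
# client certificate, decided on the RADIUS side), the air link is encrypted
# with per-session keys, and revoking one user means disabling one account
# in RADIUS rather than re-keying every client (the WPA-PSK labour problem).
interface=wlan0
driver=nl80211
ssid=CorpWLAN
hw_mode=g
channel=6
ieee8021x=1                # run the 802.1X authenticator
wpa=2                      # WPA2 (RSN) only; 1 = WPA, 3 = both
wpa_key_mgmt=WPA-EAP       # EAP via RADIUS, not a pre-shared key
wpa_pairwise=CCMP          # AES-CCMP, not TKIP/RC4
rsn_pairwise=CCMP
auth_server_addr=192.0.2.10            # assumed FreeRADIUS address
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET   # placeholder
own_ip_addr=192.0.2.1                  # assumed AP address (NAS-IP-Address)
```

The two stanzas are shown side by side for contrast; a real hostapd.conf contains one of them. On the FreeRADIUS side the AP must be listed as a client with the same shared secret (in clients.conf), and the per-user or per-certificate policy lives there, which is also where a "quarantine" outcome for a not-yet-checked client could be expressed, for example by returning a VLAN assignment in the Access-Accept instead of keying network placement on the MAC address.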

