Re: [fw-wiz] Securing a wireless network
From: Jim Seymour (jseymour_at_linxnet.com)
To: email@example.com
Date: Fri, 29 Oct 2004 13:52:36 -0400 (EDT)
> At my so-called place of business, there exists a completely insecure
> public wireless network that I wish to lock down (ignoring WEP, Radius,
> and other wireless security methods).
Well, WEP is basically worthless, so I can understand that. But why
ignore WPA + RADIUS? You do understand that WEP or WPA is more than
just identification/authentication, right? They also provide wireless
encryption, without which you might as well be sending a traffic feed
to the local radio broadcast station.
Even WPA-PSK might be "acceptable" (with a suitably-long PSK), *if* you
can tolerate the labour involved when a client has to be eliminated
from WLAN access.
> I am looking for a means of forcing 'unverified' clients (by MAC
> address?; not at all worried about spoofing) to run a script or program
> of some sort before being able to interface with other network devices
> (to scan for viruses, check software configuration, and whatever
Okay, quarantining mobile devices freshly-arrived on the $corp network
is a good idea. But you're going to grant network access based on the
MAC address, and you aren't concerned about MAC address spoofing? And
on a WLAN w/o encryption?
> The general idea:
> - unknown client connects to network and obtains IP from DHCP
> - client opens web browser, and is redirected to some generic page with
> - client follows instructions, runs script
> - <slightly hazy with a chance of rain>
> - client is assigned new [IP|VLAN|something else] and is able to
> connect to the rest of the network
- Bad guy sniffing WLAN logs all this, waits for auth'd client to go
away, becomes auth'd client with spoofed MAC.
> Can anyone point me in some direction or offer a different solution?
WPA + FreeRADIUS, for starters. Haven't really come up with a good
idea for semi-automatically handling client decontamination, yet.
firewall-wizards mailing list
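The following is an added example, not code from the post or the list, that models the MAC-gated captive portal the original poster sketches and the sniff-and-spoof attack Jim appends to it. The `Gateway` and `Sniffer` classes, the `send()` helper and every MAC address and IP address in it are hypothetical and constructed for the demonstration; the gateway decides purely on source MAC, exactly as the proposed design would.

```python
"""Toy model: a captive portal that authorizes by MAC address on an open WLAN,
and a passive sniffer that clones an authorized MAC once its owner leaves.
Added example; classes, MACs and addresses below are all constructed."""

from dataclasses import dataclass, field

PORTAL = "10.0.0.1"      # captive-portal web server (constructed address)
INTERNAL = "10.0.5.20"   # some host behind the gateway (constructed address)


@dataclass
class Gateway:
    """The poster's design: unknown MACs reach only the portal, MACs that
    have 'run the script' reach everything. Hypothetical model."""
    authorized: set = field(default_factory=set)

    def forward(self, src_mac: str, dst_ip: str) -> bool:
        """Forwarding decision keyed on nothing but the source MAC."""
        return dst_ip == PORTAL or src_mac in self.authorized

    def portal_script_done(self, src_mac: str) -> None:
        """The 'client follows instructions, runs script' step. All the
        gateway learns is which MAC the HTTP request came from, so that is
        all it can bind the grant to."""
        self.authorized.add(src_mac)


@dataclass
class Sniffer:
    """An attacker's passive capture on the unencrypted WLAN. Without WEP/WPA
    every request and reply is readable, so the attacker can tell which
    stations are already past the portal."""
    frames: list = field(default_factory=list)
    known_good: set = field(default_factory=set)

    def observe_request(self, src_mac: str, dst_ip: str) -> None:
        self.frames.append(("req", src_mac, dst_ip))

    def observe_reply(self, src_ip: str, dst_mac: str) -> None:
        self.frames.append(("reply", src_ip, dst_mac))
        # A reply from a non-portal host proves that MAC is authorized.
        if src_ip != PORTAL:
            self.known_good.add(dst_mac)

    def pick_target(self):
        """Choose an authorized MAC to clone (any will do)."""
        return next(iter(sorted(self.known_good)), None)


def send(gw: Gateway, snf: Sniffer, src_mac: str, dst_ip: str) -> bool:
    """One request on the air, plus the reply if the gateway forwards it.
    The sniffer sees both halves because the WLAN is unencrypted."""
    snf.observe_request(src_mac, dst_ip)
    forwarded = gw.forward(src_mac, dst_ip)
    if forwarded:
        snf.observe_reply(dst_ip, src_mac)
    return forwarded


def simulate() -> dict:
    """Walk through the poster's flow, then Jim's added last step."""
    gw, snf = Gateway(), Sniffer()
    legit = "00:11:22:33:44:55"      # constructed
    attacker = "66:77:88:99:aa:bb"   # constructed
    r = {}

    # Unknown client gets an address and is held in quarantine.
    r["legit_quarantined"] = send(gw, snf, legit, INTERNAL)     # False
    send(gw, snf, legit, PORTAL)                                # portal is reachable
    gw.portal_script_done(legit)                                # script ran, MAC authorized
    r["legit_after_script"] = send(gw, snf, legit, INTERNAL)    # True

    # Attacker with its own MAC is still stuck at the portal.
    r["attacker_own_mac"] = send(gw, snf, attacker, INTERNAL)   # False

    # Legit client goes away; attacker clones the MAC it saw get replies.
    spoofed = snf.pick_target()
    r["spoofed_mac"] = spoofed
    r["attacker_spoofed"] = send(gw, snf, spoofed, INTERNAL)    # True
    return r


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The point the model makes is that nothing in the grant distinguishes the two stations: the gateway never saw anything the attacker could not also see and reproduce, which is why the reply steers toward WPA with RADIUS, where the per-client credential and the resulting link encryption keep the sniffer from learning anything usable.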