Re: [fw-wiz] Securing a wireless network
From: Jim Seymour (jseymour_at_linxnet.com)
Date: 10/29/04
- Previous message: Paul D. Robertson: "RE: [fw-wiz] Re: Ethics, morality and the industry"
- In reply to: chris_at_compucounts.com: "[fw-wiz] Securing a wireless network"
- Next in thread: Michael H: "Re: [fw-wiz] Securing a wireless network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Fri, 29 Oct 2004 13:52:36 -0400 (EDT)
<chris@compucounts.com> wrote:
>
> At my so-called place of business, there exists a completely insecure
> public wireless network that I wish to lock down (ignoring WEP, Radius,
> and other wireless security methods).
Well, WEP is basically worthless, so I can understand that. But why
ignore WPA + RADIUS? You do understand that WEP or WPA is more than
just identification/authentication, right? They also provide wireless
encryption, without which you might as well be sending a traffic feed
to the local radio broadcast station.
Even WPA-PSK might be "acceptable" (with a suitably-long PSK), *if* you
can tolerate the labour involved when a client has to be eliminated
from WLAN access.
>
> I am looking for a means of forcing 'unverified' clients (by MAC
> address?; not at all worried about spoofing) to run a script or program
> of some sort before being able to interface with other network devices
> (to scan for viruses, check software configuration, and whatever
> else).
[snip]
Okay, quarantining mobile devices freshly-arrived on the $corp network
is a good idea. But you're going to grant network access based on the
MAC address, and you aren't concerned about MAC address spoofing? And
on a WLAN w/o encryption?
>
> The general idea:
> - unknown client connects to network and obtains IP from DHCP
> - client opens web browser, and is redirected to some generic page with
> instructions
> - client follows instructions, runs script
> - <slightly hazy with a chance of rain>
> - client is assigned new [IP|VLAN|something else] and is able to
> connect to the rest of the network
- Bad guy sniffing WLAN logs all this, waits for auth'd client to go
away, becomes auth'd client with spoofed MAC.
>
[snip]
>
> Can anyone point me in some direction or offer a different solution?
[snip]
WPA + FreeRADIUS, for starters. Haven't really come up with a good
idea for semi-automatically handling client decontamination, yet.
Jim
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
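Added example, not from the thread or from either poster: three hostapd.conf fragments contrasting the setup the original poster describes (an open WLAN gated on MAC address) with the two alternatives Jim raises, WPA-PSK with a long passphrase and WPA + RADIUS (802.1X/EAP, e.g. FreeRADIUS). Interface name, SSID, RADIUS address, NAS identifier, passphrase and shared secret are placeholders; WPA2/CCMP is used where a 2004 deployment would have had WPA/TKIP, which is an updating assumption on my part.

```ini
# ---------------------------------------------------------------
# 1. What the poster has: open WLAN, "authorisation" by MAC list.
#    Every frame is readable by anyone in radio range, and a MAC
#    from the accept list can be cloned as soon as its owner leaves.
# ---------------------------------------------------------------
interface=wlan0
driver=nl80211
ssid=corp-wifi
hw_mode=g
channel=6
auth_algs=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
# no wpa= line: no encryption, no per-client keys

# ---------------------------------------------------------------
# 2. WPA-PSK: one long passphrase shared by every client.
#    Acceptable if you can stand re-keying every device each time
#    one client has to be removed (the labour Jim refers to).
#    hostapd accepts a passphrase of 8-63 printable ASCII characters;
#    use something near the top of that range.
# ---------------------------------------------------------------
interface=wlan0
driver=nl80211
ssid=corp-wifi
hw_mode=g
channel=6
auth_algs=1
macaddr_acl=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=placeholder-replace-with-a-long-random-passphrase-0123456789

# ---------------------------------------------------------------
# 3. WPA + RADIUS (802.1X/EAP): per-user credentials, per-session
#    keys. Removing a client is disabling one account on the RADIUS
#    server; the other clients are untouched.
# ---------------------------------------------------------------
interface=wlan0
driver=nl80211
ssid=corp-wifi
hw_mode=g
channel=6
auth_algs=1
macaddr_acl=0
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=0
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=placeholder-radius-shared-secret
nas_identifier=ap1.example.net
```

For fragment 3 the RADIUS server needs a matching entry for the access point (in FreeRADIUS, a client stanza in clients.conf with the same shared secret), and supplicants need the EAP method and server certificate configured, so the rollout is more work up front than the PSK case; the payoff is exactly the revocation problem Jim points at. In all three fragments macaddr_acl is shown explicitly so the MAC list in fragment 1 is visibly the only thing standing between an eavesdropper and the network.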