Re: [fw-wiz] Securing a wireless network

From: Jim Seymour (jseymour_at_linxnet.com)
Date: 10/29/04

  • Next message: Mark Teicher: "Re: [fw-wiz] Re: Ethics, morality and the industry"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 29 Oct 2004 13:52:36 -0400 (EDT)
    
    

    <chris@compucounts.com> wrote:
    >
    > At my so-called place of business, there exists a completely insecure
    > public wireless network that I wish to lock down (ignoring WEP, Radius,
    > and other wireless security methods).

    Well, WEP is basically worthless, so I can understand that. But why
    ignore WPA + RADIUS? You do understand that WEP or WPA is more than
    just identification/authentication, right? They also provide wireless
    encryption, without which you might as well be sending a traffic feed
    to the local radio broadcast station.

    Even WPA-PSK might be "acceptable" (with a suitably-long PSK), *if* you
    can tolerate the labour involved when a client has to be eliminated
    from WLAN access.

    >
    > I am looking for a means of forcing 'unverified' clients (by MAC
    > address?; not at all worried about spoofing) to run a script or program
    > of some sort before being able to interface with other network devices
    > (to scan for viruses, check software configuration, and whatever
    > else).
    [snip]

    Okay, quarantining mobile devices freshly-arrived on the $corp network
    is a good idea. But you're going to grant network access based on the
    MAC address, and you aren't concerned about MAC address spoofing? And
    on a WLAN w/o encryption?

    >
    > The general idea:
    > - unknown client connects to network and obtains IP from DHCP
    > - client opens web browser, and is redirected to some generic page with
    > instructions
    > - client follows instructions, runs script
    > - <slightly hazy with a chance of rain>
    > - client is assigned new [IP|VLAN|something else] and is able to
    > connect to the rest of the network

    - Bad guy sniffing WLAN logs all this, waits for auth'd client to go
    away, becomes auth'd client with spoofed MAC.

    >
    [snip]
    >
    > Can anyone point me in some direction or offer a different solution?
    [snip]

    WPA + FreeRADIUS, for starters. Haven't really come up with a good
    idea for semi-automatically handling client decontamination, yet.

    Jim
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Mark Teicher: "Re: [fw-wiz] Re: Ethics, morality and the industry"