Re: [fw-wiz] Securing a wireless network

From: Morrow (morrow.long_at_yale.edu)
Date: 10/31/04

    To: firewall-wizards@honor.icsalabs.com, Mark D Robinson <mrobinso@fpkc.com>, chris@compucounts.com, Tony Rall <trall@almaden.ibm.com>
    Date: Sat, 30 Oct 2004 21:45:09 -0400

    The Internet2 Salsa document draft you cited is a fantastic resource.

    In addition to the network access control systems sold commercially it
    references:

            Bradford Campus Manager
            Perfigo (now acquired by Cisco)

    there are also many systems sold specifically for securing wireless
    networks (usually adding 802.1X for authentication and/or web-based auth;
    an agent including an EAP 'supplicant' can also act as a host-based scanner
    agent, patch checker, firewall/IDS, etc.). If you are a more recent
    wireless vendor with a security solution and I've left you out, please
    forgive me...

            Aruba www.arubanetworks.com
            BlueSocket www.bluesocket.com
            Cranite Systems http://www.cranite.com/
            Ecutel www.ecutel.com
            Fortress Tech http://www.fortresstech.com/
            ReefEdge www.reefedge.com
            Vernier www.vernier.com

    Harvard Medical School and the Boston Public Library have used
    BlueSocket.

    A number of other institutions have used the other commercial solutions
    above.

    An article (that is now a bit dated) covers the subject from Network
    World Dec 02:
            http://www.nwfusion.com/news/2002/1202earlywlan.html

    Many Universities have 'rolled' their own quarantine/isolation systems by
    using a combination of integrating public domain and commercial systems
    for:

    * mandatory network registration (NetReg -- the Southwest or a variant)

    * DHCP servers

    * VLANs and/or RFC1918 subnets

    * network vulnerability assessment scanners (Nessus or NASL modules)

    * Windows host-based security assessment agents (home-built or commercial)
            to check patch management and the existence/operation of A/V, S/W F/W,
            HIDS, policies, etc.

    * Routers using ACLs (Access Control Lists), Firewalls or IPSes to limit
            access off the wireless network

    * 'NoCatAuth' captive web portals -- redirection servers to 'capture' the
            captive systems' web browser sessions and put up pages explaining why
            the PC is isolated, how to get out of quarantine (via patching,
            sanitization, downloading/installing an agent program, registering
            the PC, etc.) as well as providing A/V software, worm removal tools &
            patch downloads (e.g. MS SUS/WUS servers).

    Many Universities and colleges use such systems to attempt to control the
    masses of residential (dorm) student PCs connecting to their campus
    networks (initially these network access control systems were for wired
    networks and now are also used for authenticating & screening PCs before
    allowing them access from wireless network connections).

    H. Morrow Long, CISSP, CISM
    Director - Information Security Office
    Yale University, ITS

    On Oct 29, 2004, at 10:12 PM, Mark D Robinson wrote:
    > You might try looking through the list archives. I vaguely remember a
    > discussion about a custom system that was set up on a university network
    > to enforce up-to-date security settings (patch level, AV updates, etc.)
    > before the host was given access. Unfortunately, I don't remember any
    > specifics right this minute, but I do remember being pretty impressed
    > from the description. I think that some or all of the software was
    > freely available. It was probably last year or early this year. Someone
    > else on the list may remember more.
    >
    > This might also help:
    > "Strategies for Automating Network Policy Enforcement"
    > er
    >
    > HTH
    >
    >
    > Mark Robinson
    > IT Manager
    > Frilot, Partridge, Kohnke & Clements, L.C.
    >
    >
    > -----Original Message-----
    > ...
    > A few other relevant solutions have been suggested, but they're all
    > retail. I was actually expecting more of the 'free unix' approach;
    > maybe I've been on Full-Disclosure for too long ;).
    > ...
    >
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
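The "rolled your own" quarantine recipe in Morrow's post (network registration, host assessment agent, isolation VLAN, captive portal and reachable patch server) as a small policy engine. This is an added example, not code from the post or from any of the products named; the registration records, agent results, VLAN numbers, portal/patch-server addresses and the iptables-style rule text are all constructed assumptions.

```python
"""Toy campus NAC quarantine decision: registration + host assessment -> VLAN + ACL."""
from dataclasses import dataclass

PORTAL = "10.1.0.10"        # assumed captive-portal host (NoCatAuth-style redirector)
PATCH_SERVER = "10.1.0.20"  # assumed SUS/WUS + A/V download host
VLAN = {"production": 100, "quarantine": 666}  # assumed VLAN ids

@dataclass
class Assessment:
    patched: bool        # patch level current
    av_running: bool     # A/V installed and running
    host_firewall: bool  # software firewall enabled

# constructed sample data: NetReg-style MAC -> owner, and MAC -> agent report
REGISTERED = {"00:11:22:33:44:55": "alice", "00:11:22:33:44:66": "bob"}
ASSESSED = {
    "00:11:22:33:44:55": Assessment(True, True, True),
    "00:11:22:33:44:66": Assessment(False, True, True),  # bob is unpatched
}

def classify(mac):
    """Return (vlan, reason). Unregistered hosts and hosts with no or a failing
    assessment are placed in the isolation VLAN; only fully compliant,
    registered hosts reach production."""
    if mac not in REGISTERED:
        return VLAN["quarantine"], "unregistered"
    a = ASSESSED.get(mac)
    if a is None:
        return VLAN["quarantine"], "not assessed"
    checks = (("patches", a.patched), ("antivirus", a.av_running),
              ("host firewall", a.host_firewall))
    failed = [name for name, ok in checks if not ok]
    if failed:
        return VLAN["quarantine"], "noncompliant: " + ", ".join(failed)
    return VLAN["production"], "ok"

def quarantine_rules(ip):
    """iptables-style rules (assumed syntax) for an isolated host: DNS, the
    portal and the patch server stay reachable, port-80 traffic is DNATed to
    the portal so the browser lands on the 'why you are isolated' page, and
    everything else leaving the isolation VLAN is dropped. DHCP is served on
    the VLAN itself, so it needs no forwarding rule."""
    return [
        f"-A FORWARD -s {ip} -p udp --dport 53 -j ACCEPT",
        f"-A FORWARD -s {ip} -d {PORTAL} -j ACCEPT",
        f"-A FORWARD -s {ip} -d {PATCH_SERVER} -j ACCEPT",
        f"-t nat -A PREROUTING -s {ip} -p tcp --dport 80 -j DNAT --to-destination {PORTAL}:80",
        f"-A FORWARD -s {ip} -j DROP",
    ]
```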

