Re: [fw-wiz] Hopefully not too OT

From: Jim MacLeod (
Date: 05/03/05

  • Next message: Paul Melson: "RE: [fw-wiz] Hopefully not too OT"
    Date: Tue, 03 May 2005 11:13:09 -0700

    >...I am trying to see where our
    >vulnerabilities lie. In my searching, I pondered long and hard on rogue wireless APs and contractor/vendor laptops with wireless enabled
    >becoming a potential vector...
    I don't think a jammer is going to fix your problem, but you've heard
    that from everyone else too.

    You need a method to control access to your network. Although a written
    policy is a useful tool to protect you and your company, it's not going
    to be the quick fix you're looking for. It provides a warning to users,
    and authority to you. However, like any rule, it may require smacking
    someone down before it's taken seriously. It also doesn't protect you
    against accidental misconfigurations.

    I think Ben's suggestion of disregarding "inside" and "outside" was the
    closest solution so far. You can't keep the people on your site from
    plugging stuff into the network, but you can keep that stuff from
    talking to anything else. Anything which requires authentication before
    communication should work.

    802.1x is designed to address this very issue by identity-verifying each
    node. Granted, the rollout is going to be tough, especially if you've
    got anything non-standard, which you probably do in a company that size.

    You could also set things up so that all of the employees access the
    servers via VPN. An SSL VPN wouldn't require deploying client software,
    but it could require rearchitecting your server strategy, and there'd
    still be user training issues.

    If you're seriously limited on budget, the smallest solution may be to
    set up computers on various networks to scan for wireless networks.
    These could be old PCs that have been rotated out of use, and the
    no-cost solution is to access each one periodically using VNC. Come to
    think of it, this idea was also suggested by Ben.

    Remember that any solution that's idiot-proof just hasn't been tested
    with a big enough idiot.

    firewall-wizards mailing list
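
The low-budget scanning idea in the message above, as an added example that is not part of the original post: a script a scan box could run to compare what it hears against an inventory of sanctioned access points. It assumes the scan is taken with the Linux `iwlist <iface> scan` command; the sample output, the `AUTHORIZED` inventory and the function names are constructed for illustration.

```python
import re

# Constructed sample of `iwlist <iface> scan` output (not captured from a real site).
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:AA:BB:01
                    ESSID:"CorpNet"
                    Channel:6
                    Encryption key:on
          Cell 02 - Address: 02:DE:AD:BE:EF:02
                    ESSID:"linksys"
                    Channel:11
                    Encryption key:off
          Cell 03 - Address: 00:11:22:CC:DD:03
                    ESSID:"CorpNet"
                    Channel:1
                    Encryption key:off
"""
# Hypothetical inventory of sanctioned access points: BSSID -> expected SSID.
AUTHORIZED = {"00:11:22:AA:BB:01": "CorpNet"}
CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
FIELD_RE = re.compile(r'^\s*(ESSID|Channel|Encryption key):"?([^"\n]*)"?\s*$')

def parse_scan(text):
    """Return one dict per cell: bssid plus whichever fields were printed."""
    cells = []
    for line in text.splitlines():
        cell = CELL_RE.search(line)
        field = FIELD_RE.match(line)
        if cell:
            cells.append({"bssid": cell.group(1).upper()})
        elif field and cells:
            cells[-1][field.group(1)] = field.group(2)
    return cells

def find_unsanctioned(cells, authorized):
    """Flag every cell whose (BSSID, SSID) pair is not in the inventory."""
    findings = []
    for c in cells:
        ssid = c.get("ESSID", "")
        if authorized.get(c["bssid"]) == ssid:
            continue
        reason = ("corporate SSID on uninventoried BSSID"
                  if ssid in authorized.values() else "not in inventory")
        findings.append((c["bssid"], ssid, reason, c.get("Encryption key")))
    return findings

if __name__ == "__main__":
    print(*find_unsanctioned(parse_scan(SAMPLE_SCAN), AUTHORIZED), sep="\n")
```

Run from cron on each scan box and mailed or logged centrally, this replaces the periodic VNC check with a report that only changes when something new shows up.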
