Re: [fw-wiz] Hopefully not too OT

From: Jim MacLeod (jmacleod_at_gmail.com)
Date: 05/03/05

  • Next message: Paul Melson: "RE: [fw-wiz] Hopefully not too OT"
    To: jimmy@chickenhollow.net
    Date: Tue, 03 May 2005 11:13:09 -0700
    
    

    jimmy@chickenhollow.net wrote:

    >...I am trying to see where our
    >vulnerabilities lie. In my searching, I pondered long and hard on rogue wireless APs and contractor/vendor laptops with wireless enabled
    >becoming a potential vector...
    >
    >
    I don't think a jammer is going to fix your problem, but you've heard
    that from everyone else too.

    You need a method to control access to your network. Although a written
    policy is a useful tool to protect you and your company, it's not going
    to be the quick fix you're looking for. It provides a warning to users,
    and authority to you. However, like any rule, it may require smacking
    someone down before it's taken seriously. It also doesn't protect you
    against accidental misconfigurations.

    I think Ben's suggestion of disregarding "inside" and "outside" was the
    closest solution so far. You can't keep the people on your site from
    plugging stuff into the network, but you can keep that stuff from
    talking to anything else. Anything which requires authentication before
    communication should work.

    802.1x is designed to address this very issue by identity-verifying each
    node. Granted, the rollout is going to be tough, especially if you've
    got anything non-standard, which you probably do in a company that size.

    You could also set things up so that all of the employees access the
    servers via VPN. An SSL VPN wouldn't require deploying client software,
    but it could require rearchitecting your server strategy, and there'd
    still be user training issues.

    If you're seriously limited on budget, the smallest solution may be to
    set up computers on various networks to scan for wireless networks.
    These could be old PCs that have been rotated out of use, and the
    no-cost solution is to access each one periodically using VNC. Come to
    think of it, this idea was also suggested by Ben.

    Remember that any solution that's idiot-proof just hasn't been tested
    with a big enough idiot.

    -Jim
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
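The low-budget idea in Jim's post (old PCs on each network segment scanning for wireless networks) only helps if someone compares what they see against the APs the company actually owns. The following is an added example, not code from the post or from the firewall-wizards list: it parses the text that Linux `iwlist <iface> scan` prints, compares each cell against a hypothetical inventory of known BSSIDs, and reports anything unknown, with an unknown AP advertising the corporate SSID ranked as the most worrying case. The scan text and the `KNOWN_APS` inventory below are constructed for the example; on a real scanner box you would feed it `subprocess.run(["iwlist", "wlan0", "scan"], ...)` output instead.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the shape `iwlist wlan0 scan` prints; the BSSIDs,
# SSIDs and signal values are made up for this example.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"CORP-WIFI"
                    Mode:Master
                    Channel:6
                    Encryption key:on
                    Quality=70/70  Signal level=-30 dBm
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"linksys"
                    Mode:Master
                    Channel:11
                    Encryption key:off
                    Quality=40/70  Signal level=-60 dBm
          Cell 03 - Address: 00:11:22:33:44:56
                    ESSID:"CORP-WIFI"
                    Mode:Master
                    Channel:1
                    Encryption key:on
                    Quality=65/70  Signal level=-35 dBm
"""

# Hypothetical inventory of the APs the network team owns: BSSID -> SSID.
KNOWN_APS: Dict[str, str] = {
    "00:11:22:33:44:55": "CORP-WIFI",
}


@dataclass
class Cell:
    bssid: str
    essid: str
    channel: int
    encrypted: bool
    signal_dbm: int


def parse_iwlist(text: str) -> List[Cell]:
    """Turn `iwlist scan` text into Cell records, one per 'Cell NN' block."""
    cells: List[Cell] = []
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})", line)
        if m:
            if fields is not None:
                cells.append(Cell(**fields))
            fields = {"bssid": m.group(1).upper(), "essid": "", "channel": 0,
                      "encrypted": False, "signal_dbm": 0}
            continue
        if fields is None:
            continue  # header lines before the first cell
        if line.startswith("ESSID:"):
            fields["essid"] = line[len("ESSID:"):].strip('"')
        elif line.startswith("Channel:"):
            fields["channel"] = int(line.split(":", 1)[1])
        elif line.startswith("Encryption key:"):
            fields["encrypted"] = line.endswith("on")
        else:
            s = re.search(r"Signal level=(-?\d+) dBm", line)
            if s:
                fields["signal_dbm"] = int(s.group(1))
    if fields is not None:
        cells.append(Cell(**fields))
    return cells


def find_rogues(cells: List[Cell], known: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (bssid, essid, reason) for every cell not in the inventory.

    An unknown BSSID that advertises one of our own SSIDs is flagged
    separately, since that is the case most likely to catch user traffic.
    """
    our_ssids = set(known.values())
    findings = []
    for c in cells:
        if c.bssid in known:
            continue
        if c.essid in our_ssids:
            reason = "unknown BSSID advertising our SSID"
        elif not c.encrypted:
            reason = "unknown open AP"
        else:
            reason = "unknown AP"
        findings.append((c.bssid, c.essid, reason))
    return findings


if __name__ == "__main__":
    for bssid, essid, reason in find_rogues(parse_iwlist(SAMPLE_SCAN), KNOWN_APS):
        print(f"{bssid}  {essid!r:14} {reason}")
```

Run from cron on each scanner box and mail the output (or push it to syslog) so the comparison happens without someone remembering to VNC in; a BSSID inventory rather than an SSID allowlist is what makes the third cell above stand out, because its SSID alone would look legitimate.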
