RE: Wireless access

From: Keith T. Morgan (keith.morgan_at_terradon.com)
Date: 03/27/04

Next message: Simon and Sara Zuckerbraun: "RE: Re[2]: Encryption on Laptops?"

Date: Fri, 26 Mar 2004 22:11:43 -0500
To: <jswhitford@acm.org>, <security-basics@securityfocus.com>

    <snip>
    > >make things easier in their eyes. Unless I leave everything
    > wide open
    > >it's probably easier to plug an Ethernet cable in the PC.
    >
    > I'd put the access point outside the firewall if you have the
    > public DHCP address space. If not I'd put it on an isolated
    > DMZ segment. SSID of "meetingroom" or "visitor" with WEP
    > disabled. That gives them the Internet with no more rights
    > than any other outsider.
    <snip>

    I'd second this. I think the DMZ interface of a firewall is probably
    the best way to go. Give out DHCP and let them connect up. We've
    deployed things in this manner once or twice with some added bells and
    whistles like IPsec VPN (only) access to the internal networks from the
    wireless segment, should someone from your organization need to be in
    there and using the wireless segment along with "untrusted visitors."
    Another recommendation might be to have pretty verbose firewall logging
    on the DMZ interface, and in a perfect world, an IDS sensor listening.
    This should catch nefarious visitors up to no good. We've detected
    war-drivers a couple of times this way. One of these days we might
    actually physically catch one if we can react quickly enough and find the
    pesky bugger.

    Bottom line, as John noted, treat that interface and all nodes on it as
    completely untrusted.


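The policy described in the thread (DHCP for visitors, IPsec only toward the gateway, nothing else into internal space, the Internet open, and verbose logging on the DMZ interface) encoded as a check that runs over firewall log lines. This is an added example, not code from the original post or from the poster's organization. The addressing (wireless DMZ 192.168.100.0/24, firewall DMZ interface 192.168.100.1 terminating IPsec, RFC 1918 space treated as internal), the `WDMZ` log prefix and the sample log lines are all assumptions constructed for the example; the log format is that of the Linux iptables LOG target.

```python
"""Wireless-DMZ policy check run over firewall log lines.

Added example, not code from the original thread.  Assumed addressing:
  wireless DMZ segment   192.168.100.0/24 (firewall DMZ interface 192.168.100.1)
  internal networks      RFC 1918 space, which also covers the firewall itself
  IPsec gateway          the firewall's DMZ interface address
Log lines follow the Linux iptables LOG target format (SRC=/DST=/PROTO=/DPT=).
"""
import ipaddress
import re
from collections import Counter

WIRELESS_NET = ipaddress.ip_network("192.168.100.0/24")   # assumed
FIREWALL_DMZ_IP = ipaddress.ip_address("192.168.100.1")   # assumed
VPN_GATEWAY = FIREWALL_DMZ_IP                              # assumed: firewall terminates IPsec
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def policy(src, dst, proto, dport=None):
    """Verdict for one flow seen on the wireless DMZ interface.

    Encodes the thread's advice: hand out DHCP, let IPsec (IKE on UDP 500/4500
    and ESP) reach the gateway, drop everything else aimed at internal space,
    and let the rest out to the Internet.  Returns (verdict, reason).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto == "UDP" and dport in (67, 68):          # DHCP (src may be 0.0.0.0)
        return ("allow", "dhcp")
    if src_ip not in WIRELESS_NET:
        return ("ignore", "not sourced from the wireless segment")
    if dst_ip == VPN_GATEWAY and (proto == "ESP" or
                                  (proto == "UDP" and dport in (500, 4500))):
        return ("allow", "ipsec")
    if any(dst_ip in net for net in INTERNAL_NETS):   # includes the firewall's own DMZ address
        return ("deny", "internal")
    return ("allow", "internet")


LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
                    r"(?:.*? DPT=(?P<dport>\d+))?")


def parse_log_line(line):
    """Pull src/dst/proto/dport out of an iptables LOG line; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dport": int(m["dport"]) if m["dport"] else None}


def audit(lines):
    """Return (denied_flows, denies_per_source) for a batch of log lines."""
    denied, per_source = [], Counter()
    for line in lines:
        flow = parse_log_line(line)
        if flow is None:
            continue
        verdict, reason = policy(flow["src"], flow["dst"], flow["proto"], flow["dport"])
        if verdict == "deny":
            denied.append((flow["src"], flow["dst"], flow["proto"], flow["dport"], reason))
            per_source[flow["src"]] += 1
    return denied, per_source


def noisy_sources(per_source, threshold=2):
    """Sources with at least `threshold` denied flows: worth a walk to the meeting room."""
    return sorted(s for s, n in per_source.items() if n >= threshold)


# Constructed sample log (not real traffic): one visitor probing SMB on the
# internal LAN, an employee bringing up an IPsec tunnel, a DHCP discover,
# ordinary web traffic, and a single SNMP probe from a third host.
SAMPLE_LOG = [
    "Mar 27 21:40:12 fw kernel: WDMZ IN=eth2 OUT=eth1 SRC=192.168.100.57 DST=10.1.5.20 LEN=60 TTL=63 PROTO=TCP SPT=40021 DPT=445 SYN",
    "Mar 27 21:40:12 fw kernel: WDMZ IN=eth2 OUT=eth1 SRC=192.168.100.57 DST=10.1.5.20 LEN=60 TTL=63 PROTO=TCP SPT=40022 DPT=139 SYN",
    "Mar 27 21:41:03 fw kernel: WDMZ IN=eth2 OUT= SRC=192.168.100.23 DST=192.168.100.1 LEN=256 TTL=64 PROTO=UDP SPT=500 DPT=500 LEN=236",
    "Mar 27 21:41:04 fw kernel: WDMZ IN=eth2 OUT= SRC=192.168.100.23 DST=192.168.100.1 LEN=120 TTL=64 PROTO=ESP SPI=0x0a1b2c3d",
    "Mar 27 21:42:30 fw kernel: WDMZ IN=eth2 OUT= SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TTL=128 PROTO=UDP SPT=68 DPT=67 LEN=308",
    "Mar 27 21:43:11 fw kernel: WDMZ IN=eth2 OUT=eth0 SRC=192.168.100.57 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=40050 DPT=80 SYN",
    "Mar 27 21:44:57 fw kernel: WDMZ IN=eth2 OUT=eth1 SRC=192.168.100.88 DST=10.0.0.5 LEN=70 TTL=63 PROTO=UDP SPT=1034 DPT=161 LEN=50",
]

if __name__ == "__main__":
    denied_flows, denies_per_source = audit(SAMPLE_LOG)
    for entry in denied_flows:
        print("DENY", entry)
    print("noisy sources:", noisy_sources(denies_per_source))
```

The same `policy()` function is what the firewall rules on the DMZ interface should implement; running it over the firewall's own LOG output is a cheap way to confirm the ruleset behaves as intended and to surface the hosts that keep knocking on the internal side, which is the signal the thread describes using to spot war-drivers.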
