Security Basics mailing list archives
RE: Wireless access
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Fri, 26 Mar 2004 22:11:43 -0500
<snip>
make things easier in their eyes. Unless I leave everything wide open it's probably easier to plug an Ethernet cable in the PC.

I'd put the access point outside the firewall if you have the public DHCP address space. If not I'd put it on an isolated DMZ segment. SSID of "meetingroom" or "visitor" with WEP disabled. That gives them the Internet with no more rights than any other outsider.
<snip>

I'd second this. I think the DMZ interface of a firewall is probably the best way to go. Give out DHCP and let them connect up. We've deployed things in this manner once or twice with some added bells and whistles like IPSEC VPN (only) access to the internal networks from the wireless segment, should someone from your organization need to be in there and using the wireless segment along with "untrusted visitors."

Another recommendation might be to have pretty verbose firewall logging on the dmz interface, and in a perfect world, an IDS sensor listening. This should catch nefarious visitors up to no good. We've detected war-drivers a couple of times this way. One of these days we might actually physically catch one if we can react quick enough and find the pesky bugger.

Bottom line, as John noted, treat that interface and all nodes on it as completely untrusted.
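One way to put the verbose DMZ-interface logging recommended above to work, as an added example that is not part of the original message: a Python pass over Linux netfilter LOG lines that flags any wireless-segment host reaching the internal network with anything other than IPsec. The subnets, VPN gateway address, log prefix, threshold and sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed addressing for illustration; none of it comes from the original post.
WIRELESS_DMZ = ipaddress.ip_network("192.168.50.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
VPN_GATEWAY = ipaddress.ip_address("10.0.0.5")
SWEEP_THRESHOLD = 3  # distinct internal (host, port) targets from one source
FIELD = re.compile(r"(\w+)=(\S+)")

def is_ipsec(f):
    """True for IKE (UDP 500), NAT-T (UDP 4500) or ESP sent to the VPN gateway."""
    if ipaddress.ip_address(f["DST"]) != VPN_GATEWAY:
        return False
    return f["PROTO"] == "ESP" or (f["PROTO"] == "UDP" and f.get("DPT") in ("500", "4500"))

def review(lines):
    """Map each wireless source to its non-IPsec attempts at the internal network."""
    report = defaultdict(lambda: {"violations": 0, "targets": set(), "sweep": False})
    for line in lines:
        f = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO"} <= f.keys():
            continue  # not a packet log line
        src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        if src not in WIRELESS_DMZ or dst not in INTERNAL or is_ipsec(f):
            continue  # Internet-bound traffic and VPN traffic are expected
        entry = report[f["SRC"]]
        entry["violations"] += 1
        entry["targets"].add((f["DST"], f.get("DPT", "-")))
        entry["sweep"] = len(entry["targets"]) >= SWEEP_THRESHOLD
    return dict(report)

# Constructed sample lines in the Linux netfilter LOG format.
PREFIX = "Mar 26 22:01:10 fw kernel: WLAN-DMZ: IN=eth2 OUT=eth0 "
SAMPLE = [PREFIX + s for s in (
    "SRC=192.168.50.23 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=80",
    "SRC=192.168.50.23 DST=10.0.0.5 PROTO=UDP SPT=500 DPT=500",
    "SRC=192.168.50.23 DST=10.0.0.5 PROTO=ESP SPI=0x1a2b3c4d",
    "SRC=192.168.50.77 DST=10.0.1.10 PROTO=TCP SPT=51000 DPT=445",
    "SRC=192.168.50.77 DST=10.0.1.10 PROTO=TCP SPT=51001 DPT=139",
    "SRC=192.168.50.77 DST=10.0.1.11 PROTO=TCP SPT=51002 DPT=445",
    "SRC=192.168.50.40 DST=10.0.0.5 PROTO=TCP SPT=40200 DPT=22",
)]

if __name__ == "__main__":
    for src, entry in review(SAMPLE).items():
        print(src, entry["violations"], "sweep" if entry["sweep"] else "probe")
```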