RE: Wireless access

[Joe Thompson <jt () techforless com>]

There are a hundred ways to set this up, and there have been quite a few 
good (however partial) answers.

On our networks here we use a combination of things, one is the individual 
separation of our wireless network with it's own dedicated firewall.  This 
allows us to restrict everything separately without having to muck around 
with the rest of our production architecture.  Though the DMZ idea is nice, 
the complete separation of subnets via dedicated firewall's reduces risk of 
a breach to the main firewall, and allows me to change nearly anything 
without fear of affecting the production network.  All traffic destined for 
the production network is handled via VPN and anything else is purely 
"guest" traffic anyhow.

Authentication is handled via certificates and radius, and we use 128 bit 
WEP to make it less inviting for passers by.  A separate snort monitor 
sit's on the same subnet.

Because we use this network primarily for testing, the firewall is quite 
restrictive, most notably we do not allow port 25 access (so as to avoid 
the possibility of unsolicited mail getting out).  When someone need's 
access to a particular service or port to be unrestricted we simply throw a 
static entry into our DHCP setup, kick the rules into our firewall, and let 
them through.  When access is no longer needed we remove all the entries. 
(this is rarely needed as most any legitimate access is handled via the VPN 
connection)

Yes, this is a lot of work on the admin side, bear in mind that most 
firewall's (if not all currently on the market) have fancy web based 
management interfaces, and anything done with IPtables can be easily 
scripted.  The hard part is the initial setup but this tends to run 
extremely smooth for our needs.

Joe Thompson

> On Fri, 2004-03-26 at 14:42, Robert Mezzone wrote:
> How do you handle wireless network security in a corporate environment? A
> couple of the people here want me to setup a wireless network so visitors
> can setup there laptop in a conference room, or anywhere in the office
> and connect to the network, internet not our internal network. I'm not to
> comfortable with this idea but I don't have the final say. It sounds
> like I would have to leave MAC access control turned off, or obtain the
> users MAC address then enter it into control list, and also provide the
> visitor with the SSID and the WEP password. Am I correct in this
> assumption. Wireless networking was suppose to make things easier in
> their eyes. Unless I leave everything wide open it's probably easier to
> plug an Ethernet cable in the PC.
>
> > -----Original Message-----
> > From: Peter Martin [mailto:Peter.Martin () macquarie com]
> > Sent: Friday, March 26, 2004 12:45 AM
> > To: Paul John Summers; security-basics () securityfocus com
> > Subject: RE: Wireless access
> >
> > Most, if not all wireless access points and/or routers will have built-in
> > MAC access control. Usually very simple - just turn it on and add the
> > addresses you wish to allow access.
> >
> > The problem is, like you said, that it is very easy to spoof a MAC
> > address and get around this security. However, for home users, setting
> > an SSID (and NOT something recognisable like "John Smith Home Internet
> > Share"), turning on WEP (or WPA if the devices support it) encryption
> > with a non-easily guessed password, and setting MAC access control;
> > should be more then enough for a user to feel safe.
> >
> > Regards,
> > Peter Martin
> > Network Engineer
> >
> > -----Original Message-----
> > From: Paul John Summers [mailto:paul_john_summers () hotmail com]
> > Sent: Friday, 26 March 2004 6:27 AM
> > To: security-basics () securityfocus com
> > Subject: RE: Wireless access
> >
> >
> > And addendum to that question, do any wireless routers contain tools so
> > that you can block all but specific hardware addresses? That is, my home
> > wireless router would block all but my hardware address, much like
> > hard-wired networks often require registration of hardware addresses
> > before allowing a new system to access it. I do believe there are
> > methods of spoofing hardware addresses but that aside, do wireless
> > routers have capabilities for this
> >
> > sort of thing that a home user could easily administer to better secure
> > their home network?
> >
> > Disclaimer: I'm also a newbie so please forgive any misconceptions or
> > false assumptions!
> >
> >
> > From: "Bruyere, Michel" <mbruyere () ezemcanada com>
> > To: security-basics () securityfocus com
> > Subject: Wireless access
> > Date: Thu, 25 Mar 2004 08:36:05 -0500
> >
> > Hi,
> >         I have a user who uses a wireless network at home. He just asked
> > me
> > (it's a director) to find a way to avoid his laptop (Toshiba tecra
> > running
> > XP Pro) connecting on the neighbor's router instead of his. He has a
> > D-Link
> > 614+, I don't know this model at all so I'm asking you guys if you know
> > a
> > way to restrict his laptop to only HIS router.
> >
> > As you can see, I'm not very familiar with Wireless :/
> >
> > Thanks for any inputs
> >
> > M.Bruyere
> > Network/systems administrator
> > CompTIA A+, Network+
> >
> >
> > ------------------------------------------------------------------------
> > ---
> > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
> > off
> > any course! All of our class sizes are guaranteed to be 10 students or
> > less
> > to facilitate one-on-one interaction with one of our expert instructors.
> > Attend a course taught by an expert instructor with years of
> > in-the-field
> > pen testing experience in our state of the art hacking lab. Master the
> > skills
> > of an Ethical Hacker to better assess the security of your organization.
> > Visit us at:
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ------------------------------------------------------------------------
> > ----
> >
> > _________________________________________________________________
> > Get rid of annoying pop-up ads with the new MSN Toolbar - FREE!
> > http://toolbar.msn.com/go/onm00200414ave/direct/01/
> >
> >
> > ------------------------------------------------------------------------
> > ---
> > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
> > off
> > any course! All of our class sizes are guaranteed to be 10 students or
> > less
> > to facilitate one-on-one interaction with one of our expert instructors.
> >
> > Attend a course taught by an expert instructor with years of
> > in-the-field
> > pen testing experience in our state of the art hacking lab. Master the
> > skills
> > of an Ethical Hacker to better assess the security of your organization.
> >
> > Visit us at:
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ------------------------------------------------------------------------
> > ----
> >
> >
> > ------------------------------------------------------------------------
> > --- Ethical Hacking at the InfoSec Institute. Mention this ad and get
> > $545 off  any course! All of our class sizes are guaranteed to be 10
> > students or less  to facilitate one-on-one interaction with one of our
> > expert instructors.  Attend a course taught by an expert instructor with
> > years of in-the-field  pen testing experience in our state of the art
> > hacking lab. Master the skills
> > of an Ethical Hacker to better assess the security of your organization.
> > Visit us at:
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ------------------------------------------------------------------------
> > ----
> >
> > ------------------------------------------------------------------------
> > --- Ethical Hacking at the InfoSec Institute. Mention this ad and get
> > $545 off  any course! All of our class sizes are guaranteed to be 10
> > students or less  to facilitate one-on-one interaction with one of our
> > expert instructors.  Attend a course taught by an expert instructor with
> > years of in-the-field  pen testing experience in our state of the art
> > hacking lab. Master the skills  of an Ethical Hacker to better assess
> > the security of your organization.  Visit us at:
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ------------------------------------------------------------------------
> > ----
>
>
> -------------------------------------------------------------------------
> -- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
> off  any course! All of our class sizes are guaranteed to be 10 students
> or less  to facilitate one-on-one interaction with one of our expert
> instructors.  Attend a course taught by an expert instructor with years
> of in-the-field  pen testing experience in our state of the art hacking
> lab. Master the skills  of an Ethical Hacker to better assess the
> security of your organization.  Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> -------------------------------------------------------------------------
> ---

Attachment: _bin
Description: