Security Basics mailing list archives
RE: WLAN Security, Authentication, and more...
From: "Giddens, Robert" <GiddensRobert () bfusa com>
Date: Mon, 10 May 2004 14:47:05 -0400
Have you looked at Air Fortress? We have had a TON of good luck with this product and securing WLANs. Small client installed on the wireless device whether a PDA, Laptop or what. It is a hardware solution that sits in front of the WLAN device. http://www.fortresstech.com Product PDF http://www.fortresstech.com/pdf/AFproductdatasheet1117.pdf -----Original Message----- From: tom jones [mailto:p0rt_0 () yahoo com] Sent: Sunday, May 09, 2004 8:02 PM To: security-basics () lists securityfocus com Subject: WLAN Security, Authentication, and more... Hello, I have worked with wireless technology on and off for a few years now and feel I have a solid grasp of general best practice, but would appreciate some of your thoughts on the below subjects. I am aware of other infrastructure and configuration settings necessary to minimize the wireless footprint and maximize security (disable SSID broadcast, change admin passwords, place the AP in the DMZ on a switched network / VLAN, etc). I realize this type of question has been asked on lists before, but the majority of answers alsways default to the configurations from the previous sentence. I would greatly appreciate specific input on the following questions: The questions below are asked with the intention of deploying wireless in a bank/hostpital type environment. 1. Security Controls What have you seen / implemented as a standard for wireless security? I know LEAP is out of the question due to the dictionary attack vulerability. Possibly PEAP or some other 802.1x standard? Authentication - I usually see authentication through the DMZ to a back end Radius or Active Directory server. Any other options? Do you require your users to VPN through the DMZ to access internal network resources? 2. How have you detered users from using their laptops at the local coffee shop? Policies and procedures are a start, but are any system level controls in place to only allow connections to the corporate environment? I would be concered an employee may have information traveling in the air on an open network (or have their machines comprimized while drinking some latte). 3. Rogue Wireless Detection - I have done much reading on this subject and would like to know how you all tackle this issue. Some suggest cool toys like AirDefense, etc. Others suggest some sort of MAC monitoring on switches/routers. I am a fan of walking around with Kismet every few weeks. The major issue I have encountered with walking around is the problem of neighboring buildings (in a downtown environment). It's easy enough to find the APs you know about, but finding a rogue AP connected to your network becomes a challenge with all of the other APs popping up. The only way I have found around this is to take a best guess based on signal/noise strength and go from there. Any thoughts/suggestions on what you have read or deployed? I realize there is no silver bullet for all of these questions and that there is a balance that is necessary between security, functionality, ease of use, management, and not loading the air with so much overhead that wireless connections become unusable. Your feedback is greatly appreciated. __________________________________ Do you Yahoo!? Win a $20,000 Career Makeover at Yahoo! HotJobs http://hotjobs.sweepstakes.yahoo.com/careermakeover ------------------------------------------------------------------------ --- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- WLAN Security, Authentication, and more... tom jones (May 10)
- Re: WLAN Security, Authentication, and more... James Kelly (May 10)
- ssh - AN Security, Authentication, and more... Alvin Oga (May 11)
- Re: ssh - AN Security, Authentication, and more... James Kelly (May 11)
- ssh - AN Security, Authentication, and more... Alvin Oga (May 11)
- <Possible follow-ups>
- RE: WLAN Security, Authentication, and more... Giddens, Robert (May 10)
- RE: WLAN Security, Authentication, and more... Josh Mills (May 10)
- RE: WLAN Security, Authentication, and more... Joerg Over Dexia (May 11)
- Re: WLAN Security, Authentication, and more... Sandy Carr (May 11)
- Re: WLAN Security, Authentication, and more... James Kelly (May 10)