Firewall Wizards mailing list archives
Re: Securing a wireless network
From: jseymour () linxnet com (Jim Seymour)
Date: Fri, 29 Oct 2004 13:52:36 -0400 (EDT)
<chris () compucounts com> wrote:
At my so-called place of business, there exists a completely insecure public wireless network that I wish to lock down (ignoring WEP, Radius, and other wireless security methods).
Well, WEP is basically worthless, so I can understand that. But why ignore WPA + RADIUS? You do understand that WEP or WPA is more than just identification/authentication, right? They also provide wireless encryption, without which you might as well be sending a traffic feed to the local radio broadcast station. Even WPA-PSK might be "acceptable" (with a suitably-long PSK), *if* you can tolerate the labour involved when a client has to be eliminated from WLAN access.
I am looking for a means of forcing 'unverified' clients (by MAC address?; not at all worried about spoofing) to run a script or program of some sort before being able to interface with other network devices (to scan for viruses, check software configuration, and whatever else).
[snip] Okay, quarantining mobile devices freshly-arrived on the $corp network is a good idea. But you're going to grant network access based on the MAC address, and you aren't concerned about MAC address spoofing? And on a WLAN w/o encryption?
The general idea:
- unknown client connects to network and obtains IP from DHCP
- client opens web browser, and is redirected to some generic page with instructions
- client follows instructions, runs script
- <slightly hazy with a chance of rain>
- client is assigned new [IP|VLAN|something else] and is able to connect to the rest of the network
- Bad guy sniffing WLAN logs all this, waits for auth'd client to go away, becomes auth'd client with spoofed MAC.
[snip]
Can anyone point me in some direction or offer a different solution?
[snip] WPA + FreeRADIUS, for starters. Haven't really come up with a good idea for semi-automatically handling client decontamination, yet.

Jim